Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Oct 2017 14:45:38 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Kees Cook <keescook@...omium.org>
Cc: "Roberts, William C" <william.c.roberts@...el.com>, "Theodore Ts'o" <tytso@....edu>, 
	"Tobin C. Harding" <me@...in.cc>, Tejun Heo <tj@...nel.org>, 
	Jordan Glover <Golden_Miller83@...tonmail.ch>, Greg KH <gregkh@...uxfoundation.org>, 
	Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>, 
	Sergey Senozhatsky <sergey.senozhatsky@...il.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>, 
	Steven Rostedt <rostedt@...dmis.org>, Chris Fries <cfries@...gle.com>, 
	Dave Weinstein <olorin@...gle.com>
Subject: Re: [RFC V2 0/6] add more kernel pointer filter options

On Fri, Oct 13, 2017 at 1:47 PM, Kees Cook <keescook@...omium.org> wrote:
>
> Is the correct path to:
> - unconditionally convert %p to reporting a 32-bit hash
> - actively start removing as much %p use as possible
> - do something to discourage %x on pointers (checkpatch.pl?)

I don't know if we even need to remove %p if we just unconditionally hash it.

I _think_ that what will happen if we just start hashing %p is that
99% of existing %p cases will just stay around, because many of them
are likely effectively stale. Maybe they were useful for driver
development, but they probably aren't any more.

The 1% that will cause people to look at the code may well be painful,
though. We are potentially talking more than just a handful here.

We *may* actually want to introduce %pX as a way to opt _out_ of the
hashing, so that  %p users that really do want an address can keep it
- while making it  really easy to grep for (and then maybe
kptr_restrict=4 would say "even %pX gets hashed anyway").

As to %x and pointers, I'm not sure how to do that with checkpatch.
And I don't even think it's about pointers. If people care about the
physical addresses leaking (and the %pa format kind of indicates
people do), the most common physical addresses likely are %x printouts
before those addresses were made into pointers at all. Those physical
addresses often came from somewhere else where they were just integers
(eg PCI BAR values etc).

So realistically, that's where the "let's try to come up with scripts
to find those things" comes in.

... and just perhaps generally talk about this "don't leak pointers or
physical addresses to random user space" so that people are more aware
of it in general.

That, btw, might be a side effect of %p being hashed in the first
place. People will go "WTF?" for a while, and just _explaining_ the %p
hashing might make people more aware of this issue in the first place.

Or maybe I'm just unrealistically optimistic, and what will _actually_
happen if we start hashing %p output is just a lot and lot of
complaining and whining and tons of breakage. ;(

> Can we do something more about %x?
>
> Do we want to remove %pK also?

I'm not sure we need to. But there may be %pK users that simply think
that getting a hashed address is better than getting just zeroes, and
that would thus prefer going back to %p.

           Linus

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.