Date: Thu, 26 Oct 2017 13:53:54 +1100
From: "Tobin C. Harding" <>
Cc: "Tobin C. Harding" <>,
	"Jason A. Donenfeld" <>,
	Theodore Ts'o <>,
	Linus Torvalds <>,
	Kees Cook <>,
	Paolo Bonzini <>,
	Tycho Andersen <>,
	"Roberts, William C" <>,
	Tejun Heo <>,
	Jordan Glover <>,
	Greg KH <>,
	Petr Mladek <>,
	Joe Perches <>,
	Ian Campbell <>,
	Sergey Senozhatsky <>,
	Catalin Marinas <>,
	Will Deacon <>,
	Steven Rostedt <>,
	Chris Fries <>,
	Dave Weinstein <>,
	Daniel Micay <>,
	Djalal Harouni <>,
Subject: [PATCH V8 0/2] printk: hash addresses printed with %p

Currently there are many places in the kernel where addresses are being
printed using an unadorned %p. Kernel pointers should be printed using
%pK allowing some control via the kptr_restrict sysctl. Exposing
addresses gives attackers sensitive information about the kernel layout
in memory.

We can reduce the attack surface by hashing all addresses printed with
%p. This will of course break some users, forcing code printing needed
addresses to be updated.

With this version we include hashing of malformed specifiers also.
Malformed specifiers include incomplete (e.g. %pi) and also non-existent
specifiers. checkpatch should warn for non-existent specifiers but
AFAICT won't warn for incomplete specifiers.

Here is the behaviour that this set implements.

For kptr_restrict==0

Randomness not ready:
  printed with %p: 		(pointer)          # NOTE: with padding
Valid pointer:
  printed with %pK: 		deadbeefdeadbeef
  printed with %p: 		0xdeadbeef
  malformed specifier (e.g. %i):  0xdeadbeef
NULL pointer:
  printed with %pK: 		0000000000000000
  printed with %p: 		(null)               # NOTE: no padding
  malformed specifier (e.g. %i):  (null)

For kptr_restrict==2

Valid pointer:
  printed with %pK: 		0000000000000000

All other output as for kptr_restrict==0
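The behaviour table above, as an added user-space C model that is not the patch's own code: a SipHash-2-4 implementation (the same construction the series uses via the kernel's siphash library), a ptr_to_id() that hashes the pointer value under a boot-time key, and format_p()/format_pK() functions that reproduce the "(pointer)", "(null)", hashed-%p and zeroed-%pK cases. The key, the sample address, the ready flag and every helper name other than ptr_to_id() are assumptions; field-width padding is not modelled. The two SipHash check values are the published reference vectors from the SipHash paper.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- SipHash-2-4, straight from the reference description --- */
static uint64_t rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }

static void sipround(uint64_t v[4])
{
	v[0] += v[1]; v[1] = rotl64(v[1], 13); v[1] ^= v[0]; v[0] = rotl64(v[0], 32);
	v[2] += v[3]; v[3] = rotl64(v[3], 16); v[3] ^= v[2];
	v[0] += v[3]; v[3] = rotl64(v[3], 21); v[3] ^= v[0];
	v[2] += v[1]; v[1] = rotl64(v[1], 17); v[1] ^= v[2]; v[2] = rotl64(v[2], 32);
}

static uint64_t load_le64(const uint8_t *p)
{
	uint64_t x = 0;
	for (int i = 0; i < 8; i++)
		x |= (uint64_t)p[i] << (8 * i);
	return x;
}

static uint64_t siphash24(const uint8_t *in, size_t len, uint64_t k0, uint64_t k1)
{
	uint64_t v[4] = { k0 ^ 0x736f6d6570736575ULL, k1 ^ 0x646f72616e646f6dULL,
			  k0 ^ 0x6c7967656e657261ULL, k1 ^ 0x7465646279746573ULL };
	size_t i = 0;

	for (; i + 8 <= len; i += 8) {		/* full 8-byte blocks: 2 compression rounds each */
		uint64_t m = load_le64(in + i);
		v[3] ^= m; sipround(v); sipround(v); v[0] ^= m;
	}
	uint64_t b = (uint64_t)len << 56;	/* last block carries the length in its top byte */
	for (size_t j = 0; i + j < len; j++)
		b |= (uint64_t)in[i + j] << (8 * j);
	v[3] ^= b; sipround(v); sipround(v); v[0] ^= b;
	v[2] ^= 0xff;				/* finalisation: 4 rounds */
	for (int r = 0; r < 4; r++)
		sipround(v);
	return v[0] ^ v[1] ^ v[2] ^ v[3];
}

/* --- model of the %p hashing: key filled once at early init --- */
struct ptr_hash_state { uint64_t k0, k1; bool ready; };	/* assumed layout */

/* ptr_to_id(): hash the raw pointer value; same pointer -> same id for the whole boot. */
static uint64_t ptr_to_id(const struct ptr_hash_state *st, uint64_t ptr)
{
	uint8_t buf[8];
	for (int i = 0; i < 8; i++)
		buf[i] = (uint8_t)(ptr >> (8 * i));	/* little-endian serialisation */
	return siphash24(buf, sizeof buf, st->k0, st->k1);
}

/* format_p(): what plain %p (or a malformed %p<x>) emits; the id is truncated to 32 bits
 * to match the "0xdeadbeef" sample in the cover letter. Padding is ignored here. */
static int format_p(char *out, size_t n, const struct ptr_hash_state *st, uint64_t ptr)
{
	if (!ptr)
		return snprintf(out, n, "(null)");
	if (!st->ready)				/* get_random_bytes() not usable yet */
		return snprintf(out, n, "(pointer)");
	return snprintf(out, n, "0x%08" PRIx32, (uint32_t)ptr_to_id(st, ptr));
}

/* format_pK(): %pK prints the real address unless kptr_restrict hides it. */
static int format_pK(char *out, size_t n, int kptr_restrict, uint64_t ptr)
{
	if (kptr_restrict >= 2)
		ptr = 0;
	return snprintf(out, n, "%016" PRIx64, ptr);
}

/* Reference vector from the SipHash paper: key 00..0f, message 00..0e. */
static uint64_t paper_vector_hash(void)
{
	uint8_t msg[15];
	for (int i = 0; i < 15; i++)
		msg[i] = (uint8_t)i;
	return siphash24(msg, sizeof msg, 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL);
}

/* Walks the behaviour table with a constructed key and address; returns 1 if every row matches. */
static int model_selftest(void)
{
	struct ptr_hash_state st = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL, false };
	const uint64_t sample = 0xffff880012345678ULL;	/* constructed kernel-looking address */
	char a[32], b[32];

	format_p(a, sizeof a, &st, sample);
	if (strcmp(a, "(pointer)") != 0) return 0;	/* randomness not ready */
	format_p(a, sizeof a, &st, 0);
	if (strcmp(a, "(null)") != 0) return 0;		/* NULL never hashed */
	st.ready = true;
	format_p(a, sizeof a, &st, sample);
	format_p(b, sizeof b, &st, sample);
	if (strcmp(a, b) != 0) return 0;		/* id is stable across calls */
	if (strlen(a) != 10 || strncmp(a, "0x", 2) != 0) return 0;
	if (strcmp(a, "0x12345678") == 0) return 0;	/* raw low bits are not what gets printed */
	format_pK(a, sizeof a, 0, sample);
	if (strcmp(a, "ffff880012345678") != 0) return 0;
	format_pK(a, sizeof a, 2, sample);
	if (strcmp(a, "0000000000000000") != 0) return 0;	/* kptr_restrict==2 zeroes %pK */
	return 1;
}

int main(void)
{
	struct ptr_hash_state st = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL, true };
	char buf[32];
	format_p(buf, sizeof buf, &st, 0xffff880012345678ULL);
	printf("%%p  -> %s\n", buf);
	format_pK(buf, sizeof buf, 0, 0xffff880012345678ULL);
	printf("%%pK -> %s (kptr_restrict=0)\n", buf);
	return model_selftest() ? 0 : 1;
}
```

The point the model makes visible is that the hashed id is a stable per-boot label, useful for correlating log lines, while the real address stays behind %pK and kptr_restrict; the model's key is fixed so the output is reproducible, whereas the kernel fills it from get_random_bytes() once randomness is ready.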

 - Add second patch cleaning up null pointer printing in pointer()
 - Move %pK handling to separate function, further cleaning up pointer()
 - Move ptr_to_id() call outside of switch statement making hashing
   the default behaviour (including malformed specifiers).
 - Remove use of static_key, replace with simple boolean.

 - Use tabs instead of spaces (ouch!).

 - Use __early_initcall() to fill the SipHash key.
 - Use static keys to guard hashing before the key is available.

 - Remove spin lock.
 - Add Jason A. Donenfeld to CC list by request.
 - Add Theodore Ts'o to CC list due to comment on previous version.

 - Remove changes to siphash.{ch}
 - Do word size check, and return value cast, directly in ptr_to_id().
 - Use add_ready_random_callback() to guard call to get_random_bytes()

 - Use atomic_xchg() to guard setting [random] key.
 - Remove erroneous white space change.

 - Use SipHash to do the hashing.

The discussion related to this patch has been fragmented. There are
three threads associated with this patch. Email threads by subject:

[PATCH] printk: hash addresses printed with %p
[PATCH 0/3] add %pX specifier
[kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options

Tobin C. Harding (2):
  printk: remove tabular output for NULL pointer
  printk: hash addresses printed with %p

 lib/vsprintf.c | 166 +++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 108 insertions(+), 58 deletions(-)
