Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Nov 2017 15:21:07 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: "Tobin C. Harding" <me@...in.cc>
Cc: kernel-hardening@...ts.openwall.com, Linus Torvalds
 <torvalds@...ux-foundation.org>, "Jason A. Donenfeld" <Jason@...c4.com>,
 "Theodore Ts'o" <tytso@....edu>, Kees Cook <keescook@...omium.org>, Paolo
 Bonzini <pbonzini@...hat.com>, Tycho Andersen <tycho@...ho.ws>,
 "Roberts, William C" <william.c.roberts@...el.com>, Tejun Heo
 <tj@...nel.org>, Jordan Glover <Golden_Miller83@...tonmail.ch>, Greg KH
 <gregkh@...uxfoundation.org>, Petr Mladek <pmladek@...e.com>, Joe Perches
 <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>, Sergey Senozhatsky
 <sergey.senozhatsky@...il.com>, Catalin Marinas <catalin.marinas@....com>,
 Will Deacon <wilal.deacon@....com>, Steven Rostedt <rostedt@...dmis.org>,
 Chris Fries <cfries@...gle.com>, Dave Weinstein <olorin@...gle.com>, Daniel
 Micay <danielmicay@...il.com>, Djalal Harouni <tixxdz@...il.com>, Radim
 Krčmář <rkrcmar@...hat.com>,
 linux-kernel@...r.kernel.org, Network Development <netdev@...r.kernel.org>,
 David Miller <davem@...emloft.net>, Stephen Rothwell
 <sfr@...b.auug.org.au>, Andrey Ryabinin <aryabinin@...tuozzo.com>,
 Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>
Subject: Re: [PATCH V11 3/5] printk: hash addresses printed with %p

On Wed, 29 Nov 2017 13:05:03 +1100 "Tobin C. Harding" <me@...in.cc> wrote:

> Currently there exist approximately 14 000 places in the kernel where
> addresses are being printed using an unadorned %p. This potentially
> leaks sensitive information regarding the Kernel layout in memory. Many
> of these calls are stale, instead of fixing every call lets hash the
> address by default before printing. This will of course break some
> users, forcing code printing needed addresses to be updated.
> 
> Code that _really_ needs the address will soon be able to use the new
> printk specifier %px to print the address.
> 
> For what it's worth, usage of unadorned %p can be broken down as
> follows (thanks to Joe Perches).
> 
> $ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c
>    1084 arch
>      20 block
>      10 crypto
>      32 Documentation
>    8121 drivers
>    1221 fs
>     143 include
>     101 kernel
>      69 lib
>     100 mm
>    1510 net
>      40 samples
>       7 scripts
>      11 security
>     166 sound
>     152 tools
>       2 virt
> 
> Add function ptr_to_id() to map an address to a 32 bit unique
> identifier. Hash any unadorned usage of specifier %p and any malformed
> specifiers.
> 
> ...
>
> @@ -1644,6 +1646,73 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
>  	return widen_string(buf, buf - buf_start, end, spec);
>  }
>  
> +static bool have_filled_random_ptr_key __read_mostly;
> +static siphash_key_t ptr_key __read_mostly;
> +
> +static void fill_random_ptr_key(struct random_ready_callback *unused)
> +{
> +	get_random_bytes(&ptr_key, sizeof(ptr_key));
> +	/*
> +	 * have_filled_random_ptr_key==true is dependent on get_random_bytes().
> +	 * ptr_to_id() needs to see have_filled_random_ptr_key==true
> +	 * after get_random_bytes() returns.
> +	 */
> +	smp_mb();
> +	WRITE_ONCE(have_filled_random_ptr_key, true);
> +}

I don't think I'm seeing anything which prevents two CPUs from
initializing ptr_key at the same time.  Probably doesn't matter much...

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.