Date: Wed, 29 Nov 2017 15:56:16 -0800
From: Kees Cook <keescook@...omium.org>
To: "Tobin C. Harding" <me@...in.cc>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, David Laight <David.Laight@...lab.com>, 
	"Jason A. Donenfeld" <Jason@...c4.com>, "Theodore Ts'o" <tytso@....edu>, Paolo Bonzini <pbonzini@...hat.com>, 
	Tycho Andersen <tycho@...ho.ws>, "Roberts, William C" <william.c.roberts@...el.com>, Tejun Heo <tj@...nel.org>, 
	Jordan Glover <Golden_Miller83@...tonmail.ch>, Greg KH <gregkh@...uxfoundation.org>, 
	Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>, Ian Campbell <ijc@...lion.org.uk>, 
	Sergey Senozhatsky <sergey.senozhatsky@...il.com>, Catalin Marinas <catalin.marinas@....com>, 
	Will Deacon <wilal.deacon@....com>, Steven Rostedt <rostedt@...dmis.org>, 
	Chris Fries <cfries@...gle.com>, Dave Weinstein <olorin@...gle.com>, 
	Daniel Micay <danielmicay@...il.com>, Djalal Harouni <tixxdz@...il.com>, 
	Radim Krcmár <rkrcmar@...hat.com>, 
	David Miller <davem@...emloft.net>, Stephen Rothwell <sfr@...b.auug.org.au>, 
	Andrey Ryabinin <aryabinin@...tuozzo.com>, Alexander Potapenko <glider@...gle.com>, 
	Dmitry Vyukov <dvyukov@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, 
	kernel-hardening@...ts.openwall.com, 
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH 0/2] replace %pK with %p

On Wed, Nov 29, 2017 at 3:38 PM, Tobin C. Harding <me@...in.cc> wrote:
> We are now hashing addresses printed with %pK (when
> kptr_restrict==0). Perhaps we can get rid of %pK (and kptr_restrict)
> entirely. Instead of rushing ahead and doing so let's replace all printk
> format strings that use %pK with %p.

NAK. Real people use kptr_restrict -- removing %pK is a regression for
them. Setting kptr_restrict should zero the values marked with %pK.
There is still a risk of correlating information leaks to at least
select a target. If we add a knob for the %p hashing to switch to
zeroing, then we could drop %pK, IMO.

-Kees

>
> It is a nice time to do this now while we are prepared for breakages
> from applying the pointer hashing patch series.
>
> The patch to remove kptr_restrict entirely should then be a non-event.
>
> Second patch adds printk specifier %pz to display zeroed address. This
> may be useful for fixing things that break during the fallout from
> hashing and replacing %pK. We can always revert this patch if it turns
> out to be worthless, right?
>
> Patch 1 was created using
>
> for file in $(git grep -l '%pK')
> do
>         perl -pi -e 's/%pK/%p/g' $file
> done
>
> thanks,
> Tobin.
>
> Tobin C. Harding (2):
>   tree-wide: replace all users of %pK with %p
>   printk: add specifier %pz, for zeroed address
>
>  Documentation/printk-formats.txt                   | 11 +++
>  arch/arm/mm/physaddr.c                             |  2 +-
>  arch/arm64/mm/physaddr.c                           |  2 +-
>  arch/mips/kernel/relocate.c                        | 10 +--
>  arch/mips/kvm/mips.c                               |  2 +-
>  arch/powerpc/perf/hv-24x7.c                        |  8 +--
>  arch/s390/kvm/intercept.c                          |  2 +-
>  arch/s390/kvm/kvm-s390.c                           | 10 +--
>  arch/s390/kvm/trace-s390.h                         |  4 +-
>  drivers/android/binder.c                           |  2 +-
>  drivers/android/binder_alloc.c                     | 28 ++++----
>  drivers/gpu/drm/exynos/exynos_drm_dsi.c            |  4 +-
>  drivers/gpu/drm/exynos/exynos_drm_fimc.c           |  2 +-
>  drivers/gpu/drm/exynos/exynos_drm_gem.c            |  2 +-
>  drivers/gpu/drm/exynos/exynos_drm_gsc.c            |  2 +-
>  drivers/gpu/drm/exynos/exynos_drm_ipp.c            | 22 +++---
>  drivers/gpu/drm/exynos/exynos_drm_rotator.c        |  2 +-
>  drivers/gpu/drm/i915/i915_debugfs.c                |  2 +-
>  drivers/infiniband/hw/usnic/usnic_uiom.c           |  2 +-
>  drivers/net/wireless/ath/ath10k/ahb.c              |  2 +-
>  drivers/net/wireless/ath/ath10k/bmi.c              |  4 +-
>  drivers/net/wireless/ath/ath10k/ce.c               |  4 +-
>  drivers/net/wireless/ath/ath10k/core.c             |  4 +-
>  drivers/net/wireless/ath/ath10k/htc.c              |  6 +-
>  drivers/net/wireless/ath/ath10k/htt_rx.c           |  2 +-
>  drivers/net/wireless/ath/ath10k/mac.c              | 22 +++---
>  drivers/net/wireless/ath/ath10k/pci.c              |  2 +-
>  drivers/net/wireless/ath/ath10k/testmode.c         |  4 +-
>  drivers/net/wireless/ath/ath10k/txrx.c             |  2 +-
>  drivers/net/wireless/ath/ath10k/usb.c              |  4 +-
>  drivers/net/wireless/ath/ath10k/wmi.c              |  4 +-
>  drivers/spi/spi-loopback-test.c                    | 12 ++--
>  drivers/staging/ccree/ssi_buffer_mgr.c             | 54 +++++++-------
>  drivers/staging/ccree/ssi_cipher.c                 |  4 +-
>  drivers/staging/ccree/ssi_hash.c                   | 30 ++++----
>  .../interface/vchiq_arm/vchiq_2835_arm.c           |  6 +-
>  .../vc04_services/interface/vchiq_arm/vchiq_arm.c  | 16 ++---
>  .../vc04_services/interface/vchiq_arm/vchiq_core.c | 84 +++++++++++-----------
>  .../interface/vchiq_arm/vchiq_kern_lib.c           |  4 +-
>  drivers/usb/core/devio.c                           | 14 ++--
>  drivers/usb/core/hcd.c                             |  4 +-
>  drivers/usb/core/urb.c                             |  2 +-
>  drivers/usb/dwc3/dwc3-st.c                         |  2 +-
>  drivers/usb/dwc3/gadget.c                          |  4 +-
>  include/linux/filter.h                             |  2 +-
>  kernel/cgroup/debug.c                              |  8 +--
>  kernel/module.c                                    |  2 +-
>  kernel/time/timer_list.c                           |  4 +-
>  lib/vsprintf.c                                     | 26 +++++--
>  mm/vmalloc.c                                       |  4 +-
>  net/atm/proc.c                                     |  4 +-
>  net/bluetooth/af_bluetooth.c                       |  2 +-
>  net/can/bcm.c                                      |  6 +-
>  net/can/proc.c                                     |  4 +-
>  net/ipv4/ping.c                                    |  2 +-
>  net/ipv4/raw.c                                     |  2 +-
>  net/ipv4/tcp_ipv4.c                                |  6 +-
>  net/ipv4/udp.c                                     |  2 +-
>  net/ipv6/datagram.c                                |  2 +-
>  net/ipv6/tcp_ipv6.c                                |  6 +-
>  net/key/af_key.c                                   |  2 +-
>  net/netlink/af_netlink.c                           |  2 +-
>  net/packet/af_packet.c                             |  2 +-
>  net/phonet/socket.c                                |  2 +-
>  net/unix/af_unix.c                                 |  2 +-
>  sound/soc/bcm/cygnus-pcm.c                         |  2 +-
>  66 files changed, 269 insertions(+), 240 deletions(-)
>
> --
> 2.7.4
>



-- 
Kees Cook
Pixel Security
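
Added example, not part of either message and not kernel code: a userspace C model of the distinction raised in the reply above, where a hashed pointer still lets two outputs be matched against each other while a zeroed one does not. The names `keyed_hash`, `shown`, `unique_links` and `linkable`, the key and the sample addresses are constructed for illustration; the mixer is a stand-in for the kernel's hash, and only an unprivileged reader is modelled.

```c
#include <stdint.h>
#include <stdio.h>
enum fmt { FMT_P, FMT_PK };

/* Stand-in keyed bijective mixer (murmur3 finalizer), NOT the kernel's hash. */
static uint64_t keyed_hash(uint64_t addr, uint64_t key) {
    uint64_t x = addr ^ key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

/* Model of what an unprivileged reader sees for one printed pointer. */
uint64_t shown(enum fmt f, int kptr_restrict, uint64_t addr, uint64_t key) {
    if (f == FMT_PK && kptr_restrict != 0)
        return 0;                  /* %pK with kptr_restrict set: zeroed */
    return keyed_hash(addr, key);  /* %p, or %pK with kptr_restrict==0 */
}

/* Count entries of b whose printed value matches exactly one entry of a. */
int unique_links(const uint64_t *a, size_t na, const uint64_t *b, size_t nb) {
    int links = 0;
    for (size_t j = 0; j < nb; j++) {
        int hits = 0;
        for (size_t i = 0; i < na; i++)
            hits += (a[i] == b[j]);
        links += (hits == 1);
    }
    return links;
}

/* Two constructed outputs print overlapping objects; count linkable ones. */
int linkable(enum fmt f, int kptr_restrict) {
    const uint64_t key = 0x0123456789abcdefULL;  /* constructed secret */
    const uint64_t obj_a[3] = { 0xffff888000001000ULL, 0xffff888000002000ULL, 0xffff888000003000ULL };
    const uint64_t obj_b[3] = { 0xffff888000003000ULL, 0xffff888000001000ULL, 0xffff888000004000ULL };
    uint64_t a[3], b[3];
    for (int i = 0; i < 3; i++) {
        a[i] = shown(f, kptr_restrict, obj_a[i], key);
        b[i] = shown(f, kptr_restrict, obj_b[i], key);
    }
    return unique_links(a, 3, b, 3);
}

int main(void) {
    printf("%%p,  kptr_restrict=2: %d linkable\n", linkable(FMT_P, 2));
    printf("%%pK, kptr_restrict=2: %d linkable\n", linkable(FMT_PK, 2));
    return 0;
}
```

In this model a call site converted from %pK to %p stays linkable across outputs whatever kptr_restrict is set to, which is the regression the reply objects to.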
