
printk: hash addresses printed with %p

From:  "Tobin C. Harding" <me-AT-tobin.cc>
To:  kernel-hardening-AT-lists.openwall.com
Subject:  [PATCH V8 0/2] printk: hash addresses printed with %p
Date:  Thu, 26 Oct 2017 13:53:54 +1100
Message-ID:  <1508986436-31966-1-git-send-email-me@tobin.cc>
Cc:  "Tobin C. Harding" <me-AT-tobin.cc>, "Jason A. Donenfeld" <Jason-AT-zx2c4.com>, Theodore Ts'o <tytso-AT-mit.edu>, Linus Torvalds <torvalds-AT-linux-foundation.org>, Kees Cook <keescook-AT-chromium.org>, Paolo Bonzini <pbonzini-AT-redhat.com>, Tycho Andersen <tycho-AT-docker.com>, "Roberts, William C" <william.c.roberts-AT-intel.com>, Tejun Heo <tj-AT-kernel.org>, Jordan Glover <Golden_Miller83-AT-protonmail.ch>, Greg KH <gregkh-AT-linuxfoundation.org>, Petr Mladek <pmladek-AT-suse.com>, Joe Perches <joe-AT-perches.com>, Ian Campbell <ijc-AT-hellion.org.uk>, Sergey Senozhatsky <sergey.senozhatsky-AT-gmail.com>, Catalin Marinas <catalin.marinas-AT-arm.com>, Will Deacon <wilal.deacon-AT-arm.com>, Steven Rostedt <rostedt-AT-goodmis.org>, Chris Fries <cfries-AT-google.com>, Dave Weinstein <olorin-AT-google.com>, Daniel Micay <danielmicay-AT-gmail.com>, Djalal Harouni <tixxdz-AT-gmail.com>, linux-kernel-AT-vger.kernel.org

Currently there are many places in the kernel where addresses are being
printed using an unadorned %p. Kernel pointers should be printed using
%pK allowing some control via the kptr_restrict sysctl. Exposing
addresses gives attackers sensitive information about the kernel layout
in memory.

We can reduce the attack surface by hashing all addresses printed with
%p. This will of course break some users, forcing code printing needed
addresses to be updated.

With this version we include hashing of malformed specifiers also.
Malformed specifiers include incomplete (e.g. %pi) and also non-existent
specifiers. checkpatch should warn for non-existent specifiers but
AFAICT won't warn for incomplete specifiers.

Here is the behaviour that this set implements.

For kptr_restrict==0

Randomness not ready:
  printed with %p: 		(pointer)          # NOTE: with padding
Valid pointer:
  printed with %pK: 		deadbeefdeadbeef
  printed with %p: 		0xdeadbeef
  malformed specifier (eg %i):  0xdeadbeef
NULL pointer:
  printed with %pK: 		0000000000000000
  printed with %p: 		(null)               # NOTE: no padding
  malformed specifier (eg %i):  (null)

For kptr_restrict==2

Valid pointer:
  printed with %pK: 		0000000000000000

All other output as for kptr_restrict==0

V8:
 - Add second patch cleaning up null pointer printing in pointer()
 - Move %pK handling to separate function, further cleaning up pointer()
 - Move ptr_to_id() call outside of switch statement making hashing
   the default behaviour (including malformed specifiers).
 - Remove use of static_key, replace with simple boolean.

V7:
 - Use tabs instead of spaces (ouch!).

V6:
 - Use __early_initcall() to fill the SipHash key.
 - Use static keys to guard hashing before the key is available.

V5:
 - Remove spin lock.
 - Add Jason A. Donenfeld to CC list by request.
 - Add Theodore Ts'o to CC list due to comment on previous version.

V4:
 - Remove changes to siphash.{ch}
 - Do word size check, and return value cast, directly in ptr_to_id().
 - Use add_ready_random_callback() to guard call to get_random_bytes()

V3:
 - Use atomic_xchg() to guard setting [random] key.
 - Remove erroneous white space change.

V2:
 - Use SipHash to do the hashing.

The discussion related to this patch has been fragmented. There are
three threads associated with this patch. Email threads by subject:

[PATCH] printk: hash addresses printed with %p
[PATCH 0/3] add %pX specifier
[kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options

Tobin C. Harding (2):
  printk: remove tabular output for NULL pointer
  printk: hash addresses printed with %p

 lib/vsprintf.c | 166 +++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 108 insertions(+), 58 deletions(-)

-- 
2.7.4
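
Added example, not part of the patch series or the original post: a userspace C model of the behaviour table above, hashing a pointer with SipHash-2-4 as one 64-bit word and keeping 32 bits of the result. The names fmt_p, fmt_pK, key and key_ready, the constructed key, and testing NULL before the key flag are assumptions of this model; only kptr_restrict values 0 and 2 are covered.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
	v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
	v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 of one 64-bit word under the 128-bit key (k0, k1). */
static uint64_t siphash_1u64(uint64_t m, uint64_t k0, uint64_t k1)
{
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
	uint64_t len = 8ULL << 56;	/* last block: message length in the top byte */
	v3 ^= m;    SIPROUND; SIPROUND; v0 ^= m;
	v3 ^= len;  SIPROUND; SIPROUND; v0 ^= len;
	v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

static uint64_t key[2]; static int key_ready;	/* flag guards use of the key */

/* Plain %p. Testing NULL before the key flag is this model's assumption. */
static const char *fmt_p(char *buf, size_t n, const void *ptr)
{
	if (!ptr) return "(null)";
	if (!key_ready) return "(pointer)";
	snprintf(buf, n, "0x%08x",	/* keep only 32 bits of the keyed hash */
		 (unsigned)siphash_1u64((uintptr_t)ptr, key[0], key[1]));
	return buf;
}

/* %pK for the two kptr_restrict values in the table (0 and 2) only. */
static const char *fmt_pK(char *buf, size_t n, const void *ptr, int lvl)
{
	snprintf(buf, n, "%016llx", lvl == 2 ? 0ULL : (unsigned long long)(uintptr_t)ptr);
	return buf;
}

int main(void)
{
	char b[32]; int x = 0;
	printf("%%p  before key:  %s\n", fmt_p(b, sizeof b, &x));
	key[0] = 0x0123456789abcdefULL; key[1] = 0xfedcba9876543210ULL; key_ready = 1;
	printf("%%p  after key:   %s\n", fmt_p(b, sizeof b, &x));	/* constructed key above */
	printf("%%pK restrict=2:  %s\n", fmt_pK(b, sizeof b, &x, 2));
}
```

The id printed for a given pointer is stable for as long as the key is unchanged, so log lines can still be correlated without revealing the address.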


