| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Dec 2010 22:26:09 +0100 From: Ingo Molnar <mingo@...e.hu> To: Dan Rosenberg <drosenberg@...curity.com> Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, linux-security-module@...r.kernel.org, jmorris@...ei.org, eric.dumazet@...il.com, tgraf@...radead.org, eugeneteo@...nel.org, kees.cook@...onical.com, davem@...emloft.net, a.p.zijlstra@...llo.nl, akpm@...ux-foundation.org, eparis@...isplace.org Subject: Re: [PATCH v5] kptr_restrict for hiding kernel pointers * Dan Rosenberg <drosenberg@...curity.com> wrote: > On Wed, 2010-12-22 at 18:13 +0100, Ingo Molnar wrote: > > * Dan Rosenberg <drosenberg@...curity.com> wrote: > > > > > + case 'K': > > > + /* > > > + * %pK cannot be used in IRQ context because its test > > > + * for CAP_SYSLOG would be meaningless. > > > + */ > > > + if (in_irq() || in_serving_softirq() || in_nmi()) > > > + WARN_ONCE(1, "%%pK used in interrupt context.\n"); > > > > Hm, that bit looks possibly broken - some useful warning in irq context could print > > a pointer into the syslog and this would generate a second warning? That probably > > would crash as it recurses back into the printk code? > > > > I don't see a reason to ever use %pK to print to the syslog, since > reading it is now optionally protected with dmesg_restrict, and > stripping pointers from the syslog will cripple any post-mortem > debugging for everyone. I understand the desire to prevent things from > breaking even if it's used incorrectly, but I'm not really convinced > that this would break anything even in this scenario. The WARN_ONCE > will prevent any unbounded recursion. I'm just not clear on how this > could cause a crash. It's a simple QOI issue. We simply do not add kernel facilities that can produce a stack overflow, memory corruption and triple fault if a rare debug statement triggers in an IRQ context by accident: printk(KERN_WARN "driver bar: bug foo in function %pK\n"); > > Instead a warning could be inserted into the generated output instead, for > > example 'pK-error' (carefully staying within pointer length limits). > > If it's used in IRQ context and its output needs to be read by a > userspace utility using %p to parse, this will break it. Didnt you just say that it should not be used from IRQ context? There wont be any user-space tool to read it - it's a simple robustness change: the warning as you implemented it can crash the system. I suggested an implementation that would emit the warning in a more robust way. Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists