| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXu5jKG7FD_wGbeGtATLA4h3eAwvV5P+74T=DKAN58XLqGhEw@mail.gmail.com>
Date: Wed, 29 Nov 2017 15:56:16 -0800
From: Kees Cook <keescook@...omium.org>
To: "Tobin C. Harding" <me@...in.cc>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
David Laight <David.Laight@...lab.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
"Theodore Ts'o" <tytso@....edu>,
Paolo Bonzini <pbonzini@...hat.com>,
Tycho Andersen <tycho@...ho.ws>,
"Roberts, William C" <william.c.roberts@...el.com>,
Tejun Heo <tj@...nel.org>,
Jordan Glover <Golden_Miller83@...tonmail.ch>,
Greg KH <gregkh@...uxfoundation.org>,
Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>,
Ian Campbell <ijc@...lion.org.uk>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <wilal.deacon@....com>,
Steven Rostedt <rostedt@...dmis.org>,
Chris Fries <cfries@...gle.com>,
Dave Weinstein <olorin@...gle.com>,
Daniel Micay <danielmicay@...il.com>,
Djalal Harouni <tixxdz@...il.com>,
Radim Krcmár <rkrcmar@...hat.com>,
David Miller <davem@...emloft.net>,
Stephen Rothwell <sfr@...b.auug.org.au>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
kernel-hardening@...ts.openwall.com,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH 0/2] replace %pK with %p
On Wed, Nov 29, 2017 at 3:38 PM, Tobin C. Harding <me@...in.cc> wrote:
> We are now hashing addresses printed with %pK (when
> kptr_restrict==0). Perhaps we can get rid of %pK (and kptr_restrict)
> entirely. Instead of rushing ahead and doing so let's replace all printk
> format strings that use %pK with %p.
NAK. Real people use kptr_restrict -- removing %pK is a regression for
them. Setting kptr_restrict should zero the values marked with %pK.
There is still a risk of correlating information leaks to at least
select a target. If we add a knob for the %p hashing to switch to
zeroing, then we could drop %pK, IMO.
-Kees
>
> It is a nice time to do this now while we are prepared for breakages
> from applying the pointer hashing patch series.
>
> The patch to remove kptr_restrict entirely should then be a non-event.
>
> Second patch adds printk specifier %pz to display zeroed address. This
> may be useful for fixing things that break during the fallout from
> hashing and replacing %pK. We can always revert this patch if it turns
> out to be worthless, right?
>
> Patch 1 was created using
>
> for file in $(git grep -l '%pK')
> do
> perl -pi -e 's/%pK/%p/g' $file
> done
>
> thanks,
> Tobin.
>
> Tobin C. Harding (2):
> tree-wide: replace all users of %pK with %p
> printk: add specifier %pz, for zeroed address
>
> Documentation/printk-formats.txt | 11 +++
> arch/arm/mm/physaddr.c | 2 +-
> arch/arm64/mm/physaddr.c | 2 +-
> arch/mips/kernel/relocate.c | 10 +--
> arch/mips/kvm/mips.c | 2 +-
> arch/powerpc/perf/hv-24x7.c | 8 +--
> arch/s390/kvm/intercept.c | 2 +-
> arch/s390/kvm/kvm-s390.c | 10 +--
> arch/s390/kvm/trace-s390.h | 4 +-
> drivers/android/binder.c | 2 +-
> drivers/android/binder_alloc.c | 28 ++++----
> drivers/gpu/drm/exynos/exynos_drm_dsi.c | 4 +-
> drivers/gpu/drm/exynos/exynos_drm_fimc.c | 2 +-
> drivers/gpu/drm/exynos/exynos_drm_gem.c | 2 +-
> drivers/gpu/drm/exynos/exynos_drm_gsc.c | 2 +-
> drivers/gpu/drm/exynos/exynos_drm_ipp.c | 22 +++---
> drivers/gpu/drm/exynos/exynos_drm_rotator.c | 2 +-
> drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
> drivers/infiniband/hw/usnic/usnic_uiom.c | 2 +-
> drivers/net/wireless/ath/ath10k/ahb.c | 2 +-
> drivers/net/wireless/ath/ath10k/bmi.c | 4 +-
> drivers/net/wireless/ath/ath10k/ce.c | 4 +-
> drivers/net/wireless/ath/ath10k/core.c | 4 +-
> drivers/net/wireless/ath/ath10k/htc.c | 6 +-
> drivers/net/wireless/ath/ath10k/htt_rx.c | 2 +-
> drivers/net/wireless/ath/ath10k/mac.c | 22 +++---
> drivers/net/wireless/ath/ath10k/pci.c | 2 +-
> drivers/net/wireless/ath/ath10k/testmode.c | 4 +-
> drivers/net/wireless/ath/ath10k/txrx.c | 2 +-
> drivers/net/wireless/ath/ath10k/usb.c | 4 +-
> drivers/net/wireless/ath/ath10k/wmi.c | 4 +-
> drivers/spi/spi-loopback-test.c | 12 ++--
> drivers/staging/ccree/ssi_buffer_mgr.c | 54 +++++++-------
> drivers/staging/ccree/ssi_cipher.c | 4 +-
> drivers/staging/ccree/ssi_hash.c | 30 ++++----
> .../interface/vchiq_arm/vchiq_2835_arm.c | 6 +-
> .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 16 ++---
> .../vc04_services/interface/vchiq_arm/vchiq_core.c | 84 +++++++++++-----------
> .../interface/vchiq_arm/vchiq_kern_lib.c | 4 +-
> drivers/usb/core/devio.c | 14 ++--
> drivers/usb/core/hcd.c | 4 +-
> drivers/usb/core/urb.c | 2 +-
> drivers/usb/dwc3/dwc3-st.c | 2 +-
> drivers/usb/dwc3/gadget.c | 4 +-
> include/linux/filter.h | 2 +-
> kernel/cgroup/debug.c | 8 +--
> kernel/module.c | 2 +-
> kernel/time/timer_list.c | 4 +-
> lib/vsprintf.c | 26 +++++--
> mm/vmalloc.c | 4 +-
> net/atm/proc.c | 4 +-
> net/bluetooth/af_bluetooth.c | 2 +-
> net/can/bcm.c | 6 +-
> net/can/proc.c | 4 +-
> net/ipv4/ping.c | 2 +-
> net/ipv4/raw.c | 2 +-
> net/ipv4/tcp_ipv4.c | 6 +-
> net/ipv4/udp.c | 2 +-
> net/ipv6/datagram.c | 2 +-
> net/ipv6/tcp_ipv6.c | 6 +-
> net/key/af_key.c | 2 +-
> net/netlink/af_netlink.c | 2 +-
> net/packet/af_packet.c | 2 +-
> net/phonet/socket.c | 2 +-
> net/unix/af_unix.c | 2 +-
> sound/soc/bcm/cygnus-pcm.c | 2 +-
> 66 files changed, 269 insertions(+), 240 deletions(-)
>
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists