lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171207041021.GB3275@eros> Date: Thu, 7 Dec 2017 15:10:21 +1100 From: "Tobin C. Harding" <me@...in.cc> To: Kees Cook <keescook@...omium.org> Cc: Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org, LKML <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] docs: add documentation on printing kernel addresses On Wed, Dec 06, 2017 at 04:43:40PM -0800, Kees Cook wrote: > On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding <me@...in.cc> wrote: > > Hashing addresses printed with printk specifier %p was implemented > > recently. During development a number of issues were raised regarding > > leaking kernel addresses to userspace. We should update the > > documentation appropriately. > > > > Add documentation regarding printing kernel addresses. > > > > Signed-off-by: Tobin C. Harding <me@...in.cc> > > Acked-by: Kees Cook <keescook@...omium.org> > > > --- > > > > Is there a proffered method for subscripts in sphinx kernel docs? Here > > we use '[*]' > > Great question... I can't find an answer to this. :P > > > > > thanks, > > Tobin. > > > > Documentation/security/self-protection.rst | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst > > index 60c8bd8b77bf..e711280cfdd7 100644 > > --- a/Documentation/security/self-protection.rst > > +++ b/Documentation/security/self-protection.rst > > @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory > > addresses and kernel memory contents (since they may contain kernel > > addresses or other sensitive things like canary values). > > > > +Kernel addresses > > +---------------- > > + > > +Printing kernel addresses to userspace leaks sensitive information about > > +the kernel memory layout. Care should be exercised when using any printk > > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] > > +in certain circumstances [*]). Any file written to using one of these > > +specifiers should be readable only by privileged processes. > > + > > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 > > +addresses printed with the specifier %p are hashed before printing. > > + > > +[*] If symbol lookup fails, the raw address is currently printed. > > Is there a plan to adjust this case? RFC is in flight at the moment [RFC 0/3] kallsyms: don't leak address when printing symbol You commented already that you liked it. Had no response from Steve, I was intending to give him two weeks and then put in the patch for real. Or I could put it in without the ftrace stuff and just break tracing - just kidding, I wouldn't do that :) thanks, Tobin.
Powered by blists - more mailing lists