lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171215173156.nvggmxozugo5jld5@hirez.programming.kicks-ass.net>
Date:   Fri, 15 Dec 2017 18:31:56 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     Thomas Richter <tmricht@...ux.vnet.ibm.com>,
        Steven Rostedt <rostedt@...dmis.org>, mhiramat@...nel.org
Cc:     linux-kernel@...r.kernel.org, heiko.carstens@...ibm.com,
        schwidefsky@...ibm.com, brueckner@...ux.vnet.ibm.com
Subject: Re: [PATCH] trace/uprobes: fix output issue with address
 randomization


I'm not in fact the maintainer covering this file..

On Fri, Dec 15, 2017 at 04:36:25PM +0100, Thomas Richter wrote:
> Commit ad67b74d2469 ("printk: hash addresses printed with %p")
> changed %p to hash pointers in order to avoid leaking
> kernel addresses.
> 
> This breaks the tool perf probe.
> 
> To set a uprobe on a function named inet_pton in libc library,
> obtain the address of the symbol inet_pton using command nm and
> then use the following command to set the uprobe:
> 
>  # echo "p:probe_libc/inet_pton /usr/lib64/libc-2.26.so:0x142060"
> 	> /sys/kernel/debug/tracing/uprobe_events
> 
> However the output shows a randomized address:
>  # cat /sys/kernel/debug/tracing/uprobe_events
>  p:probe_libc/inet_pton /usr/lib64/libc-2.26.so:0x000000002d0f8952
> 
> The displayed address 0x000000002d0f8952 is incorrect and breaks
> tools post processing it:
> 
>  # linux/tools/perf/perf probe -l
>  Failed to find debug information for address 2d0f8952
>    probe_libc:inet_pton (on 0x2d0f8952 in /usr/lib64/libc-2.26.so)
> 
> Using the %px printk format string fixes this issue for root
> and shows the correct address allowing the perf probe tool
> to resolve the address to the symbol:
> 
>  # echo "p:probe_libc/inet_pton /usr/lib64/libc-2.26.so:0x142060"
> 	> /sys/kernel/debug/tracing/uprobe_events
>  # cat /sys/kernel/debug/tracing/uprobe_events
>  p:probe_libc/inet_pton /usr/lib64/libc-2.26.so:0x0000000000142060
>  # linux/tools/perf/perf probe -l
>   probe_libc:inet_pton (on __inet_pton@...olv/inet_pton.c
> 					in /usr/lib64/libc-2.26.so)
> 
> Signed-off-by: Thomas Richter <tmricht@...ux.vnet.ibm.com>
> Suggested-by: Peter Zijlstra <peterz@...radead.org>
> ---
>  kernel/trace/trace_uprobe.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
> index 40592e7b3568..268029ae1be6 100644
> --- a/kernel/trace/trace_uprobe.c
> +++ b/kernel/trace/trace_uprobe.c
> @@ -608,7 +608,7 @@ static int probes_seq_show(struct seq_file *m, void *v)
>  
>  	/* Don't print "0x  (null)" when offset is 0 */
>  	if (tu->offset) {
> -		seq_printf(m, "0x%p", (void *)tu->offset);
> +		seq_printf(m, "0x%px", (void *)tu->offset);
>  	} else {
>  		switch (sizeof(void *)) {
>  		case 4:

So I had a wee peek and afaict this ends up at:

        trace_create_file("uprobe_events", 0644, d_tracer,
                                    NULL, &uprobe_events_ops);

which is a world readable file. Doesn't that leak the kaslr offset?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ