lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20180403033123.GB781@eros>
Date:   Tue, 3 Apr 2018 13:31:23 +1000
From:   "Tobin C. Harding" <me@...in.cc>
To:     Matthew Wilcox <willy@...radead.org>
Cc:     linux-kernel@...r.kernel.org, Eric Biggers <ebiggers3@...il.com>
Subject: Re: [PATCH] list_debug: Print unmangled addresses

On Sun, Apr 01, 2018 at 03:32:37PM -0700, Matthew Wilcox wrote:
> From: Matthew Wilcox <mawilcox@...rosoft.com>
> 
> The entire point of printing the pointers in list_debug is to see if
> there's any useful information in them (eg poison values, ASCII, etc);
> obscuring them to see if they compare equal makes them much less useful.
> If an attacker can force this message to be printed, we've already lost.

Is this because CONFIG_DEBUG_LIST should not be enabled on production
kernels so an attacker should never hit this?

I'm inclined to agree, if there is already a memory corruption bug,
causing this code to execute, the extra address is probably not making
the situation any worse.

(I am in no way a security expert.)

> Signed-off-by: Matthew Wilcox <mawilcox@...rosoft.com>

Reviewed-by: Tobin C. Harding <me@...in.cc>

> diff --git a/lib/list_debug.c b/lib/list_debug.c
> index a34db8d27667..5d5424b51b74 100644
> --- a/lib/list_debug.c
> +++ b/lib/list_debug.c
> @@ -21,13 +21,13 @@ bool __list_add_valid(struct list_head *new, struct list_head *prev,
>  		      struct list_head *next)
>  {
>  	if (CHECK_DATA_CORRUPTION(next->prev != prev,
> -			"list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
> +			"list_add corruption. next->prev should be prev (%px), but was %px. (next=%px).\n",
>  			prev, next->prev, next) ||
>  	    CHECK_DATA_CORRUPTION(prev->next != next,
> -			"list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
> +			"list_add corruption. prev->next should be next (%px), but was %px. (prev=%px).\n",
>  			next, prev->next, prev) ||
>  	    CHECK_DATA_CORRUPTION(new == prev || new == next,
> -			"list_add double add: new=%p, prev=%p, next=%p.\n",
> +			"list_add double add: new=%px, prev=%px, next=%px.\n",
>  			new, prev, next))
>  		return false;
>  
> @@ -43,16 +43,16 @@ bool __list_del_entry_valid(struct list_head *entry)
>  	next = entry->next;
>  
>  	if (CHECK_DATA_CORRUPTION(next == LIST_POISON1,
> -			"list_del corruption, %p->next is LIST_POISON1 (%p)\n",
> +			"list_del corruption, %px->next is LIST_POISON1 (%px)\n",
>  			entry, LIST_POISON1) ||
>  	    CHECK_DATA_CORRUPTION(prev == LIST_POISON2,
> -			"list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
> +			"list_del corruption, %px->prev is LIST_POISON2 (%px)\n",
>  			entry, LIST_POISON2) ||
>  	    CHECK_DATA_CORRUPTION(prev->next != entry,
> -			"list_del corruption. prev->next should be %p, but was %p\n",
> +			"list_del corruption. prev->next should be %px, but was %px\n",
>  			entry, prev->next) ||
>  	    CHECK_DATA_CORRUPTION(next->prev != entry,
> -			"list_del corruption. next->prev should be %p, but was %p\n",
> +			"list_del corruption. next->prev should be %px, but was %px\n",
>  			entry, next->prev))
>  		return false;
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ