lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAGXu5j+a5uQ8CCjFpz4rZRHEQZQmR-PkRPsfguV_7KVo1qAhdQ@mail.gmail.com>
Date:   Wed, 2 May 2018 07:20:14 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Thomas-Mich Richter <tmricht@...ux.ibm.com>
Cc:     Jessica Yu <jeyu@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Christian Borntraeger <borntraeger@...ibm.com>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        brueckner@...ux.vnet.ibm.com,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        "Tobin C. Harding" <me@...in.cc>,
        "# 3.4.x" <stable@...r.kernel.org>
Subject: Re: [PATCH v3] module: Fix display of wrong module .text address

On Wed, May 2, 2018 at 1:13 AM, Thomas-Mich Richter
<tmricht@...ux.ibm.com> wrote:
> On 05/02/2018 04:20 AM, Kees Cook wrote:
>> On Wed, Apr 18, 2018 at 12:14 AM, Thomas Richter <tmricht@...ux.ibm.com> wrote:
>>> Reading file /proc/modules shows the correct address:
>>> [root@...lp76 ~]# cat /proc/modules | egrep '^qeth_l2'
>>> qeth_l2 94208 1 - Live 0x000003ff80401000
>>>
>>> and reading file /sys/module/qeth_l2/sections/.text
>>> [root@...lp76 ~]# cat /sys/module/qeth_l2/sections/.text
>>> 0x0000000018ea8363
>>> displays a random address.
>>>
>>> This breaks the perf tool which uses this address on s390
>>> to calculate start of .text section in memory.
>>>
>>> Fix this by printing the correct (unhashed) address.
>>>
>>> Thanks to Jessica Yu for helping on this.
>>>
>>> Fixes: ef0010a30935 ("vsprintf: don't use 'restricted_pointer()' when not restricting")
>>> Cc: <stable@...r.kernel.org> # v4.15+
>>> Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
>>> Signed-off-by: Thomas Richter <tmricht@...ux.ibm.com>
>>> Cc: Jessica Yu <jeyu@...nel.org>
>>> ---
>>>  kernel/module.c | 3 ++-
>>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/kernel/module.c b/kernel/module.c
>>> index a6e43a5806a1..40b42000bd80 100644
>>> --- a/kernel/module.c
>>> +++ b/kernel/module.c
>>> @@ -1472,7 +1472,8 @@ static ssize_t module_sect_show(struct module_attribute *mattr,
>>>  {
>>>         struct module_sect_attr *sattr =
>>>                 container_of(mattr, struct module_sect_attr, mattr);
>>> -       return sprintf(buf, "0x%pK\n", (void *)sattr->address);
>>> +       return sprintf(buf, "0x%px\n", kptr_restrict < 2 ?
>>> +                      (void *)sattr->address : NULL);
>>
>> Errr... this looks reversed to me.
>>
>> I would expect: "kptr_restrict < 2 ? NULL : (void *)sattr->address"
>>
>> -Kees
>>
>
> I am confused:
> In my patch, if kptr_restrict == 2 it prints NULL, which kptr_restrict
> being 0 or 1 it prints the address.
>
> In your comment if kptr_restrict == 2 it prints the address, which
> kptr_restrict being 0 or 1 it prints NULL.
>
> Looking into Documentation/sysctl/kernel.txt:
>   When kptr_restrict is set to (2), kernel pointers printed using
>   %pK will be replaced with 0's regardless of privileges.
>
> With my patch, setting kptr_restrict to 0 or 1
> prints the real kernel address (format %px, unmodified address
> according to Documentation/printk-formats.txt).
>
> I have tested this on s390 (which is the only arch using file
> /sys/module/<XXX>/sections/.text) in the perf tool.
>
> root@...60047 ~]# sysctl  kernel.kptr_restrict
> kernel.kptr_restrict = 0
> [root@...60047 ~]# cat /proc/modules | egrep '^qeth_l2'
> qeth_l2 102400 1 - Live 0x000003ff8034d000
> [root@...60047 ~]# cat /sys/module/qeth_l2/sections/.text
> 0x000003ff8034da68
> [root@...60047 ~]# sysctl  -w kernel.kptr_restrict=2
> kernel.kptr_restrict = 2
> [root@...60047 ~]# cat /proc/modules | egrep '^qeth_l2'
> qeth_l2 102400 1 - Live 0x0000000000000000
> [root@...60047 ~]# cat /sys/module/qeth_l2/sections/.text
> 0x0000000000000000
> [root@...60047 ~]# uname -a
> Linux s8360047 4.17.0-rc3m-perf+ #6 SMP PREEMPT Wed May 2 10:02:38 CEST 2018 s390x s390x s390x GNU/Linux
> [root@...60047 ~]#
>
> Hope this helps.

Thanks! Yes, I was looking at too many of the %px commits in a row and
confused myself. Sorry for the noise!

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ