lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <11437c3e-5131-7190-c496-7b51eb7fcc2a@android.com>
Date:   Thu, 26 Jul 2018 08:14:08 -0700
From:   Mark Salyzyn <salyzyn@...roid.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     linux-kernel@...r.kernel.org,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Ingo Molnar <mingo@...hat.com>, kernel-team@...roid.com,
        stable@...r.kernel.org
Subject: Re: [PATCH] tracing: do not leak kernel addresses

On 07/25/2018 06:07 PM, Steven Rostedt wrote:
> On Wed, 25 Jul 2018 13:22:36 -0700
> Mark Salyzyn <salyzyn@...roid.com> wrote:
>
>> From: Nick Desaulniers <ndesaulniers@...gle.com>
>>
>> Switch from 0x%lx to 0x%pK to print the kernel addresses.
>>
>> Fixes: CVE-2017-0630
> Wait!!!! This breaks perf and trace-cmd! They require this to be able
> to print various strings in trace events. This file is root read only,
> as the CVE says.
>
> NAK for this fix. Come up with something that doesn't break perf and
> trace-cmd. That will not be trivial, as the format is stored in the
> ring buffer with an address, then referenced directly. It also handles
> trace_printk() functions that simply point to the string format itself.
>
> A fix would require having a pointer be the same that is referenced
> inside the kernel as well as in this file. Maybe make the format string
> placed in a location that doesn't leak where the rest of the kernel
> exists?
>
> -- Steve
Thank you Steve, much appreciated feedback, I have asked the security 
developers to keep this in mind and come up with a correct fix.

The correct fix that meets your guidelines would _not_ be suitable for 
stable due to the invasiveness it sounds, only for the latest will such 
a rework make sense. As such, the fix proposed in this patch is the only 
one that meets the bar for stable patch simplicity, and merely(!) needs 
to state that if the fix is taken, perf and trace are broken.

Posting this patch publicly on the lists, that may never be applied, may 
be the limit of our responsibility for a fix to stable kernel releases, 
to be optionally applied by vendors concerned with this CVE criteria?

-- Mark

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ