Date:   Mon, 23 Nov 2020 10:53:24 +0100
From:   Petr Mladek <pmladek@...e.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     Alan Stern <stern@...land.harvard.edu>,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        Kernel development list <linux-kernel@...r.kernel.org>,
        Kees Cook <keescook@...omium.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: Printk specifiers for __user pointers

On Fri 2020-11-20 13:42:42, Steven Rostedt wrote:
> On Fri, 20 Nov 2020 11:44:12 -0500
> Alan Stern <stern@...land.harvard.edu> wrote:
> 
> > To the VSPRINTF maintainers:
> > 
> > Documentation/core-api/printk-formats.rst lists a large number of format 
> > specifiers for pointers of various sorts.  Yet as far as I can see, 
> > there is no specifier meant for use with __user pointers.
> > 
> > The security implications of printing the true, unmangled value of a 
> > __user pointer are minimal, since doing so does not leak any kernel 
> > information.  So %px would work, but tools like checkpatch.pl don't like 
> > it.

Just to be sure, as I am not a security expert: is there really that
big a difference in the risk? The following scenarios come to my mind:

1. The address would show a well defined location in the userspace
   application? Could it be used to attack the application?

2. The address shows a location that is being accessed by the kernel.
   Could it not be used to pass a value that might be used to attack
   the kernel?


> > Should a new specifier be added?  If not, should we simply use %px?
> 
> There's currently no user of '%pu' (although there is a '%pus'). Perhaps we
> should have a '%pux'?
> 
> I would even state that if it is used, it makes sure that the value is
> indeed a user space pointer (goes through the same checks as accessing user
> space), before it's printed, otherwise it shows "(fault)" or something.

I have mixed feelings about this.

On the one hand, it might make sense to mark locations where a userspace
address is printed. We could easily decide how to print them (hash or
value) and we could check that it is really a userspace one.

But I have a few concerns:

1. The existing "%pus" has a kind of opposite meaning. It says which
   address space should be used when the kernel and userspace address
   spaces overlap.

2. There is the history with "%pk". It did not work because people did
   not use it.

3. I am not sure about the output when the address is not from
   userspace. Printing "(fault)" is not very helpful. Printing a
   hashed value might be confusing. Well, I am still not sure
   that it is really safe to print real userspace addresses
   by default.

Best Regards,
Petr
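The three output policies discussed in the thread (hashed as with %p, raw as with %px, and "(fault)" for a value outside the user range) side by side, as a userspace mock added here; this is not kernel code and not from any participant. USER_PTR_MAX, mock_ptr_hash and format_user_ptr are constructed for the example, and the hash is a toy mixer standing in for the kernel's keyed pointer hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed user-space ceiling, standing in for the kernel's TASK_SIZE_MAX on
 * x86-64 (constructed constant for this mock, not taken from kernel headers). */
#define USER_PTR_MAX 0x00007fffffffffffULL

enum user_ptr_policy {
    USER_PTR_HASHED,  /* %p-style: stable keyed hash, real value hidden */
    USER_PTR_RAW      /* %px-style: true address printed */
};

/* Toy stand-in for the kernel's keyed pointer hash (the kernel uses siphash
 * with a key generated at boot). Only two properties matter here: the same
 * input and key always give the same output, and the output does not
 * reveal the input. */
static uint64_t mock_ptr_hash(uint64_t p, uint64_t key)
{
    uint64_t x = p ^ key;
    x ^= x >> 31; x *= 0x7fb5d329728ea185ULL;
    x ^= x >> 27; x *= 0x81dadef4bc2dd44dULL;
    x ^= x >> 33;
    return x;
}

/* Format a value intended to be a __user pointer. Mirrors the behaviour
 * suggested in the thread: anything outside the user range is rejected and
 * rendered as "(fault)" instead of being printed under either policy.
 * Returns the number of characters produced (snprintf semantics). */
int format_user_ptr(char *buf, size_t n, uint64_t p,
                    enum user_ptr_policy policy, uint64_t key)
{
    if (p > USER_PTR_MAX)
        return snprintf(buf, n, "(fault)");
    if (policy == USER_PTR_RAW)
        return snprintf(buf, n, "%016llx", (unsigned long long)p);
    return snprintf(buf, n, "%016llx",
                    (unsigned long long)mock_ptr_hash(p, key));
}

int main(void)
{
    char out[32];
    uint64_t key = 0x0123456789abcdefULL;       /* constructed per-boot key */
    uint64_t user_ptr = 0x00007f3a1c2d4000ULL;  /* constructed user address */
    uint64_t kern_ptr = 0xffff888012345678ULL;  /* constructed kernel address */

    format_user_ptr(out, sizeof out, user_ptr, USER_PTR_RAW, key);
    printf("raw    : %s\n", out);
    format_user_ptr(out, sizeof out, user_ptr, USER_PTR_HASHED, key);
    printf("hashed : %s\n", out);
    format_user_ptr(out, sizeof out, kern_ptr, USER_PTR_RAW, key);
    printf("kernel : %s\n", out);
    return 0;
}
```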
