lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Sep 2021 18:01:51 -0700 From: Kees Cook <keescook@...omium.org> To: Helge Deller <deller@....de> Cc: kernel test robot <oliver.sang@...el.com>, 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org, Alexey Dobriyan <adobriyan@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, linux-fsdevel@...r.kernel.org, linux-hardening@...r.kernel.org, Jann Horn <jannh@...gle.com>, Qi Zheng <zhengqi.arch@...edance.com>, Vito Caputo <vcaputo@...garu.com>, Josh Poimboeuf <jpoimboe@...hat.com>, stable@...r.kernel.org Subject: /proc/$pid/chan kernel address exposures (was Re: [proc/wchan] 30a3a19273: leaking-addresses.proc.wchan./proc/bus/input/devices:B:KEY=1000000000007ff980000000007fffebeffdfffeffffffffffffffffffffe) On Sun, Jan 03, 2021 at 07:25:36PM +0100, Helge Deller wrote: > On 1/3/21 3:27 PM, kernel test robot wrote: > > FYI, we noticed the following commit (built with gcc-9): > > > > commit: 30a3a192730a997bc4afff5765254175b6fb64f3 ("[PATCH] proc/wchan: Use printk format instead of lookup_symbol_name()") > > url: https://github.com/0day-ci/linux/commits/Helge-Deller/proc-wchan-Use-printk-format-instead-of-lookup_symbol_name/20201218-010048 > > base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 09162bc32c880a791c6c0668ce0745cf7958f576 > > > > in testcase: leaking-addresses > > version: leaking-addresses-x86_64-4f19048-1_20201111 > > [...] > > caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace): > > I don't see anything wrong with the wchan patch (30a3a192730a997bc4afff5765254175b6fb64f3), > or that it could have leaked anything. > > Maybe the kernel test robot picked up the wchan patch by mistake ? > > > [...] > > [2 wchan] 0xffffc9000000003c ^^^^^ As the root cause of a kernel address exposure, Jann pointed out[2] commit 152c432b128c, which I've tracked to here, only to discover this regression was, indeed, reported. :( So, we have a few things: 1) wchan has been reporting "0" in the default x86 config (ORC unwinder) for 4 years now. 2) non-x86 or non-ORC, wchan has been leaking raw kernel addresses since commit 152c432b128c (v5.12). 3) the output of scripts/leaking_addresses.pl is hard to read. :) We can fix 1 and 2 with: https://lore.kernel.org/lkml/20210923233105.4045080-1-keescook@chromium.org/ (though that will need a Cc: stable now...) If we don't do that, we still need to revert 152c432b128c in v5.12 and later. We should likely make leaking_addresses.pl a little more readable while we're at it. -Kees [1] https://lore.kernel.org/lkml/20210921193249.el476vlhg5k6lfcq@shells.gnugeneration.com/ [2] https://lore.kernel.org/lkml/CAG48ez2zC=+PuNgezH53HBPZ8CXU5H=vkWx7nJs60G8RXt3w0Q@mail.gmail.com/ -- Kees Cook
Powered by blists - more mailing lists