lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20210929112446.1115555-1-qtxuning1999@sjtu.edu.cn>
Date:   Wed, 29 Sep 2021 19:24:45 +0800
From:   Guo Zhi <qtxuning1999@...u.edu.cn>
To:     Kees Cook <keescook@...omium.org>, Arnd Bergmann <arnd@...db.de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Guo Zhi <qtxuning1999@...u.edu.cn>, linux-kernel@...r.kernel.org
Subject: [PATCH] dirvers/lkdtm: Fix kernel pointer leak

Pointers should be printed with %p rather than %px
which printed kernel pointer directly.
Change %px to %p to print the secured pointer.

Signed-off-by: Guo Zhi <qtxuning1999@...u.edu.cn>
---
 drivers/misc/lkdtm/perms.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 2dede2ef658f..ceff8668877a 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
 {
 	void (*func)(void) = dst;
 
-	pr_info("attempting ok execution at %px\n", do_nothing);
+	pr_info("attempting ok execution at %p\n", do_nothing);
 	do_nothing();
 
 	if (write == CODE_WRITE) {
@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
 		flush_icache_range((unsigned long)dst,
 				   (unsigned long)dst + EXEC_SIZE);
 	}
-	pr_info("attempting bad execution at %px\n", func);
+	pr_info("attempting bad execution at %p\n", func);
 	func();
 	pr_err("FAIL: func returned\n");
 }
@@ -67,14 +67,14 @@ static void execute_user_location(void *dst)
 	/* Intentionally crossing kernel/user memory boundary. */
 	void (*func)(void) = dst;
 
-	pr_info("attempting ok execution at %px\n", do_nothing);
+	pr_info("attempting ok execution at %p\n", do_nothing);
 	do_nothing();
 
 	copied = access_process_vm(current, (unsigned long)dst, do_nothing,
 				   EXEC_SIZE, FOLL_WRITE);
 	if (copied < EXEC_SIZE)
 		return;
-	pr_info("attempting bad execution at %px\n", func);
+	pr_info("attempting bad execution at %p\n", func);
 	func();
 	pr_err("FAIL: func returned\n");
 }
@@ -84,7 +84,7 @@ void lkdtm_WRITE_RO(void)
 	/* Explicitly cast away "const" for the test and make volatile. */
 	volatile unsigned long *ptr = (unsigned long *)&rodata;
 
-	pr_info("attempting bad rodata write at %px\n", ptr);
+	pr_info("attempting bad rodata write at %p\n", ptr);
 	*ptr ^= 0xabcd1234;
 	pr_err("FAIL: survived bad write\n");
 }
@@ -103,7 +103,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
 		return;
 	}
 
-	pr_info("attempting bad ro_after_init write at %px\n", ptr);
+	pr_info("attempting bad ro_after_init write at %p\n", ptr);
 	*ptr ^= 0xabcd1234;
 	pr_err("FAIL: survived bad write\n");
 }
@@ -116,7 +116,7 @@ void lkdtm_WRITE_KERN(void)
 	size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
 	ptr = (unsigned char *)do_overwritten;
 
-	pr_info("attempting bad %zu byte write at %px\n", size, ptr);
+	pr_info("attempting bad %zu byte write at %p\n", size, ptr);
 	memcpy((void *)ptr, (unsigned char *)do_nothing, size);
 	flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
 	pr_err("FAIL: survived bad write\n");
@@ -195,12 +195,12 @@ void lkdtm_ACCESS_USERSPACE(void)
 
 	ptr = (unsigned long *)user_addr;
 
-	pr_info("attempting bad read at %px\n", ptr);
+	pr_info("attempting bad read at %p\n", ptr);
 	tmp = *ptr;
 	tmp += 0xc0dec0de;
 	pr_err("FAIL: survived bad read\n");
 
-	pr_info("attempting bad write at %px\n", ptr);
+	pr_info("attempting bad write at %p\n", ptr);
 	*ptr = tmp;
 	pr_err("FAIL: survived bad write\n");
 
@@ -212,12 +212,12 @@ void lkdtm_ACCESS_NULL(void)
 	unsigned long tmp;
 	volatile unsigned long *ptr = (unsigned long *)NULL;
 
-	pr_info("attempting bad read at %px\n", ptr);
+	pr_info("attempting bad read at %p\n", ptr);
 	tmp = *ptr;
 	tmp += 0xc0dec0de;
 	pr_err("FAIL: survived bad read\n");
 
-	pr_info("attempting bad write at %px\n", ptr);
+	pr_info("attempting bad write at %p\n", ptr);
 	*ptr = tmp;
 	pr_err("FAIL: survived bad write\n");
 }
-- 
2.33.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ