Message-ID: <202507301603.62E553F93@keescook>
Date: Wed, 30 Jul 2025 16:07:59 -0700
From: Kees Cook <kees@...nel.org>
To: Jeff Layton <jlayton@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>,
Jani Nikula <jani.nikula@...ux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@...el.com>,
Tvrtko Ursulin <tursulin@...ulin.net>,
Krzysztof Karas <krzysztof.karas@...el.com>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
Qasim Ijaz <qasdev00@...il.com>,
Nathan Chancellor <nathan@...nel.org>, Andrew Lunn <andrew@...n.ch>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
dri-devel@...ts.freedesktop.org, intel-gfx@...ts.freedesktop.org
Subject: Re: [PATCH v15 6/9] ref_tracker: automatically register a file in
debugfs for a ref_tracker_dir

On Wed, Jun 18, 2025 at 10:24:19AM -0400, Jeff Layton wrote:
> [...]
> The file is given the name "class@%px", as having the unmodified address
> is helpful for debugging. This should be safe since this directory is only
> accessible by root
> [...]
> +void ref_tracker_dir_debugfs(struct ref_tracker_dir *dir)
> +{
> + char name[NAME_MAX + 1];
> + struct dentry *dentry;
> + int ret;
> +
> + /* No-op if already created */
> + dentry = xa_load(&debugfs_dentries, (unsigned long)dir);
> + if (dentry && !xa_is_err(dentry))
> + return;
> +
> + ret = snprintf(name, sizeof(name), "%s@%px", dir->class, dir);
> + name[sizeof(name) - 1] = '\0';
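
Review bot: nothing in the quoted lines checks `ret` from the snprintf() call against `sizeof(name)`, so a truncated name would go unnoticed, and the explicit `name[sizeof(name) - 1] = '\0';` that follows is redundant because snprintf() always NUL-terminates within the size it is given. Compare `ret` with `sizeof(name)` and drop the manual termination. The same format string, `"%s@%px"`, also places the raw value of `dir` in the file name, so the name should be built from `%p` or from an identifier that is not an address.
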
Yikes! Never use %px, and especially don't use it for a stable
identifier nor expose it to userspace like this. If you absolutely must,
use %p, but never %px. This is a kernel address leak:
https://docs.kernel.org/process/deprecated.html#p-format-specifier

"helpful for debugging" is not a sufficiently good reason; and "only
accessible by root" has nothing to do with kernel address integrity.
Those kinds of things are (roughly) managed by various capabilities,
not DAC uid==0.
--
Kees Cook
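
A check that could be run over a patch before it is posted, added here as an example and not part of the original message or the kernel tree: it reports added lines whose string literals contain `%px`, in plain or mail-quoted diffs. The function name `find_px`, the sample patch and its path `lib/example.c` are constructed for illustration.

```python
import re

HUNK = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')
C_STRING = re.compile(r'"(?:\\.|[^"\\])*"')        # C string literal
PX_SPEC = re.compile(r'(?<!%)(?:%%)*%-?\d*px')     # %px, but not the literal "%%px"
QUOTE = re.compile(r'^(?:> ?)+')                   # mail reply quoting

def find_px(patch_text):
    """Return (file, new_line, code) for added lines with %px in a string literal."""
    findings, path, lineno = [], None, None
    for raw in patch_text.splitlines():
        line = QUOTE.sub('', raw)
        if line.startswith('+++ '):
            path = line[4:].split('\t')[0]
            path = path[2:] if path.startswith('b/') else path
            lineno = None                 # wait for the next hunk header
            continue
        m = HUNK.match(line)
        if m:
            lineno = int(m.group(1))      # first line number in the new file
            continue
        if lineno is None or line.startswith(('-', '\\')):
            continue                      # outside a hunk, removed line, or "\ No newline"
        if line.startswith('+'):
            code = line[1:]
            if any(PX_SPEC.search(s) for s in C_STRING.findall(code)):
                findings.append((path, lineno, code.strip()))
        lineno += 1                       # added and context lines advance numbering
    return findings

# Constructed sample: a quoted patch against a hypothetical file.
SAMPLE = r'''
> --- a/lib/example.c
> +++ b/lib/example.c
> @@ -10,2 +10,5 @@ void example(struct obj *o)
>      char name[64];
> +    /* %px in a comment is not a format string */
> +    snprintf(name, sizeof(name), "%s@%px", o->class, o);
> +    pr_debug("width 100%%px, obj %p\n", o);
>      return;
'''

if __name__ == "__main__":
    for path, lineno, code in find_px(SAMPLE):
        print(f"{path}:{lineno}: %px exposes an unhashed kernel address: {code}")
```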