From: "Tobin C. Harding" <me@tobin.cc>
To: Jonathan Corbet <corbet@lwn.net>
Cc: "Tobin C. Harding" <me@tobin.cc>,
Randy Dunlap <rdunlap@infradead.org>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Kees Cook <keescook@chromium.org>,
Alexander Popov <alex.popov@linux.com>,
Joe Perches <joe@perches.com>,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] [PATCH v4 3/3] doc: add documentation on printing kernel addresses
Date: Wed, 20 Dec 2017 08:17:17 +1100
Message-ID: <1513718237-24140-4-git-send-email-me@tobin.cc>
In-Reply-To: <1513718237-24140-1-git-send-email-me@tobin.cc>
Hashing addresses printed with printk specifier %p was implemented
recently. During development a number of issues were raised regarding
leaking kernel addresses to userspace. Other documentation was updated but
security/self-protection missed out.

Add self-protection documentation regarding printing kernel addresses.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
Documentation/security/self-protection.rst | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
index 60c8bd8b77bf..0f53826c78b9 100644
--- a/Documentation/security/self-protection.rst
+++ b/Documentation/security/self-protection.rst
@@ -270,6 +270,21 @@ attacks, it is important to defend against exposure of both kernel memory
addresses and kernel memory contents (since they may contain kernel
addresses or other sensitive things like canary values).
+Kernel addresses
+----------------
+
+Printing kernel addresses to userspace leaks sensitive information about
+the kernel memory layout. Care should be exercised when using any printk
+specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
+in certain circumstances [*]). Any file written to using one of these
+specifiers should be readable only by privileged processes.
+
+Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
+addresses printed with the specifier %p are hashed before printing.
+
+[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
+printed. If KALLSYMS is not enabled the raw address is printed.
+
Unique identifiers
------------------
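Review bot: the specifier list in the new first paragraph has a stray comma before the parenthetical, "currently %px, %p[ad], (and %p[sSb]"; dropping it gives "currently %px, %p[ad] (and %p[sSb] in certain circumstances [*])". Since the section is about exposure to userspace, "Any file written to using one of these specifiers" would also read better if it said which kinds of files are meant (the userspace-visible ones the kernel itself populates), and the footnote's two sentences can be folded into one: "The raw address is also printed if KALLSYMS is not enabled, or if it is enabled but symbol lookup fails."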
--
2.7.4