From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>,
David Miller <davem@davemloft.net>,
socketcan@hartkopp.net, kuznet@ms2.inr.ac.ru,
urs.thuermann@volkswagen.de, yoshfuji@linux-ipv6.org,
kaber@trash.net, jmorris@namei.org,
remi.denis-courmont@nokia.com, pekkas@netcore.fi, sri@us.ibm.com,
vladislav.yasevich@hp.com, tj@kernel.org, lizf@cn.fujitsu.com,
joe@perches.com, hadi@mojatatu.com, ebiederm@xmission.com,
adobriyan@gmail.com, jpirko@redhat.com, johannes.berg@intel.com,
daniel.lezcano@free.fr, xemul@openvz.org,
socketcan-core@lists.berlios.de, netdev@vger.kernel.org,
linux-sctp@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [PATCH 4/10] Fix leaking of kernel heap addresses in net/
Date: Fri, 12 Nov 2010 16:33:15 +0000 [thread overview]
Message-ID: <20101112083315.096dfaa3@nehalam> (raw)
In-Reply-To: <1289546610.17691.1770.camel@edumazet-laptop>
On Fri, 12 Nov 2010 08:23:30 +0100
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le jeudi 11 novembre 2010 à 21:34 -0500, Dan Rosenberg a écrit :
> > > I want whatever you replace it with to be equivalent for
> > > object tracking purposes.
> >
> > In nearly all of the cases I fixed, the socket inode is already
> > provided, which serves as a perfectly good unique identifier. Would you
> > prefer I include that information twice?
>
> Oh well. Please read this answer carefuly.
>
> Some facts to feed your next patch. I am very pleased you changed your
> mind and that we keep useful information in kernel log.
>
> 1) Inode numbers are not guaranteed to be unique. Its a 32bit seq
> number, and we dont check another socket inode use the same inode number
> (after 2^32 allocations it can happens)
>
> 2) /proc/net/ files can deliver same "line" of information several
> times, because of their implementation.
>
> 3) Because of SLAB_DESTROY_BY_RCU, same 'kernel socket pointer' can be
> seen several times in /proc/net/tcp & /proc/net/udp, but really on
> different "sockets"
>
> 4) Some good applications use both the socket pointer and inode number
> (tuple) to filter out the [2] problem. Dont break them, please ?
> Anything that might break an application must be at the very least
> tunable.
>
> In my opinion, a good thing would be :
>
> - Use a special printf() format , aka "secure pointer", as Thomas
> suggested.
>
> - Make sure you print different opaque values for two different kernel
> pointers. This is mandatory.
>
> - Make sure the NULL pointer stay as a NULL pointer to not let the
> hostile user know your secret, and to ease debugging stuff.
>
> - Have security experts advice to chose a nice crypto function, maybe
> jenkin hash. Not too slow would be nice.
>
>
> static unsigned long securize_kpointers_rnd;
>
> At boot time, stick a random value in this variable.
> (Maybe make sure the 5 low order bits are 0)
>
> unsigned long opacify_kptr(unsigned long ptr)
> {
> if (ptr = 0)
> return ptr;
> if (capable(CAP_NET_ADMIN))
> return ptr;
>
> return some_crypto_hash(ptr, &securize_kpointers_rnd);
> }
>
> At least, use a central point, so that we can easily add/change the
> logic if needed.
>
> Please provide this patch in kernel/printk.c for initial review, then
> once everybody is OK, you can send one patch for net tree.
>
> No need to send 10 patches if we dont agree on the general principle.
Also, the whole idea needs to be under a config option, so only
the paranoid idiots turn it on.
--
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>,
David Miller <davem@davemloft.net>,
socketcan@hartkopp.net, kuznet@ms2.inr.ac.ru,
urs.thuermann@volkswagen.de, yoshfuji@linux-ipv6.org,
kaber@trash.net, jmorris@namei.org,
remi.denis-courmont@nokia.com, pekkas@netcore.fi, sri@us.ibm.com,
vladislav.yasevich@hp.com, tj@kernel.org, lizf@cn.fujitsu.com,
joe@perches.com, hadi@mojatatu.com, ebiederm@xmission.com,
adobriyan@gmail.com, jpirko@redhat.com, johannes.berg@intel.com,
daniel.lezcano@free.fr, xemul@openvz.org,
socketcan-core@lists.berlios.de, netdev@vger.kernel.org,
linux-sctp@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: [PATCH 4/10] Fix leaking of kernel heap addresses in net/
Date: Fri, 12 Nov 2010 08:33:15 -0800 [thread overview]
Message-ID: <20101112083315.096dfaa3@nehalam> (raw)
In-Reply-To: <1289546610.17691.1770.camel@edumazet-laptop>
On Fri, 12 Nov 2010 08:23:30 +0100
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le jeudi 11 novembre 2010 à 21:34 -0500, Dan Rosenberg a écrit :
> > > I want whatever you replace it with to be equivalent for
> > > object tracking purposes.
> >
> > In nearly all of the cases I fixed, the socket inode is already
> > provided, which serves as a perfectly good unique identifier. Would you
> > prefer I include that information twice?
>
> Oh well. Please read this answer carefuly.
>
> Some facts to feed your next patch. I am very pleased you changed your
> mind and that we keep useful information in kernel log.
>
> 1) Inode numbers are not guaranteed to be unique. Its a 32bit seq
> number, and we dont check another socket inode use the same inode number
> (after 2^32 allocations it can happens)
>
> 2) /proc/net/ files can deliver same "line" of information several
> times, because of their implementation.
>
> 3) Because of SLAB_DESTROY_BY_RCU, same 'kernel socket pointer' can be
> seen several times in /proc/net/tcp & /proc/net/udp, but really on
> different "sockets"
>
> 4) Some good applications use both the socket pointer and inode number
> (tuple) to filter out the [2] problem. Dont break them, please ?
> Anything that might break an application must be at the very least
> tunable.
>
> In my opinion, a good thing would be :
>
> - Use a special printf() format , aka "secure pointer", as Thomas
> suggested.
>
> - Make sure you print different opaque values for two different kernel
> pointers. This is mandatory.
>
> - Make sure the NULL pointer stay as a NULL pointer to not let the
> hostile user know your secret, and to ease debugging stuff.
>
> - Have security experts advice to chose a nice crypto function, maybe
> jenkin hash. Not too slow would be nice.
>
>
> static unsigned long securize_kpointers_rnd;
>
> At boot time, stick a random value in this variable.
> (Maybe make sure the 5 low order bits are 0)
>
> unsigned long opacify_kptr(unsigned long ptr)
> {
> if (ptr == 0)
> return ptr;
> if (capable(CAP_NET_ADMIN))
> return ptr;
>
> return some_crypto_hash(ptr, &securize_kpointers_rnd);
> }
>
> At least, use a central point, so that we can easily add/change the
> logic if needed.
>
> Please provide this patch in kernel/printk.c for initial review, then
> once everybody is OK, you can send one patch for net tree.
>
> No need to send 10 patches if we dont agree on the general principle.
Also, the whole idea needs to be under a config option, so only
the paranoid idiots turn it on.
--
next prev parent reply other threads:[~2010-11-12 16:33 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-12 1:07 [PATCH 4/10] Fix leaking of kernel heap addresses in net/ Dan Rosenberg
2010-11-12 1:07 ` Dan Rosenberg
2010-11-12 1:10 ` David Miller
2010-11-12 1:10 ` David Miller
2010-11-12 1:20 ` Dan Rosenberg
2010-11-12 1:20 ` Dan Rosenberg
2010-11-12 2:02 ` David Miller
2010-11-12 2:02 ` David Miller
2010-11-12 2:15 ` Dan Rosenberg
2010-11-12 2:15 ` Dan Rosenberg
[not found] ` <2129857903-1289528127-cardhu_decombobulator_blackberry.rim.net-1506931048--JnVBb1XAImjjL2gL5RxOEzYg3SYOavFBmZ6FRVpaDsI@public.gmane.org>
2010-11-12 2:29 ` David Miller
2010-11-12 2:29 ` David Miller
2010-11-12 2:34 ` Dan Rosenberg
2010-11-12 2:34 ` Dan Rosenberg
2010-11-12 2:49 ` David Miller
2010-11-12 2:49 ` David Miller
2010-11-12 2:51 ` Dan Rosenberg
2010-11-12 2:51 ` Dan Rosenberg
2010-11-12 2:59 ` David Miller
2010-11-12 2:59 ` David Miller
2010-11-12 7:23 ` Eric Dumazet
2010-11-12 7:23 ` Eric Dumazet
2010-11-12 12:37 ` Dan Rosenberg
2010-11-12 12:37 ` Dan Rosenberg
2010-11-12 16:33 ` Stephen Hemminger [this message]
2010-11-12 16:33 ` Stephen Hemminger
2010-11-12 17:24 ` Dan Rosenberg
2010-11-12 17:24 ` Dan Rosenberg
2010-11-12 18:33 ` Stephen Hemminger
2010-11-12 18:33 ` Stephen Hemminger
2010-11-12 20:18 ` Alexey Dobriyan
2010-11-12 20:37 ` David Miller
2010-11-12 22:40 ` Alexey Dobriyan
2010-11-12 22:46 ` David Miller
[not found] <1289673008.3090.350.camel@Dan>
2010-11-13 18:42 ` Dan Rosenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101112083315.096dfaa3@nehalam \
--to=shemminger@vyatta.com \
--cc=adobriyan@gmail.com \
--cc=daniel.lezcano@free.fr \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=ebiederm@xmission.com \
--cc=eric.dumazet@gmail.com \
--cc=hadi@mojatatu.com \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=johannes.berg@intel.com \
--cc=jpirko@redhat.com \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-sctp@vger.kernel.org \
--cc=lizf@cn.fujitsu.com \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=remi.denis-courmont@nokia.com \
--cc=socketcan-core@lists.berlios.de \
--cc=socketcan@hartkopp.net \
--cc=sri@us.ibm.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=urs.thuermann@volkswagen.de \
--cc=vladislav.yasevich@hp.com \
--cc=xemul@openvz.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.