From: Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
To: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Cc: Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
"Tobin C. Harding" <me-xzjC0nNlxno@public.gmane.org>,
Matt Fleming
<matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [GIT PULL] hash addresses printed with %p
Date: Fri, 1 Dec 2017 15:34:44 +0000 [thread overview]
Message-ID: <20171201153444.GA17867@kroah.com> (raw)
In-Reply-To: <CAKv+Gu-YyuE-Hs4MVPWfS8Exx0S6qo5sgV2VdO0MP5wEXSrM1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Fri, Dec 01, 2017 at 09:54:43AM +0000, Ard Biesheuvel wrote:
> On 1 December 2017 at 09:48, Greg Kroah-Hartman
> <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org> wrote:
> > On Thu, Nov 30, 2017 at 05:18:42PM +0000, Ard Biesheuvel wrote:
> >> On 30 November 2017 at 17:10, Greg Kroah-Hartman
> >> <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org> wrote:
> >> > On Thu, Nov 30, 2017 at 04:32:35PM +0000, Greg Kroah-Hartman wrote:
> >> >> On Wed, Nov 29, 2017 at 01:36:25PM -0800, Linus Torvalds wrote:
> >> >> > On Wed, Nov 29, 2017 at 1:14 PM, Linus Torvalds
> >> >> > <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> wrote:
> >> >> > >
> >> >> > > Not because %pK itself changed, but because the semantics of %p did.
> >> >> > > The baseline moved, and the "safe" version did not.
> >> >> >
> >> >> > Btw, that baseline for me is now that I can do
> >> >> >
> >> >> > ./scripts/leaking_addresses.pl | wc -l
> >> >> > 18
> >> >> >
> >> >> > and of those 18 hits, six are false positives (looks like bitmaps in
> >> >> > the uevent keys).
> >> >> >
> >> >> > The remaining 12 are from the EFI runtime map files
> >> >> > (/sys/firmware/efi/runtime-map/*). They should presumably not be
> >> >> > world-readable, but sadly the kset_create_and_add() helper seems to do
> >> >> > that by default.
> >> >> >
> >> >> > I think the sysfs code makes it insanely too easy to make things
> >> >> > world-readable. You try to be careful, and mark things read-only etc,
> >> >> > but __ATTR_RO() jkust means S_IRUGO, which means world-readable.
> >> >> >
> >> >> > There seems to be no convenient model for kobjects having better
> >> >> > permissions. Greg?
> >> >>
> >> >> They can just use __ATTR() which lets you set the exact mode settings
> >> >> that are wanted.
> >> >>
> >> >> Something like the patch below, which breaks the build as the
> >> >> map_attributes are "odd", but you get the idea. The EFI developers can
> >> >> fix this up properly :)
> >> >>
> >> >> Note, this only accounts for 5 attributes, what is the whole list?
> >> >
> >> > Ah, it's the virt_addr file 12 times, I just ran it on my laptop:
> >> >
> >> > /sys/firmware/efi/runtime-map/7/virt_addr: 0xfffffffeea6ea000
> >> > /sys/firmware/efi/runtime-map/5/virt_addr: 0xfffffffeee88b000
> >> > /sys/firmware/efi/runtime-map/3/virt_addr: 0xfffffffefea00000
> >> > /sys/firmware/efi/runtime-map/11/virt_addr: 0xfffffffed9c00000
> >> > /sys/firmware/efi/runtime-map/1/virt_addr: 0xfffffffefee00000
> >> > /sys/firmware/efi/runtime-map/8/virt_addr: 0xfffffffedba4e000
> >> > /sys/firmware/efi/runtime-map/6/virt_addr: 0xfffffffeee2de000
> >> > /sys/firmware/efi/runtime-map/4/virt_addr: 0xfffffffeeea00000
> >> > /sys/firmware/efi/runtime-map/2/virt_addr: 0xfffffffefec00000
> >> > /sys/firmware/efi/runtime-map/10/virt_addr: 0xfffffffed9c60000
> >> > /sys/firmware/efi/runtime-map/0/virt_addr: 0xfffffffeff000000
> >> > /sys/firmware/efi/runtime-map/9/virt_addr: 0xfffffffedb9c9000
> >> >
> >> > So changing it to use __ATTR() should fix this remaning leakage up.
> >> > That is if we even really need to export these values at all. What does
> >> > userspace do with them? Shouldn't they just be in debugfs instead?
> >> >
> >>
> >> These are the virtual mappings UEFI firmware regions, which must
> >> remain in the same place across kexec reboots. So kexec tooling
> >> consumes this information and passes it on to the incoming kernel in
> >> some way.
> >>
> >> Note that these are not kernel addresses, so while I agree they should
> >> not be world readable, they won't give you any clue as to where the
> >> kernel itself is mapped.
> >>
> >> So the recommendation is to switch to __ATTR( ... 0400 ... ) instead?
> >> If so, I'll code up a patch.
> >
> > If these pointers are not "real", I recommend just leaving them as-is.
>
> That's not what I said :-)
>
> These are real pointers, and stuff will actually be mapped there
> (although I am not intimately familiar with the way x86 does this, but
> on ARM [which does not have these sysfs nodes in the first place],
> these mappings are only live during the time a UEFI runtime service
> call is in progress, and IIRC, work was underway to do the same for
> x86). So while these values don't correlate with the placement of
> kernel data structures, they could still be useful for an attacker to
> figure out where exploitable firmware memory regions are located,
> especially given that some of these may be mapped RWX.
Ah, ok, then yes, make that file readable from root only.
And isn't there a specific %p modifier you should use for a kernel
pointer. I've lost the thread here for what should, or should not, be
done for kernel pointers these days based on the long email discussion.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Tobin C. Harding" <me@tobin.cc>,
Matt Fleming <matt@codeblueprint.co.uk>,
LKML <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>
Subject: Re: [GIT PULL] hash addresses printed with %p
Date: Fri, 1 Dec 2017 15:34:44 +0000 [thread overview]
Message-ID: <20171201153444.GA17867@kroah.com> (raw)
In-Reply-To: <CAKv+Gu-YyuE-Hs4MVPWfS8Exx0S6qo5sgV2VdO0MP5wEXSrM1Q@mail.gmail.com>
On Fri, Dec 01, 2017 at 09:54:43AM +0000, Ard Biesheuvel wrote:
> On 1 December 2017 at 09:48, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > On Thu, Nov 30, 2017 at 05:18:42PM +0000, Ard Biesheuvel wrote:
> >> On 30 November 2017 at 17:10, Greg Kroah-Hartman
> >> <gregkh@linuxfoundation.org> wrote:
> >> > On Thu, Nov 30, 2017 at 04:32:35PM +0000, Greg Kroah-Hartman wrote:
> >> >> On Wed, Nov 29, 2017 at 01:36:25PM -0800, Linus Torvalds wrote:
> >> >> > On Wed, Nov 29, 2017 at 1:14 PM, Linus Torvalds
> >> >> > <torvalds@linux-foundation.org> wrote:
> >> >> > >
> >> >> > > Not because %pK itself changed, but because the semantics of %p did.
> >> >> > > The baseline moved, and the "safe" version did not.
> >> >> >
> >> >> > Btw, that baseline for me is now that I can do
> >> >> >
> >> >> > ./scripts/leaking_addresses.pl | wc -l
> >> >> > 18
> >> >> >
> >> >> > and of those 18 hits, six are false positives (looks like bitmaps in
> >> >> > the uevent keys).
> >> >> >
> >> >> > The remaining 12 are from the EFI runtime map files
> >> >> > (/sys/firmware/efi/runtime-map/*). They should presumably not be
> >> >> > world-readable, but sadly the kset_create_and_add() helper seems to do
> >> >> > that by default.
> >> >> >
> >> >> > I think the sysfs code makes it insanely too easy to make things
> >> >> > world-readable. You try to be careful, and mark things read-only etc,
> >> >> > but __ATTR_RO() jkust means S_IRUGO, which means world-readable.
> >> >> >
> >> >> > There seems to be no convenient model for kobjects having better
> >> >> > permissions. Greg?
> >> >>
> >> >> They can just use __ATTR() which lets you set the exact mode settings
> >> >> that are wanted.
> >> >>
> >> >> Something like the patch below, which breaks the build as the
> >> >> map_attributes are "odd", but you get the idea. The EFI developers can
> >> >> fix this up properly :)
> >> >>
> >> >> Note, this only accounts for 5 attributes, what is the whole list?
> >> >
> >> > Ah, it's the virt_addr file 12 times, I just ran it on my laptop:
> >> >
> >> > /sys/firmware/efi/runtime-map/7/virt_addr: 0xfffffffeea6ea000
> >> > /sys/firmware/efi/runtime-map/5/virt_addr: 0xfffffffeee88b000
> >> > /sys/firmware/efi/runtime-map/3/virt_addr: 0xfffffffefea00000
> >> > /sys/firmware/efi/runtime-map/11/virt_addr: 0xfffffffed9c00000
> >> > /sys/firmware/efi/runtime-map/1/virt_addr: 0xfffffffefee00000
> >> > /sys/firmware/efi/runtime-map/8/virt_addr: 0xfffffffedba4e000
> >> > /sys/firmware/efi/runtime-map/6/virt_addr: 0xfffffffeee2de000
> >> > /sys/firmware/efi/runtime-map/4/virt_addr: 0xfffffffeeea00000
> >> > /sys/firmware/efi/runtime-map/2/virt_addr: 0xfffffffefec00000
> >> > /sys/firmware/efi/runtime-map/10/virt_addr: 0xfffffffed9c60000
> >> > /sys/firmware/efi/runtime-map/0/virt_addr: 0xfffffffeff000000
> >> > /sys/firmware/efi/runtime-map/9/virt_addr: 0xfffffffedb9c9000
> >> >
> >> > So changing it to use __ATTR() should fix this remaning leakage up.
> >> > That is if we even really need to export these values at all. What does
> >> > userspace do with them? Shouldn't they just be in debugfs instead?
> >> >
> >>
> >> These are the virtual mappings UEFI firmware regions, which must
> >> remain in the same place across kexec reboots. So kexec tooling
> >> consumes this information and passes it on to the incoming kernel in
> >> some way.
> >>
> >> Note that these are not kernel addresses, so while I agree they should
> >> not be world readable, they won't give you any clue as to where the
> >> kernel itself is mapped.
> >>
> >> So the recommendation is to switch to __ATTR( ... 0400 ... ) instead?
> >> If so, I'll code up a patch.
> >
> > If these pointers are not "real", I recommend just leaving them as-is.
>
> That's not what I said :-)
>
> These are real pointers, and stuff will actually be mapped there
> (although I am not intimately familiar with the way x86 does this, but
> on ARM [which does not have these sysfs nodes in the first place],
> these mappings are only live during the time a UEFI runtime service
> call is in progress, and IIRC, work was underway to do the same for
> x86). So while these values don't correlate with the placement of
> kernel data structures, they could still be useful for an attacker to
> figure out where exploitable firmware memory regions are located,
> especially given that some of these may be mapped RWX.
Ah, ok, then yes, make that file readable from root only.
And isn't there a specific %p modifier you should use for a kernel
pointer. I've lost the thread here for what should, or should not, be
done for kernel pointers these days based on the long email discussion.
thanks,
greg k-h
next prev parent reply other threads:[~2017-12-01 15:34 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 4:59 [GIT PULL] hash addresses printed with %p Tobin C. Harding
2017-11-29 19:22 ` Linus Torvalds
2017-11-29 19:39 ` Linus Torvalds
2017-11-29 20:54 ` Joe Perches
2017-11-29 21:05 ` Linus Torvalds
2017-11-29 21:31 ` Kees Cook
2017-11-29 21:08 ` Tobin C. Harding
2017-11-29 21:14 ` Linus Torvalds
2017-11-29 21:28 ` Tobin C. Harding
2017-11-29 21:36 ` Linus Torvalds
[not found] ` <CA+55aFwPXV0sXb+edcQc4epz0pWustZgJsoq95=a3OEDxynq7g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-30 16:32 ` Greg Kroah-Hartman
2017-11-30 16:32 ` Greg Kroah-Hartman
[not found] ` <20171130163235.GA27849-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-11-30 17:10 ` Greg Kroah-Hartman
2017-11-30 17:10 ` Greg Kroah-Hartman
[not found] ` <20171130171036.GB31817-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-11-30 17:18 ` Ard Biesheuvel
2017-11-30 17:18 ` Ard Biesheuvel
2017-12-01 9:48 ` Greg Kroah-Hartman
2017-12-01 9:54 ` Ard Biesheuvel
[not found] ` <CAKv+Gu-YyuE-Hs4MVPWfS8Exx0S6qo5sgV2VdO0MP5wEXSrM1Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-01 15:34 ` Greg Kroah-Hartman [this message]
2017-12-01 15:34 ` Greg Kroah-Hartman
[not found] ` <20171201153444.GA17867-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-12-01 16:33 ` Kees Cook
2017-12-01 16:33 ` Kees Cook
2017-12-02 8:51 ` Ard Biesheuvel
2017-12-02 22:22 ` Matt Fleming
2017-12-02 22:22 ` Matt Fleming
[not found] ` <20171202222244.GA3799-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org>
2017-12-03 1:15 ` Dave Young
2017-12-03 1:15 ` Dave Young
2017-12-04 2:02 ` Dave Young
2017-12-04 2:02 ` Dave Young
2017-12-04 2:33 ` Joe Perches
[not found] ` <1512354837.6321.41.camel-6d6DIl74uiNBDgjK7y7TUQ@public.gmane.org>
2017-12-04 2:39 ` Dave Young
2017-12-04 2:39 ` Dave Young
[not found] ` <20171204020216.GA2436-0VdLhd/A9Pl+NNSt+8eSiB/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2017-12-04 7:36 ` Greg Kroah-Hartman
2017-12-04 7:36 ` Greg Kroah-Hartman
2017-12-04 9:29 ` Dave Young
[not found] ` <20171204092928.GA4421-0VdLhd/A9Pl+NNSt+8eSiB/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2017-12-04 9:34 ` Greg Kroah-Hartman
2017-12-04 9:34 ` Greg Kroah-Hartman
2017-12-04 9:48 ` Ard Biesheuvel
[not found] ` <CAKv+Gu8iOF1BCpZEVRwT=_6FbXsK0ve7fiWKA5R0D5x2P5MavA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-04 9:59 ` Greg Kroah-Hartman
2017-12-04 9:59 ` Greg Kroah-Hartman
[not found] ` <20171204095936.GA10547-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-12-04 10:03 ` Ard Biesheuvel
2017-12-04 10:03 ` Ard Biesheuvel
2017-12-04 10:11 ` Greg Kroah-Hartman
2017-12-04 12:51 ` David Laight
[not found] ` <d455baafa3d44669a774c7d555c01416-1XygrNkDbNvwg4NCKwmqgw@public.gmane.org>
2017-12-04 14:00 ` Greg Kroah-Hartman
2017-12-04 14:00 ` Greg Kroah-Hartman
[not found] ` <20171204140012.GA8744-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-12-05 5:14 ` Dave Young
2017-12-05 5:14 ` Dave Young
2017-12-05 8:09 ` Greg Kroah-Hartman
[not found] ` <20171205080957.GA18268-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-12-05 8:45 ` Dave Young
2017-12-05 8:45 ` Dave Young
2017-12-05 8:52 ` Greg Kroah-Hartman
[not found] ` <20171205085219.GA16055-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2017-12-05 9:25 ` Ard Biesheuvel
2017-12-05 9:25 ` Ard Biesheuvel
[not found] ` <CAKv+Gu9=4Rrgb3UgmP37LpTjd_xzZ2aVqA2KMAkek9Wxr8fSTA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-12-05 10:15 ` Greg Kroah-Hartman
2017-12-05 10:15 ` Greg Kroah-Hartman
2017-12-05 9:32 ` Dave Young
2017-12-05 9:32 ` Dave Young
[not found] ` <20171205084537.GA5974-0VdLhd/A9Pl+NNSt+8eSiB/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2017-12-05 9:24 ` Dave Young
2017-12-05 9:24 ` Dave Young
[not found] ` <20171205092410.GA16190-0VdLhd/A9Pl+NNSt+8eSiB/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2017-12-05 10:14 ` Greg Kroah-Hartman
2017-12-05 10:14 ` Greg Kroah-Hartman
2017-11-30 23:17 ` Linus Torvalds
2017-12-01 9:47 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171201153444.GA17867@kroah.com \
--to=gregkh-hqyy1w1ycw8ekmwlsbkhg0b+6bgklq7r@public.gmane.org \
--cc=ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matt-mF/unelCI9GS6iBeEJttW/XRex20P6io@public.gmane.org \
--cc=me-xzjC0nNlxno@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.