From: "Tobin C. Harding" <me@tobin.cc>
To: Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] docs: add documentation on printing kernel addresses
Date: Fri, 8 Dec 2017 07:39:00 +1100
Message-ID: <20171207203900.GG2191@eros>
In-Reply-To: <1512606398-31409-1-git-send-email-me@tobin.cc>

Please drop this patch, needs amendment (commented inline).

On Thu, Dec 07, 2017 at 11:26:38AM +1100, Tobin C. Harding wrote:
> Hashing addresses printed with printk specifier %p was implemented
> recently. During development a number of issues were raised regarding
> leaking kernel addresses to userspace. We should update the
> documentation appropriately.
> 
> Add documentation regarding printing kernel addresses.
> 
> Signed-off-by: Tobin C. Harding <me@tobin.cc>
> ---
> 
> Is there a preferred method for subscripts in sphinx kernel docs? Here
> we use '[*]'
> 
> thanks,
> Tobin.
> 
>  Documentation/security/self-protection.rst | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
> index 60c8bd8b77bf..e711280cfdd7 100644
> --- a/Documentation/security/self-protection.rst
> +++ b/Documentation/security/self-protection.rst
> @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory
>  addresses and kernel memory contents (since they may contain kernel
>  addresses or other sensitive things like canary values).
>  
> +Kernel addresses
> +----------------
> +
> +Printing kernel addresses to userspace leaks sensitive information about
> +the kernel memory layout. Care should be exercised when using any printk
> +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
> +in certain circumstances [*]).  Any file written to using one of these
> +specifiers should be readable only by privileged processes.
> +
> +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
> +addresses printed with the specifier %p are hashed before printing.
> +
> +[*] If symbol lookup fails, the raw address is currently printed.
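Review bot: the '[*]' marker in "(and %p[sSb] in certain circumstances [*])" and on the "[*] If symbol lookup fails" line is plain text, so Sphinx will render it literally and will not link the reference to the note. reStructuredText has auto-symbol footnotes for this: write "[*]_" at the reference and start the note with ".. [*]". Separately, the shorthand "%p[ad]" reads as a character class, that is %pa and %pd, and %pd is the dentry-name specifier; if %pa and %pad are meant, spell both out. The sentence "Any file written to using one of these specifiers" is also vague for a section about printk; name the output that is meant, such as the kernel log, so the reader knows what has to be restricted to privileged processes.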

[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
currently printed. If KALLSYMS is not enabled the address is printed. 

thanks,
Tobin.
