From: Kees Cook <keescook@chromium.org>
To: Jonathan Corbet <corbet@lwn.net>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] docs: deprecated.rst: Add %p to the list
Date: Wed, 4 Mar 2020 11:13:28 -0800
Message-ID: <202003041103.A5842AD@keescook>
Once in a while %p usage comes up, and I've needed to have a reference
to point people to. Add %p details to deprecated.rst.
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Documentation/process/deprecated.rst | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst
index f9f196d3a69b..a4db119f4e09 100644
--- a/Documentation/process/deprecated.rst
+++ b/Documentation/process/deprecated.rst
@@ -109,6 +109,23 @@ the given limit of bytes to copy. This is inefficient and can lead to
linear read overflows if a source string is not NUL-terminated. The
safe replacement is :c:func:`strscpy`.
+%p format specifier
+-------------------
+Using %p in format strings leads to a huge number of address exposures.
+Instead of leaving these to be exploitable, "%p" should not be used in
+the kernel. If used currently, it is a hashed value, rendering it
+unusable for addressing. Paraphrasing Linus's current `guideance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
+
+- Just use %p and get the hashed value.
+- If the hashed value is pointless, ask yourself whether the pointer
+ itself is important. Maybe it should be removed entirely?
+- As a last option, if you really think the true pointer value is
+ important, why is some system state or user privilege level considered
+ "special"? If it is well justified (in comments and commit log), maybe
+ you can use %px along with making sure you have sensible permissions.
+
+A system-wide toggle will `not be accepted <https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/>`_.
+
Variable Length Arrays (VLAs)
-----------------------------
Using stack VLAs produces much worse machine code than statically
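Review bot: the new "%p format specifier" paragraph contradicts its own bullet list. The opening sentences say %p "leads to a huge number of address exposures" and that "%p" should not be used in the kernel, yet the next sentence says %p currently prints a hashed value unusable for addressing, and the first bullet tells people to "Just use %p and get the hashed value." Consider rewording the paragraph so that the exposure problem is attributed to unhashed pointer output (which is what %px gives, and what the hashing of %p was introduced to stop), and so that the recommendation reads consistently: plain %p is the default, %px is the justified exception. Two smaller points in the same paragraph: the link text has a typo ("guideance" should be "guidance"), and the specifier is quoted inconsistently (%p in one sentence, "%p" in the next); picking one style, e.g. ``%p`` as the rest of the file does for identifiers, would help.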
--
2.20.1
--
Kees Cook
Thread overview: 3+ messages
2020-03-04 19:13 Kees Cook [this message]
2020-03-05 6:22 ` [PATCH] docs: deprecated.rst: Add %p to the list James Troup
2020-03-05 6:47 ` Kees Cook