From: Petr Mladek <pmladek@suse.com>
To: Kees Cook <kees@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>,
Sergio Perez Gonzalez <sperezglz@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Steven Rostedt <rostedt@goodmis.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
Harry Yoo <harry.yoo@oracle.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
Tamir Duberstein <tamird@gmail.com>,
Miguel Ojeda <ojeda@kernel.org>,
Alice Ryhl <aliceryhl@google.com>,
linux-doc@vger.kernel.org, linux-mm@kvack.org,
Thomas Huth <thuth@redhat.com>,
"Borislav Petkov (AMD)" <bp@alien8.de>,
Ard Biesheuvel <ardb@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andreas Hindborg <a.hindborg@kernel.org>,
Stephen Boyd <swboyd@chromium.org>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] slab: Decouple slab_debug and no_hash_pointers
Date: Mon, 14 Apr 2025 14:31:42 +0200 [thread overview]
Message-ID: <Z_0AFjai6Bvg-YLD@pathway.suse.cz> (raw)
In-Reply-To: <20250410174428.work.488-kees@kernel.org>
On Thu 2025-04-10 10:44:31, Kees Cook wrote:
> Some system owners use slab_debug=FPZ (or similar) as a hardening option,
> but do not want to be forced into having kernel addresses exposed due
> to the implicit "no_hash_pointers" boot param setting.[1]
>
> Introduce the "hash_pointers" boot param, which defaults to "auto"
> (the current behavior), but also includes "always" (forcing on hashing
> even when "slab_debug=..." is defined), and "never". The existing
> "no_hash_pointers" boot param becomes an alias for "hash_pointers=never".
>
> This makes it possible to boot with "slab_debug=FPZ hash_pointers=always".
The idea makes sense. But it seems that the patch did not handle
the "always" mode correctly, see below.
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -60,6 +60,20 @@
> bool no_hash_pointers __ro_after_init;
> EXPORT_SYMBOL_GPL(no_hash_pointers);
>
> +/*
> + * Hashed pointers policy selected by "hash_pointers=..." boot param
> + *
> + * `auto` - Hashed pointers enabled unless disabled by slub_debug_enabled=true
> + * `always` - Hashed pointers enabled unconditionally
> + * `never` - Hashed pointers disabled unconditionally
> + */
> +enum hash_pointers_policy {
> + HASH_PTR_AUTO = 0,
> + HASH_PTR_ALWAYS,
> + HASH_PTR_NEVER
> +};
> +static enum hash_pointers_policy hash_pointers_mode __initdata;
> +
> noinline
> static unsigned long long simple_strntoull(const char *startp, char **endp, unsigned int base, size_t max_chars)
> {
> @@ -2271,12 +2285,13 @@ char *resource_or_range(const char *fmt, char *buf, char *end, void *ptr,
> return resource_string(buf, end, ptr, spec, fmt);
> }
>
> -int __init no_hash_pointers_enable(char *str)
> +void __init hash_pointers_finalize(bool slub_debug)
> {
> - if (no_hash_pointers)
> - return 0;
> + if (hash_pointers_mode == HASH_PTR_AUTO && slub_debug)
> + no_hash_pointers = true;
>
> - no_hash_pointers = true;
> + if (!no_hash_pointers)
> + return;
>
> pr_warn("**********************************************************\n");
> pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n");
The mode/policy is generic but this function is ready to be called
only once. And we might actually want to call it twice, see below.
I would suggest to use a generic names and allow to call it more
times, something like:
/**
* hash_pointers_update() - update the decision whether to hash
* printed pointers
* @auto_disable: Disable hashing in auto mode
*
* The function allows to disable hashing printed pointers either
* when the global mode is HASH_PTR_NEVER or when the caller
* wants to disable it and the mode is HASH_PTR_AUTO.
*/
void __init hash_pointers_update(bool auto_disable)
{
bool disable_hashing = false;
switch(hash_pointers_mode) {
case HASH_PTR_AUTO:
disable_hashing = auto_disable;
break;
case HASH_PTR_ALWAYS:
disable_hashing = true;
break;
case HASH_PTR_NEVER:
if (no_hash_pointers) {
pr_warn("Pointers were temporary printed without hashing. Force hashing again.\n");
no_hash_pointers = false;
}
break;
default:
pr_warn("Unknown hash_pointers mode '%d' specified; assuming auto.\n",
hash_pointers_mode);
disable_hashing = auto_disable;
}
/* Nope when no change requested. */
if (no_hash_pointers || !disable_hashing)
return;
no_hash_pointers = true;
pr_warn("**********************************************************\n");
pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n");
pr_warn("** **\n");
pr_warn("** This system shows unhashed kernel memory addresses **\n");
pr_warn("** via the console, logs, and other interfaces. This **\n");
pr_warn("** might reduce the security of your system. **\n");
pr_warn("** **\n");
pr_warn("** If you see this message and you are not debugging **\n");
pr_warn("** the kernel, report this immediately to your system **\n");
pr_warn("** administrator! **\n");
pr_warn("** **\n");
pr_warn("** Use hash_pointers=always to force this mode off **\n");
pr_warn("** **\n");
pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n");
pr_warn("**********************************************************\n");
}
> @@ -2289,11 +2304,39 @@ int __init no_hash_pointers_enable(char *str)
> pr_warn("** the kernel, report this immediately to your system **\n");
> pr_warn("** administrator! **\n");
> pr_warn("** **\n");
> + pr_warn("** Use hash_pointers=always to force this mode off **\n");
> + pr_warn("** **\n");
> pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n");
> pr_warn("**********************************************************\n");
> +}
> +
> +static int __init hash_pointers_mode_parse(char *str)
> +{
> + if (!str) {
> + pr_warn("Hash pointers mode empty; falling back to auto.\n");
> + hash_pointers_mode = HASH_PTR_AUTO;
> + } else if (strncmp(str, "auto", 4) == 0) {
> + pr_info("Hash pointers mode set to auto.\n");
> + hash_pointers_mode = HASH_PTR_AUTO;
> + } else if (strncmp(str, "never", 5) == 0) {
> + pr_info("Hash pointers mode set to never.\n");
> + hash_pointers_mode = HASH_PTR_NEVER;
> + } else if (strncmp(str, "always", 6) == 0) {
> + pr_info("Hash pointers mode set to always.\n");
> + hash_pointers_mode = HASH_PTR_ALWAYS;
This mode is not handled anywhere, see below.
> + } else {
> + pr_warn("Unknown hash_pointers mode '%s' specified; assuming auto.\n", str);
> + hash_pointers_mode = HASH_PTR_AUTO;
> + }
We might handle HASH_PTR_ALWAYS by calling:
hash_pointers_update(false);
> return 0;
> }
> +early_param("hash_pointers", hash_pointers_mode_parse);
> +
> +static int __init no_hash_pointers_enable(char *str)
> +{
> + return hash_pointers_mode_parse("never");
> +}
> early_param("no_hash_pointers", no_hash_pointers_enable);
>
> /*
Best Regards,
Petr
next prev parent reply other threads:[~2025-04-14 12:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-10 17:44 [PATCH] slab: Decouple slab_debug and no_hash_pointers Kees Cook
2025-04-11 7:47 ` Vlastimil Babka
2025-04-13 23:00 ` David Rientjes
2025-04-13 23:57 ` Bagas Sanjaya
2025-04-14 12:31 ` Petr Mladek [this message]
2025-04-15 17:00 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z_0AFjai6Bvg-YLD@pathway.suse.cz \
--to=pmladek@suse.com \
--cc=a.hindborg@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=aliceryhl@google.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=harry.yoo@oracle.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=kees@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@rasmusvillemoes.dk \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=penberg@kernel.org \
--cc=rdunlap@infradead.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=sperezglz@gmail.com \
--cc=swboyd@chromium.org \
--cc=tamird@gmail.com \
--cc=thuth@redhat.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.