From: "Tobin C. Harding" <me@tobin.cc>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: rkrcmar@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KVM: remove printing of token address
Date: Tue, 10 Oct 2017 10:51:07 +1100 [thread overview]
Message-ID: <20171009235107.GD20083@eros> (raw)
In-Reply-To: <f3b2e079-4ed2-dd21-2229-24655d6ea54d@redhat.com>
On Mon, Oct 09, 2017 at 12:58:12PM +0200, Paolo Bonzini wrote:
> On 09/10/2017 12:04, Tobin C. Harding wrote:
> > On Mon, Oct 09, 2017 at 03:49:38AM -0400, Paolo Bonzini wrote:
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Tobin C. Harding" <me@tobin.cc>
> >>> To: "Paolo Bonzini" <pbonzini@redhat.com>, rkrcmar@redhat.com
> >>> Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, "Tobin C. Harding" <me@tobin.cc>
> >>> Sent: Monday, October 9, 2017 8:30:14 AM
> >>> Subject: [PATCH] KVM: remove printing of token address
> >>>
> >>> KVM currently prints the address of the consumer token. It is not
> >>> immediately clear what benefit it is to see this address. Printing
> >>> this address leaks kernel pointers into dmesg and is a security risk.
> >>>
> >>> Remove the consumer token address from error message output.
> >>
> >> It should use %pK instead.
> >
> > Is there any other way we can identify a token? There is some push back against kpt_restrict (as
> > used by %pK) at the moment. If there is another sane way to do it perhaps we could consider that,
> > else I'll use %pK for v2.
>
> Not really, we know it is an eventfd but you can't go from the struct
> eventfd_ctx* (the token) to the corresponding struct file.
>
> I'm not sure about the pushback... I've read your name in
> https://lwn.net/Articles/735589/ :) and that article says "the same
> effect as a restrictive kptr_restrict setting could be achieved by
> searching for (and fixing) every use of unadorned "%p" directives in the
> kernel". As I understand it, the push back is against restrictive
> kptr_restrict settings, not against using "%pK" _to avoid the need_ for
> such a restrictive setting.
In the thread that article is based on Linus airs his view that kptr_restrict is fundamentally
broken.
Would you be happy if instead of printing the pointer we printed a unique identifier (some suitable
hash of the pointer value)? I'm working on that patch ATM, if this sounds ok I'll leave this patch
until unique identifiers are implemented.
But if we really want the address here I can put in the patch using %pK. What is your thoughts?
> Thanks,
>
> Paolo
>
> >> Also, please do the same change on the VFIO
> >> side (drivers/vfio/pci/vfio_pci_intrs.c, call to irq_bypass_register_producer).
And same here obviously.
thanks,
Tobin.
next prev parent reply other threads:[~2017-10-09 23:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-09 6:30 [PATCH] KVM: remove printing of token address Tobin C. Harding
2017-10-09 7:49 ` Paolo Bonzini
2017-10-09 10:04 ` Tobin C. Harding
2017-10-09 10:58 ` Paolo Bonzini
2017-10-09 23:51 ` Tobin C. Harding [this message]
2017-10-10 8:31 ` Paolo Bonzini
2017-10-10 21:49 ` Tobin C. Harding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171009235107.GD20083@eros \
--to=me@tobin.cc \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).