Re: [kernel-hardening] [PATCH] printk: hash addresses printed with %p

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Tobin C. Harding" <me@tobin.cc>
To: "Theodore Ts'o" <tytso@mit.edu>,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Kees Cook <keescook@chromium.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Tycho Andersen <tycho@docker.com>,
	"Roberts, William C" <william.c.roberts@intel.com>,
	Tejun Heo <tj@kernel.org>,
	Jordan Glover <Golden_Miller83@protonmail.ch>,
	Greg KH <gregkh@linuxfoundation.org>,
	Petr Mladek <pmladek@suse.com>, Joe Perches <joe@perches.com>,
	Ian Campbell <ijc@hellion.org.uk>,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Chris Fries <cfries@google.com>,
	Dave Weinstein <olorin@google.com>,
	Daniel Micay <danielmicay@gmail.com>,
	Djalal Harouni <tixxdz@gmail.com>
Subject: Re: [kernel-hardening] [PATCH] printk: hash addresses printed with %p
Date: Thu, 12 Oct 2017 13:55:18 +1100	[thread overview]
Message-ID: <20171012025518.GD30753@eros> (raw)
In-Reply-To: <20171011174858.bga4okxq5plxzxze@thunk.org>

Removing kvm@vger.kernel.org from the CC list.

On Wed, Oct 11, 2017 at 01:48:58PM -0400, Theodore Ts'o wrote:
> On Wed, Oct 11, 2017 at 02:48:16PM +1100, Tobin C. Harding wrote:
> > +/*
> > + * Obfuscates pointer (algorithm taken from kptr_obfuscate(). See kernel/kcmp.c)
> > + * v is the pointer value, randval is some random value, oddval is some random
> > + * odd value.
> > + *
> > + * The obfuscation is done in two steps. First we xor the kernel pointer with
> > + * a random value, which puts pointer into a new position in a reordered space.
> > + * Secondly we multiply the xor production with a large odd random number to
> > + * permute its bits even more (the odd multiplier guarantees that the product
> > + * is unique ever after the high bits are truncated, since any odd number is
> > + * relative prime to 2^n).
> > + */
> 
> Why not just expose kptr_obfusecate() and use it, instead of copying
> code?
> 
> Also, I'm nervous about the obfuscation.  If the attacker can get a
> handful of known "real kernel pointer" and "obfuscated kernel pointer"
> values, it wouldn't be that hard for them to be able to reverse
> engineer the two secret values.
> 
> Perhaps the argument is "if the attacker can get a _single_ real
> kernel address, it's all over anyway", which is probably true for
> KASLR, but which might not be true for all attacks.
> 
> Anyway, if you use kptr_obfuscate in kernel/kcmp.c, then if we later
> decide that we should change the obfuscation algorithm to something
> stronger, we only need to do it in one place.
> 
> 					- Ted

Thanks Ted, others have misgivings about this method also. The email threads are all a bit mixed up
(thansk to my ineptness at posting patches :).

FYI, in the other threads Jason A. Donenfel and Linus Torvalds have discussed SipHash as a solution.

thanks,
Tobin.

     prev parent reply	other threads:[~2017-10-12  2:55 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-11  3:48 [PATCH] printk: hash addresses printed with %p Tobin C. Harding
2017-10-11  4:06 ` Joe Perches
2017-10-12  2:24   ` Tobin C. Harding
2017-10-11 16:49 ` Linus Torvalds
2017-10-11 17:48 ` [kernel-hardening] " Theodore Ts'o
2017-10-12  2:55   ` Tobin C. Harding [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171012025518.GD30753@eros \
    --to=me@tobin.cc \
    --cc=Golden_Miller83@protonmail.ch \
    --cc=catalin.marinas@arm.com \
    --cc=cfries@google.com \
    --cc=danielmicay@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=ijc@hellion.org.uk \
    --cc=joe@perches.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=olorin@google.com \
    --cc=pbonzini@redhat.com \
    --cc=pmladek@suse.com \
    --cc=rostedt@goodmis.org \
    --cc=sergey.senozhatsky@gmail.com \
    --cc=tixxdz@gmail.com \
    --cc=tj@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tycho@docker.com \
    --cc=tytso@mit.edu \
    --cc=will.deacon@arm.com \
    --cc=william.c.roberts@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox