* [PATCH] docs: add documentation on printing kernel addresses
@ 2017-12-07 0:26 Tobin C. Harding
2017-12-07 0:43 ` Kees Cook
2017-12-07 20:39 ` Tobin C. Harding
0 siblings, 2 replies; 4+ messages in thread
From: Tobin C. Harding @ 2017-12-07 0:26 UTC (permalink / raw)
To: Jonathan Corbet, Kees Cook; +Cc: Tobin C. Harding, linux-doc, linux-kernel
Hashing addresses printed with printk specifier %p was implemented
recently. During development a number of issues were raised regarding
leaking kernel addresses to userspace. We should update the
documentation appropriately.
Add documentation regarding printing kernel addresses.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
Is there a proffered method for subscripts in sphinx kernel docs? Here
we use '[*]'
thanks,
Tobin.
Documentation/security/self-protection.rst | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
index 60c8bd8b77bf..e711280cfdd7 100644
--- a/Documentation/security/self-protection.rst
+++ b/Documentation/security/self-protection.rst
@@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory
addresses and kernel memory contents (since they may contain kernel
addresses or other sensitive things like canary values).
+Kernel addresses
+----------------
+
+Printing kernel addresses to userspace leaks sensitive information about
+the kernel memory layout. Care should be exercised when using any printk
+specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
+in certain circumstances [*]). Any file written to using one of these
+specifiers should be readable only by privileged processes.
+
+Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
+addresses printed with the specifier %p are hashed before printing.
+
+[*] If symbol lookup fails, the raw address is currently printed.
+
Unique identifiers
------------------
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] docs: add documentation on printing kernel addresses
2017-12-07 0:26 [PATCH] docs: add documentation on printing kernel addresses Tobin C. Harding
@ 2017-12-07 0:43 ` Kees Cook
2017-12-07 4:10 ` Tobin C. Harding
2017-12-07 20:39 ` Tobin C. Harding
1 sibling, 1 reply; 4+ messages in thread
From: Kees Cook @ 2017-12-07 0:43 UTC (permalink / raw)
To: Tobin C. Harding; +Cc: Jonathan Corbet, linux-doc, LKML
On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding <me@tobin.cc> wrote:
> Hashing addresses printed with printk specifier %p was implemented
> recently. During development a number of issues were raised regarding
> leaking kernel addresses to userspace. We should update the
> documentation appropriately.
>
> Add documentation regarding printing kernel addresses.
>
> Signed-off-by: Tobin C. Harding <me@tobin.cc>
Acked-by: Kees Cook <keescook@chromium.org>
> ---
>
> Is there a proffered method for subscripts in sphinx kernel docs? Here
> we use '[*]'
Great question... I can't find an answer to this. :P
>
> thanks,
> Tobin.
>
> Documentation/security/self-protection.rst | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
> index 60c8bd8b77bf..e711280cfdd7 100644
> --- a/Documentation/security/self-protection.rst
> +++ b/Documentation/security/self-protection.rst
> @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory
> addresses and kernel memory contents (since they may contain kernel
> addresses or other sensitive things like canary values).
>
> +Kernel addresses
> +----------------
> +
> +Printing kernel addresses to userspace leaks sensitive information about
> +the kernel memory layout. Care should be exercised when using any printk
> +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
> +in certain circumstances [*]). Any file written to using one of these
> +specifiers should be readable only by privileged processes.
> +
> +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
> +addresses printed with the specifier %p are hashed before printing.
> +
> +[*] If symbol lookup fails, the raw address is currently printed.
Is there a plan to adjust this case?
Thanks!
-Kees
> +
> Unique identifiers
> ------------------
>
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] docs: add documentation on printing kernel addresses
2017-12-07 0:43 ` Kees Cook
@ 2017-12-07 4:10 ` Tobin C. Harding
0 siblings, 0 replies; 4+ messages in thread
From: Tobin C. Harding @ 2017-12-07 4:10 UTC (permalink / raw)
To: Kees Cook; +Cc: Jonathan Corbet, linux-doc, LKML
On Wed, Dec 06, 2017 at 04:43:40PM -0800, Kees Cook wrote:
> On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding <me@tobin.cc> wrote:
> > Hashing addresses printed with printk specifier %p was implemented
> > recently. During development a number of issues were raised regarding
> > leaking kernel addresses to userspace. We should update the
> > documentation appropriately.
> >
> > Add documentation regarding printing kernel addresses.
> >
> > Signed-off-by: Tobin C. Harding <me@tobin.cc>
>
> Acked-by: Kees Cook <keescook@chromium.org>
>
> > ---
> >
> > Is there a proffered method for subscripts in sphinx kernel docs? Here
> > we use '[*]'
>
> Great question... I can't find an answer to this. :P
>
> >
> > thanks,
> > Tobin.
> >
> > Documentation/security/self-protection.rst | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
> > index 60c8bd8b77bf..e711280cfdd7 100644
> > --- a/Documentation/security/self-protection.rst
> > +++ b/Documentation/security/self-protection.rst
> > @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory
> > addresses and kernel memory contents (since they may contain kernel
> > addresses or other sensitive things like canary values).
> >
> > +Kernel addresses
> > +----------------
> > +
> > +Printing kernel addresses to userspace leaks sensitive information about
> > +the kernel memory layout. Care should be exercised when using any printk
> > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
> > +in certain circumstances [*]). Any file written to using one of these
> > +specifiers should be readable only by privileged processes.
> > +
> > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
> > +addresses printed with the specifier %p are hashed before printing.
> > +
> > +[*] If symbol lookup fails, the raw address is currently printed.
>
> Is there a plan to adjust this case?
RFC is in flight at the moment
[RFC 0/3] kallsyms: don't leak address when printing symbol
You commented already that you liked it. Had no response from Steve, I
was intending to give him two weeks and then put in the patch for
real.
Or I could put it in without the ftrace stuff and just break tracing -
just kidding, I wouldn't do that :)
thanks,
Tobin.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] docs: add documentation on printing kernel addresses
2017-12-07 0:26 [PATCH] docs: add documentation on printing kernel addresses Tobin C. Harding
2017-12-07 0:43 ` Kees Cook
@ 2017-12-07 20:39 ` Tobin C. Harding
1 sibling, 0 replies; 4+ messages in thread
From: Tobin C. Harding @ 2017-12-07 20:39 UTC (permalink / raw)
To: Jonathan Corbet, Kees Cook; +Cc: linux-doc, linux-kernel
Please drop this patch, needs amendment (commented inline).
On Thu, Dec 07, 2017 at 11:26:38AM +1100, Tobin C. Harding wrote:
> Hashing addresses printed with printk specifier %p was implemented
> recently. During development a number of issues were raised regarding
> leaking kernel addresses to userspace. We should update the
> documentation appropriately.
>
> Add documentation regarding printing kernel addresses.
>
> Signed-off-by: Tobin C. Harding <me@tobin.cc>
> ---
>
> Is there a proffered method for subscripts in sphinx kernel docs? Here
> we use '[*]'
>
> thanks,
> Tobin.
>
> Documentation/security/self-protection.rst | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst
> index 60c8bd8b77bf..e711280cfdd7 100644
> --- a/Documentation/security/self-protection.rst
> +++ b/Documentation/security/self-protection.rst
> @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory
> addresses and kernel memory contents (since they may contain kernel
> addresses or other sensitive things like canary values).
>
> +Kernel addresses
> +----------------
> +
> +Printing kernel addresses to userspace leaks sensitive information about
> +the kernel memory layout. Care should be exercised when using any printk
> +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
> +in certain circumstances [*]). Any file written to using one of these
> +specifiers should be readable only by privileged processes.
> +
> +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
> +addresses printed with the specifier %p are hashed before printing.
> +
> +[*] If symbol lookup fails, the raw address is currently printed.
[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
currently printed. If KALLSYMS is not enabled the address is printed.
thanks,
Tobin.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-12-07 20:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-12-07 0:26 [PATCH] docs: add documentation on printing kernel addresses Tobin C. Harding
2017-12-07 0:43 ` Kees Cook
2017-12-07 4:10 ` Tobin C. Harding
2017-12-07 20:39 ` Tobin C. Harding
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox