[PATCH] Do not hash userspace addresses in fault handlers

[PATCH] Do not hash userspace addresses in fault handlers

[Kees Cook]

The hashing of %p was designed to restrict kernel addresses. There is
no reason to hash the userspace values seen during a segfault report,
so switch these to %px. (Some architectures already use %lx.)

Fixes: ad67b74d2469d9b8 ("printk: hash addresses printed with %p")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Alternatively, we could enhance the %p hashing to only hash for values
above TASK_SIZE, which would mean userspace values would automatically
go unhashed... But that seems fragile to me.
---
 arch/sparc/mm/fault_32.c | 2 +-
 arch/sparc/mm/fault_64.c | 2 +-
 arch/um/kernel/trap.c    | 2 +-
 arch/x86/mm/fault.c      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
index be3136f142a9..b969db2fde5f 100644
--- a/arch/sparc/mm/fault_32.c
+++ b/arch/sparc/mm/fault_32.c
@@ -113,7 +113,7 @@ show_signal_msg(struct pt_regs *regs, int sig, int code,
 	if (!printk_ratelimit())
 		return;
 
-	printk("%s%s[%d]: segfault at %lx ip %p (rpc %p) sp %p error %x",
+	printk("%s%s[%d]: segfault at %lx ip %px (rpc %px) sp %px error %x",
 	       task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
 	       tsk->comm, task_pid_nr(tsk), address,
 	       (void *)regs->pc, (void *)regs->u_regs[UREG_I7],
diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
index 815c03d7a765..5c70edd7c56c 100644
--- a/arch/sparc/mm/fault_64.c
+++ b/arch/sparc/mm/fault_64.c
@@ -154,7 +154,7 @@ show_signal_msg(struct pt_regs *regs, int sig, int code,
 	if (!printk_ratelimit())
 		return;
 
-	printk("%s%s[%d]: segfault at %lx ip %p (rpc %p) sp %p error %x",
+	printk("%s%s[%d]: segfault at %lx ip %px (rpc %px) sp %px error %x",
 	       task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
 	       tsk->comm, task_pid_nr(tsk), address,
 	       (void *)regs->tpc, (void *)regs->u_regs[UREG_I7],
diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
index 4e6fcb32620f..428644175956 100644
--- a/arch/um/kernel/trap.c
+++ b/arch/um/kernel/trap.c
@@ -150,7 +150,7 @@ static void show_segv_info(struct uml_pt_regs *regs)
 	if (!printk_ratelimit())
 		return;
 
-	printk("%s%s[%d]: segfault at %lx ip %p sp %p error %x",
+	printk("%s%s[%d]: segfault at %lx ip %px sp %px error %x",
 		task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
 		tsk->comm, task_pid_nr(tsk), FAULT_ADDRESS(*fi),
 		(void *)UPT_IP(regs), (void *)UPT_SP(regs),
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index febf6980e653..06fe3d51d385 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -860,7 +860,7 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
 	if (!printk_ratelimit())
 		return;
 
-	printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
+	printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx",
 		task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
 		tsk->comm, task_pid_nr(tsk), address,
 		(void *)regs->ip, (void *)regs->sp, error_code);
-- 
2.7.4


-- 
Kees Cook
Pixel Security

Re: [PATCH] Do not hash userspace addresses in fault handlers

[Thomas Gleixner]

On Tue, 19 Dec 2017, Kees Cook wrote:
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index febf6980e653..06fe3d51d385 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -860,7 +860,7 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
>  	if (!printk_ratelimit())
>  		return;
>  
> -	printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
> +	printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx",
>  		task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
>  		tsk->comm, task_pid_nr(tsk), address,
>  		(void *)regs->ip, (void *)regs->sp, error_code);

For that part:

Reviewed-by: Thomas Gleixner <tglx@linutronix.de>