From: Eric Dumazet <eric.dumazet@gmail.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: David Miller <davem@davemloft.net>,
socketcan@hartkopp.net, kuznet@ms2.inr.ac.ru,
urs.thuermann@volkswagen.de, yoshfuji@linux-ipv6.org,
kaber@trash.net, jmorris@namei.org,
remi.denis-courmont@nokia.com, pekkas@netcore.fi, sri@us.ibm.com,
vladislav.yasevich@hp.com, tj@kernel.org, lizf@cn.fujitsu.com,
joe@perches.com, shemminger@vyatta.com, hadi@mojatatu.com,
ebiederm@xmission.com, adobriyan@gmail.com, jpirko@redhat.com,
johannes.berg@intel.com, daniel.lezcano@free.fr,
xemul@openvz.org, socketcan-core@lists.berlios.de,
netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
torvalds@linux-foundation.org
Subject: Re: [PATCH 4/10] Fix leaking of kernel heap addresses in net/
Date: Fri, 12 Nov 2010 08:23:30 +0100 [thread overview]
Message-ID: <1289546610.17691.1770.camel@edumazet-laptop> (raw)
In-Reply-To: <1289529269.3090.207.camel@Dan>
Le jeudi 11 novembre 2010 à 21:34 -0500, Dan Rosenberg a écrit :
> > I want whatever you replace it with to be equivalent for
> > object tracking purposes.
>
> In nearly all of the cases I fixed, the socket inode is already
> provided, which serves as a perfectly good unique identifier. Would you
> prefer I include that information twice?
Oh well. Please read this answer carefuly.
Some facts to feed your next patch. I am very pleased you changed your
mind and that we keep useful information in kernel log.
1) Inode numbers are not guaranteed to be unique. Its a 32bit seq
number, and we dont check another socket inode use the same inode number
(after 2^32 allocations it can happens)
2) /proc/net/ files can deliver same "line" of information several
times, because of their implementation.
3) Because of SLAB_DESTROY_BY_RCU, same 'kernel socket pointer' can be
seen several times in /proc/net/tcp & /proc/net/udp, but really on
different "sockets"
4) Some good applications use both the socket pointer and inode number
(tuple) to filter out the [2] problem. Dont break them, please ?
Anything that might break an application must be at the very least
tunable.
In my opinion, a good thing would be :
- Use a special printf() format , aka "secure pointer", as Thomas
suggested.
- Make sure you print different opaque values for two different kernel
pointers. This is mandatory.
- Make sure the NULL pointer stay as a NULL pointer to not let the
hostile user know your secret, and to ease debugging stuff.
- Have security experts advice to chose a nice crypto function, maybe
jenkin hash. Not too slow would be nice.
static unsigned long securize_kpointers_rnd;
At boot time, stick a random value in this variable.
(Maybe make sure the 5 low order bits are 0)
unsigned long opacify_kptr(unsigned long ptr)
{
if (ptr == 0)
return ptr;
if (capable(CAP_NET_ADMIN))
return ptr;
return some_crypto_hash(ptr, &securize_kpointers_rnd);
}
At least, use a central point, so that we can easily add/change the
logic if needed.
Please provide this patch in kernel/printk.c for initial review, then
once everybody is OK, you can send one patch for net tree.
No need to send 10 patches if we dont agree on the general principle.
next prev parent reply other threads:[~2010-11-12 7:23 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-12 2:15 [PATCH 4/10] Fix leaking of kernel heap addresses in net/ Dan Rosenberg
[not found] ` <2129857903-1289528127-cardhu_decombobulator_blackberry.rim.net-1506931048--JnVBb1XAImjjL2gL5RxOEzYg3SYOavFBmZ6FRVpaDsI@public.gmane.org>
2010-11-12 2:29 ` David Miller
2010-11-12 2:34 ` Dan Rosenberg
2010-11-12 2:49 ` David Miller
2010-11-12 2:51 ` Dan Rosenberg
2010-11-12 2:59 ` David Miller
2010-11-12 7:23 ` Eric Dumazet [this message]
2010-11-12 12:37 ` Dan Rosenberg
2010-11-12 16:33 ` Stephen Hemminger
2010-11-12 17:24 ` Dan Rosenberg
2010-11-12 18:33 ` Stephen Hemminger
2010-11-12 20:18 ` Alexey Dobriyan
2010-11-12 20:37 ` David Miller
2010-11-12 22:40 ` Alexey Dobriyan
2010-11-12 22:46 ` David Miller
[not found] <1289673008.3090.350.camel@Dan>
2010-11-13 18:42 ` Dan Rosenberg
-- strict thread matches above, loose matches on Subject: below --
2010-11-12 1:07 Dan Rosenberg
2010-11-12 1:10 ` David Miller
2010-11-12 1:20 ` Dan Rosenberg
2010-11-12 2:02 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1289546610.17691.1770.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=adobriyan@gmail.com \
--cc=daniel.lezcano@free.fr \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=ebiederm@xmission.com \
--cc=hadi@mojatatu.com \
--cc=jmorris@namei.org \
--cc=joe@perches.com \
--cc=johannes.berg@intel.com \
--cc=jpirko@redhat.com \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-sctp@vger.kernel.org \
--cc=lizf@cn.fujitsu.com \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=remi.denis-courmont@nokia.com \
--cc=shemminger@vyatta.com \
--cc=socketcan-core@lists.berlios.de \
--cc=socketcan@hartkopp.net \
--cc=sri@us.ibm.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=urs.thuermann@volkswagen.de \
--cc=vladislav.yasevich@hp.com \
--cc=xemul@openvz.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox