restricted_pointer() pretends that it prints the address when kptr_restrict
is set to zero. But it is never called in this situation. Instead,
pointer() falls back to ptr_to_id() and hashes the pointer.
This patch removes the potential confusion. klp_restrict is checked only
in restricted_pointer().
It actually fixes a small race when the address might get printed unhashed:
CPU0 CPU1
pointer()
if (!kptr_restrict)
/* for example set to 2 */
restricted_pointer()
/* echo 0 >/proc/sys/kernel/kptr_restrict */
proc_dointvec_minmax_sysadmin()
klpr_restrict = 0;
switch(kptr_restrict)
case 0:
break:
number()
Fixes: commit ef0010a30935de4e0211 ("vsprintf: don't use 'restricted_pointer()'
when not restricting")
Cc: Linus Torvalds <[email protected]>
Cc: Tobin Harding <[email protected]>
Cc: Kees Cook <[email protected]>
Signed-off-by: Petr Mladek <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
---
lib/vsprintf.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index e164d7b734f3..76ce12b278c3 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -724,8 +724,8 @@ char *restricted_pointer(char *buf, char *end, const void
*ptr,
{
switch (kptr_restrict) {
case 0:
- /* Always print %pK values */
- break;
+ /* Handle as %p, hash and do _not_ leak addresses. */
+ return ptr_to_id(buf, end, ptr, spec);
case 1: {
const struct cred *cred;
@@ -2041,8 +2041,6 @@ char *pointer(const char *fmt, char *buf, char *end, void
*ptr,
return buf;
}
case 'K':
- if (!kptr_restrict)
- break;
return restricted_pointer(buf, end, ptr, spec);
case 'N':
return netdev_bits(buf, end, ptr, spec, fmt);
--
2.13.7
