Re: [PATCH] docs: add documentation on printing kernel addresses
Please drop this patch, needs amendment (commented inline). On Thu, Dec 07, 2017 at 11:26:38AM +1100, Tobin C. Harding wrote: > Hashing addresses printed with printk specifier %p was implemented > recently. During development a number of issues were raised regarding > leaking kernel addresses to userspace. We should update the > documentation appropriately. > > Add documentation regarding printing kernel addresses. > > Signed-off-by: Tobin C. Harding > --- > > Is there a proffered method for subscripts in sphinx kernel docs? Here > we use '[*]' > > thanks, > Tobin. > > Documentation/security/self-protection.rst | 14 ++ > 1 file changed, 14 insertions(+) > > diff --git a/Documentation/security/self-protection.rst > b/Documentation/security/self-protection.rst > index 60c8bd8b77bf..e711280cfdd7 100644 > --- a/Documentation/security/self-protection.rst > +++ b/Documentation/security/self-protection.rst 
> @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of > both kernel memory > addresses and kernel memory contents (since they may contain kernel > addresses or other sensitive things like canary values). > > +Kernel addresses > + > + > +Printing kernel addresses to userspace leaks sensitive information about > +the kernel memory layout. Care should be exercised when using any printk > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] > +in certain circumstances [*]). Any file written to using one of these > +specifiers should be readable only by privileged processes. > + > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 > +addresses printed with the specifier %p are hashed before printing. > + > +[*] If symbol lookup fails, the raw address is currently printed. [*] If KALLSYMS is enabled and symbol lookup fails, the raw address is currently printed. If KALLSYMS is not enabled the address is printed. thanks, Tobin. -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
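Review bot: The footnote at the end of the hunk, "+[*] If symbol lookup fails, the raw address is currently printed.", does not say which kernel configuration the behaviour depends on. For v2, fold the KALLSYMS condition from the amendment above into the footnote itself, and state explicitly whether the not-enabled case prints the raw or the hashed address, since "the address is printed" leaves that open.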
Re: [PATCH] docs: add documentation on printing kernel addresses
On Wed, Dec 06, 2017 at 04:43:40PM -0800, Kees Cook wrote: > On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding wrote: > > Hashing addresses printed with printk specifier %p was implemented > > recently. During development a number of issues were raised regarding > > leaking kernel addresses to userspace. We should update the > > documentation appropriately. > > > > Add documentation regarding printing kernel addresses. > > > > Signed-off-by: Tobin C. Harding > > Acked-by: Kees Cook > > > --- > > > > Is there a proffered method for subscripts in sphinx kernel docs? Here > > we use '[*]' > > Great question... I can't find an answer to this. :P > > > > > thanks, > > Tobin. > > > > Documentation/security/self-protection.rst | 14 ++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/Documentation/security/self-protection.rst > > b/Documentation/security/self-protection.rst > > index 60c8bd8b77bf..e711280cfdd7 100644 > > --- a/Documentation/security/self-protection.rst > > +++ b/Documentation/security/self-protection.rst 
> > @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of > > both kernel memory > > addresses and kernel memory contents (since they may contain kernel > > addresses or other sensitive things like canary values). > > > > +Kernel addresses > > + > > + > > +Printing kernel addresses to userspace leaks sensitive information about > > +the kernel memory layout. Care should be exercised when using any printk > > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] > > +in certain circumstances [*]). Any file written to using one of these > > +specifiers should be readable only by privileged processes. > > + > > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 > > +addresses printed with the specifier %p are hashed before printing. > > + > > +[*] If symbol lookup fails, the raw address is currently printed. > > Is there a plan to adjust this case? RFC is in flight at the moment [RFC 0/3] kallsyms: don't leak address when printing symbol You commented already that you liked it. Had no response from Steve, I was intending to give him two weeks and then put in the patch for real. Or I could put it in without the ftrace stuff and just break tracing - just kidding, I wouldn't do that :) thanks, Tobin.
Re: [PATCH] docs: add documentation on printing kernel addresses
On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding wrote: > Hashing addresses printed with printk specifier %p was implemented > recently. During development a number of issues were raised regarding > leaking kernel addresses to userspace. We should update the > documentation appropriately. > > Add documentation regarding printing kernel addresses. > > Signed-off-by: Tobin C. Harding Acked-by: Kees Cook > --- > > Is there a proffered method for subscripts in sphinx kernel docs? Here > we use '[*]' Great question... I can't find an answer to this. :P > > thanks, > Tobin. > > Documentation/security/self-protection.rst | 14 ++ > 1 file changed, 14 insertions(+) > > diff --git a/Documentation/security/self-protection.rst > b/Documentation/security/self-protection.rst > index 60c8bd8b77bf..e711280cfdd7 100644 > --- a/Documentation/security/self-protection.rst > +++ b/Documentation/security/self-protection.rst 
> @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of > both kernel memory > addresses and kernel memory contents (since they may contain kernel > addresses or other sensitive things like canary values). > > +Kernel addresses > + > + > +Printing kernel addresses to userspace leaks sensitive information about > +the kernel memory layout. Care should be exercised when using any printk > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] > +in certain circumstances [*]). Any file written to using one of these > +specifiers should be readable only by privileged processes. > + > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 > +addresses printed with the specifier %p are hashed before printing. > + > +[*] If symbol lookup fails, the raw address is currently printed. Is there a plan to adjust this case? Thanks! -Kees > + > Unique identifiers > -- > > -- > 2.7.4 > -- Kees Cook Pixel Security
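Review bot: The "[*]" marker in "+in certain circumstances [*])." and the matching "+[*] If symbol lookup fails, ..." line are plain text, so the rendered document will show them as literal brackets with no link between reference and note. reStructuredText has auto-symbol footnotes for this: write the reference as "[*]_" and start the footnote body with ".. [*]", which gives a linked footnote and settles the question asked under the "---".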
[PATCH] docs: add documentation on printing kernel addresses
Hashing addresses printed with printk specifier %p was implemented recently. During development a number of issues were raised regarding leaking kernel addresses to userspace. We should update the documentation appropriately. Add documentation regarding printing kernel addresses. Signed-off-by: Tobin C. Harding --- Is there a proffered method for subscripts in sphinx kernel docs? Here we use '[*]' thanks, Tobin. Documentation/security/self-protection.rst | 14 ++ 1 file changed, 14 insertions(+) diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst index 60c8bd8b77bf..e711280cfdd7 100644 --- a/Documentation/security/self-protection.rst +++ b/Documentation/security/self-protection.rst @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory addresses and kernel memory contents (since they may contain kernel addresses or other sensitive things like canary values). +Kernel addresses + + +Printing kernel addresses to userspace leaks sensitive information about +the kernel memory layout. Care should be exercised when using any printk +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] +in certain circumstances [*]). Any file written to using one of these +specifiers should be readable only by privileged processes. + +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 +addresses printed with the specifier %p are hashed before printing. + +[*] If symbol lookup fails, the raw address is currently printed. + Unique identifiers -- -- 2.7.4
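Review bot: The bracket shorthand in "+specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]" reads as a character class, so a reader will expand it to %pa and %pd, and to %ps, %pS and %pb. If that is not exactly the set of specifiers meant, name each one individually, since a developer deciding whether a given format string exposes a raw address needs the list to be unambiguous. The word "currently" also means this list must be updated by hand whenever a specifier is added; a pointer to the printk format documentation next to the list would keep the two from drifting apart.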