From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752920AbdK0Wal (ORCPT ); Mon, 27 Nov 2017 17:30:41 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:51781 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752712AbdK0Wah (ORCPT ); Mon, 27 Nov 2017 17:30:37 -0500 X-ME-Sender: From: "Tobin C. Harding" To: kernel-hardening@lists.openwall.com Cc: "Tobin C. Harding" , linux-kernel@vger.kernel.org, Network Development , Steven Rostedt , Tycho Andersen , Daniel Borkmann , Masahiro Yamada , "David S. Miller" , Alexei Starovoitov Subject: [RFC 1/3] kallsyms: don't leak address when symbol not found Date: Tue, 28 Nov 2017 09:30:17 +1100 Message-Id: <1511821819-5496-2-git-send-email-me@tobin.cc> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1511821819-5496-1-git-send-email-me@tobin.cc> References: <1511821819-5496-1-git-send-email-me@tobin.cc> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently if kallsyms_lookup() fails to find the symbol then the address is printed. This potentially leaks sensitive information. Instead of printing the address we can return an error, giving the calling code the option to print the address or print some sanitized message. Return error instead of printing address to argument buffer. Leave buffer in a sane state. Signed-off-by: Tobin C. Harding --- kernel/kallsyms.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c index 531ffa984bc2..4bfa4ee3ce93 100644 --- a/kernel/kallsyms.c +++ b/kernel/kallsyms.c @@ -394,8 +394,10 @@ static int __sprint_symbol(char *buffer, unsigned long address, address += symbol_offset; name = kallsyms_lookup(address, &size, &offset, &modname, buffer); - if (!name) - return sprintf(buffer, "0x%lx", address - symbol_offset); + if (!name) { + buffer[0] = '\0'; + return -1; + } if (name != buffer) strcpy(buffer, name); -- 2.7.4 From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Tobin C. Harding" Date: Tue, 28 Nov 2017 09:30:17 +1100 Message-Id: <1511821819-5496-2-git-send-email-me@tobin.cc> In-Reply-To: <1511821819-5496-1-git-send-email-me@tobin.cc> References: <1511821819-5496-1-git-send-email-me@tobin.cc> Subject: [kernel-hardening] [RFC 1/3] kallsyms: don't leak address when symbol not found To: kernel-hardening@lists.openwall.com Cc: "Tobin C. Harding" , linux-kernel@vger.kernel.org, Network Development , Steven Rostedt , Tycho Andersen , Daniel Borkmann , Masahiro Yamada , "David S. Miller" , Alexei Starovoitov List-ID: Currently if kallsyms_lookup() fails to find the symbol then the address is printed. This potentially leaks sensitive information. Instead of printing the address we can return an error, giving the calling code the option to print the address or print some sanitized message. Return error instead of printing address to argument buffer. Leave buffer in a sane state. Signed-off-by: Tobin C. Harding --- kernel/kallsyms.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c index 531ffa984bc2..4bfa4ee3ce93 100644 --- a/kernel/kallsyms.c +++ b/kernel/kallsyms.c @@ -394,8 +394,10 @@ static int __sprint_symbol(char *buffer, unsigned long address, address += symbol_offset; name = kallsyms_lookup(address, &size, &offset, &modname, buffer); - if (!name) - return sprintf(buffer, "0x%lx", address - symbol_offset); + if (!name) { + buffer[0] = '\0'; + return -1; + } if (name != buffer) strcpy(buffer, name); -- 2.7.4