All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ilya Dryomov <idryomov@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Petr Mladek <pmladek@suse.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
	"Tobin C . Harding" <me@tobin.cc>
Subject: Re: [PATCH] vsprintf: don't obfuscate NULL and error pointers
Date: Tue, 18 Feb 2020 01:07:53 +0100	[thread overview]
Message-ID: <CAOi1vP-2uAD83Vi=Eebu_GPzq5DUt+z9zogA7BNGF1B1jUgAVw@mail.gmail.com> (raw)
In-Reply-To: <202002171546.A291F23F12@keescook>

On Tue, Feb 18, 2020 at 12:47 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Mon, Feb 17, 2020 at 11:28:03PM +0100, Ilya Dryomov wrote:
> > I don't see what security concern is addressed by obfuscating NULL
> > and IS_ERR() error pointers, printed with %p/%pK.  Given the number
> > of sites where %p is used (over 10000) and the fact that NULL pointers
> > aren't uncommon, it probably wouldn't take long for an attacker to
> > find the hash that corresponds to 0.  Although harder, the same goes
> > for most common error values, such as -1, -2, -11, -14, etc.
> >
> > The NULL part actually fixes a regression: NULL pointers weren't
> > obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when
> > dereferencing invalid pointers") which went into 5.2.  I'm tacking
> > the IS_ERR() part on here because error pointers won't leak kernel
> > addresses and printing them as pointers shouldn't be any different
> > from e.g. %d with PTR_ERR_OR_ZERO().  Obfuscating them just makes
> > debugging based on existing pr_debug and friends excruciating.
> >
> > Note that the "always print 0's for %pK when kptr_restrict == 2"
> > behaviour which goes way back is left as is.
> >
> > Example output with the patch applied:
> >
> >                             ptr         error-ptr              NULL
> > %p:            0000000001f8cc5b  fffffffffffffff2  0000000000000000
> > %pK, kptr = 0: 0000000001f8cc5b  fffffffffffffff2  0000000000000000
> > %px:           ffff888048c04020  fffffffffffffff2  0000000000000000
> > %pK, kptr = 1: ffff888048c04020  fffffffffffffff2  0000000000000000
> > %pK, kptr = 2: 0000000000000000  0000000000000000  0000000000000000
>
> This seems reasonable. Though I wonder -- since the efault string is
> exposed now -- should this instead print all the error-ptr strings
> instead of the unsigned negative pointer value?

I'm not sure what you mean by efault string.  Are you referring to what
%pe is doing?  If so, no -- I would keep %p and %pe separate.

Thanks,

                Ilya

  reply	other threads:[~2020-02-18  0:07 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-17 22:28 [PATCH] vsprintf: don't obfuscate NULL and error pointers Ilya Dryomov
2020-02-17 23:47 ` Kees Cook
2020-02-18  0:07   ` Ilya Dryomov [this message]
2020-02-18 10:33     ` Petr Mladek
2020-02-18 11:16       ` Ilya Dryomov
2020-02-18 16:50       ` Steven Rostedt
2020-02-19  2:13       ` Sergey Senozhatsky
2020-02-18 18:49     ` Linus Torvalds
2020-02-18 19:31       ` Adam Borowski
2020-02-18 19:38         ` Linus Torvalds
2020-02-18 20:19           ` Ilya Dryomov
2020-02-18 20:21             ` Linus Torvalds
2020-02-19  7:30             ` Rasmus Villemoes
2020-02-19  8:21           ` [PATCH] vsprintf: sanely handle NULL passed to %pe Rasmus Villemoes
2020-02-19  9:35             ` Andy Shevchenko
2020-02-19 11:20             ` Ilya Dryomov
2020-02-19 11:25               ` Andy Shevchenko
2020-02-19 11:29                 ` Ilya Dryomov
2020-02-19 11:53               ` Rasmus Villemoes
2020-02-19 13:48                 ` Petr Mladek
2020-02-19 13:56                   ` Rasmus Villemoes
2020-02-19 14:45                     ` Petr Mladek
2020-02-19 15:38                       ` Andy Shevchenko
2020-02-19 15:40                       ` Rasmus Villemoes
2020-02-19 17:23                         ` Ilya Dryomov
2020-02-20 12:57                         ` Petr Mladek
2020-02-20 15:02                           ` Ilya Dryomov
2020-02-21 13:05                             ` Petr Mladek
2020-02-21 23:52                               ` Rasmus Villemoes
2020-02-22  8:14                                 ` Andy Shevchenko
2020-02-24  9:55                                 ` Petr Mladek
2020-02-18 18:44 ` [PATCH] vsprintf: don't obfuscate NULL and error pointers Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAOi1vP-2uAD83Vi=Eebu_GPzq5DUt+z9zogA7BNGF1B1jUgAVw@mail.gmail.com' \
    --to=idryomov@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=me@tobin.cc \
    --cc=pmladek@suse.com \
    --cc=rdunlap@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=sergey.senozhatsky@gmail.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.