From: "Tobin C. Harding" <me@tobin.cc>
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding" <me@tobin.cc>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Theodore Ts'o" <tytso@mit.edu>,
"Kees Cook" <keescook@chromium.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Tycho Andersen" <tycho@tycho.ws>,
"Roberts, William C" <william.c.roberts@intel.com>,
"Tejun Heo" <tj@kernel.org>,
"Jordan Glover" <Golden_Miller83@protonmail.ch>,
"Greg KH" <gregkh@linuxfoundation.org>,
"Petr Mladek" <pmladek@suse.com>, "Joe Perches" <joe@perches.com>,
"Ian Campbell" <ijc@hellion.org.uk>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Will Deacon" <wilal.deacon@arm.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Chris Fries" <cfries@google.com>,
"Dave Weinstein" <olorin@google.com>,
"Daniel Micay" <danielmicay@gmail.com>,
"Djalal Harouni" <tixxdz@gmail.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
linux-kernel@vger.kernel.org,
"Network Development" <netdev@vger.kernel.org>,
"David Miller" <davem@davemloft.net>,
"Stephen Rothwell" <sfr@canb.auug.org.au>,
"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
"Alexander Potapenko" <glider@google.com>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Andrew Morton" <akpm@linux-foundation.org>
Subject: [PATCH V11 2/5] vsprintf: refactor %pK code out of pointer()
Date: Wed, 29 Nov 2017 13:05:02 +1100
Message-ID: <1511921105-3647-3-git-send-email-me@tobin.cc>
In-Reply-To: <1511921105-3647-1-git-send-email-me@tobin.cc>

Currently code to handle %pK is all within the switch statement in
pointer(). This is the wrong level of abstraction. Each of the other switch
clauses calls a helper function; pK should do the same.

Refactor code out of pointer() to new function restricted_pointer().

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
lib/vsprintf.c | 97 ++++++++++++++++++++++++++++++++--------------------------
1 file changed, 54 insertions(+), 43 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 1746bae94d41..8dc5cf85cef4 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1343,6 +1343,59 @@ char *uuid_string(char *buf, char *end, const u8 *addr,
return string(buf, end, uuid, spec);
}
+int kptr_restrict __read_mostly;
+
+static noinline_for_stack
+char *restricted_pointer(char *buf, char *end, const void *ptr,
+ struct printf_spec spec)
+{
+ spec.base = 16;
+ spec.flags |= SMALL;
+ if (spec.field_width == -1) {
+ spec.field_width = 2 * sizeof(ptr);
+ spec.flags |= ZEROPAD;
+ }
+
+ switch (kptr_restrict) {
+ case 0:
+ /* Always print %pK values */
+ break;
+ case 1: {
+ const struct cred *cred;
+
+ /*
+ * kptr_restrict==1 cannot be used in IRQ context
+ * because its test for CAP_SYSLOG would be meaningless.
+ */
+ if (in_irq() || in_serving_softirq() || in_nmi())
+ return string(buf, end, "pK-error", spec);
+
+ /*
+ * Only print the real pointer value if the current
+ * process has CAP_SYSLOG and is running with the
+ * same credentials it started with. This is because
+ * access to files is checked at open() time, but %pK
+ * checks permission at read() time. We don't want to
+ * leak pointer values if a binary opens a file using
+ * %pK and then elevates privileges before reading it.
+ */
+ cred = current_cred();
+ if (!has_capability_noaudit(current, CAP_SYSLOG) ||
+ !uid_eq(cred->euid, cred->uid) ||
+ !gid_eq(cred->egid, cred->gid))
+ ptr = NULL;
+ break;
+ }
+ case 2:
+ default:
+ /* Always print 0's for %pK */
+ ptr = NULL;
+ break;
+ }
+
+ return number(buf, end, (unsigned long)ptr, spec);
+}
+
static noinline_for_stack
char *netdev_bits(char *buf, char *end, const void *addr, const char *fmt)
{
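
Review bot: in restricted_pointer(), the number-formatting setup at the top (spec.base = 16, SMALL, and ZEROPAD together with the default field width) now runs before the in_irq() || in_serving_softirq() || in_nmi() early return, so the "pK-error" string is passed a spec carrying ZEROPAD and base 16, whereas the removed code set only field_width on that path. Whether string() ignores those fields is not visible in this patch, so either state in the commit message that the error output is unchanged, or keep only the field_width default at the top and apply base, SMALL and ZEROPAD just before the final number() call. The default width is also now spelled 2 * sizeof(ptr) instead of default_width; a short comment saying it is the width of a pointer in hex digits would help.
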
@@ -1591,8 +1644,6 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
return widen_string(buf, buf - buf_start, end, spec);
}
-int kptr_restrict __read_mostly;
-
/*
* Show a '%p' thing. A kernel extension is that the '%p' is followed
* by an extra set of alphanumeric characters that are extended format
@@ -1792,47 +1843,7 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
return buf;
}
case 'K':
- switch (kptr_restrict) {
- case 0:
- /* Always print %pK values */
- break;
- case 1: {
- const struct cred *cred;
-
- /*
- * kptr_restrict==1 cannot be used in IRQ context
- * because its test for CAP_SYSLOG would be meaningless.
- */
- if (in_irq() || in_serving_softirq() || in_nmi()) {
- if (spec.field_width == -1)
- spec.field_width = default_width;
- return string(buf, end, "pK-error", spec);
- }
-
- /*
- * Only print the real pointer value if the current
- * process has CAP_SYSLOG and is running with the
- * same credentials it started with. This is because
- * access to files is checked at open() time, but %pK
- * checks permission at read() time. We don't want to
- * leak pointer values if a binary opens a file using
- * %pK and then elevates privileges before reading it.
- */
- cred = current_cred();
- if (!has_capability_noaudit(current, CAP_SYSLOG) ||
- !uid_eq(cred->euid, cred->uid) ||
- !gid_eq(cred->egid, cred->gid))
- ptr = NULL;
- break;
- }
- case 2:
- default:
- /* Always print 0's for %pK */
- ptr = NULL;
- break;
- }
- break;
-
+ return restricted_pointer(buf, end, ptr, spec);
case 'N':
return netdev_bits(buf, end, ptr, fmt);
case 'a':
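
Review bot: case 'K' used to end in break and continue into whatever follows the switch in pointer(), which this hunk does not show, and it now returns straight from restricted_pointer(); since the commit message describes the change as a refactor, it should say that the helper reproduces that tail formatting and that %pK output is identical for kptr_restrict 0, 1 and 2. The removed lines were also a user of default_width, so check that pointer() still uses it elsewhere and drop the variable if not, to avoid an unused-variable warning. Minor style point: the blank line that separated this case from case 'N' is removed along with the old body; keep it.
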
--
2.7.4