From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752933AbdK2UyF (ORCPT ); Wed, 29 Nov 2017 15:54:05 -0500 Received: from smtprelay0109.hostedemail.com ([216.40.44.109]:39521 "EHLO smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751783AbdK2UyE (ORCPT ); Wed, 29 Nov 2017 15:54:04 -0500 X-Session-Marker: 6A6F6540706572636865732E636F6D X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,:::::::,RULES_HIT:41:355:379:541:599:800:960:968:973:988:989:1260:1277:1311:1313:1314:1345:1359:1373:1437:1515:1516:1518:1534:1541:1593:1594:1711:1730:1747:1777:1792:1801:2194:2199:2393:2553:2559:2562:2828:3138:3139:3140:3141:3142:3354:3622:3865:3866:3867:3868:3870:3871:3872:3873:3874:4321:4605:5007:6691:8568:10004:10400:10848:11232:11658:11914:12043:12296:12663:12740:12760:12895:13069:13311:13357:13439:14096:14097:14181:14659:14721:21067:21080:21324:21627:30012:30034:30054:30056:30090:30091,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:,MSBL:0,DNSBL:none,Custom_rules:0:0:0,LFtime:2,LUA_SUMMARY:none X-HE-Tag: page59_7a8d28fcaa73c X-Filterd-Recvd-Size: 2624 Message-ID: <1511988840.19952.76.camel@perches.com> Subject: Re: [GIT PULL] hash addresses printed with %p From: Joe Perches To: Linus Torvalds , "Tobin C. Harding" , Kees Cook Cc: LKML Date: Wed, 29 Nov 2017 12:54:00 -0800 In-Reply-To: References: <20171129045927.GA6217@eros> Content-Type: text/plain; charset="ISO-8859-1" X-Mailer: Evolution 3.26.1-1 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2017-11-29 at 11:39 -0800, Linus Torvalds wrote: > On Wed, Nov 29, 2017 at 11:22 AM, Linus Torvalds > wrote: > > > > What I didn't realize until after pulling this and testing, is that it > > completely breaks '%pK'. > > > > We've marked various sensitive pointers with %pK, but that is now > > _less_ secure than %p is, since it doesn't do the hashing because of > > how you refactored the %pK code out of 'pointer()' into its own > > function. > > > > So now %pK ends up using the plain "number()" function. Reading > > through the series I hadn't noticed that the refactoring ended up > > messing with that. > > > > I'll fix it up somehow. > > I ended up just doing this: > > case 'K': > + if (!kptr_restrict) > + break; > return restricted_pointer(buf, end, ptr, spec); > > which basically says that "if kptr_restrict isn't set, %pK is the same as %p". > > Now, I feel that we should probably get rid of 'restricted_pointer()' > entirely, since now the regular '%p' is arguably safer than '%pK' is, > but I also didn't want to mess with the case that I have never used > and that most distros don't seem to set. > > Alternatively, we might make the 'K' behavior of clearing the pointer > be in addition to the other flags, so that you could do '%pxK' and get > the old %pK behavior. But since I am not a huge fan of %pK to begin > with, I can't find it in myself to care too much. > > So I'll leave that for Kees & co to decide on. Comments? I'd prefer a global sed of '%pK' to '%pxK' and remove '%pK' altogether