[RFC,V2,2/6] lib: vsprintf: whitelist stack traces

Message ID	1506816410-10230-3-git-send-email-me@tobin.cc (mailing list archive)
State	New, archived
Headers	show Return-Path: <kernel-hardening-return-9970-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com> Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk From: "Tobin C. Harding" <me@tobin.cc> To: Greg KH <gregkh@linuxfoundation.org>, Petr Mladek <pmladek@suse.com>, Joe Perches <joe@perches.com>, Ian Campbell <ijc@hellion.org.uk>, Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Cc: "Tobin C. Harding" <me@tobin.cc>, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will.deacon@arm.com>, Steven Rostedt <rostedt@goodmis.org>, William Roberts <william.c.roberts@intel.com>, Chris Fries <cfries@google.com>, Dave Weinstein <olorin@google.com> Date: Sun, 1 Oct 2017 11:06:46 +1100 Message-Id: <1506816410-10230-3-git-send-email-me@tobin.cc> In-Reply-To: <1506816410-10230-1-git-send-email-me@tobin.cc> References: <1506816410-10230-1-git-send-email-me@tobin.cc> Subject: [kernel-hardening] [RFC V2 2/6] lib: vsprintf: whitelist stack traces

Tobin Harding Oct. 1, 2017, 12:06 a.m. UTC

Use the %pP functionality to explicitly allow kernel
pointers to be logged for stack traces.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
 arch/arm64/kernel/traps.c | 4 ++--
 kernel/printk/printk.c    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

Will Deacon Oct. 2, 2017, 10:42 a.m. UTC | #1

On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> Use the %pP functionality to explicitly allow kernel
> pointers to be logged for stack traces.
> 
> Signed-off-by: Tobin C. Harding <me@tobin.cc>
> ---
>  arch/arm64/kernel/traps.c | 4 ++--
>  kernel/printk/printk.c    | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> index 5ea4b85..fe09660 100644
> --- a/arch/arm64/kernel/traps.c
> +++ b/arch/arm64/kernel/traps.c
> @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
>  	struct stackframe frame;
>  	int skip;
>  
> -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);

Why do we care for pr_debug?

>  	if (!tsk)
>  		tsk = current;
> @@ -233,7 +233,7 @@ static int __die(const char *str, int err, struct pt_regs *regs)
>  
>  	print_modules();
>  	__show_regs(regs);
> -	pr_emerg("Process %.*s (pid: %d, stack limit = 0x%p)\n",
> +	pr_emerg("Process %.*s (pid: %d, stack limit = 0x%pP)\n",
>  		 TASK_COMM_LEN, tsk->comm, task_pid_nr(tsk),
>  		 end_of_stack(tsk));
>  
> diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> index 512f7c2..af0bc8e 100644
> --- a/kernel/printk/printk.c
> +++ b/kernel/printk/printk.c

It probably makes sense to keep this separate from arch/ changes

Will

Tobin Harding Oct. 2, 2017, 9:49 p.m. UTC | #2

On Mon, Oct 02, 2017 at 11:42:05AM +0100, Will Deacon wrote:
> On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> > Use the %pP functionality to explicitly allow kernel
> > pointers to be logged for stack traces.
> > 
> > Signed-off-by: Tobin C. Harding <me@tobin.cc>
> > ---
> >  arch/arm64/kernel/traps.c | 4 ++--
> >  kernel/printk/printk.c    | 2 +-
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> > index 5ea4b85..fe09660 100644
> > --- a/arch/arm64/kernel/traps.c
> > +++ b/arch/arm64/kernel/traps.c
> > @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
> >  	struct stackframe frame;
> >  	int skip;
> >  
> > -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> > +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);
> 
> Why do we care for pr_debug?

Thanks for the review Will. I did not do the original work on this series so do not know the
original intent behind this change. I tend to agree with your comment. Will remove this change for
v3.

> >  	if (!tsk)
> >  		tsk = current;
> > @@ -233,7 +233,7 @@ static int __die(const char *str, int err, struct pt_regs *regs)
> >  
> >  	print_modules();
> >  	__show_regs(regs);
> > -	pr_emerg("Process %.*s (pid: %d, stack limit = 0x%p)\n",
> > +	pr_emerg("Process %.*s (pid: %d, stack limit = 0x%pP)\n",
> >  		 TASK_COMM_LEN, tsk->comm, task_pid_nr(tsk),
> >  		 end_of_stack(tsk));
> >  
> > diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
> > index 512f7c2..af0bc8e 100644
> > --- a/kernel/printk/printk.c
> > +++ b/kernel/printk/printk.c
> 
> It probably makes sense to keep this separate from arch/ changes

Point noted.

thanks,
Tobin.

Greg KH Oct. 4, 2017, 8:56 a.m. UTC | #3

On Mon, Oct 02, 2017 at 11:42:05AM +0100, Will Deacon wrote:
> On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> > Use the %pP functionality to explicitly allow kernel
> > pointers to be logged for stack traces.
> > 
> > Signed-off-by: Tobin C. Harding <me@tobin.cc>
> > ---
> >  arch/arm64/kernel/traps.c | 4 ++--
> >  kernel/printk/printk.c    | 2 +-
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> > index 5ea4b85..fe09660 100644
> > --- a/arch/arm64/kernel/traps.c
> > +++ b/arch/arm64/kernel/traps.c
> > @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
> >  	struct stackframe frame;
> >  	int skip;
> >  
> > -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> > +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);
> 
> Why do we care for pr_debug?

Because you really want the real value?  Seems to make sense to me...

thanks,

greg k-h

Will Deacon Oct. 4, 2017, 8:58 a.m. UTC | #4

On Wed, Oct 04, 2017 at 10:56:57AM +0200, Greg KH wrote:
> On Mon, Oct 02, 2017 at 11:42:05AM +0100, Will Deacon wrote:
> > On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> > > Use the %pP functionality to explicitly allow kernel
> > > pointers to be logged for stack traces.
> > > 
> > > Signed-off-by: Tobin C. Harding <me@tobin.cc>
> > > ---
> > >  arch/arm64/kernel/traps.c | 4 ++--
> > >  kernel/printk/printk.c    | 2 +-
> > >  2 files changed, 3 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> > > index 5ea4b85..fe09660 100644
> > > --- a/arch/arm64/kernel/traps.c
> > > +++ b/arch/arm64/kernel/traps.c
> > > @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
> > >  	struct stackframe frame;
> > >  	int skip;
> > >  
> > > -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> > > +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);
> > 
> > Why do we care for pr_debug?
> 
> Because you really want the real value?  Seems to make sense to me...

Just seems like anybody debugging the kernel using pr_debug can probably
change /proc/sys/kernel/kptr_restrict...

Will

Greg KH Oct. 4, 2017, 9:02 a.m. UTC | #5

On Wed, Oct 04, 2017 at 09:58:10AM +0100, Will Deacon wrote:
> On Wed, Oct 04, 2017 at 10:56:57AM +0200, Greg KH wrote:
> > On Mon, Oct 02, 2017 at 11:42:05AM +0100, Will Deacon wrote:
> > > On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> > > > Use the %pP functionality to explicitly allow kernel
> > > > pointers to be logged for stack traces.
> > > > 
> > > > Signed-off-by: Tobin C. Harding <me@tobin.cc>
> > > > ---
> > > >  arch/arm64/kernel/traps.c | 4 ++--
> > > >  kernel/printk/printk.c    | 2 +-
> > > >  2 files changed, 3 insertions(+), 3 deletions(-)
> > > > 
> > > > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> > > > index 5ea4b85..fe09660 100644
> > > > --- a/arch/arm64/kernel/traps.c
> > > > +++ b/arch/arm64/kernel/traps.c
> > > > @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
> > > >  	struct stackframe frame;
> > > >  	int skip;
> > > >  
> > > > -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> > > > +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);
> > > 
> > > Why do we care for pr_debug?
> > 
> > Because you really want the real value?  Seems to make sense to me...
> 
> Just seems like anybody debugging the kernel using pr_debug can probably
> change /proc/sys/kernel/kptr_restrict...

Ok, fair enough :)

Tobin Harding Oct. 4, 2017, 10:42 a.m. UTC | #6

On Wed, Oct 04, 2017 at 11:02:55AM +0200, Greg KH wrote:
> On Wed, Oct 04, 2017 at 09:58:10AM +0100, Will Deacon wrote:
> > On Wed, Oct 04, 2017 at 10:56:57AM +0200, Greg KH wrote:
> > > On Mon, Oct 02, 2017 at 11:42:05AM +0100, Will Deacon wrote:
> > > > On Sun, Oct 01, 2017 at 11:06:46AM +1100, Tobin C. Harding wrote:
> > > > > Use the %pP functionality to explicitly allow kernel
> > > > > pointers to be logged for stack traces.
> > > > > 
> > > > > Signed-off-by: Tobin C. Harding <me@tobin.cc>
> > > > > ---
> > > > >  arch/arm64/kernel/traps.c | 4 ++--
> > > > >  kernel/printk/printk.c    | 2 +-
> > > > >  2 files changed, 3 insertions(+), 3 deletions(-)
> > > > > 
> > > > > diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
> > > > > index 5ea4b85..fe09660 100644
> > > > > --- a/arch/arm64/kernel/traps.c
> > > > > +++ b/arch/arm64/kernel/traps.c
> > > > > @@ -147,7 +147,7 @@ void dump_backtrace(struct pt_regs *regs, struct task_struct *tsk)
> > > > >  	struct stackframe frame;
> > > > >  	int skip;
> > > > >  
> > > > > -	pr_debug("%s(regs = %p tsk = %p)\n", __func__, regs, tsk);
> > > > > +	pr_debug("%s(regs = %pP tsk = %pP)\n", __func__, regs, tsk);
> > > > 
> > > > Why do we care for pr_debug?
> > > 
> > > Because you really want the real value?  Seems to make sense to me...
> > 
> > Just seems like anybody debugging the kernel using pr_debug can probably
> > change /proc/sys/kernel/kptr_restrict...
> 
> Ok, fair enough :)

For what its worth I agree with Will.

[RFC,V2,2/6] lib: vsprintf: whitelist stack traces

Commit Message

Comments

Patch