From patchwork Mon Oct  9 02:59:05 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tobin Harding <me@tobin.cc>
X-Patchwork-Id: 9992123
Return-Path: 
 <kernel-hardening-return-10095-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5C34D60231 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon,  9 Oct 2017 02:59:50 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 55EF9285E2
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon,  9 Oct 2017 02:59:50 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4AD642869A; Mon,  9 Oct 2017 02:59:50 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 6B636285E2
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon,  9 Oct 2017 02:59:48 +0000 (UTC)
Received: (qmail 11287 invoked by uid 550); 9 Oct 2017 02:59:46 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 10217 invoked from network); 9 Oct 2017 02:59:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobin.cc; h=cc
	:date:from:message-id:subject:to:x-me-sender:x-me-sender
	:x-sasl-enc:x-sasl-enc; s=fm1; bh=z1vq/rv8tHp+HyfRi0tJVQ/Du8k/mU
	A07PSuADJnlZA=; b=VQveYBZ0OXHoWFIQIto1YbVYK9QYDdVdrg9/kQMxvXvWdM
	CAeNRPSbgAxVYL9BLHwutnlhznKYTrj4guBmTmvzh1tq+InqNoX7xombeWUV8m/p
	t6oMWA2XXuG0xfJR2PHWSV/2A1yQ6xfaUDEVjD6ce2v1uME0J9X6n/LHNVlUSqYf
	Fwu6K2DQGXspi2HG+IYVOZ20dhq9vFDQUU6/P/4blqTS0ZbslAbfkBht3ZZAfqt1
	TetCgHQsNXHlSuxiF5yRwMzoe2QbdbvwGNOxXXVY+8lqtIL0bakb1EXuWwzAzGzK
	fit9NpJw4/I1OwevFVdfwqutKd5KNnPnmqcfuG3Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:date:from:message-id:subject:to
	:x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=z1vq/r
	v8tHp+HyfRi0tJVQ/Du8k/mUA07PSuADJnlZA=; b=dI5kKiTnsIxkbxtOJkVFY6
	AfQ1iL2hBidMVyTVZTaXCJQ8FNc5Q4XMxcOfyqToetJ+s0fTOCF6AHmEWMOSEUlo
	4TfblZitmGSTkpDoamNZKFHgAhBzAPKnw0TcSAjJw4v0CtxpJMVSKWmEsFwS4Wfq
	RkjbNSVj7uinkajYFZioGo7G8W8Ay1XrBhWw0U1ODEL0R6wmb7PYlQp4SL8nqHLV
	doXe5no5VKESPBujjuapzhzZ/hzGce7GtkKLnsKKQ+GHTtoSU+kJajTotnRbGlx5
	HmlCSdp6N+NvOc26EGSRlSIvXxOSpQygZ0NRAXUl0rtKe6JfX2+9qENYnPe/HplQ
	==
X-ME-Sender: <xms:FebaWTAd0zWVsf-MN2Bj0FfZLbNX3nC_NqMx4ntIqQqj92AYU-c2aA>
X-Sasl-enc: 9UKduc8VpRrEOaP2n036VzjZg+A7B0s1uYXVMULQ38Mw 1507517972
From: "Tobin C. Harding" <me@tobin.cc>
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding" <me@tobin.cc>,
	linux-kernel@vger.kernel.org
Date: Mon,  9 Oct 2017 13:59:05 +1100
Message-Id: <1507517945-27155-1-git-send-email-me@tobin.cc>
X-Mailer: git-send-email 2.7.4
Subject: [kernel-hardening] [PATCH] lib/vsprintf: add default case to 'i'
	specifier
X-Virus-Scanned: ClamAV using ClamSMTP

%pi leaks kernel addresses if incorrectly specified.

Currently the printk specifier %pi (%pI) contains a switch statement
without a default clause. The %pi specifier requires a subsequent
character (4, 6, or S) controlling the output. If the specifier is
incomplete the switch statement will fall through and print the variable
argument address in hex instead of the value of the argument (as an IP
address).

If uncaught this leaks kernel addresses into dmesg. We can return an
error string to make the bug visible and stop addresses leaking.

Add a default clause returning an error string, stops leaking addresses
and makes the buggy code

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
 lib/vsprintf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 86c3385b9eb3..155702f05b14 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1775,6 +1775,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
 			default:
 				return string(buf, end, "(invalid address)", spec);
 			}}
+		default:
+			return string(buf, end, "(invalid specifier, form: %pi4)", spec);
 		}
 		break;
 	case 'E':