diff mbox

[v4] printk: hash addresses printed with %p

Message ID 1508300515-28824-1-git-send-email-me@tobin.cc (mailing list archive)
State New, archived
Headers show

Commit Message

Tobin Harding Oct. 18, 2017, 4:21 a.m. UTC
Currently there are many places in the kernel where addresses are being
printed using an unadorned %p. Kernel pointers should be printed using
%pK allowing some control via the kptr_restrict sysctl. Exposing addresses
gives attackers sensitive information about the kernel layout in memory.

We can reduce the attack surface by hashing all addresses printed with
%p. This will of course break some users, forcing code printing needed
addresses to be updated.

For what it's worth, usage of unadorned %p can be broken down as
follows (thanks to Joe Perches).

$ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c
   1084 arch
     20 block
     10 crypto
     32 Documentation
   8121 drivers
   1221 fs
    143 include
    101 kernel
     69 lib
    100 mm
   1510 net
     40 samples
      7 scripts
     11 security
    166 sound
    152 tools
      2 virt

Add function ptr_to_id() to map an address to a 32 bit unique identifier.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---

V4:
 - Remove changes to siphash.{ch}        
 - Do word size check, and return value cast, directly in ptr_to_id().
 - Use add_ready_random_callback() to guard call to get_random_bytes()

V3:
 - Use atomic_xchg() to guard setting [random] key.
 - Remove erroneous white space change.

V2:
 - Use SipHash to do the hashing.

The discussion related to this patch has been fragmented. There are
three threads associated with this patch. Email threads by subject:

[PATCH] printk: hash addresses printed with %p
[PATCH 0/3] add %pX specifier
[kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options

 lib/vsprintf.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 71 insertions(+), 3 deletions(-)

Comments

Sergey Senozhatsky Oct. 18, 2017, 5:44 a.m. UTC | #1
On (10/18/17 15:21), Tobin C. Harding wrote:
[..]
> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 86c3385b9eb3..4609738cd2cd 100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -33,6 +33,8 @@
>  #include <linux/uuid.h>
>  #include <linux/of.h>
>  #include <net/addrconf.h>
> +#include <linux/siphash.h>
> +#include <linux/spinlock.h>
>  #ifdef CONFIG_BLOCK
>  #include <linux/blkdev.h>
>  #endif
> @@ -1591,6 +1593,70 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
>  	return widen_string(buf, buf - buf_start, end, spec);
>  }
>  
> +/* protects ptr_secret and have_key */
> +DEFINE_SPINLOCK(key_lock);
> +static siphash_key_t ptr_secret __read_mostly;
> +static atomic_t have_key = ATOMIC_INIT(0);
> +
> +static int initialize_ptr_secret(void)
> +{
> +	spin_lock(&key_lock);
> +	if (atomic_read(&have_key) == 1)
> +		goto unlock;
> +
> +	get_random_bytes(&ptr_secret, sizeof(ptr_secret));
> +	atomic_set(&have_key, 1);
> +
> +unlock:
> +	spin_unlock(&key_lock);
> +	return 0;
> +}

is this spinlock legal? what happens if we are getting interrupted by NMI?

printk()
 vprintk_emit()
  vscnprintf()
   pointer()
    ptr_to_id()
     initialize_ptr_secret()
      spin_lock(&key_lock)

----> NMI

      printk()
       printk_safe_log_store()
        vscnprintf()
         pointer()
          ptr_to_id()
           initialize_ptr_secret()
            spin_lock(&key_lock)   <<<<


or am I completely misreading the patch? sorry if so.

	-ss
Tobin Harding Oct. 18, 2017, 6:04 a.m. UTC | #2
On Wed, Oct 18, 2017 at 02:44:31PM +0900, Sergey Senozhatsky wrote:
> On (10/18/17 15:21), Tobin C. Harding wrote:
> [..]
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> > index 86c3385b9eb3..4609738cd2cd 100644
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -33,6 +33,8 @@
> >  #include <linux/uuid.h>
> >  #include <linux/of.h>
> >  #include <net/addrconf.h>
> > +#include <linux/siphash.h>
> > +#include <linux/spinlock.h>
> >  #ifdef CONFIG_BLOCK
> >  #include <linux/blkdev.h>
> >  #endif
> > @@ -1591,6 +1593,70 @@ char *device_node_string(char *buf, char *end, struct device_node *dn,
> >  	return widen_string(buf, buf - buf_start, end, spec);
> >  }
> >  
> > +/* protects ptr_secret and have_key */
> > +DEFINE_SPINLOCK(key_lock);
> > +static siphash_key_t ptr_secret __read_mostly;
> > +static atomic_t have_key = ATOMIC_INIT(0);
> > +
> > +static int initialize_ptr_secret(void)
> > +{
> > +	spin_lock(&key_lock);
> > +	if (atomic_read(&have_key) == 1)
> > +		goto unlock;
> > +
> > +	get_random_bytes(&ptr_secret, sizeof(ptr_secret));
> > +	atomic_set(&have_key, 1);
> > +
> > +unlock:
> > +	spin_unlock(&key_lock);
> > +	return 0;
> > +}
> 
> is this spinlock legal? what happens if we are getting interrupted by NMI?

I think we can do without the spinlock. I think I was already told that when
I tried to put it [some where else] in v1.

It's fun failing in public ;)

> printk()
>  vprintk_emit()
>   vscnprintf()
>    pointer()
>     ptr_to_id()
>      initialize_ptr_secret()
>       spin_lock(&key_lock)
> 
> ----> NMI
> 
>       printk()
>        printk_safe_log_store()
>         vscnprintf()
>          pointer()
>           ptr_to_id()
>            initialize_ptr_secret()
>             spin_lock(&key_lock)   <<<<
> 
> 
> or am I completely misreading the patch? sorry if so.
> 
> 	-ss

thanks,
Tobin.
Sergey Senozhatsky Oct. 19, 2017, midnight UTC | #3
On (10/18/17 17:04), Tobin C. Harding wrote:
[..]
> > > +/* protects ptr_secret and have_key */
> > > +DEFINE_SPINLOCK(key_lock);
> > > +static siphash_key_t ptr_secret __read_mostly;
> > > +static atomic_t have_key = ATOMIC_INIT(0);
> > > +
> > > +static int initialize_ptr_secret(void)
> > > +{
> > > +	spin_lock(&key_lock);
> > > +	if (atomic_read(&have_key) == 1)
> > > +		goto unlock;
> > > +
> > > +	get_random_bytes(&ptr_secret, sizeof(ptr_secret));
> > > +	atomic_set(&have_key, 1);
> > > +
> > > +unlock:
> > > +	spin_unlock(&key_lock);
> > > +	return 0;
> > > +}
> > 
> > is this spinlock legal? what happens if we are getting interrupted by NMI?
> 
> I think we can do without the spinlock. I think I was already told that when
> I tried to put it [some where else] in v1.
> 
> It's fun failing in public ;)

another note is that printk()->vscnprintf()->get_random_bytes()->warn_unseeded_randomness()
causes a printk() recursion, but we should be fine now, we are in printk_safe
mode by the time we vscnprintf().

but a bigger problem might the following thing:

vscnprintf()
 pointer()
  ptr_to_id()
   initialize_ptr_secret()
    get_random_bytes()
     _get_random_bytes()
      extract_crng()
       _extract_crng()
        spin_lock_irqsave(&crng->lock, flags);   <<<<<


this, once again, can deadlock. can it? just like before:

> > printk()
> >  vprintk_emit()
> >   vscnprintf()
> >    pointer()
> >     ptr_to_id()
> >      initialize_ptr_secret()
> >       spin_lock(&key_lock)
> > 
> > ----> NMI
> > 
> >       printk()
> >        printk_safe_log_store()
> >         vscnprintf()
> >          pointer()
> >           ptr_to_id()
> >            initialize_ptr_secret()
> >             spin_lock(&key_lock)   <<<<

	-ss
diff mbox

Patch

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 86c3385b9eb3..4609738cd2cd 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -33,6 +33,8 @@ 
 #include <linux/uuid.h>
 #include <linux/of.h>
 #include <net/addrconf.h>
+#include <linux/siphash.h>
+#include <linux/spinlock.h>
 #ifdef CONFIG_BLOCK
 #include <linux/blkdev.h>
 #endif
@@ -1591,6 +1593,70 @@  char *device_node_string(char *buf, char *end, struct device_node *dn,
 	return widen_string(buf, buf - buf_start, end, spec);
 }
 
+/* protects ptr_secret and have_key */
+DEFINE_SPINLOCK(key_lock);
+static siphash_key_t ptr_secret __read_mostly;
+static atomic_t have_key = ATOMIC_INIT(0);
+
+static int initialize_ptr_secret(void)
+{
+	spin_lock(&key_lock);
+	if (atomic_read(&have_key) == 1)
+		goto unlock;
+
+	get_random_bytes(&ptr_secret, sizeof(ptr_secret));
+	atomic_set(&have_key, 1);
+
+unlock:
+	spin_unlock(&key_lock);
+	return 0;
+}
+
+static void schedule_async_key_init(struct random_ready_callback *rdy)
+{
+	initialize_ptr_secret();
+}
+
+/* Maps a pointer to a 32 bit unique identifier. */
+static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec)
+{
+	static struct random_ready_callback random_ready;
+	unsigned int hashval;
+	int err;
+
+	if (atomic_read(&have_key) == 0) {
+		random_ready.owner = NULL;
+		random_ready.func = schedule_async_key_init;
+
+		err = add_random_ready_callback(&random_ready);
+
+		switch (err) {
+		case 0:
+			return "(pointer value)";
+
+		case -EALREADY:
+			initialize_ptr_secret();
+			break;
+
+		default:
+			/* shouldn't get here */
+			return "(ptr_to_id() error)";
+		}
+	}
+
+#ifdef CONFIG_64BIT
+	hashval = (unsigned int)siphash_1u64((u64)ptr, &ptr_secret);
+#else
+	hashval = (unsigned int)siphash_1u32((u32)ptr, &ptr_secret);
+#endif
+
+	spec.field_width = 2 + 2 * sizeof(unsigned int); /* 0x + hex */
+	spec.flags = SPECIAL | SMALL | ZEROPAD;
+	spec.base = 16;
+
+	return number(buf, end, hashval, spec);
+}
+
 int kptr_restrict __read_mostly;
 
 /*
@@ -1703,6 +1769,9 @@  int kptr_restrict __read_mostly;
  * Note: The difference between 'S' and 'F' is that on ia64 and ppc64
  * function pointers are really function descriptors, which contain a
  * pointer to the real address.
+ *
+ * Default behaviour (unadorned %p) is to hash the address, rendering it useful
+ * as a unique identifier.
  */
 static noinline_for_stack
 char *pointer(const char *fmt, char *buf, char *end, void *ptr,
@@ -1858,14 +1927,13 @@  char *pointer(const char *fmt, char *buf, char *end, void *ptr,
 			return device_node_string(buf, end, ptr, spec, fmt + 1);
 		}
 	}
-	spec.flags |= SMALL;
+
 	if (spec.field_width == -1) {
 		spec.field_width = default_width;
 		spec.flags |= ZEROPAD;
 	}
-	spec.base = 16;
 
-	return number(buf, end, (unsigned long) ptr, spec);
+	return ptr_to_id(buf, end, ptr, spec);
 }
 
 /*