From patchwork Mon Oct 23 22:33:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tobin Harding X-Patchwork-Id: 10023313 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2A43660381 for ; Mon, 23 Oct 2017 22:33:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1CD09269DA for ; Mon, 23 Oct 2017 22:33:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 10BD7286C4; Mon, 23 Oct 2017 22:33:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id DF415269DA for ; Mon, 23 Oct 2017 22:33:54 +0000 (UTC) Received: (qmail 26009 invoked by uid 550); 23 Oct 2017 22:33:52 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 25971 invoked from network); 23 Oct 2017 22:33:51 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobin.cc; h=cc :date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ivgc1zNIkW+Tl7XvUpiEQKdpDjiJF2VV6ixEMVaUF SM=; b=koJ3LUuXYR+URiyGXaX5+YjEMR6hTcCsN3Sh7Ki3C9AqDIVQvfD4qL3My j7fgFzyhDOrQlyydVOEDHu7TTcK7+i9R/6MJVc30R1HIIVBcaNcd1u/31LMXBCfo oiYpoT1rV1cpkUui4HLOcxUiEhBrmP6zSU5UPMSqWC15tEuVqHvMBmaxpXH0kswK py51zjJmwpswNMtDDZnLenelzyYrdrsCYgvmyngVw9H248jthIVinWJVt5wKXmjI +2XIN4CU2TxQitEGdyaoLJXi5/bYTFR4OJCQ4PvMcWJnjCx72vJm74BbVMj6+94q ySqq+7z7K4b0qEDLE828lMhOIsehg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=ivgc1zNIkW+Tl7XvU piEQKdpDjiJF2VV6ixEMVaUFSM=; b=SmbQ2kFAKN2ia40y7m7MpKs97MyXEPb8W /Natpy7R7ozrOf7t+GeErEEA56Va/ywm0XDPfNQ/o0iNMVnU9QeHMnjxUyov/r5l pIWiKFnkqK6TV4iYAy+cOXIlr7YOo/PSShVhYVo++pN6UUzcpxHTrJsZx4ywilIK NQ6GxHfVm3IWGZ5f4o88rChb+Bkvae6ON3CoYkr0cqZlti/CXypFw9CndV5cUMiQ 11HjYWq6NpESd/IYQA0CaMUx/Xgxg+GzV+iwbGONegtUjvvE3Zr3iGOkTd/lU8z7 /+2ony71rTdi6GQzZbLtjW1UlCACZkDKu9TP1WwDUwiX77tKav9mg== X-ME-Sender: From: "Tobin C. Harding" To: kernel-hardening@lists.openwall.com Cc: "Tobin C. Harding" , "Jason A. Donenfeld" , Theodore Ts'o , Linus Torvalds , Kees Cook , Paolo Bonzini , Tycho Andersen , "Roberts, William C" , Tejun Heo , Jordan Glover , Greg KH , Petr Mladek , Joe Perches , Ian Campbell , Sergey Senozhatsky , Catalin Marinas , Will Deacon , Steven Rostedt , Chris Fries , Dave Weinstein , Daniel Micay , Djalal Harouni , linux-kernel@vger.kernel.org Date: Tue, 24 Oct 2017 09:33:28 +1100 Message-Id: <1508798008-1692-1-git-send-email-me@tobin.cc> X-Mailer: git-send-email 2.7.4 Subject: [kernel-hardening] [PATCH v7] printk: hash addresses printed with %p X-Virus-Scanned: ClamAV using ClamSMTP Currently there are many places in the kernel where addresses are being printed using an unadorned %p. Kernel pointers should be printed using %pK allowing some control via the kptr_restrict sysctl. Exposing addresses gives attackers sensitive information about the kernel layout in memory. We can reduce the attack surface by hashing all addresses printed with %p. This will of course break some users, forcing code printing needed addresses to be updated. For what it's worth, usage of unadorned %p can be broken down as follows (thanks to Joe Perches). $ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c 1084 arch 20 block 10 crypto 32 Documentation 8121 drivers 1221 fs 143 include 101 kernel 69 lib 100 mm 1510 net 40 samples 7 scripts 11 security 166 sound 152 tools 2 virt Add function ptr_to_id() to map an address to a 32 bit unique identifier. Signed-off-by: Tobin C. Harding Reviewed-by: Jason A. Donenfeld --- V7: - Use tabs instead of spaces (ouch!). V6: - Use __early_initcall() to fill the SipHash key. - Use static keys to guard hashing before the key is available. V5: - Remove spin lock. - Add Jason A. Donenfeld to CC list by request. - Add Theodore Ts'o to CC list due to comment on previous version. V4: - Remove changes to siphash.{ch} - Do word size check, and return value cast, directly in ptr_to_id(). - Use add_ready_random_callback() to guard call to get_random_bytes() V3: - Use atomic_xchg() to guard setting [random] key. - Remove erroneous white space change. V2: - Use SipHash to do the hashing. The discussion related to this patch has been fragmented. There are three threads associated with this patch. Email threads by subject: [PATCH] printk: hash addresses printed with %p [PATCH 0/3] add %pX specifier [kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options lib/vsprintf.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 86c3385b9eb3..3faecf219412 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -33,6 +33,7 @@ #include #include #include +#include #ifdef CONFIG_BLOCK #include #endif @@ -1591,6 +1592,55 @@ char *device_node_string(char *buf, char *end, struct device_node *dn, return widen_string(buf, buf - buf_start, end, spec); } +static siphash_key_t ptr_secret __read_mostly; +static DEFINE_STATIC_KEY_TRUE(no_ptr_secret); + +static void fill_random_ptr_key(struct random_ready_callback *rdy) +{ + get_random_bytes(&ptr_secret, sizeof(ptr_secret)); + static_branch_disable(&no_ptr_secret); +} + +static struct random_ready_callback random_ready = { + .func = fill_random_ptr_key +}; + +static int __init initialize_ptr_random(void) +{ + int ret = add_random_ready_callback(&random_ready); + + if (!ret) + return 0; + else if (ret == -EALREADY) { + fill_random_ptr_key(&random_ready); + return 0; + } + + return ret; +} +early_initcall(initialize_ptr_random); + +/* Maps a pointer to a 32 bit unique identifier. */ +static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec) +{ + unsigned int hashval; + + if (static_branch_unlikely(&no_ptr_secret)) + return "(pointer value)"; + +#ifdef CONFIG_64BIT + hashval = (unsigned int)siphash_1u64((u64)ptr, &ptr_secret); +#else + hashval = (unsigned int)siphash_1u32((u32)ptr, &ptr_secret); +#endif + + spec.field_width = 2 * sizeof(unsigned int); + spec.flags = SMALL; + spec.base = 16; + + return number(buf, end, hashval, spec); +} + int kptr_restrict __read_mostly; /* @@ -1703,6 +1753,9 @@ int kptr_restrict __read_mostly; * Note: The difference between 'S' and 'F' is that on ia64 and ppc64 * function pointers are really function descriptors, which contain a * pointer to the real address. + * + * Note: The default behaviour (unadorned %p) is to hash the address, + * rendering it useful as a unique identifier. */ static noinline_for_stack char *pointer(const char *fmt, char *buf, char *end, void *ptr, @@ -1857,7 +1910,11 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, case 'F': return device_node_string(buf, end, ptr, spec, fmt + 1); } + default: /* default is to _not_ leak addresses, hash before printing */ + return ptr_to_id(buf, end, ptr, spec); } + + /* OK, let's print the address */ spec.flags |= SMALL; if (spec.field_width == -1) { spec.field_width = default_width;