On Wed, Aug 17, 2022 at 12:55:40PM -0700, Andrew Morton wrote:
> Add the function dump_stack_print_cmdline() which can be used by arch code
> to print the command line of the current processs. This function is
> useful in arch code when dumping information for a faulting process.
>
> Wire this function up in the dump_stack_print_info() function to include
> the dumping of the command line for architectures which use
> dump_stack_print_info().
>
> As an example, with this patch a failing glibc testcase (which uses
> ld.so.1 as starting program) up to now reported just "ld.so.1" failing:
>
> do_page_fault() command='ld.so.1' type=15 address=0x565921d8 in libc.so[f7339000+1bb000]
> trap #15: Data TLB miss fault, vm_start = 0x0001a000, vm_end = 0x0001b000
>
> and now it reports in addition:
>
> ld.so.1[1151] cmdline: /home/gnu/glibc/objdir/elf/ld.so.1 --library-path =
> /home/gnu/glibc/objdir:/home/gnu/glibc/objdir/math:/home/gnu/
> /home/gnu/glibc/objdir/malloc/tst-safe-linking-malloc-hugetlb1
>
> Josh Triplett noted that dumping such command line parameters into syslog
> may theoretically lead to information disclosure. That's why this patch
> checks the value of the kptr_restrict sysctl variable and will not print
> any information if kptr_restrict==2, and will not show the program
> parameters if kptr_restrict==1.
This whole feature needs its own sysctl. How is "kernel pointer restriction"
is related to "dump full command line to syslog at segfault"?
I've checked my non-customised Fedora system and kptr_restrict is 0.
It looks like Centos and Ubuntu ship with kptr_restrict=1.
There was a patch recently to hide specific command line options from
/proc/*/cmdline because some programs accept passwords from the command
line.
On 8/18/22 07:50, Alexey Dobriyan wrote:
> On Wed, Aug 17, 2022 at 12:55:40PM -0700, Andrew Morton wrote:
>> Add the function dump_stack_print_cmdline() which can be used by arch code
>> to print the command line of the current processs. This function is
>> useful in arch code when dumping information for a faulting process.
>>
>> Wire this function up in the dump_stack_print_info() function to include
>> the dumping of the command line for architectures which use
>> dump_stack_print_info().
>>
>> As an example, with this patch a failing glibc testcase (which uses
>> ld.so.1 as starting program) up to now reported just "ld.so.1" failing:
>>
>> do_page_fault() command='ld.so.1' type=15 address=0x565921d8 in libc.so[f7339000+1bb000]
>> trap #15: Data TLB miss fault, vm_start = 0x0001a000, vm_end = 0x0001b000
>>
>> and now it reports in addition:
>>
>> ld.so.1[1151] cmdline: /home/gnu/glibc/objdir/elf/ld.so.1 --library-path =
>> /home/gnu/glibc/objdir:/home/gnu/glibc/objdir/math:/home/gnu/
>> /home/gnu/glibc/objdir/malloc/tst-safe-linking-malloc-hugetlb1
>>
>> Josh Triplett noted that dumping such command line parameters into syslog
>> may theoretically lead to information disclosure. That's why this patch
>> checks the value of the kptr_restrict sysctl variable and will not print
>> any information if kptr_restrict==2, and will not show the program
>> parameters if kptr_restrict==1.
>
> This whole feature needs its own sysctl. How is "kernel pointer restriction"
> is related to "dump full command line to syslog at segfault"?
Usually if you enable one of those b/c of security concerns, then you probably
want to enable the other as well. So, to some degree it makes sense.
The original discussion is here:
https://lore.kernel.org/lkml/[email protected]/T/#mfa009226e45e2420db5e7f4e980e381be6434448
But I'm fine with adding another sysctl too, if that's the preferred solution.
If so, any suggestions?
And, the sysctl could be added later too...
> I've checked my non-customised Fedora system and kptr_restrict is 0.
> It looks like Centos and Ubuntu ship with kptr_restrict=1.
... which seems ok then, IMHO.
> There was a patch recently to hide specific command line options from
> /proc/*/cmdline because some programs accept passwords from the command
> line.
Do you have a link to that?
Helge