Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752623AbdCOHdW (ORCPT <rfc822;w@1wt.eu>);
        Wed, 15 Mar 2017 03:33:22 -0400
Received: from mailout1.w1.samsung.com ([210.118.77.11]:43877 "EHLO
        mailout1.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752578AbdCOHdI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 Mar 2017 03:33:08 -0400
X-AuditID: cbfec7f5-f79d06d000004445-6c-58c8ee2b52d5
Subject: Re: [PATCH] drm/exynos: Print kernel pointers in a restricted form
To: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>,
        Krzysztof Kozlowski <krzk@kernel.org>
Cc: Inki Dae <inki.dae@samsung.com>,
        Joonyoung Shim <jy0922.shim@samsung.com>,
        Seung-Woo Kim <sw0312.kim@samsung.com>,
        Kyungmin Park <kyungmin.park@samsung.com>,
        David Airlie <airlied@linux.ie>, Kukjin Kim <kgene@kernel.org>,
        Javier Martinez Canillas <javier@osg.samsung.com>,
        dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org,
        linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org
From: Andrzej Hajda <a.hajda@samsung.com>
Message-id: <ee50f87d-d79e-d74e-25b3-091c49a5e1d4@samsung.com>
Date: Wed, 15 Mar 2017 08:32:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
        Thunderbird/45.7.0
MIME-version: 1.0
In-reply-to: <e147ef15-0f7c-19f0-8e1b-db6a75930932@math.uni-bielefeld.de>
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0hTYRjHeXfO2Tlaq9PUfJqlMChIcSUYnLLEyOBEfai+tKSwoQddummb
        SnYhtRIv5TVKhqJFRpl52YaXNG+lm4hTyzSpVFJMU9fSjCQduYvgt9/zPv/n8n94KUzYQogo
        uTKBUyllsWK+K17XtWzy9zMbpfuNk8DcN3XzmMGln3ymYCwPZ+bmK3nM9OgAzuROzGJMX18N
        yfSmzZGMdmKIYD68LuYzRX0tPKaocIbPpL+0ECECVluRyWfr/4wT7Fi2gcfqnt5irV0kq8/9
        SrI5+grELmq9T1NhrocjuVh5EqfaF3zJNbovpxrFv/K8erctn0hBv4RZyIUCOhA6mp8QDt4O
        /aPV/CzkSgnpcgTG1OfOYBHBautnfL1iTN9EOBLPEFgazTxHMIWgLaMTs6nc6JNQ/77azu50
        GPSmlCCbCKPLMSgeSLG34tN7YVU3wrexgA6GO51Ddsbp3aBvMiEbe9BSaPh0z6nZBn8LR+21
        LvQJWMh/ZB+ArfWZ/l2AO9gHdJXzmGPVbyT0T64ZpdZ4F2jbnM+hULpSQjrYDX4Y9E7eCZkZ
        7XYzQGcjWMg1ko7gAQKrpchZHQRvDQOEY9gWKKizLWEbIICMdOdRWRgfLnPKj0LllxfOCz3G
        YLnWSuYhH80GP5oNHjQbPJQhrAK5c4lqRRSnPiBRyxTqRGWUJCJOoUVrv6rHalhqQOVdhzoQ
        TSHxZkHNgkEqJGRJ6mRFBwIKE7sLRC1GqVAQKUu+xqniwlWJsZy6A3lRuNhT0Fw2eE5IR8kS
        uBiOi+dU61ke5SJKQSFLR1JLg9K2JlMxcd4+louTKk1smffxmMrypjffz553W2ztT5s8I+rt
        6b6tK6k6VvsvYCRQSctPXZbgH3cIu81TwfpI2uwVvnJBb8jxj/G7HqZ5mG68uWd12EPeK8q+
        ItfQuk2l1Y1VpkAyt10Sqpy98U7Ca/aNSJqJF0oPWsS4OloW4Iup1LL/vCleDlEDAAA=
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrFIsWRmVeSWpSXmKPExsVy+t/xK7oT3p2IMFi0wMCi99xJJosrX9+z
        WUy6P4HF4s3bNUwWL+5dZLHof/ya2eL8+Q3sFmeb3rBbbHp8jdXi8q45bBYzzu9jspgx+SWb
        RdvqD6wOvB6bVnWyeWz/9oDV4373cSaPzUvqPf4dY/fY0n+X3aNvyypGj8+b5AI4otxsMlIT
        U1KLFFLzkvNTMvPSbZVCQ9x0LZQU8hJzU22VInR9Q4KUFMoSc0qBPCMDNODgHOAerKRvl+CW
        cb5vPWPBWvGK1gMTWRsYPwp1MXJySAiYSNzfspsVwhaTuHBvPRuILSSwhFHiyMmgLkYuIPsZ
        o8TX7r1gRcIC3hLbL61nBrFFBKIkHn99ywJRtJBZoufGX7AEs8ByZolzR2tBbDYBTYm/m2+C
        TeUVsJNoOXoNzGYRUJXYsvscI4gtKhAhMf/pKiaIGkGJH5PvsYDYnAKeEp8mTgeayQE0U11i
        ypRciPHyEpvXvGWewCgwC0nHLISqWUiqFjAyr2IUSS0tzk3PLTbUK07MLS7NS9dLzs/dxAiM
        123Hfm7ewXhpY/AhRgEORiUeXo6vxyOEWBPLiitzDzFKcDArifBK7TsRIcSbklhZlVqUH19U
        mpNafIjRFOiFicxSosn5wFSSVxJvaGJobmloZGxhYW5kpCTOW/LhSriQQHpiSWp2ampBahFM
        HxMHp1QDY8bWDJ9pIaJnqozb3sjximhm/liZ1Kys/lI7SGiVwaL/i1dx/inddFsnOl5YS+LS
        161i4hEhmdceM1cqP9h2/tpBRsVpvxyO2pfP7jg8+8y7H03pMrnONck/LSakWgvyv2f/KyRz
        Zm2vd0fBDOZblrmqsklpH6uz91cLneIs28Q+qZF3+h99JZbijERDLeai4kQACOTRFO0CAAA=
X-MTR: 20000000000000000@CPGS
X-CMS-MailID: 20170315073259eucas1p15cee632f0f0aa8a7f9b26108c01d608d
X-Msg-Generator: CA
X-Sender-IP: 182.198.249.179
X-Local-Sender: =?UTF-8?B?QW5kcnplaiBIYWpkYRtTUlBPTC1LZXJuZWwgKFRQKRvsgrw=?=
        =?UTF-8?B?7ISx7KCE7J6QG1NlbmlvciBTb2Z0d2FyZSBFbmdpbmVlcg==?=
X-Global-Sender: =?UTF-8?B?QW5kcnplaiBIYWpkYRtTUlBPTC1LZXJuZWwgKFRQKRtTYW1z?=
        =?UTF-8?B?dW5nIEVsZWN0cm9uaWNzG1NlbmlvciBTb2Z0d2FyZSBFbmdpbmVlcg==?=
X-Sender-Code: =?UTF-8?B?QzEwG0VIURtDMTBDRDAyQ0QwMjczOTI=?=
CMS-TYPE: 201P
X-HopCount: 7
X-CMS-RootMailID: 20170314204224epcas4p1c8b7716ebbebe60d14463f64da61d135
X-RootMTR: 20170314204224epcas4p1c8b7716ebbebe60d14463f64da61d135
References: <20170314183804.13788-1-krzk@kernel.org>
 <e1800491-0b60-74d1-1377-756d5b0bb371@math.uni-bielefeld.de>
 <20170314190859.y55wlc4z7xdsbbxg@kozik-lap>
 <de5e8583-748b-9df2-f7cc-c1b4fb499d17@math.uni-bielefeld.de>
 <20170314195240.gj7jbgql7hfziw42@kozik-lap>
 <CGME20170314204224epcas4p1c8b7716ebbebe60d14463f64da61d135@epcas4p1.samsung.com>
 <e147ef15-0f7c-19f0-8e1b-db6a75930932@math.uni-bielefeld.de>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2916
Lines: 73

Hi Tobias,

On 14.03.2017 21:41, Tobias Jakobi wrote:
> Krzysztof Kozlowski wrote:
>> On Tue, Mar 14, 2017 at 08:17:35PM +0100, Tobias Jakobi wrote:
>>> Krzysztof Kozlowski wrote:
>>>> On Tue, Mar 14, 2017 at 08:01:41PM +0100, Tobias Jakobi wrote:
>>>>> Hello Krzysztof,
>>>>>
>>>>> I was wondering about the benefit of this. From a quick look these are
>>>>> all messages that end up in the kernel log / dmesg.
>>>>>
>>>>> IIRC %pK does nothing there, since dmest_restrict is supposed to be used
>>>>> to deny an unpriviliged user the access to the kernel log.
>>>>>
>>>>> Or am I missing something here?
>>>> These are regular printks so depending on kernel options (e.g. dynamic
>>>> debug, drm.debug) these might be printed also in the console. Of course
>>>> we could argue then if access to one of the consoles is worth
>>>> securing.
>>> This here suggests otherwise.
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/sysctl/kernel.txt#n388
>>>
>>> I have not tested this, but IIRC %pK is not honored by the kernel
>>> logging infrastucture. That's why dmesg_restrict is there.
>>>
>>> Correct me if I'm wrong.
>> The %pK will not help for dmesg or /proc/kmsg but it will help for
>> console (/dev/ttySACN, ttySN etc) because effectively it uses the same
>> vsprintf()/pointer() functions.
> Thanks for the explanation, I didn't know that there was a difference
> there. In that case, looks good to me.
>
>

Just to clarify %pK:

Documentation/printk-formats.txt:
        %pK     0x01234567 or 0x0123456789abcdef

        For printing kernel pointers which should be hidden from
unprivileged
        users. The behaviour of %pK depends on the kptr_restrict sysctl
- see
        Documentation/sysctl/kernel.txt for more details.

Documentation/sysctl/kernel.txt:

kptr_restrict:

This toggle indicates whether restrictions are placed on
exposing kernel addresses via /proc and other interfaces.

When kptr_restrict is set to (0), the default, there are no restrictions.

When kptr_restrict is set to (1), kernel pointers printed using the %pK
format specifier will be replaced with 0's unless the user has CAP_SYSLOG
and effective user and group ids are equal to the real ids. This is
because %pK checks are done at read() time rather than open() time, so
if permissions are elevated between the open() and the read() (e.g via
a setuid binary) then %pK will not leak kernel pointers to unprivileged
users. Note, this is a temporary solution only. The correct long-term
solution is to do the permission checks at open() time. Consider removing
world read permissions from files that use %pK, and using dmesg_restrict
to protect against uses of %pK in dmesg(8) if leaking kernel pointer
values to unprivileged users is a concern.

When kptr_restrict is set to (2), kernel pointers printed using
%pK will be replaced with 0's regardless of privileges.
---

Regards
Andrzej