Subject: Re: [PATCH] tracing: do not leak kernel addresses
From: Mark Salyzyn
To: Steven Rostedt
Cc: linux-kernel@vger.kernel.org, Nick Desaulniers, Ingo Molnar, kernel-team@android.com, stable@vger.kernel.org
Date: Thu, 26 Jul 2018 08:14:08 -0700
Message-ID: <11437c3e-5131-7190-c496-7b51eb7fcc2a@android.com>
In-Reply-To: <20180725210717.3b807191@vmware.local.home>
References: <20180725202238.165314-1-salyzyn@android.com> <20180725210717.3b807191@vmware.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/25/2018 06:07 PM, Steven Rostedt wrote:
> On Wed, 25 Jul 2018 13:22:36 -0700
> Mark Salyzyn wrote:
>
>> From: Nick Desaulniers
>>
>> Switch from 0x%lx to 0x%pK to print the kernel addresses.
>>
>> Fixes: CVE-2017-0630
>
> Wait!!!! This breaks perf and trace-cmd! They require this to be able
> to print various strings in trace events. This file is root read only,
> as the CVE says.
>
> NAK for this fix. Come up with something that doesn't break perf and
> trace-cmd. That will not be trivial, as the format is stored in the
> ring buffer with an address, then referenced directly. It also handles
> trace_printk() functions that simply point to the string format itself.
>
> A fix would require having a pointer be the same that is referenced
> inside the kernel as well as in this file. Maybe make the format string
> placed in a location that doesn't leak where the rest of the kernel
> exists?
>
> -- Steve

Thank you Steve, much appreciated feedback. I have asked the security
developers to keep this in mind and come up with a correct fix.

The correct fix that meets your guidelines would _not_ be suitable for
stable due to the invasiveness it sounds; only for the latest will such a
rework make sense. As such, the fix proposed in this patch is the only one
that meets the bar for stable patch simplicity, and merely(!) needs to
state that if the fix is taken, perf and trace are broken.

Posting this patch publicly on the lists, that may never be applied, may
be the limit of our responsibility for a fix to stable kernel releases, to
be optionally applied by vendors concerned with this CVE's criteria?

-- Mark
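The dependency Steve describes, a consumer such as trace-cmd resolving a trace_printk() event by the raw address that printk_formats publishes, can be modelled in user space. The block below is an added example written for this page; it is not code from the kernel, from the patch, or from either participant. It assumes the printk_formats line layout `0x<address> : "<escaped format>"` (the `0x%lx` prefix is the one the patch changes) and constructs both file images inline: the unpatched output, and the same entries as `0x%pK` prints them when kptr_restrict denies the reader (kptr_restrict=1 without CAP_SYSLOG, or kptr_restrict=2), i.e. all-zero digits. The ring-buffer event carries only the address, so the masked file cannot be resolved and every entry collides at 0.

```c
/*
 * Added example (not kernel, patch or thread code): a user-space model of
 * how trace-cmd resolves a trace_printk() event. printk_formats publishes
 *   0x<address> : "<escaped format>"
 * per format, and the ring-buffer event stores only that address. When the
 * file masks the address (0x%pK with kptr_restrict denying the reader prints
 * all-zero digits), the lookup fails and every entry collides at 0.
 * Both file images below are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FMTS 16
#define FMT_LEN  128

struct fmt_entry { uint64_t addr; char fmt[FMT_LEN]; }; /* escapes kept as-is */
struct fmt_table { struct fmt_entry e[MAX_FMTS]; int n; };

/* Constructed: what the unpatched 0x%lx output looks like. */
static const char real_formats[] =
    "0xffffffffc0a01100 : \"request %d done\\n\"\n"
    "0xffffffffc0a01120 : \"irq %d fired\\n\"\n";

/* Constructed: the same entries with %pK masking the address. */
static const char masked_formats[] =
    "0x0000000000000000 : \"request %d done\\n\"\n"
    "0x0000000000000000 : \"irq %d fired\\n\"\n";

/* Parse one line of the form 0x<hex> : "<text>". */
static int parse_fmt_line(const char *line, struct fmt_entry *out)
{
    const char *p = line, *q;
    char *end;
    size_t len;

    if (strncmp(p, "0x", 2) != 0)
        return -1;
    out->addr = strtoull(p, &end, 16);
    if (end == p || strncmp(end, " : \"", 4) != 0)
        return -1;
    p = end + 4;
    q = strrchr(p, '"');                 /* closing quote ends the format */
    if (q == NULL || (len = (size_t)(q - p)) >= FMT_LEN)
        return -1;
    memcpy(out->fmt, p, len);
    out->fmt[len] = '\0';
    return 0;
}

/* Load a file image (one entry per line) into the table. */
static int load_fmt_table(const char *formats_file, struct fmt_table *t)
{
    char buf[1024], *line;

    if (strlen(formats_file) >= sizeof(buf))
        return -1;
    strcpy(buf, formats_file);
    t->n = 0;
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        if (t->n == MAX_FMTS || parse_fmt_line(line, &t->e[t->n]) < 0)
            return -1;
        t->n++;
    }
    return 0;
}

/* Resolve the address an event carries; NULL if the file does not list it. */
const char *resolve_event(const char *formats_file, uint64_t fmt_addr)
{
    static struct fmt_table t;
    int i;

    if (load_fmt_table(formats_file, &t) < 0)
        return NULL;
    for (i = 0; i < t.n; i++)
        if (t.e[i].addr == fmt_addr)
            return t.e[i].fmt;
    return NULL;
}

/* Entries whose address duplicates an earlier one (all but the first, once masked). */
int count_addr_collisions(const char *formats_file)
{
    struct fmt_table t;
    int i, j, dup = 0;

    if (load_fmt_table(formats_file, &t) < 0)
        return -1;
    for (i = 0; i < t.n; i++)
        for (j = 0; j < i; j++)
            if (t.e[i].addr == t.e[j].addr) {
                dup++;
                break;
            }
    return dup;
}

int main(void)
{
    const uint64_t ev_fmt = 0xffffffffc0a01120ULL; /* address stored in the event */
    const char *f = resolve_event(real_formats, ev_fmt);
    printf("real   : %s\n", f ? f : "(unresolved)");
    f = resolve_event(masked_formats, ev_fmt);
    printf("masked : %s\n", f ? f : "(unresolved)");
    printf("masked collisions: %d\n", count_addr_collisions(masked_formats));
    return 0;
}
```

Against the real file image the event's address resolves to the `irq %d fired\n` format; against the masked image it resolves to nothing, and the second entry collides with the first, which is why a consumer cannot even disambiguate formats by position once the addresses are hidden. The same structure holds for any fix that keeps the file and the ring buffer from agreeing on a pointer, which is the constraint Steve sets for an acceptable alternative.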