From: Jann Horn
Date: Fri, 27 Jul 2018 15:40:32 +0200
Subject: Re: [PATCH] tracing: do not leak kernel addresses
To: Golden_Miller83@protonmail.ch
Cc: Steven Rostedt, Nick Desaulniers, Greg KH, Kees Cook, salyzyn@android.com, kernel list, Ingo Molnar, kernel-team@android.com, stable@vger.kernel.org, Kernel Hardening
References: <20180725202238.165314-1-salyzyn@android.com> <20180725210717.3b807191@vmware.local.home> <11437c3e-5131-7190-c496-7b51eb7fcc2a@android.com> <20180726153153.GA8327@kroah.com> <20180726181558.25a5c3b8@gandalf.local.home> <753E9YR1QhdsPhsFoYuXCwfUzfyntDrc_A93hMUkktMi7lbh3KUZMcbfqKVWUfi15zYhuiDFant-ROa4QNV5shx74ff4hGngq2BOJDv-hq4=@protonmail.ch>
In-Reply-To: <753E9YR1QhdsPhsFoYuXCwfUzfyntDrc_A93hMUkktMi7lbh3KUZMcbfqKVWUfi15zYhuiDFant-ROa4QNV5shx74ff4hGngq2BOJDv-hq4=@protonmail.ch>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 2:07 PM Jordan Glover wrote:
>
> On July 27, 2018 12:15 AM, Steven Rostedt wrote:
>
> > On Thu, 26 Jul 2018 09:52:11 -0700
> > Nick Desaulniers ndesaulniers@google.com wrote:
> >
> > > See the section "Kernel addresses" in
> > > Documentation/security/self-protection. IIRC, the issue is that a
> > > process may have CAP_SYSLOG but not necessarily CAP_SYS_ADMIN (so it
> > > can read dmesg, but not necessarily issue a sysctl to change
> > > kptr_restrict), get compromised and used to leak kernel addresses,
> > > which can then be used to defeat KASLR.
> >
> > But the code doesn't go to dmesg. It's only available
> > via /sys/kernel/debug/tracing/printk_formats which is only available
> > via root. Nobody else has access to that directory.
> >
> > -- Steve
>
> I think the point was that when we take capabilities into account the root
> privileges aren't unequivocal anymore. The 'root' owned process with only
> 'CAP_SYSLOG' shouldn't have access to /sys/kernel/debug/tracing/printk_formats.

Then they shouldn't have access to debugfs at all, right?
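Added example, not code from this thread, from the patch under discussion or from the kernel tree: a small audit helper that takes lines in the layout of /sys/kernel/debug/tracing/printk_formats (the file Steve names, `0x<addr> : "<fmt>"`) and reports whether they expose raw kernel image addresses, which is the leak Nick describes. The sample input is constructed, and the classification rules are my assumptions: a 64-bit kernel whose image sits in the upper half of the address space, so a value with its top 32 bits set is a real pointer; 0 is what %pK prints to a reader without CAP_SYSLOG under kptr_restrict=1; and a non-zero value whose top 32 bits are clear has the shape of a hashed %p pointer on a 64-bit kernel.

```c
/*
 * Added example, not code from the thread or the kernel tree: classify
 * the addresses in a printk_formats-style dump so an auditor can see
 * whether the file leaks raw kernel image pointers to whoever can read it.
 *
 * Assumptions (mine, not stated on the page):
 *  - 64-bit kernel, image in the upper half of the address space, so a
 *    value with its top 32 bits set is a raw pointer;
 *  - 0 is what %pK prints to a reader lacking CAP_SYSLOG when
 *    kptr_restrict=1;
 *  - a non-zero value with its top 32 bits clear has the shape of a
 *    hashed %p pointer on a 64-bit kernel (the hash is masked to 32 bits).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum addr_kind { ADDR_RAW, ADDR_ZEROED, ADDR_HASHED, ADDR_INVALID };

/* Constructed sample in printk_formats layout; not captured from a real machine. */
static const char sample_printk_formats[] =
    "0xffffffff81c0a5e0 : \"%s: enabling %d\\n\"\n"
    "0xffffffff82140b10 : \"irq %d: nobody cared\\n\"\n"
    "0x0000000000000000 : \"%s: enabling %d\\n\"\n"
    "0x000000003a1f9c42 : \"irq %d: nobody cared\\n\"\n"
    "not a printk_formats line\n";

/* Copy the next line of *cursor into out; return 0 when input is exhausted. */
static int next_line(const char **cursor, char *out, size_t outlen)
{
    const char *p = *cursor;
    const char *nl;
    size_t n;

    if (*p == '\0')
        return 0;
    nl = strchr(p, '\n');
    n = nl ? (size_t)(nl - p) : strlen(p);
    if (n >= outlen)
        n = outlen - 1;           /* truncate over-long lines rather than overflow */
    memcpy(out, p, n);
    out[n] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Parse "0x<hex> : \"...\"" into *addr; return 1 on success, 0 if malformed. */
int parse_printk_format_line(const char *line, uint64_t *addr)
{
    char *end;

    if (strncmp(line, "0x", 2) != 0)
        return 0;
    *addr = strtoull(line, &end, 16);
    if (end <= line + 2)          /* no hex digits after "0x" */
        return 0;
    if (strncmp(end, " : \"", 4) != 0)
        return 0;
    return 1;
}

enum addr_kind classify_addr(uint64_t addr)
{
    if (addr == 0)
        return ADDR_ZEROED;       /* %pK shown to a reader without CAP_SYSLOG */
    if ((addr >> 32) == 0)
        return ADDR_HASHED;       /* 32-bit hash shape of %p on a 64-bit kernel */
    return ADDR_RAW;              /* a real pointer into the kernel image */
}

/* Count the lines of one kind in a printk_formats dump. */
int count_addr_kind(const char *buf, enum addr_kind want)
{
    char line[512];
    uint64_t addr;
    int count = 0;

    while (next_line(&buf, line, sizeof line)) {
        enum addr_kind k = parse_printk_format_line(line, &addr)
                           ? classify_addr(addr) : ADDR_INVALID;
        if (k == want)
            count++;
    }
    return count;
}

/*
 * Why one raw address is enough: the whole image slides by a single KASLR
 * offset, so a leaked pointer minus the link-time address of the same
 * object (from the matching vmlinux) yields the slide for all kernel
 * text and data.
 */
uint64_t kaslr_offset(uint64_t leaked, uint64_t link_time)
{
    return leaked - link_time;
}

int main(void)
{
    int raw = count_addr_kind(sample_printk_formats, ADDR_RAW);

    printf("raw=%d zeroed=%d hashed=%d invalid=%d\n", raw,
           count_addr_kind(sample_printk_formats, ADDR_ZEROED),
           count_addr_kind(sample_printk_formats, ADDR_HASHED),
           count_addr_kind(sample_printk_formats, ADDR_INVALID));
    return raw ? 1 : 0;           /* non-zero exit: the dump leaks addresses */
}
```

On a live system the input would come from `cat /sys/kernel/debug/tracing/printk_formats` with debugfs mounted. Note that the read is gated by the directory's root-only permissions, not by a capability check, which is the gap Jordan points at: a root-owned process that kept only CAP_SYSLOG passes that check and, if the file prints with a raw `%lx`, gets ADDR_RAW lines regardless of kptr_restrict.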