From: Nick Desaulniers
Date: Fri, 27 Jul 2018 11:13:51 -0700
Subject: Re: [PATCH] tracing: do not leak kernel addresses
To: rostedt@goodmis.org
Cc: Jann Horn, Golden_Miller83@protonmail.ch, greg@kroah.com, Kees Cook, salyzyn@android.com, LKML, mingo@redhat.com, kernel-team@android.com, stable@vger.kernel.org, kernel-hardening@lists.openwall.com
In-Reply-To: <20180727094730.3a448629@gandalf.local.home>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 27, 2018 at 6:47 AM Steven Rostedt wrote:
>
> On Fri, 27 Jul 2018 15:40:32 +0200
> Jann Horn wrote:
>
> > > > But the code doesn't go to dmesg. It's only available
> > > > via /sys/kernel/debug/tracing/printk_formats which is only available
> > > > via root. Nobody else has access to that directory.

Oh, sorry, you're right. We're not printing an address to dmesg, but to a sysfs node. If you must have CAP_SYS_ADMIN to read this dir, then printk's %pK won't save you, because then you can modify kptr_restrict with sysctl.

> > > I think the point was that when we take capabilities into account the root
> > > privileges aren't unequivocal anymore. The 'root' owned process with only
> > > 'CAP_SYSLOG' shouldn't have access to /sys/kernel/debug/tracing/printk_formats
> >
> > Then they shouldn't have access to debugfs at all, right?
>
> That's what I'm thinking.

I found the internal bug report (reported Jan '17, you'll have to forgive me if my memory of the issue is hazy, or if the fix used at the time wasn't perfect), which was reported against the Nexus 6. From the report, it was possible to `cat /sys/kernel/debug/tracing/printk_formats` without being root, which I can't do on my workstation's much more modern kernel (Nexus 6 was 3.10). So I guess the question is what governs access to files below /sys/kernel/debug, and why was it missing from those kernels? I assume some check was added, but either not backported to 3.10 stable (or more likely not pulled in to Nexus 6's kernel through stable; Android is now in a much better place for that kind of issue).

--
Thanks,
~Nick Desaulniers
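A defender-side check for the question the thread leaves open (who can actually read printk_formats on a given kernel, and whether %pK would matter there); this is an added example, not code from the thread or from the kernel tree. It assumes the debugfs mount line carries an explicit mode= option (otherwise it tells you to stat the directory), reads kptr_restrict semantics from Documentation/sysctl/kernel.txt, and uses constructed sample inputs.

```python
import os
import stat

# Constructed sample inputs (not from a real host): debugfs mounted with
# mode=755, a world-readable printk_formats (0444), and kptr_restrict=1.
SAMPLE_MOUNTS = "debugfs /sys/kernel/debug debugfs rw,relatime,mode=755 0 0\n"
SAMPLE_FILE_MODE = 0o444
SAMPLE_KPTR_RESTRICT = 1

def debugfs_options(mounts_text):
    """Parse /proc/mounts text; return the debugfs mount options dict, or None."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "debugfs":
            return dict(o.partition("=")[::2] for o in f[3].split(","))
    return None

def audit_printk_formats(mounts_text, file_mode, kptr_restrict):
    """Return findings on who can read printk_formats and whether %pK would help."""
    opts = debugfs_options(mounts_text)
    if opts is None:
        return ["debugfs not mounted: printk_formats is unreachable"]
    findings, mode = [], opts.get("mode")
    others_traverse = mode is not None and int(mode, 8) & 0o005
    if mode is None:
        findings.append("debugfs mounted without mode=: stat the root dir on this kernel")
    elif others_traverse:
        findings.append("debugfs root (mode=%s) is traversable by other users" % mode)
    if file_mode & stat.S_IROTH:
        findings.append("printk_formats is world-readable (%s)" % oct(file_mode))
    # kptr_restrict: 0 = %pK prints the real address, 1 = hidden unless the
    # reader has CAP_SYSLOG, 2 = always hidden. The thread's point: once reading
    # needs CAP_SYS_ADMIN, %pK adds nothing, since sysctl can lower kptr_restrict.
    if kptr_restrict == 0:
        findings.append("kptr_restrict=0: %pK would show real addresses to any reader")
    elif kptr_restrict == 1:
        findings.append("kptr_restrict=1: %pK would still show addresses to CAP_SYSLOG holders")
    if others_traverse and file_mode & stat.S_IROTH:
        findings.append("LEAK: unprivileged users can read printk_formats")
    return findings

def audit_host():
    """Run the same audit against the running Linux host (reads /proc)."""
    path = "/sys/kernel/debug/tracing/printk_formats"
    mounts = open("/proc/mounts").read()
    kptr = int(open("/proc/sys/kernel/kptr_restrict").read())
    fmode = stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else 0
    return audit_printk_formats(mounts, fmode, kptr)

if __name__ == "__main__":
    print("\n".join(audit_printk_formats(SAMPLE_MOUNTS, SAMPLE_FILE_MODE, SAMPLE_KPTR_RESTRICT)))
```

Call audit_host() instead of the sample to see the verdict for the kernel you are on; as an unprivileged user os.path.exists() on the file already tells you whether debugfs traversal is denied.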