Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp832085ybv; Wed, 19 Feb 2020 10:08:24 -0800 (PST) X-Google-Smtp-Source: APXvYqxI3+zP2CNtryNEz6bVZeYwRYnENImJ4AmItaZWfelUDZGyzsqQ4PP9QJ75VLqQGMKh2szg X-Received: by 2002:aca:b2c5:: with SMTP id b188mr5514729oif.163.1582135703791; Wed, 19 Feb 2020 10:08:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582135703; cv=none; d=google.com; s=arc-20160816; b=IwOIohRNgqvEIMxrlHsXu+H1FGTHGNnHmPcX/eh8xDfjBI769LKuc2lgBZXiQTKPtp 18BgaYRLYjw4I7Q1aJ5wrAbiOjIFFb/943hDdpxZywDF5sfs31mj9hneNsIbroAvUnLG 7ABdHODarolG1AylQpOoBVXSddLnwgt6HJ00r5bnDMxwdQJAKVy1i36KqBXU7EONRLkV kDx4d9JiDxNnjTgiZ955zju3D6TZyJe2j+Cso/B4uSO4Vd/e8upRsdBtJ5/PLUlzRnNP T4YXBjPyWqC+jP/eaIamPQ9RyJT7NZvbdzxUUgBlccrzG0cFe7C/+UlSZfNH5iLLBWRM NMPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=lh9HDmiIL2+C6gKZFkkGaBll4E2H2sF+884fA79a3d4=; b=LnUWasZMxdS9bXjtedfB/mAgeNft8sJcG8N2WDXdC8AII1V0DWrYDr9bIN8PkIKAjP i2iRQixw0heykOsisuI1OJyWx9AvyDctXRCfVYtayp/jaRjyzEsHr4nCfviL0AnBknre +k5nT/u7awxVPSCVNMDojdxdL+oWUOckipLyhP5vMHuedcaE47NN5Q6iRE9xoLmmP5h0 xcJLzj/lVg2vb+t5qKjxrI1fxnSJOTz6UV5gtSzhrsAbvcseN0rclgJhgjgoN9m4R0x/ aSf8P8AeEN4VcSCcWQnLZK8W+WtbJIxyUKbn8p20v0Xu0MDMNbhUE+JPHh2QXYakYro2 WAmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OKInHGSK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j21si1306027oie.210.2020.02.19.10.08.10; Wed, 19 Feb 2020 10:08:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=OKInHGSK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726638AbgBSSGp (ORCPT + 99 others); Wed, 19 Feb 2020 13:06:45 -0500 Received: from mail-io1-f65.google.com ([209.85.166.65]:36137 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726514AbgBSSGp (ORCPT ); Wed, 19 Feb 2020 13:06:45 -0500 Received: by mail-io1-f65.google.com with SMTP id d15so1591439iog.3 for ; Wed, 19 Feb 2020 10:06:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lh9HDmiIL2+C6gKZFkkGaBll4E2H2sF+884fA79a3d4=; b=OKInHGSKvIkqurX1aNTcyJ5ZRSa99BcEVRAEw2dytl0WWVormMy+BNoYv2PhuWZg/J O+DlL7WwCVTj1WuJcoFPIQsDb6tKsiHotMHwQ4MYGMDjT9Mm2sxDCU7CTMFLeHQj3Ltq PfczyxtesAHl5KW7TobIH+e1VxayU21t97tT/V45NFJj2i3hdwBP/zEqLlgQEw+GMTDP fei14aYzXuov9cqupGB0xWLve/ofzYAAULe6TVWfjcDQiJvTiu5Y3LGXTWeHpqUeG1Ey kxkVbp7nPQuwN/lNspRFq8jHZq7tRJMdTAAInZhnhd38Uxc8fmN10h/zcNPJYAvFfAHw J5XA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lh9HDmiIL2+C6gKZFkkGaBll4E2H2sF+884fA79a3d4=; b=YtYUK5To7WDrjE1unt8A6xPtSRk++/7tEHhTkKMpINIqxuG+0Vo1sRgEV80h2PsFKj 3l1Z/eGww6V4voGnMQgaVSGhSL5Ak0Vw8Jhzqc1mguc0+1ib0xpBIbqYjm04HqP1yil5 yEaYamj8DoncnA7leIQGtWl2gX88YcwB4h2Fnd7EjQUz/lvQR1YkXF0nPuLRgU5k3QX4 Ixxjq7RYXtJ5ADGnDcsKt3YSebuRAmkcEpft5+O9+iT8uD0zRMAo9t7GfBXI90qR97hS q9smRdVHhzNNntzaZJx6qdl3n7nMm5SRjM1GM4UwQBeiuxwsxMCdNi3J8vUi7Bn5hZew 6+eA== X-Gm-Message-State: APjAAAVm7Av3o4vtgjnJ/uWFA/C21pfPdUgjWdsWxpIWnWHEs0c246v4 gxxQu/6wDr5RzKA1UP2zO2jaNS0TA+/oPTU/irYRjV1PyMhZ4A== X-Received: by 2002:a6b:1781:: with SMTP id 123mr19791852iox.282.1582135604653; Wed, 19 Feb 2020 10:06:44 -0800 (PST) MIME-Version: 1.0 References: <20200219171225.5547-1-idryomov@gmail.com> In-Reply-To: From: Ilya Dryomov Date: Wed, 19 Feb 2020 19:07:10 +0100 Message-ID: Subject: Re: [PATCH v2] vsprintf: don't obfuscate NULL and error pointers To: Andy Shevchenko Cc: Linux Kernel Mailing List , Linus Torvalds , Petr Mladek , Steven Rostedt , Randy Dunlap , Kees Cook , Sergey Senozhatsky , "Tobin C . Harding" , Rasmus Villemoes , Andy Shevchenko Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 19, 2020 at 6:37 PM Andy Shevchenko wrote: > > On Wed, Feb 19, 2020 at 7:13 PM Ilya Dryomov wrote: > > > > I don't see what security concern is addressed by obfuscating NULL > > and IS_ERR() error pointers, printed with %p/%pK. Given the number > > of sites where %p is used (over 10000) and the fact that NULL pointers > > aren't uncommon, it probably wouldn't take long for an attacker to > > find the hash that corresponds to 0. Although harder, the same goes > > for most common error values, such as -1, -2, -11, -14, etc. > > > > The NULL part actually fixes a regression: NULL pointers weren't > > obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when > > dereferencing invalid pointers") which went into 5.2. I'm tacking > > the IS_ERR() part on here because error pointers won't leak kernel > > addresses and printing them as pointers shouldn't be any different > > from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes > > debugging based on existing pr_debug and friends excruciating. > > > > Note that the "always print 0's for %pK when kptr_restrict == 2" > > behaviour which goes way back is left as is. > > > > Example output with the patch applied: > > > > ptr error-ptr NULL > > %p: 0000000001f8cc5b fffffffffffffff2 0000000000000000 > > %pK, kptr = 0: 0000000001f8cc5b fffffffffffffff2 0000000000000000 > > %px: ffff888048c04020 fffffffffffffff2 0000000000000000 > > %pK, kptr = 1: ffff888048c04020 fffffffffffffff2 0000000000000000 > > %pK, kptr = 2: 0000000000000000 0000000000000000 0000000000000000 > > ... > > > +/* > > + * NULL pointers aren't hashed. > > + */ > > static void __init > > null_pointer(void) > > { > > - test_hashed("%p", NULL); > > + test(ZEROS "00000000", "%p", NULL); > > test(ZEROS "00000000", "%px", NULL); > > test("(null)", "%pE", NULL); > > } > > > > +/* > > + * Error pointers aren't hashed. > > + */ > > +static void __init > > +error_pointer(void) > > +{ > > + test(ONES "fffffff5", "%p", ERR_PTR(-EAGAIN)); > > + test(ONES "fffffff5", "%px", ERR_PTR(-EAGAIN)); > > > + test("(efault)", "%pE", ERR_PTR(-EAGAIN)); > > Hmm... Is capital E on purpose here? Yes. It shows that for %pE an error pointer is still invalid. %pe is tested separately, in errptr(), and the output would have been "-EAGAIN". > Maybe we may use something else ('%ph'?) for sake of deviation? If you look at the resulting file, you will see that null_pointer(), error_pointer() and invalid_pointer() exercise the same three variants: %p, %px and %pE. This is somewhat confusing, but there seems to be some disagreement between Pavel and Rasmus as to how the test suite should be structured and I didn't want to attempt to restructure anything in this patch. Thanks, Ilya