Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp3425719ybk; Tue, 19 May 2020 04:29:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw1UVGRH85YTJQVT+A2VhwyKsDy+JhRcR8dFlCBan/d4I7jXtHiod6LwtrlqqsDahCG7qjF X-Received: by 2002:a50:8dc2:: with SMTP id s2mr18695027edh.318.1589887757846; Tue, 19 May 2020 04:29:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589887757; cv=none; d=google.com; s=arc-20160816; b=xaeoWBj/WmSooGk1ywvz+PBmIYlAWF7tHaouZjiaq1GHftbeCdJobzMzKodoG5Dob3 1pj4XiDT/or09Ur3ci5oDvemcHCYeliI5hIgQ248KHspPyJgIrRZgeRyWiC47S/1R+GR iDQTpXfMuz5clKMuyibsA5ubRe50I1UWwJ6Qly18b4m1p5+YJDwz8pD4Ux1GrGxtkudd Arps7LW+GfRXH5dww0FcA261xVugJheclwqwJPw4L4lw232LkWqEXYibWE93gl7j8wXK kAJIaCz1OjY84owYhdXWotRdl+kZuiuJhyO+IC33cA+oRxPP9xt1GA6PQr2BA9OcDy5t 7nKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=X9s1mFt4Y+m2GazZ8OD2weZt7bXYsBrAFY1mL2LOceo=; b=wyZDw2M7QhkepnLw6ctiQ6OxVxGW0Dy03u3Gwb6OuxVZ+QzB6gUxE+kMiVotExvXxk EY4CZzOdRJCvI9HfG9q2K+Hn2fLsOqarrGRdgheIn7NwsFlcF3zOHe7mzYdrpCzlzYwF MQOnN6APqWyto5s8kZVbq18cDSWiIuhyeMhSIxRePMSWTfxFL9q3Lecb+ueCCMLKyu/f T2qsCstzzC8Sgm5uUp08ycCKLjul3GlFqY2h4dSdm2OyG+7Ih0mzbO0Vux+BJ+CTiISJ Tw0PQ71kz6tO0a3WFO7aVSQGgb18/isG0bLo7ZS2koKXIJx62Jh9F3+goL1mtYt7qxDJ s0WQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cX4DoIYH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bi20si9560206edb.233.2020.05.19.04.28.52; Tue, 19 May 2020 04:29:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cX4DoIYH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726949AbgESL1Q (ORCPT + 99 others); Tue, 19 May 2020 07:27:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56442 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726157AbgESL1P (ORCPT ); Tue, 19 May 2020 07:27:15 -0400 Received: from mail-wm1-x344.google.com (mail-wm1-x344.google.com [IPv6:2a00:1450:4864:20::344]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E080C061A0C for ; Tue, 19 May 2020 04:27:15 -0700 (PDT) Received: by mail-wm1-x344.google.com with SMTP id u1so1886801wmn.3 for ; Tue, 19 May 2020 04:27:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=X9s1mFt4Y+m2GazZ8OD2weZt7bXYsBrAFY1mL2LOceo=; b=cX4DoIYH4zV4RRwh3M8eeDx2prhyfWGoLozgWJzLGaCQtFLdCN3mhGyaLeM0u24A2y KdvyIoGFULIuT3yUVPC1yPJ6zHpKBN5VDF1reoaLRfxBGUBc8KEVy+GWtOiBpKv3ScU9 KQJjY4quqA7OwJ8jdkg67DLfYm0taMb1LXsyfGcyPVV0AlO180hzrG/nE8WyVVZO3dhq VTkzUoE/hKL+ZjAyql7ShrqsToG/V+iHDqxStHhbDhl8ii4upu0rT8j7w54FMM6PXx2Q N1Zu6dseEeAEI5BVJyXwQ8unjhF4jqR19YWH+dwRli6DO4VJz/wxBgrVqn9lLG4FEZJq uVuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=X9s1mFt4Y+m2GazZ8OD2weZt7bXYsBrAFY1mL2LOceo=; b=OIyBi9ssIEmU1S+uODte7cJJJD0zXZmmgsFGu0p/1o7bOOaHymUcT+19NhF9H5oA8c eDb38s10Lg2hkL9Y/QEXUg2zCOh0rKlgQATe1JXFJHX5HfmoDdJDfcE+cC8bZg+w8Jg4 NP8z1ZmwHpwzHPl+rRJu73zAEnLYaETjgd3DSOUkzTpE2Wda5sisoE9kS0i+kEQ7kGto CkV/t02v2C0OyKwk5jTY4ACfkVC0e4CMAbEDNpajWtc2SadlnmIg/Lo94XIvDVIYb+os avVJbk/CVqjNj8ZTZBNeGRUqff5BmmasbJk2kuC6hb6SLdPuJQyQFx4Mrk6GQuhC3uFk 4Low== X-Gm-Message-State: AOAM531xhh4fjNBWZX4e4Wl7kfExL6hydDNpM9M2SfAIkMv16O8V6Eyk 9gZ2+ak80vZPyNx4PsPp9rc= X-Received: by 2002:a7b:c3d2:: with SMTP id t18mr5015488wmj.100.1589887633716; Tue, 19 May 2020 04:27:13 -0700 (PDT) Received: from kwango.local (ip-94-112-129-237.net.upcbroadband.cz. [94.112.129.237]) by smtp.gmail.com with ESMTPSA id 88sm19886645wrq.77.2020.05.19.04.27.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2020 04:27:12 -0700 (PDT) From: Ilya Dryomov To: Petr Mladek Cc: Linus Torvalds , Steven Rostedt , Randy Dunlap , Kees Cook , Sergey Senozhatsky , "Tobin C . Harding" , Rasmus Villemoes , Andy Shevchenko , linux-kernel@vger.kernel.org Subject: [PATCH v3] vsprintf: don't obfuscate NULL and error pointers Date: Tue, 19 May 2020 13:26:57 +0200 Message-Id: <20200519112657.17098-1-idryomov@gmail.com> X-Mailer: git-send-email 2.19.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I don't see what security concern is addressed by obfuscating NULL and IS_ERR() error pointers, printed with %p/%pK. Given the number of sites where %p is used (over 10000) and the fact that NULL pointers aren't uncommon, it probably wouldn't take long for an attacker to find the hash that corresponds to 0. Although harder, the same goes for most common error values, such as -1, -2, -11, -14, etc. The NULL part actually fixes a regression: NULL pointers weren't obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers") which went into 5.2. I'm tacking the IS_ERR() part on here because error pointers won't leak kernel addresses and printing them as pointers shouldn't be any different from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes debugging based on existing pr_debug and friends excruciating. Note that the "always print 0's for %pK when kptr_restrict == 2" behaviour which goes way back is left as is. Example output with the patch applied: ptr error-ptr NULL %p: 0000000001f8cc5b fffffffffffffff2 0000000000000000 %pK, kptr = 0: 0000000001f8cc5b fffffffffffffff2 0000000000000000 %px: ffff888048c04020 fffffffffffffff2 0000000000000000 %pK, kptr = 1: ffff888048c04020 fffffffffffffff2 0000000000000000 %pK, kptr = 2: 0000000000000000 0000000000000000 0000000000000000 Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers") Signed-off-by: Ilya Dryomov Reviewed-by: Petr Mladek Reviewed-by: Sergey Senozhatsky Acked-by: Steven Rostedt (VMware) Acked-by: Linus Torvalds --- lib/test_printf.c | 19 ++++++++++++++++++- lib/vsprintf.c | 7 +++++++ 2 files changed, 25 insertions(+), 1 deletion(-) Hi Petr, This just came up again, please consider sending this to Linus for 5.7. Prior discussion was split in three threads and revolved around the vision for how lib/test_printf.c should be structured between Rasmus and yourself. The fix itself wasn't disputed and has several acks. If you want to restructure the test suite before adding any new test cases, v1 doesn't have them, but I'm reposting with test cases because I think it's best to add them right away to prevent further regressions. v3: - don't use EAGAIN macro in error_pointer() test case as the actual error code varies between architectures v2: - fix null_pointer() test case (it didn't catch the original regression because test_hashed() doesn't really test much) and add error_pointer() test case diff --git a/lib/test_printf.c b/lib/test_printf.c index 2d9f520d2f27..6b1622f4d7c2 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -214,6 +214,7 @@ test_string(void) #define PTR_STR "ffff0123456789ab" #define PTR_VAL_NO_CRNG "(____ptrval____)" #define ZEROS "00000000" /* hex 32 zero bits */ +#define ONES "ffffffff" /* hex 32 one bits */ static int __init plain_format(void) @@ -245,6 +246,7 @@ plain_format(void) #define PTR_STR "456789ab" #define PTR_VAL_NO_CRNG "(ptrval)" #define ZEROS "" +#define ONES "" static int __init plain_format(void) @@ -330,14 +332,28 @@ test_hashed(const char *fmt, const void *p) test(buf, fmt, p); } +/* + * NULL pointers aren't hashed. + */ static void __init null_pointer(void) { - test_hashed("%p", NULL); + test(ZEROS "00000000", "%p", NULL); test(ZEROS "00000000", "%px", NULL); test("(null)", "%pE", NULL); } +/* + * Error pointers aren't hashed. + */ +static void __init +error_pointer(void) +{ + test(ONES "fffffff5", "%p", ERR_PTR(-11)); + test(ONES "fffffff5", "%px", ERR_PTR(-11)); + test("(efault)", "%pE", ERR_PTR(-11)); +} + #define PTR_INVALID ((void *)0x000000ab) static void __init @@ -649,6 +665,7 @@ test_pointer(void) { plain(); null_pointer(); + error_pointer(); invalid_pointer(); symbol_ptr(); kernel_ptr(); diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 7c488a1ce318..f0f0522cd5a7 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -794,6 +794,13 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr, unsigned long hashval; int ret; + /* + * Print the real pointer value for NULL and error pointers, + * as they are not actual addresses. + */ + if (IS_ERR_OR_NULL(ptr)) + return pointer_string(buf, end, ptr, spec); + /* When debugging early boot use non-cryptographically secure hash. */ if (unlikely(debug_boot_weak_hash)) { hashval = hash_long((unsigned long)ptr, 32); -- 2.19.2