Date: Mon, 23 Nov 2020 10:53:24 +0100
From: Petr Mladek
To: Steven Rostedt
Cc: Alan Stern, Sergey Senozhatsky, Kernel development list, Kees Cook, Daniel Borkmann, Linus Torvalds
Subject: Re: Printk specifiers for __user pointers
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri 2020-11-20 13:42:42, Steven Rostedt wrote:
> On Fri, 20 Nov 2020 11:44:12 -0500
> Alan Stern wrote:
>
> > To the VSPRINTF maintainers:
> >
> > Documentation/core-api/printk-formats.rst lists a large number of format
> > specifiers for pointers of various sorts. Yet as far as I can see,
> > there is no specifier meant for use with __user pointers.
> >
> > The security implications of printing the true, unmangled value of a
> > __user pointer are minimal, since doing so does not leak any kernel
> > information. So %px would work, but tools like checkpatch.pl don't like
> > it.

Just to be sure, as I am not a security expert. Is there really that
big a difference in the risk? The following scenarios come to my mind:

1. The address would show a well defined location in the userspace
   application? Could it be used to attack the application?

2. The address shows a location that is being accessed by the kernel.
   Could it not be used to pass a value that might be used to attack
   the kernel?

> > Should a new specifier be added? If not, should we simply use %px?
>
> There's currently no user of '%pu' (although there is a '%pus'). Perhaps we
> should have a '%pux'?
>
> I would even state that if it is used, that it makes sure that the value is
> indeed a user space pointer (goes through the same checks as accessing user
> space), before it's printed, otherwise it shows "(fault)" or something.

I have mixed feelings about this.

On one hand, it might make sense to mark locations where a userspace
address is printed. We could easily decide how to print them (hash or
value) and we could check that it is really a userspace one.

But I have a few concerns:

1. The existing "%pus" has a kind of opposite meaning. It says what
   address space should be used when the kernel and userspace address
   spaces are overlapping.

2. There is the history with "%pk". It did not work because people
   did not use it.

3. I am not sure about the output when the address is not from
   userspace. Printing ("fault") is not very helpful. Printing a hashed
   value might be confusing.

Well, I am still not sure that it is really safe to print real
userspace addresses by default.

Best Regards,
Petr
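
A user-space C model of the check proposed in the quoted reply and of the outputs weighed in the third concern (raw value, hashed value, "(fault)"), added here as an illustration; it is not code from the thread or from the kernel. The '%pux' specifier is only a proposal, and `format_user_ptr`, `MODEL_USER_LIMIT` (an x86-64, 4-level paging assumption) and the mixer standing in for the kernel's keyed pointer hash are hypothetical names and choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: x86-64 with 4-level paging, where user addresses end here. */
#define MODEL_USER_LIMIT 0x00007ffffffff000ULL

enum uptr_policy { UPTR_RAW, UPTR_HASHED };

/* Stand-in keyed mixer (splitmix64 finalizer), NOT the kernel's pointer hash. */
static uint32_t model_hash(uint64_t v, uint64_t key)
{
    v ^= key;
    v ^= v >> 30; v *= 0xbf58476d1ce4e5b9ULL;
    v ^= v >> 27; v *= 0x94d049bb133111ebULL;
    v ^= v >> 31;
    return (uint32_t)v;
}

/* Range check in the spirit of access_ok(): [addr, addr + size) must lie
 * below the user limit, written so that addr + size cannot overflow. */
static int model_user_range_ok(uint64_t addr, uint64_t size)
{
    return size <= MODEL_USER_LIMIT && addr <= MODEL_USER_LIMIT - size;
}

/* Format a value that the caller claims is a __user pointer. */
const char *format_user_ptr(char *buf, size_t len, uint64_t addr,
                            enum uptr_policy policy, uint64_t key)
{
    if (!model_user_range_ok(addr, 1))
        snprintf(buf, len, "(fault)");      /* not a user-space address */
    else if (policy == UPTR_RAW)
        snprintf(buf, len, "%016llx", (unsigned long long)addr);
    else
        snprintf(buf, len, "%08x", (unsigned)model_hash(addr, key));
    return buf;
}

int main(void)
{
    /* Constructed samples: a stack-like user address and a kernel-range one. */
    const uint64_t samples[] = { 0x00007ffd12345678ULL, 0xffffffff81000000ULL };
    char buf[32];
    for (size_t i = 0; i < 2; i++) {
        printf("raw:    %s\n", format_user_ptr(buf, sizeof buf, samples[i], UPTR_RAW, 0));
        printf("hashed: %s\n", format_user_ptr(buf, sizeof buf, samples[i], UPTR_HASHED, 0x1234));
    }
    return 0;
}
```
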