Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp2391038pxb; Mon, 20 Sep 2021 21:08:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxyWAI8KaFgB526YHliZD8TD3VdTfycYn9k3XEsDJiUc+xLhwsGpRUJ087+Yl95y3on/ELq X-Received: by 2002:a17:906:c1da:: with SMTP id bw26mr32668287ejb.253.1632197308893; Mon, 20 Sep 2021 21:08:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1632197308; cv=none; d=google.com; s=arc-20160816; b=kpCHNk+rL95u763Yyg1PrAHHRw+viKWhKNt+8BQ/YXv+tPsq12sjIKGkwUjRYYn3ZQ cEwVCU3kXc6FX70gyNzA9wepDp94aycuU4BZVDrwP5eRq/d+0u4BchebsggtsNlGKAo9 zEaFhBPXg5MtyfRm8dkpxS15GQwycAL/qxu1TJaTdkzuwhAxtb+CEozjNGssVde6SkWN rt7IF5L0jLXtv4bwYdEFq/LzF7SXKxYZ5//7UXUE7nJvfPxWaQ7V1pCGqvpDiyoyE9iN QOjOaVGpzfNeDsS06rS+E/8zR/oMkstISLdFWq/KvTXZCGTc8ufLAdg+fJgU3qrOjWMu utIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:user-agent:from :references:in-reply-to:mime-version:dkim-signature; bh=YSVdlrDBVCVVyrsd5P+CkOqJiePqjs/Ib4JDP05yk6g=; b=SzzaM0rPc95cigsWBqOejvfKsBhHgEvnbAYMlGWFGLuBJvUWTtH7E0qRRX9FRYz4E3 cfpdCUykz9RvOmxLgaA2uUnphZ6ErctzEE9XUZloY1hzZ1d7yAxwj8nXdMmBR2RBUFSO nOTa0F2MBkVLyAyTuKx08u2JMwPuj/vPpNCC43j463fDB+Z0vX5VyPMlHQhcsmtcfFrO joE42WaT1Fqj6GsKkzmNPUd8JfYZ0UH9nZkcGKPif44NeJeLmDmSst8JwfX1+TjH9qTx 8zRzxbdcY2Thhi1DkUAJmBokqZ9Y5g93IbDislqnsT3Lq61LhBghYzAojYrYEuDO94cb YhMA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ZsvwpP2v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h4si13869241ejo.291.2021.09.20.21.08.05; Mon, 20 Sep 2021 21:08:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ZsvwpP2v; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235952AbhIUCvo (ORCPT + 99 others); Mon, 20 Sep 2021 22:51:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347496AbhIUCUn (ORCPT ); Mon, 20 Sep 2021 22:20:43 -0400 Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 552F7C1A2E8B for ; Mon, 20 Sep 2021 11:44:11 -0700 (PDT) Received: by mail-oi1-x234.google.com with SMTP id o66so23407235oib.11 for ; Mon, 20 Sep 2021 11:44:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:in-reply-to:references:from:user-agent:date:message-id :subject:to:cc; bh=YSVdlrDBVCVVyrsd5P+CkOqJiePqjs/Ib4JDP05yk6g=; b=ZsvwpP2v4ozbtgRIFQq2vJIcLOO1oeeC3S05lrMD/GKvbZ+S4hSMMmUSYMlVuhCjTo nVqPHY0QCuPSqvt2V+wHAawRZ59em5t9cZhdAxWSuX0oTRZzwLt8mZz49UDQgDV5MYwh xp/wPE1UkkV0oCf/ovgIZDgy7DMYX0bVKJr4k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:in-reply-to:references:from :user-agent:date:message-id:subject:to:cc; bh=YSVdlrDBVCVVyrsd5P+CkOqJiePqjs/Ib4JDP05yk6g=; b=So+ylcu2acdL+XUL55XFzNbvuR4YPZ0SPI8dkHZdNxx2ivw60+KMC654pvOg0j+OEi 4T2m+ZV2tzduXViKiNlEZUQZ9AxLwy7oxBPG535L+DjaehVy5uTNEtnA+GLozSXy6SB/ 725UYTrF3ajQdTPRApIubwo2OXH8V9NEWJA0N23gi7D3xFBhr68LLhmEdJYbX3BXyEqK +oPKmR9f5l8SfD/P0rkkmCFYxwGW1yRMgCqGdaBm/zAFNRpQ/MgT4F7XMx2QRKvPTfZ0 slAca9uFGX16s3QDa9smVn4oMtYIAai5uIXZqAOfcnILAZ1r7E8CUn2o5qZs/Z5VaMQT UpPg== X-Gm-Message-State: AOAM533WlXwpTjfkaRKP/nGEjoGCbEDMumuiC0sMoweHUlKEMXV3Jtgi U78G5l9VdBaCHCumBaTk+FyRNBdHn1dw8HfYsZcr7w== X-Received: by 2002:aca:3110:: with SMTP id x16mr422958oix.64.1632163450731; Mon, 20 Sep 2021 11:44:10 -0700 (PDT) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Mon, 20 Sep 2021 11:44:10 -0700 MIME-Version: 1.0 In-Reply-To: <202109201126.E9902480D9@keescook> References: <20210601182202.3011020-1-swboyd@chromium.org> <20210601182202.3011020-5-swboyd@chromium.org> <202109200726.2EFEDC5@keescook> <202109201126.E9902480D9@keescook> From: Stephen Boyd User-Agent: alot/0.9.1 Date: Mon, 20 Sep 2021 11:44:10 -0700 Message-ID: Subject: Re: [PATCH v3 4/4] slub: Force on no_hash_pointers when slub_debug is enabled To: Kees Cook Cc: Andrew Morton , linux-kernel@vger.kernel.org, Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , linux-mm@kvack.org, Petr Mladek , Joe Perches Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Kees Cook (2021-09-20 11:28:50) > On Mon, Sep 20, 2021 at 11:23:01AM -0700, Stephen Boyd wrote: > > Quoting Kees Cook (2021-09-20 07:29:54) > > > On Tue, Jun 01, 2021 at 11:22:02AM -0700, Stephen Boyd wrote: > > > > Obscuring the pointers that slub shows when debugging makes for some > > > > confusing slub debug messages: > > > > > > > > Padding overwritten. 0x0000000079f0674a-0x000000000d4dce17 > > > > > > > > Those addresses are hashed for kernel security reasons. If we're trying > > > > to be secure with slub_debug on the commandline we have some big > > > > problems given that we dump whole chunks of kernel memory to the kernel > > > > logs. Let's force on the no_hash_pointers commandline flag when > > > > slub_debug is on the commandline. This makes slub debug messages more > > > > meaningful and if by chance a kernel address is in some slub debug > > > > object dump we will have a better chance of figuring out what went > > > > wrong. > > > > > > > > Note that we don't use %px in the slub code because we want to reduce > > > > the number of places that %px is used in the kernel. This also nicely > > > > prints a big fat warning at kernel boot if slub_debug is on the > > > > commandline so that we know that this kernel shouldn't be used on > > > > production systems. > > > > > > Eeeek. I missed this patch. NAK NAK. People use slub_debug for > > > production systems to gain redzoning, etc, as a layer of defense, and > > > they absolutely do not want %p-hashing disabled. %p hashing is > > > controlled by the no_hash_pointers boot param (since v5.12), and needs to stay > > > separate from slub_debug. > > > > > > Can we please revert this in Linus's tree and in v5.14? > > > > > > > This is fine with me as long as debugging with slub_debug on the > > commandline is possible. Would you prefer v1 of this patch series[1] > > that uses the printk format to print unhashed pointers in slub debugging > > messages? > > > > [1] https://lore.kernel.org/r/20210520013539.3733631-1-swboyd@chromium.org > > I'd like to keep %px use in the kernel minimized. Seeing full pointers (%p > hashing disabled) can be done with the no_hash_pointers boot param, and > that's used in other debug cases as well. I'd rather keep it a global > knob. > Can you elaborate on your use case where slub debugging is used for security in production systems via redzoning? Maybe that redzoning logic in slub debug should be moved out of CONFIG_SLUB_DEBUG into slub proper? Or maybe the config symbol should be changed to something that doesn't have 'debug' in the name? The main goal of this series was to make slub debug messages I saw useful instead of confusing given that all the pointers were hashed. If some part of slub debugging is production critical then I wonder why it's behind a debug named config knob and why it prints so much pointer information on production systems.