[0/1,SRU,xenial/linux] CVE-2018-7273

Message ID 20210224200101.9835-1-tim.gardner@canonical.com

Message

Tim Gardner Feb. 24, 2021, 8:01 p.m. UTC
[Impact]
In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of
kernel functions and global variables using printk calls within the function
show_floppy in drivers/block/floppy.c. An attacker can read this information
from dmesg and use the addresses to find the locations of kernel code and data
and bypass kernel security protections such as KASLR.

Canonical kernel team: According to the commit log there are thousands of call
sites using '%p', each of which could expose internal memory addresses. The
upstream solution was to hash all addresses printed using an unadorned '%p'.
This issue appears to be much broader than just the floppy disk driver.

[Test Case]
Boot tested on bare metal.

[Potential regression]
Simple backport. This patch was introduced in v4.15.
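
An added example, not part of the original message or the kernel patch: a check for raw kernel addresses in captured dmesg text, the exposure the cover letter describes. It assumes x86_64 (kernel addresses at 0xffff800000000000 and above) and that a hashed '%p' value on 64-bit has its upper 32 bits zeroed; the sample lines and field names are constructed.

```python
import re

# Assumption: x86_64, where kernel virtual addresses occupy the upper
# canonical half of the address space.
KERNEL_BASE = 0xFFFF800000000000

# A stand-alone 16-digit hex value, with or without a 0x prefix.
HEX64 = re.compile(r"\b(?:0x)?([0-9a-fA-F]{16})\b")

# Constructed log lines (not copied from a real system or from the driver).
SAMPLE = [
    "[   12.345678] floppy: cont=ffffffff81a3c2e0",
    "[   12.345690] floppy: current_req=ffff88003a5d4000",
    "[   12.345701] floppy: cont=000000004c1f9a27",
    "[   12.345712] floppy: fdc_busy=0",
]


def classify(token):
    """Label a 16-digit hex token as 'raw', 'hashed' or 'other'."""
    value = int(token, 16)
    if value >= KERNEL_BASE:
        return "raw"      # looks like a real kernel address
    if value != 0 and value >> 32 == 0:
        return "hashed"   # upper 32 bits zero: consistent with hashed %p
    return "other"


def find_raw_pointers(lines):
    """Return (line_number, token) for every raw kernel address found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in HEX64.finditer(line):
            if classify(match.group(1)) == "raw":
                findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, token in find_raw_pointers(SAMPLE):
        print(f"line {lineno}: raw kernel address {token}")
```
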

Comments

Kleber Sacilotto de Souza May 5, 2021, 9:17 a.m. UTC | #1
On 24.02.21 21:01, Tim Gardner wrote:
> [Impact]
> In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of
> kernel functions and global variables using printk calls within the function
> show_floppy in drivers/block/floppy.c. An attacker can read this information
> from dmesg and use the addresses to find the locations of kernel code and data
> and bypass kernel security protections such as KASLR.
> 
> Canonical kernel team: According to the commit log there are thousands of call
> sites using '%p', each of which could expose internal memory addresses. The
> upstream solution was to hash all addresses printed using an unadorned '%p'.
> This issue appears to be much broader than just the floppy disk driver.
> 
> [Test Case]
> Boot tested on bare metal.
> 
> [Potential regression]
> Simple backport. This patch was introduced in v4.15.
> 
> 

Xenial has EOL'ed and we won't be applying further patches from this mailing-list.

Thanks,
Kleber