From patchwork Wed Feb 24 20:01:00 2021
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1444050
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 0/1] [SRU xenial/linux] CVE-2018-7273
Date: Wed, 24 Feb 2021 13:01:00 -0700
Message-Id: <20210224200101.9835-1-tim.gardner@canonical.com>

[Impact]

In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.

Canonical kernel team: According to the commit log there are thousands of call sites using '%p', each of which could expose internal memory addresses. The upstream solution was to hash all addresses printed using an unadorned '%p'. This issue appears to be much broader than just the floppy disk driver.

[Test Case]

Boot tested on bare metal.

[Potential regression]

Simple backport. This patch was introduced in v4.15.
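
Added example, not part of the original message or of the kernel patch: a log audit that flags values in kernel log lines that fall in the kernel half of the address space, which is what an unhashed '%p' exposes. It assumes x86_64 with 48-bit virtual addresses; the sample lines are constructed and are not real show_floppy output, and the function names are hypothetical.

```python
import re

# Assumption: x86_64 with 48-bit virtual addresses, where kernel-space
# addresses occupy the canonical upper half starting at this value.
KERNEL_SPACE_START = 0xFFFF800000000000

# A 16-hex-digit token, optionally 0x-prefixed, that is not part of a
# longer run of hex digits (so long hashes and IDs are not matched).
HEX64 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{16})(?![0-9a-fA-F])")


def find_kernel_addresses(line):
    """Return the kernel-range values (as ints) found in one log line."""
    hits = []
    for match in HEX64.finditer(line):
        value = int(match.group(1), 16)
        if value >= KERNEL_SPACE_START:
            hits.append(value)
    return hits


def audit(lines):
    """Map 1-based line number to the leaked values (hex strings) on that line."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = find_kernel_addresses(line)
        if hits:
            report[number] = [f"{h:016x}" for h in hits]
    return report


# Constructed sample lines for illustration only.
SAMPLE = [
    "[   12.345678] floppy0: timer handler=ffffffff81a2b3c4",         # raw address
    "[   12.345701] floppy0: work function=00000000c09e81d0",         # low value, outside kernel range
    "[   12.345730] floppy0: buffer at 0xffff880012345000 len=512",   # raw address
    "[   12.345755] floppy0: status=0 retries=3",                     # no pointer at all
]

if __name__ == "__main__":
    for number, addrs in audit(SAMPLE).items():
        print(f"line {number}: possible kernel address leak: {', '.join(addrs)}")
```

Run against saved dmesg output from a kernel before and after the backport, an empty report on the patched kernel is a quick sanity check that plain '%p' call sites no longer print raw addresses.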