From patchwork Wed Feb 24 20:01:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tim Gardner X-Patchwork-Id: 1444045 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Dm6Hd31VKz9sVF; Thu, 25 Feb 2021 07:01:16 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lF0LQ-0000rj-3h; Wed, 24 Feb 2021 20:01:12 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lF0LN-0000rQ-L3 for kernel-team@lists.ubuntu.com; Wed, 24 Feb 2021 20:01:09 +0000 Received: from mail-pj1-f72.google.com ([209.85.216.72]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lF0LN-0007ri-8C for kernel-team@lists.ubuntu.com; Wed, 24 Feb 2021 20:01:09 +0000 Received: by mail-pj1-f72.google.com with SMTP id k92so2624121pjc.5 for ; Wed, 24 Feb 2021 12:01:09 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=s9IJuCztsXZ1xyyu/OHvXRrHTfai+XxUjvplgB9dstQ=; b=ZDVXMyCbab5Rz6INzQFObWdUbQIGN0fiHFpEKbmfkbm5MaOABvJfJzVXri66qwYL98 DaVvCp95kf/O7YN1YaJ8N9hxp+NEf07Au+5ihzS3Nht9s82jSUKzOZr2XKFHqMS6szDt PsqA9EF6jll9Uu8lrbjUltjnJqrIjoFIg7nupgOVmhm4/fe3cpYqSAkXk6w0To9C8U6c bp6KgaIYiSMuum5TNMS/+7F0MD5Q0FZxqAr871e/jf+aiSUJ02m0TSJC6o49hc2n+axq OonJBbPDYKyEPfyJnCjk3Q3IX3UOH71Z0WPvv6Xfji0DB9tWq6tm6dK0DnaSPLPTcECF wCMw== X-Gm-Message-State: AOAM533RYlC5TX6xt3/JNxdp/F6/jXZpmuo074dCGCUPKWYg8P2Buc3T q8cg/RmPGqUqe1LZNqkvLUISPhY+P0WiLrMCq/CZC/xfoRAR1nbcI6LZl74QGWUwY3K1HQxiSKw j8KtclClEnVM9SMtqa+mtzd5anWvakMVy6j3YrGC94w== X-Received: by 2002:a17:902:d4cd:b029:e4:1abc:37e3 with SMTP id o13-20020a170902d4cdb02900e41abc37e3mr9146594plg.29.1614196867234; Wed, 24 Feb 2021 12:01:07 -0800 (PST) X-Google-Smtp-Source: ABdhPJzuluQVg1l2LSZaU3Ik2YGQpejRajGoxDBAk4kjoTB1eP3g0jy45rQEAfebNePJoBiEz6iIVQ== X-Received: by 2002:a17:902:d4cd:b029:e4:1abc:37e3 with SMTP id o13-20020a170902d4cdb02900e41abc37e3mr9146571plg.29.1614196866827; Wed, 24 Feb 2021 12:01:06 -0800 (PST) Received: from localhost.localdomain ([69.163.84.166]) by smtp.gmail.com with ESMTPSA id b15sm3295892pgg.85.2021.02.24.12.01.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Feb 2021 12:01:06 -0800 (PST) From: Tim Gardner To: kernel-team@lists.ubuntu.com Subject: [PATCH] printk: hash addresses printed with %p Date: Wed, 24 Feb 2021 13:01:01 -0700 Message-Id: <20210224200101.9835-2-tim.gardner@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210224200101.9835-1-tim.gardner@canonical.com> References: <20210224200101.9835-1-tim.gardner@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: "Tobin C. Harding" Currently there exist approximately 14 000 places in the kernel where addresses are being printed using an unadorned %p. This potentially leaks sensitive information regarding the Kernel layout in memory. Many of these calls are stale, instead of fixing every call lets hash the address by default before printing. This will of course break some users, forcing code printing needed addresses to be updated. Code that _really_ needs the address will soon be able to use the new printk specifier %px to print the address. For what it's worth, usage of unadorned %p can be broken down as follows (thanks to Joe Perches). $ git grep -E '%p[^A-Za-z0-9]' | cut -f1 -d"/" | sort | uniq -c 1084 arch 20 block 10 crypto 32 Documentation 8121 drivers 1221 fs 143 include 101 kernel 69 lib 100 mm 1510 net 40 samples 7 scripts 11 security 166 sound 152 tools 2 virt Add function ptr_to_id() to map an address to a 32 bit unique identifier. Hash any unadorned usage of specifier %p and any malformed specifiers. Signed-off-by: Tobin C. Harding (backported from commit ad67b74d2469d9b82aaa572d76474c95bc484d57) CVE-2018-7273 Signed-off-by: Tim Gardner Conflicts: Documentation/printk-formats.txt (Added a paragraph under Kernel Pointers) lib/vsprintf.c (required additional include files, no code changes) --- Documentation/printk-formats.txt | 6 ++ lib/test_printf.c | 108 ++++++++++++++++++++----------- lib/vsprintf.c | 86 ++++++++++++++++++++++-- 3 files changed, 155 insertions(+), 45 deletions(-) diff --git a/Documentation/printk-formats.txt b/Documentation/printk-formats.txt index ed6f6abaad57..2329b1eac0fa 100644 --- a/Documentation/printk-formats.txt +++ b/Documentation/printk-formats.txt @@ -64,6 +64,12 @@ Kernel Pointers: users. The behaviour of %pK depends on the kptr_restrict sysctl - see Documentation/sysctl/kernel.txt for more details. + Pointers printed without a specifier extension (i.e unadorned %p) are + hashed to give a unique identifier without leaking kernel addresses to user + space. On 64 bit machines the first 32 bits are zeroed. + + %p abcdef12 or 00000000abcdef12 + Struct Resources: %pr [mem 0x60000000-0x6fffffff flags 0x2200] or diff --git a/lib/test_printf.c b/lib/test_printf.c index c5a666af9ba5..e2200f06f168 100644 --- a/lib/test_printf.c +++ b/lib/test_printf.c @@ -18,24 +18,6 @@ #define BUF_SIZE 256 #define FILL_CHAR '$' -#define PTR1 ((void*)0x01234567) -#define PTR2 ((void*)(long)(int)0xfedcba98) - -#if BITS_PER_LONG == 64 -#define PTR1_ZEROES "000000000" -#define PTR1_SPACES " " -#define PTR1_STR "1234567" -#define PTR2_STR "fffffffffedcba98" -#define PTR_WIDTH 16 -#else -#define PTR1_ZEROES "0" -#define PTR1_SPACES " " -#define PTR1_STR "1234567" -#define PTR2_STR "fedcba98" -#define PTR_WIDTH 8 -#endif -#define PTR_WIDTH_STR stringify(PTR_WIDTH) - static unsigned total_tests __initdata; static unsigned failed_tests __initdata; static char *test_buffer __initdata; @@ -160,30 +142,79 @@ test_string(void) test("a | | ", "%-3.s|%-3.0s|%-3.*s", "a", "b", 0, "c"); } +#define PLAIN_BUF_SIZE 64 /* leave some space so we don't oops */ + +#if BITS_PER_LONG == 64 + +#define PTR_WIDTH 16 +#define PTR ((void *)0xffff0123456789ab) +#define PTR_STR "ffff0123456789ab" +#define ZEROS "00000000" /* hex 32 zero bits */ + +static int __init +plain_format(void) +{ + char buf[PLAIN_BUF_SIZE]; + int nchars; + + nchars = snprintf(buf, PLAIN_BUF_SIZE, "%p", PTR); + + if (nchars != PTR_WIDTH || strncmp(buf, ZEROS, strlen(ZEROS)) != 0) + return -1; + + return 0; +} + +#else + +#define PTR_WIDTH 8 +#define PTR ((void *)0x456789ab) +#define PTR_STR "456789ab" + +static int __init +plain_format(void) +{ + /* Format is implicitly tested for 32 bit machines by plain_hash() */ + return 0; +} + +#endif /* BITS_PER_LONG == 64 */ + +static int __init +plain_hash(void) +{ + char buf[PLAIN_BUF_SIZE]; + int nchars; + + nchars = snprintf(buf, PLAIN_BUF_SIZE, "%p", PTR); + + if (nchars != PTR_WIDTH || strncmp(buf, PTR_STR, PTR_WIDTH) == 0) + return -1; + + return 0; +} + +/* + * We can't use test() to test %p because we don't know what output to expect + * after an address is hashed. + */ static void __init plain(void) { - test(PTR1_ZEROES PTR1_STR " " PTR2_STR, "%p %p", PTR1, PTR2); - /* - * The field width is overloaded for some %p extensions to - * pass another piece of information. For plain pointers, the - * behaviour is slightly odd: One cannot pass either the 0 - * flag nor a precision to %p without gcc complaining, and if - * one explicitly gives a field width, the number is no longer - * zero-padded. - */ - test("|" PTR1_STR PTR1_SPACES " | " PTR1_SPACES PTR1_STR "|", - "|%-*p|%*p|", PTR_WIDTH+2, PTR1, PTR_WIDTH+2, PTR1); - test("|" PTR2_STR " | " PTR2_STR "|", - "|%-*p|%*p|", PTR_WIDTH+2, PTR2, PTR_WIDTH+2, PTR2); + int err; - /* - * Unrecognized %p extensions are treated as plain %p, but the - * alphanumeric suffix is ignored (that is, does not occur in - * the output.) - */ - test("|"PTR1_ZEROES PTR1_STR"|", "|%p0y|", PTR1); - test("|"PTR2_STR"|", "|%p0y|", PTR2); + err = plain_hash(); + if (err) { + pr_warn("plain 'p' does not appear to be hashed\n"); + failed_tests++; + return; + } + + err = plain_format(); + if (err) { + pr_warn("hashing plain 'p' has unexpected format\n"); + failed_tests++; + } } static void __init @@ -194,6 +225,7 @@ symbol_ptr(void) static void __init kernel_ptr(void) { + /* We can't test this without access to kptr_restrict. */ } static void __init diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 646009db4198..3cfeeaf0518d 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -31,6 +31,13 @@ #include #include #include +#include +#include +#ifdef CONFIG_BLOCK +#include +#endif + +#include "../mm/internal.h" /* For the trace_print_flags arrays */ #include /* for PAGE_SIZE */ #include /* for dereference_function_descriptor() */ @@ -1360,6 +1367,73 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec, int kptr_restrict __read_mostly; +static bool have_filled_random_ptr_key __read_mostly; +static siphash_key_t ptr_key __read_mostly; + +static void fill_random_ptr_key(struct random_ready_callback *unused) +{ + get_random_bytes(&ptr_key, sizeof(ptr_key)); + /* + * have_filled_random_ptr_key==true is dependent on get_random_bytes(). + * ptr_to_id() needs to see have_filled_random_ptr_key==true + * after get_random_bytes() returns. + */ + smp_mb(); + WRITE_ONCE(have_filled_random_ptr_key, true); +} + +static struct random_ready_callback random_ready = { + .func = fill_random_ptr_key +}; + +static int __init initialize_ptr_random(void) +{ + int ret = add_random_ready_callback(&random_ready); + + if (!ret) { + return 0; + } else if (ret == -EALREADY) { + fill_random_ptr_key(&random_ready); + return 0; + } + + return ret; +} +early_initcall(initialize_ptr_random); + +/* Maps a pointer to a 32 bit unique identifier. */ +static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec) +{ + unsigned long hashval; + const int default_width = 2 * sizeof(ptr); + + if (unlikely(!have_filled_random_ptr_key)) { + spec.field_width = default_width; + /* string length must be less than default_width */ + return string(buf, end, "(ptrval)", spec); + } + +#ifdef CONFIG_64BIT + hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key); + /* + * Mask off the first 32 bits, this makes explicit that we have + * modified the address (and 32 bits is plenty for a unique ID). + */ + hashval = hashval & 0xffffffff; +#else + hashval = (unsigned long)siphash_1u32((u32)ptr, &ptr_key); +#endif + + spec.flags |= SMALL; + if (spec.field_width == -1) { + spec.field_width = default_width; + spec.flags |= ZEROPAD; + } + spec.base = 16; + + return number(buf, end, hashval, spec); +} + /* * Show a '%p' thing. A kernel extension is that the '%p' is followed * by an extra set of alphanumeric characters that are extended format @@ -1451,6 +1525,9 @@ int kptr_restrict __read_mostly; * Note: The difference between 'S' and 'F' is that on ia64 and ppc64 * function pointers are really function descriptors, which contain a * pointer to the real address. + * + * Note: The default behaviour (unadorned %p) is to hash the address, + * rendering it useful as a unique identifier. */ static noinline_for_stack char *pointer(const char *fmt, char *buf, char *end, void *ptr, @@ -1598,14 +1675,9 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, ((const struct file *)ptr)->f_path.dentry, spec, fmt); } - spec.flags |= SMALL; - if (spec.field_width == -1) { - spec.field_width = default_width; - spec.flags |= ZEROPAD; - } - spec.base = 16; - return number(buf, end, (unsigned long) ptr, spec); + /* default is to _not_ leak addresses, hash before printing */ + return ptr_to_id(buf, end, ptr, spec); } /*