From patchwork Mon Nov 27 22:30:17 2017
X-Patchwork-Submitter: "Tobin C. Harding"
X-Patchwork-Id: 841885
X-Patchwork-Delegate: davem@davemloft.net
From: "Tobin C. Harding"
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding", linux-kernel@vger.kernel.org, Network Development, Steven Rostedt, Tycho Andersen, Daniel Borkmann, Masahiro Yamada, "David S. Miller", Alexei Starovoitov
Subject: [RFC 1/3] kallsyms: don't leak address when symbol not found
Date: Tue, 28 Nov 2017 09:30:17 +1100
Message-Id: <1511821819-5496-2-git-send-email-me@tobin.cc>
In-Reply-To: <1511821819-5496-1-git-send-email-me@tobin.cc>
References: <1511821819-5496-1-git-send-email-me@tobin.cc>
X-Mailing-List: netdev@vger.kernel.org

Currently if kallsyms_lookup() fails to find the symbol then the address is printed. This potentially leaks sensitive information. Instead of printing the address we can return an error, giving the calling code the option to print the address or print some sanitized message.

Return error instead of printing address to argument buffer. Leave buffer in a sane state.

Signed-off-by: Tobin C. Harding
---
 kernel/kallsyms.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c index 531ffa984bc2..4bfa4ee3ce93 100644 --- a/kernel/kallsyms.c +++ b/kernel/kallsyms.c
@@ -394,8 +394,10 @@ static int __sprint_symbol(char *buffer, unsigned long address, address += symbol_offset; name = kallsyms_lookup(address, &size, &offset, &modname, buffer); - if (!name) - return sprintf(buffer, "0x%lx", address - symbol_offset); + if (!name) { + buffer[0] = '\0'; + return -1; + } if (name != buffer) strcpy(buffer, name);
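
Review bot: The not-found branch in __sprint_symbol() now returns a bare -1 where it used to return the sprintf() length, so every caller that uses the return value as a byte count, or ignores it, needs auditing before this lands. Consider returning a named errno such as -ENOENT instead of -1, and document the new contract (negative on lookup failure, buffer left as an empty string) in the comments of the sprint_symbol() family so callers know to check it.
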
From: "Tobin C. Harding"
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding", linux-kernel@vger.kernel.org, Network Development, Steven Rostedt, Tycho Andersen, Andrew Morton, Ingo Molnar, Kees Cook, Thomas Gleixner, Petr Mladek, Baoquan He, Krzysztof Kozlowski, Greg Kroah-Hartman, Randy Dunlap, Ian Abbott, Niklas Söderlund, Masahiro Yamada, Larry Finger, Andy Shevchenko, Joe Perches, William Roberts, Rob Herring, Mark Rutland, Pantelis Antoniou, Alexey Dobriyan, Mauro Carvalho Chehab
Subject: [RFC 2/3] vsprintf: print if symbol not found
Date: Tue, 28 Nov 2017 09:30:18 +1100
Message-Id: <1511821819-5496-3-git-send-email-me@tobin.cc>
In-Reply-To: <1511821819-5496-1-git-send-email-me@tobin.cc>
References: <1511821819-5496-1-git-send-email-me@tobin.cc>
X-Mailing-List: netdev@vger.kernel.org

Depends on: commit bd6b239cdbb2 ("kallsyms: don't leak address when symbol not found")

Currently vsprintf for specifiers %p[SsB] relies on the behaviour of kallsyms (sprint_symbol()) and prints the actual address if a symbol is not found. Previous patch changes this behaviour so that sprint_symbol() returns an error if symbol not found. With this patch in place we can print a sanitized message '' instead of leaking the address.

Future users of vsprintf may wish to know, after a call that uses specifier %p[sSB], whether or not a symbol was found. The actual sanitized string should be contained (isolated) within the vsprintf.c therefore we should provide a predicate function. This also allows the sanitized string to be updated at a later stage with minimal risk to calling code.

Print '' for printk specifier %s[sSB] if no symbol is found. Provide predicate function string_is_no_symbol().

Signed-off-by: Tobin C. Harding
---
 include/linux/kernel.h | 2 ++
 lib/vsprintf.c | 18 +++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/include/linux/kernel.h b/include/linux/kernel.h index ce51455e2adf..89e8ce79c2d1 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -460,6 +460,8 @@ char *kvasprintf(gfp_t gfp, const char *fmt, va_list args); extern __printf(2, 0) const char *kvasprintf_const(gfp_t gfp, const char *fmt, va_list args); +extern int string_is_no_symbol(const char *s); + extern __scanf(2, 3) int sscanf(const char *, const char *, ...); extern __scanf(2, 0) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 1746bae94d41..01e18a8c63fd 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -665,6 +665,8 @@ char *bdev_name(char *buf, char *end, struct block_device *bdev, } #endif +#define PRINTK_NO_SYMBOL_STR "" + static noinline_for_stack char *symbol_string(char *buf, char *end, void *ptr, struct printf_spec spec, const char *fmt) @@ -672,6 +674,7 @@ char *symbol_string(char *buf, char *end, void *ptr, unsigned long value; #ifdef CONFIG_KALLSYMS char sym[KSYM_SYMBOL_LEN]; + int ret; #endif if (fmt[1] == 'R') @@ -680,11 +683,14 @@ char *symbol_string(char *buf, char *end, void *ptr, #ifdef CONFIG_KALLSYMS if (*fmt == 'B') - sprint_backtrace(sym, value); + ret = sprint_backtrace(sym, value); else if (*fmt != 'f' && *fmt != 's') - sprint_symbol(sym, value); + ret = sprint_symbol(sym, value); else - sprint_symbol_no_offset(sym, value); + ret = sprint_symbol_no_offset(sym, value); + + if (ret == -1) + strcpy(sym, PRINTK_NO_SYMBOL_STR); return string(buf, end, sym, spec); #else 
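
Review bot: In symbol_string() the failure test is `if (ret == -1)`, which ties vsprintf.c to the exact value the sprint_symbol() helpers happen to return; `if (ret < 0)` would keep working if the helpers later switch to an errno. The new prototype in include/linux/kernel.h also carries no comment saying what string_is_no_symbol() matches or when a caller is expected to use it.
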
@@ -692,6 +698,12 @@ char *symbol_string(char *buf, char *end, void *ptr, #endif } +int string_is_no_symbol(const char *s) +{ + return !!strstr(s, PRINTK_NO_SYMBOL_STR); +} +EXPORT_SYMBOL(string_is_no_symbol); + static noinline_for_stack char *resource_string(char *buf, char *end, struct resource *res, struct printf_spec spec, const char *fmt)
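
Review bot: string_is_no_symbol() uses strstr(), so it returns true for any string that contains the marker anywhere, including output where the marker text came from another conversion such as a %s argument. If the intent is to test a buffer produced by a single %p[sSB] conversion, say so in a kernel-doc comment on this exported function, or compare the whole string with strcmp() instead.
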
From: "Tobin C. Harding"
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding", linux-kernel@vger.kernel.org, Network Development, Steven Rostedt, Tycho Andersen, Ingo Molnar
Subject: [RFC 3/3] trace: print address if symbol not found
Date: Tue, 28 Nov 2017 09:30:19 +1100
Message-Id: <1511821819-5496-4-git-send-email-me@tobin.cc>
In-Reply-To: <1511821819-5496-1-git-send-email-me@tobin.cc>
References: <1511821819-5496-1-git-send-email-me@tobin.cc>
X-Mailing-List: netdev@vger.kernel.org

Fixes behaviour modified by: commit bd6b239cdbb2 ("kallsyms: don't leak address when symbol not found")

Previous patch changed behaviour of kallsyms function sprint_symbol() to return an error code instead of printing the address if a symbol was not found. Ftrace relies on the original behaviour. We should not break tracing when applying the previous patch. We can maintain the original behaviour by checking the return code on calls to sprint_symbol() and friends.

Check return code and print actual address on error (i.e. symbol not found).

Signed-off-by: Tobin C. Harding
---
 kernel/trace/trace.h | 24 ++++++++++++++++++++++++
 kernel/trace/trace_events_hist.c | 6 +++---
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h index 2a6d0325a761..881b1a577d75 100644 --- a/kernel/trace/trace.h +++ b/kernel/trace/trace.h
@@ -1814,4 +1814,28 @@ static inline void trace_event_eval_update(struct trace_eval_map **map, int len) extern struct trace_iterator *tracepoint_print_iter; +static inline int +trace_sprint_symbol(char *buffer, unsigned long address) +{ + int ret; + + ret = sprint_symbol(buffer, address); + if (ret == -1) + ret = sprintf(buffer, "0x%lx", address); + + return ret; +} + +static inline int +trace_sprint_symbol_no_offset(char *buffer, unsigned long address) +{ + int ret; + + ret = sprint_symbol_no_offset(buffer, address); + if (ret == -1) + ret = sprintf(buffer, "0x%lx", address); + + return ret; +} + #endif /* _LINUX_KERNEL_TRACE_H */ diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 1e1558c99d56..3e28522a76f4 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -982,7 +982,7 @@ static void hist_trigger_stacktrace_print(struct seq_file *m, return; seq_printf(m, "%*c", 1 + spaces, ' '); - sprint_symbol(str, stacktrace_entries[i]); + trace_sprint_symbol_addr(str, stacktrace_entries[i]); seq_printf(m, "%s\n", str); } } @@ -1014,12 +1014,12 @@ hist_trigger_entry_print(struct seq_file *m, seq_printf(m, "%s: %llx", field_name, uval); } else if (key_field->flags & HIST_FIELD_FL_SYM) { uval = *(u64 *)(key + key_field->offset); - sprint_symbol_no_offset(str, uval); + trace_sprint_symbol_no_offset(str, uval); seq_printf(m, "%s: [%llx] %-45s", field_name, uval, str); } else if (key_field->flags & HIST_FIELD_FL_SYM_OFFSET) { uval = *(u64 *)(key + key_field->offset); - sprint_symbol(str, uval); + trace_sprint_symbol(str, uval); seq_printf(m, "%s: [%llx] %-55s", field_name, uval, str); } else if (key_field->flags & HIST_FIELD_FL_EXECNAME) {
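
Review bot: The first trace_events_hist.c hunk, in hist_trigger_stacktrace_print(), calls trace_sprint_symbol_addr(), a name this patch never defines; the trace.h hunk adds only trace_sprint_symbol() and trace_sprint_symbol_no_offset(), so the call presumably should be `trace_sprint_symbol(str, stacktrace_entries[i]);`. The two new helpers also differ only in which sprint function they wrap and both test `ret == -1`; `ret < 0` would be more robust, and a short comment stating that tracing deliberately falls back to the raw address would make the intent clear next to the kallsyms change.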