From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.6 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 364F4C433DB for ; Fri, 5 Feb 2021 10:59:11 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 6891064F99 for ; Fri, 5 Feb 2021 10:59:10 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6891064F99 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 9F3256B0005; Fri, 5 Feb 2021 05:59:09 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 9A2896B006C; Fri, 5 Feb 2021 05:59:09 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8B98B6B006E; Fri, 5 Feb 2021 05:59:09 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 7443D6B0005 for ; Fri, 5 Feb 2021 05:59:09 -0500 (EST) Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 2AE02348D for ; Fri, 5 Feb 2021 10:59:09 +0000 (UTC) X-FDA: 77783917218.21.wrist38_0615fb0275e4 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin21.hostedemail.com (Postfix) with ESMTP id 10B2B180442C3 for ; Fri, 5 Feb 2021 10:59:09 +0000 (UTC) X-HE-Tag: wrist38_0615fb0275e4 X-Filterd-Recvd-Size: 4850 Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) by imf41.hostedemail.com (Postfix) with ESMTP for ; Fri, 5 Feb 2021 10:59:08 +0000 (UTC) X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 3B180AD29; Fri, 5 Feb 2021 10:59:07 +0000 (UTC) To: Timur Tabi , Petr Mladek , Steven Rostedt , Sergey Senozhatsky , linux-kernel@vger.kernel.org, linux-mm@kvack.org, willy@infradead.org, akpm@linux-foundation.org, torvalds@linux-foundation.org, roman.fietze@magna.com, keescook@chromium.org, john.ogness@linutronix.de, akinobu.mita@gmail.com References: <20210202213633.755469-1-timur@kernel.org> From: Vlastimil Babka Subject: Re: [PATCH][RESEND] lib/vsprintf: make-printk-non-secret printks all addresses as unhashed Message-ID: <3baace45-38af-a59b-c376-9a4c39a17b2d@suse.cz> Date: Fri, 5 Feb 2021 11:59:06 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <20210202213633.755469-1-timur@kernel.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2/2/21 10:36 PM, Timur Tabi wrote: > If the make-printk-non-secret command-line parameter is set, then > printk("%p") will print addresses as unhashed. This is useful for > debugging purposes. >=20 > A large warning message is displayed if this option is enabled, > because unhashed addresses, while useful for debugging, exposes > kernel addresses which can be a security risk. >=20 > Signed-off-by: Timur Tabi Thanks a lot. Should this also affect %pK though? IIUC, there's currently= no way to achieve non-mangled %pK in all cases, even with the most permissive kptr_restrict=3D1 setting: - in IRQ, there's "pK-error" instead - in a context of non-CAP_SYSLOG process, nulls are printed Yes, neither should matter if %pK were only used for prints that generate content of some kind of /proc file read by a CAP_SYSLOG process, but that doesn't seem to be the case and there are %pK used for printing to dmesg = too... > --- > lib/vsprintf.c | 34 ++++++++++++++++++++++++++++++++-- > 1 file changed, 32 insertions(+), 2 deletions(-) >=20 > diff --git a/lib/vsprintf.c b/lib/vsprintf.c > index 3b53c73580c5..b9f87084afb0 100644 > --- a/lib/vsprintf.c > +++ b/lib/vsprintf.c > @@ -2090,6 +2090,30 @@ char *fwnode_string(char *buf, char *end, struct= fwnode_handle *fwnode, > return widen_string(buf, buf - buf_start, end, spec); > } > =20 > +/* Disable pointer hashing if requested */ > +static bool debug_never_hash_pointers __ro_after_init; > + > +static int __init debug_never_hash_pointers_enable(char *str) > +{ > + debug_never_hash_pointers =3D true; > + pr_warn("**********************************************************\n= "); > + pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n= "); > + pr_warn("** **\n= "); > + pr_warn("** All pointers that are printed to the console will **\n= "); > + pr_warn("** be printed as unhashed. **\n= "); > + pr_warn("** **\n= "); > + pr_warn("** Kernel memory addresses are exposed, which may **\n= "); > + pr_warn("** compromise security on your system. **\n= "); > + pr_warn("** **\n= "); > + pr_warn("** If you see this message and you are not debugging **\n= "); > + pr_warn("** the kernel, report this immediately to your vendor! **\n= "); > + pr_warn("** **\n= "); > + pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n= "); > + pr_warn("**********************************************************\n= "); > + return 0; > +} > +early_param("make-printk-non-secret", debug_never_hash_pointers_enable= ); > + > /* > * Show a '%p' thing. A kernel extension is that the '%p' is followed > * by an extra set of alphanumeric characters that are extended format > @@ -2297,8 +2321,14 @@ char *pointer(const char *fmt, char *buf, char *= end, void *ptr, > } > } > =20 > - /* default is to _not_ leak addresses, hash before printing */ > - return ptr_to_id(buf, end, ptr, spec); > + /* > + * default is to _not_ leak addresses, so hash before printing, unles= s > + * make-printk-non-secret is specified on the command line. > + */ > + if (unlikely(debug_never_hash_pointers)) > + return pointer_string(buf, end, ptr, spec); > + else > + return ptr_to_id(buf, end, ptr, spec); > } > =20 > /* >=20