Date: Mon, 14 Apr 2025 14:31:42 +0200
From: Petr Mladek
To: Kees Cook
Cc: Vlastimil Babka, Sergio Perez Gonzalez, Jonathan Corbet, Steven Rostedt, Andy Shevchenko, Rasmus Villemoes, Sergey Senozhatsky, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Roman Gushchin, Harry Yoo, "Paul E. McKenney", Randy Dunlap, Tamir Duberstein, Miguel Ojeda, Alice Ryhl, linux-doc@vger.kernel.org, linux-mm@kvack.org, Thomas Huth, "Borislav Petkov (AMD)", Ard Biesheuvel, Greg Kroah-Hartman, Andreas Hindborg, Stephen Boyd, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] slab: Decouple slab_debug and no_hash_pointers
In-Reply-To: <20250410174428.work.488-kees@kernel.org>

On Thu 2025-04-10 10:44:31, Kees Cook wrote:
> Some system owners use slab_debug=FPZ (or similar) as a hardening option,
> but do not want to be forced into having kernel addresses exposed due
> to the implicit "no_hash_pointers" boot param setting.[1]
>
> Introduce the "hash_pointers" boot param, which defaults to "auto"
> (the current behavior), but also includes "always" (forcing on hashing
> even when "slab_debug=..." is defined), and "never". The existing
> "no_hash_pointers" boot param becomes an alias for "hash_pointers=never".
>
> This makes it possible to boot with "slab_debug=FPZ hash_pointers=always".

The idea makes sense.
But it seems that the patch did not handle the "always" mode correctly, see below.

> --- a/lib/vsprintf.c > +++ b/lib/vsprintf.c > @@ -60,6 +60,20 @@ > bool no_hash_pointers __ro_after_init; > EXPORT_SYMBOL_GPL(no_hash_pointers); > > +/* > + * Hashed pointers policy selected by "hash_pointers=..." boot param > + * > + * `auto` - Hashed pointers enabled unless disabled by slub_debug_enabled=true > + * `always` - Hashed pointers enabled unconditionally > + * `never` - Hashed pointers disabled unconditionally > + */ > +enum hash_pointers_policy { > + HASH_PTR_AUTO = 0, > + HASH_PTR_ALWAYS, > + HASH_PTR_NEVER > +}; > +static enum hash_pointers_policy hash_pointers_mode __initdata; > + > noinline > static unsigned long long simple_strntoull(const char *startp, char **endp, unsigned int base, size_t max_chars) > {
> @@ -2271,12 +2285,13 @@ char *resource_or_range(const char *fmt, char *buf, char *end, void *ptr, > return resource_string(buf, end, ptr, spec, fmt); > } > > -int __init no_hash_pointers_enable(char *str) > +void __init hash_pointers_finalize(bool slub_debug) > { > - if (no_hash_pointers) > - return 0; > + if (hash_pointers_mode == HASH_PTR_AUTO && slub_debug) > + no_hash_pointers = true; > > - no_hash_pointers = true; > + if (!no_hash_pointers) > + return; > > pr_warn("**********************************************************\n"); > pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n");

The mode/policy is generic but this function is ready to be called only once. And we might actually want to call it twice, see below.

I would suggest using generic names and allowing it to be called more times, something like:

/**
 * hash_pointers_update() - update the decision whether to hash
 *	printed pointers
 * @auto_disable: Disable hashing in auto mode
 *
 * The function allows disabling the hashing of printed pointers either
 * when the global mode is HASH_PTR_NEVER or when the caller
 * wants to disable it and the mode is HASH_PTR_AUTO.
 */
void __init hash_pointers_update(bool auto_disable)
{
	bool disable_hashing = false;

	switch (hash_pointers_mode) {
	case HASH_PTR_AUTO:
		/* The caller decides, e.g. because slab debugging is enabled. */
		disable_hashing = auto_disable;
		break;
	case HASH_PTR_NEVER:
		/* Never hash: print raw pointers regardless of the caller. */
		disable_hashing = true;
		break;
	case HASH_PTR_ALWAYS:
		/* Always hash: revert any earlier decision to print raw pointers. */
		if (no_hash_pointers) {
			pr_warn("Pointers were temporarily printed without hashing. Force hashing again.\n");
			no_hash_pointers = false;
		}
		break;
	default:
		pr_warn("Unknown hash_pointers mode '%d' specified; assuming auto.\n",
			hash_pointers_mode);
		disable_hashing = auto_disable;
	}

	/* Nothing to do when no change is requested. */
	if (no_hash_pointers || !disable_hashing)
		return;

	no_hash_pointers = true;

	pr_warn("**********************************************************\n");
	pr_warn("**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **\n");
	pr_warn("**                                                      **\n");
	pr_warn("** This system shows unhashed kernel memory addresses   **\n");
	pr_warn("** via the console, logs, and other interfaces. This    **\n");
	pr_warn("** might reduce the security of your system.            **\n");
	pr_warn("**                                                      **\n");
	pr_warn("** If you see this message and you are not debugging    **\n");
	pr_warn("** the kernel, report this immediately to your system   **\n");
	pr_warn("** administrator!                                       **\n");
	pr_warn("**                                                      **\n");
	pr_warn("** Use hash_pointers=always to force this mode off      **\n");
	pr_warn("**                                                      **\n");
	pr_warn("**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **\n");
	pr_warn("**********************************************************\n");
}
> @@ -2289,11 +2304,39 @@ int __init no_hash_pointers_enable(char *str) > pr_warn("** the kernel, report this immediately to your system **\n"); > pr_warn("** administrator! **\n"); > pr_warn("** **\n"); > + pr_warn("** Use hash_pointers=always to force this mode off **\n"); > + pr_warn("** **\n"); > pr_warn("** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **\n"); > pr_warn("**********************************************************\n"); > +} > + > +static int __init hash_pointers_mode_parse(char *str) > +{ > + if (!str) { > + pr_warn("Hash pointers mode empty; falling back to auto.\n"); > + hash_pointers_mode = HASH_PTR_AUTO; > + } else if (strncmp(str, "auto", 4) == 0) { > + pr_info("Hash pointers mode set to auto.\n"); > + hash_pointers_mode = HASH_PTR_AUTO; > + } else if (strncmp(str, "never", 5) == 0) { > + pr_info("Hash pointers mode set to never.\n"); > + hash_pointers_mode = HASH_PTR_NEVER; > + } else if (strncmp(str, "always", 6) == 0) { > + pr_info("Hash pointers mode set to always.\n"); > + hash_pointers_mode = HASH_PTR_ALWAYS;

This mode is not handled anywhere, see below.

> + } else { > + pr_warn("Unknown hash_pointers mode '%s' specified; assuming auto.\n", str); > + hash_pointers_mode = HASH_PTR_AUTO; > + }

We might handle HASH_PTR_ALWAYS by calling:

	hash_pointers_update(false);

> return 0; > } > +early_param("hash_pointers", hash_pointers_mode_parse); > + > +static int __init no_hash_pointers_enable(char *str) > +{ > + return hash_pointers_mode_parse("never"); > +} > early_param("no_hash_pointers", no_hash_pointers_enable); > > /*

Best Regards,
Petr
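
Review bot: the policy comment above enum hash_pointers_policy (hunk "@@ -60,6 +60,20 @@") describes `auto` as "enabled unless disabled by slub_debug_enabled=true", which names an internal condition rather than anything a system owner can set. The commit message talks about the "slab_debug=..." boot param, so the comment would be easier to act on if it said that `auto` disables hashing when slab debugging is requested on the command line. It is also worth stating in the comment that hash_pointers_mode is __initdata and therefore may only be read from __init code, since the variable disappears after boot while no_hash_pointers stays.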
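
Review bot: in hash_pointers_finalize() (hunk "@@ -2271,12 +2285,13 @@") the only assignment left is "if (hash_pointers_mode == HASH_PTR_AUTO && slub_debug) no_hash_pointers = true;", and the unconditional "no_hash_pointers = true;" of the old handler is removed. Nothing in the quoted lines sets no_hash_pointers for HASH_PTR_NEVER, so unless another part of the patch does it, "hash_pointers=never" and the "no_hash_pointers" alias would leave hashing on and skip the banner. Suggest handling all three enum values explicitly here, for example with a switch, so that each policy has one visible outcome and a later caller cannot reach the function with a mode it silently ignores.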
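
Review bot: hash_pointers_mode_parse() (hunk "@@ -2289,11 +2304,39 @@") matches with strncmp(str, "auto", 4), strncmp(str, "never", 5) and strncmp(str, "always", 6), which are prefix comparisons, so values with trailing characters such as "nevermind" or "always0" are accepted as valid modes. For a parameter that decides whether raw kernel addresses reach the logs, an exact match (strcmp(), or checking that the character after the prefix is the terminator) is safer, with everything else going to the existing "Unknown hash_pointers mode" branch. That branch falls back to auto, which still unhashes pointers when slab debugging is on; consider whether a mistyped value should instead keep hashing enabled.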