On Wed, Dec 06, 2017 at 04:43:40PM -0800, Kees Cook wrote: > On Wed, Dec 6, 2017 at 4:26 PM, Tobin C. Harding <me@xxxxxxxx> wrote: > > Hashing addresses printed with printk specifier %p was implemented > > recently. During development a number of issues were raised regarding > > leaking kernel addresses to userspace. We should update the > > documentation appropriately. > > > > Add documentation regarding printing kernel addresses. > > > > Signed-off-by: Tobin C. Harding <me@xxxxxxxx> > > Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> > > > --- > > > > Is there a proffered method for subscripts in sphinx kernel docs? Here > > we use '[*]' > > Great question... I can't find an answer to this. :P > > > > > thanks, > > Tobin. > > > > Documentation/security/self-protection.rst | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/Documentation/security/self-protection.rst b/Documentation/security/self-protection.rst > > index 60c8bd8b77bf..e711280cfdd7 100644 > > --- a/Documentation/security/self-protection.rst > > +++ b/Documentation/security/self-protection.rst 
> > @@ -270,6 +270,20 @@ attacks, it is important to defend against exposure of both kernel memory > > addresses and kernel memory contents (since they may contain kernel > > addresses or other sensitive things like canary values). > > > > +Kernel addresses > > +---------------- > > + > > +Printing kernel addresses to userspace leaks sensitive information about > > +the kernel memory layout. Care should be exercised when using any printk > > +specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] > > +in certain circumstances [*]). Any file written to using one of these > > +specifiers should be readable only by privileged processes. > > + > > +Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 > > +addresses printed with the specifier %p are hashed before printing. > > + > > +[*] If symbol lookup fails, the raw address is currently printed. > > Is there a plan to adjust this case? RFC is in flight at the moment [RFC 0/3] kallsyms: don't leak address when printing symbol You commented already that you liked it. Had no response from Steve, I was intending to give him two weeks and then put in the patch for real. Or I could put it in without the ftrace stuff and just break tracing - just kidding, I wouldn't do that :) thanks, Tobin.
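Review bot: The "[*]" marker after "%p[sSb] in certain circumstances" and the bare "[*] If symbol lookup fails" line that closes the hunk are plain text to reStructuredText, so Sphinx will render the note as an ordinary paragraph with nothing tying it to the sentence it qualifies. reStructuredText has auto-symbol footnotes for this: write the reference as "[*]_" and the note as ".. [*] If symbol lookup fails, the raw address is currently printed." Two smaller points in the same paragraph: the comma before the parenthesis in "%p[ad], (and %p[sSb]" should go, and the specifiers would read more clearly as inline literals (double backquotes), which also keeps "%p[ad]" from being mistaken for markup. The sentence "Any file written to using one of these specifiers" follows a sentence about printk specifiers, so it is worth saying explicitly whether the kernel log is meant to be covered by "file" here.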