Once in a while %p usage comes up, and I've needed to have a reference to point people to. Add %p details to deprecated.rst. Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- Documentation/process/deprecated.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Documentation/process/deprecated.rst b/Documentation/process/deprecated.rst index f9f196d3a69b..a4db119f4e09 100644 --- a/Documentation/process/deprecated.rst +++ b/Documentation/process/deprecated.rst @@ -109,6 +109,23 @@ the given limit of bytes to copy. This is inefficient and can lead to linear read overflows if a source string is not NUL-terminated. The safe replacement is :c:func:`strscpy`. +%p format specifier +------------------- +Using %p in format strings leads to a huge number of address exposures. +Instead of leaving these to be exploitable, "%p" should not be used in +the kernel. If used currently, it is a hashed value, rendering it +unusable for addressing. Paraphrasing Linus's current `guideance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@xxxxxxxxxxxxxx/>`_: + +- Just use %p and get the hashed value. +- If the hashed value is pointless, ask yourself whether the pointer + itself is important. Maybe it should be removed entirely? +- As a last option, if you really think the true pointer value is + important, why is some system state or user privilege level considered + "special"? If it is well justified (in comments and commit log), maybe + you can use %px along with making sure you have sensible permissions. + +A system-wide toggle will `not be accepted <https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@xxxxxxxxxxxxxx/>`_. + Variable Length Arrays (VLAs) ----------------------------- Using stack VLAs produces much worse machine code than statically -- 2.20.1 -- Kees Cook
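Review bot: the added section reads as self-contradictory: the opening paragraph says "%p" should not be used in the kernel, but the first bullet then says "Just use %p and get the hashed value." Since the text itself explains that %p now prints a hashed value, the thing to steer people away from is treating that output as an address, not %p itself; consider rewording the opening along the lines of "all %p uses in the kernel are printed as a hashed value, so %p must not be relied on for address output" and reserving the "should not be used" wording for the %px case discussed in the last bullet. Also, "guideance" in the link text should be "guidance".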