Message-ID: <8c9fdb9f-4b1d-a21d-8ed8-f5cf7656aafb@blackberry.com>
Date: Thu, 2 Nov 2017 11:11:10 -0700
From: Petr Nejedlý <pnejedly@...ckberry.com>
To: <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: [PATCH V8 0/2] printk: hash addresses printed with %p

On 11/02/2017 09:04 AM, Sergey Senozhatsky wrote:
>>> hm... just a huge pile of if's
>>>
>>> 	if (is_vmalloc_addr(addr))
>>> 		do_hashing(addr);
>>> 	else if (__module_address(addr))
>>> 		do_hashing(addr);
>>> 	else if (is_kernel(addr) || is_kernel_inittext(addr))
>>> 		...
>>>
>>> but that's going to be really messy and "iffy".
>> This is the only suggestion we have so far.
>>
> well... one more: check if we can safely dereference it. if so
> it's a pointer, probably :)
>
> 	if (!probe_kernel_address(addr, p))
> 		do_hashing(addr);

None of that would fly - you'd open a side channel. Just find a place
where kernel prints userland provided value with %x (quite easy I suppose)
and check if it got hashed. A trivial and super-reliable way to probe the
kernel address space....

-- 
Petr
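
The side channel objected to in the message above, as an added toy model in C (not code from the thread or from the kernel): it compares a formatter that hashes only pointer-like values against one that hashes everything, and checks whether the visible outcome depends on address validity. The toy_* names, the address range, the key and the XOR stand-in for the keyed hash are all assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy layout and key; not a real kernel map or secret. */
#define TOY_BASE 0xffff800000100000ULL
#define TOY_SIZE 0x0000000000200000ULL
#define TOY_KEY  0x5bd1e9955bd1e995ULL

typedef uint64_t (*fmt_policy)(uint64_t);

static bool toy_is_mapped(uint64_t v) { return v - TOY_BASE < TOY_SIZE; }

/* Stand-in for the keyed hash: XOR with a nonzero key always changes v. */
static uint64_t toy_hash(uint64_t v) { return v ^ TOY_KEY; }

/* Quoted proposals: hash only values that look like kernel pointers. */
static uint64_t fmt_conditional(uint64_t v)
{
	return toy_is_mapped(v) ? toy_hash(v) : v;
}

/* Content-independent policy: hash every value. */
static uint64_t fmt_unconditional(uint64_t v) { return toy_hash(v); }

/* Constructed inputs on both sides of the toy range's boundaries. */
static const uint64_t samples[] = {
	0x1000ULL, TOY_BASE - 1, TOY_BASE, TOY_BASE + 0x1000ULL,
	TOY_BASE + TOY_SIZE - 1, TOY_BASE + TOY_SIZE, UINT64_MAX,
};
#define N_SAMPLES (sizeof(samples) / sizeof(samples[0]))

/* True if "did the printed value change?" separates mapped from unmapped
 * inputs, i.e. the formatter answers address-validity queries. */
static bool policy_leaks_validity(fmt_policy fmt, const uint64_t *vals, size_t n)
{
	bool seen[2][2] = { { false } };	/* [mapped][changed] */
	for (size_t i = 0; i < n; i++)
		seen[toy_is_mapped(vals[i])][fmt(vals[i]) != vals[i]] = true;
	return (seen[1][1] && seen[0][0]) || (seen[1][0] && seen[0][1]);
}

int main(void)
{
	printf("conditional leaks:   %d\n", policy_leaks_validity(fmt_conditional, samples, N_SAMPLES));
	printf("unconditional leaks: %d\n", policy_leaks_validity(fmt_unconditional, samples, N_SAMPLES));
	return 0;
}
```

The same property check applies to any content-dependent test in the formatter, whether it is a range comparison or a dereference probe: if the decision to hash depends on the value, the decision itself is observable.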