Message-ID: <d4bf6e277e1fc5dbd9026a8fdd705599de87ba6b.camel@gmail.com>
Date: Mon, 15 Nov 2021 13:42:12 +0530
From: Kaiwan N Billimoria <kaiwan.billimoria@...il.com>
To: Alexander Popov <alex.popov@...ux.com>, Jonathan Corbet
 <corbet@....net>,  Linus Torvalds <torvalds@...ux-foundation.org>, Paul
 McKenney <paulmck@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>,
 Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra
 <peterz@...radead.org>, Joerg Roedel <jroedel@...e.de>, Maciej Rozycki
 <macro@...am.me.uk>,  Muchun Song <songmuchun@...edance.com>, Viresh Kumar
 <viresh.kumar@...aro.org>, Robin Murphy <robin.murphy@....com>, Randy
 Dunlap <rdunlap@...radead.org>, Lu Baolu <baolu.lu@...ux.intel.com>, Petr
 Mladek <pmladek@...e.com>, Kees Cook <keescook@...omium.org>, Luis
 Chamberlain <mcgrof@...nel.org>, Wei Liu <wl@....org>, John Ogness
 <john.ogness@...utronix.de>, Andy Shevchenko
 <andriy.shevchenko@...ux.intel.com>, Alexey Kardashevskiy <aik@...abs.ru>, 
 Christophe Leroy <christophe.leroy@...roup.eu>, Jann Horn
 <jannh@...gle.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Mark
 Rutland <mark.rutland@....com>, Andy Lutomirski <luto@...nel.org>, Dave
 Hansen <dave.hansen@...ux.intel.com>, Steven Rostedt <rostedt@...dmis.org>,
 Will Deacon <will@...nel.org>, Ard Biesheuvel <ardb@...nel.org>, Laura
 Abbott <labbott@...nel.org>, David S Miller <davem@...emloft.net>, Borislav
 Petkov <bp@...en8.de>, Arnd Bergmann <arnd@...db.de>, Andrew Scull
 <ascull@...gle.com>, Marc Zyngier <maz@...nel.org>,  Jessica Yu
 <jeyu@...nel.org>, Iurii Zaikin <yzaikin@...gle.com>, Rasmus Villemoes
 <linux@...musvillemoes.dk>, Wang Qing <wangqing@...o.com>, Mel Gorman
 <mgorman@...e.de>, Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
 Andrew Klychkov <andrew.a.klychkov@...il.com>, Mathieu Chouquet-Stringer
 <me@...hieu.digital>, Daniel Borkmann <daniel@...earbox.net>, Stephen Kitt
 <steve@....org>, Stephen Boyd <sboyd@...nel.org>,  Thomas Bogendoerfer
 <tsbogend@...ha.franken.de>, Mike Rapoport <rppt@...nel.org>, Bjorn
 Andersson <bjorn.andersson@...aro.org>,
 kernel-hardening@...ts.openwall.com,  linux-hardening@...r.kernel.org,
 linux-doc@...r.kernel.org,  linux-arch@...r.kernel.org,
 linux-kernel@...r.kernel.org,  linux-fsdevel@...r.kernel.org
Cc: notify@...nel.org
Subject: Re: [PATCH v2 0/2] Introduce the pkill_on_warn parameter

On Thu, 2021-10-28 at 02:32 +0300, Alexander Popov wrote:
> [...]
> 
> From a security point of view, kernel warning messages provide a lot of
> useful information for attackers. Many GNU/Linux distributions allow
> unprivileged users to read the kernel log, so attackers use kernel
> warning infoleak in vulnerability exploits.

At the risk of being too simplistic, if the intention is to cut down infoleaks,
why not simply have a config (and/or sysctl) to toggle it - both at kernel build
as well as at runtime via a sysctl?

A minimal starting attempt at this, definitely incomplete (I've not actually written
the config anywhere, sorry, I'd just like to propose this as an idea for now) could
be something like this? (Am calling the kconfig CONFIG_TERSE_DIAGS_ONWARN):

---
 kernel/panic.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/kernel/panic.c b/kernel/panic.c
index cefd7d82366f..bbf00b0a8110 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -587,10 +587,8 @@ void __warn(const char *file, int line, void *caller, unsigned taint,
    if (args)
        vprintk(args->fmt, args->args);
 
-   print_modules();
-
-   if (regs)
-       show_regs(regs);
+   if (IS_ENABLED(CONFIG_TERSE_DIAGS_ONWARN))
+       return;
 
    if (panic_on_warn) {
        /*
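Review bot: The early return added right after the vprintk() call sits above the "if (panic_on_warn)" check, so with CONFIG_TERSE_DIAGS_ONWARN enabled a warning can never reach panic(), and everything else further down in __warn() is skipped as well, not only the diagnostic output. That silently disables panic_on_warn on a terse build, which is a behaviour change well beyond trimming the log. Rather than returning, leave print_modules() and show_regs() where they were and wrap only those calls in "if (!IS_ENABLED(CONFIG_TERSE_DIAGS_ONWARN))", so that the rest of the function still runs. Note also that IS_ENABLED() is a build-time test only; the runtime sysctl toggle mentioned in the message would need a separate variable checked here.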
@@ -603,6 +601,11 @@ void __warn(const char *file, int line, void *caller, unsigned taint,
        panic("panic_on_warn set ...\n");
    }   
 
+   print_modules();
+
+   if (regs)
+       show_regs(regs);
+
    if (!regs)
        dump_stack();
 
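Review bot: Moving print_modules() and show_regs() below the panic_on_warn block changes the output even when CONFIG_TERSE_DIAGS_ONWARN is off: panic() does not return, so on a panic_on_warn system the module list and registers that used to be printed before the panic are no longer printed by __warn() at all. That is the case where the diagnostics matter most for post-mortem work. Keeping both calls above the panic_on_warn check and gating them on the config there avoids the regression; the "if (!regs) dump_stack();" that follows should get the same gate explicitly if the stack trace is meant to be suppressed too, instead of relying on the early return in the previous hunk.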
-- 
2.25.1


Further, am unsure precisely which portions of diagnostic output would be useful
to retain when the config's on. Of course, this "patch" is very premature. Of course,
am open to suggestions on all of this,
Regards
