Re: [PATCH V8 0/2] printk: hash addresses printed with %p
From: Kees Cook
Date: Mon Oct 30 2017 - 18:03:28 EST
On Wed, Oct 25, 2017 at 7:53 PM, Tobin C. Harding <me@xxxxxxxx> wrote:
> Here is the behaviour that this set implements.
>
> For kpt_restrict==0
>
> Randomness not ready:
> printed with %p: (pointer) # NOTE: with padding
> Valid pointer:
> printed with %pK: deadbeefdeadbeef
> printed with %p: 0xdeadbeef
> malformed specifier (eg %i): 0xdeadbeef
I really think we can't include SPECIAL unless _every_ callsite of %p
is actually doing "0x%p", and then we're replacing all of those. We're
not doing that, though...
$ git grep '%p\b' | wc -l
12766
$ git grep '0x%p\b' | wc -l
1837
If we need some kind of special marking that this is a hashed
variable, that should be something other than "0x". If we're using the
existing "(null)" and new "(pointer)" text, maybe "(hash:xxxxxx)"
should be used instead? Then the (rare) callers with 0x become
"0x(hash:xxxx)" and naked callers produce "(hash:xxxx)".
I think the first step for this is to just leave SPECIAL out.
-Kees
--
Kees Cook
Pixel Security