Re: [PATCH V8 0/2] printk: hash addresses printed with %p

From: Kees Cook
Date: Mon Oct 30 2017 - 18:03:28 EST

Next message: Kees Cook: "Re: [PATCH] drm: gma500: Convert timers to use timer_setup()"
Previous message: Boris Ostrovsky: "Re: [PATCH v7 13/13] xen: introduce a Kconfig option to enable the pvcalls frontend"
In reply to: Tobin C. Harding: "Re: [PATCH V8 0/2] printk: hash addresses printed with %p"
Next in thread: Tobin C. Harding: "Re: [PATCH V8 0/2] printk: hash addresses printed with %p"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Oct 25, 2017 at 7:53 PM, Tobin C. Harding <me@xxxxxxxx> wrote:
> Here is the behaviour that this set implements.
>
> For kpt_restrict==0
>
> Randomness not ready:
> printed with %p: (pointer) # NOTE: with padding
> Valid pointer:
> printed with %pK: deadbeefdeadbeef
> printed with %p: 0xdeadbeef
> malformed specifier (eg %i): 0xdeadbeef

I really think we can't include SPECIAL unless _every_ callsite of %p
is actually doing "0x%p", and then we're replacing all of those. We're
not doing that, though...

$ git grep '%p\b' | wc -l
12766
$ git grep '0x%p\b' | wc -l
1837

If we need some kind of special marking that this is a hashed
variable, that should be something other than "0x". If we're using the
existing "(null)" and new "(pointer)" text, maybe "(hash:xxxxxx)"
should be used instead? Then the (rare) callers with 0x become
"0x(hash:xxxx)" and naked callers produce "(hash:xxxx)".

I think the first step for this is to just leave SPECIAL out.

-Kees

--
Kees Cook
Pixel Security

Next message: Kees Cook: "Re: [PATCH] drm: gma500: Convert timers to use timer_setup()"
Previous message: Boris Ostrovsky: "Re: [PATCH v7 13/13] xen: introduce a Kconfig option to enable the pvcalls frontend"
In reply to: Tobin C. Harding: "Re: [PATCH V8 0/2] printk: hash addresses printed with %p"
Next in thread: Tobin C. Harding: "Re: [PATCH V8 0/2] printk: hash addresses printed with %p"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]