Commit 71338aa7 authored by Dan Rosenberg's avatar Dan Rosenberg Committed by David S. Miller
Browse files

net: convert %p usage to %pK 



The %pK format specifier is designed to hide exposed kernel pointers,
specifically via /proc interfaces.  Exposing these pointers provides an
easy target for kernel write vulnerabilities, since they reveal the
locations of writable structures containing easily triggerable function
pointers.  The behavior of %pK depends on the kptr_restrict sysctl.

If kptr_restrict is set to 0, no deviation from the standard %p behavior
occurs.  If kptr_restrict is set to 1, the default, if the current user
(intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG
(currently in the LSM tree), kernel pointers using %pK are printed as 0's.
 If kptr_restrict is set to 2, kernel pointers using %pK are printed as
0's regardless of privileges.  Replacing with 0's was chosen over the
default "(null)", which cannot be parsed by userland %p, which expects
"(nil)".

The supporting code for kptr_restrict and %pK are currently in the -mm
tree.  This patch converts users of %p in net/ to %pK.  Cases of printing
pointers to the syslog are not covered, since this would eliminate useful
information for postmortem debugging and the reading of the syslog is
already optionally protected by the dmesg_restrict sysctl.

Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Cc: James Morris <jmorris@namei.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Thomas Graf <tgraf@infradead.org>
Cc: Eugene Teo <eugeneteo@kernel.org>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: David S. Miller <davem@davemloft.net>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 229de618

net/atm/proc.c

+2 −2
Original line number Diff line number Diff line
@@ -191,7 +191,7 @@ static void vcc_info(struct seq_file *seq, struct atm_vcc *vcc) 
{

	struct sock *sk = sk_atm(vcc);



	seq_printf(seq, "%p ", vcc);

	seq_printf(seq, "%pK ", vcc);

	if (!vcc->dev)

		seq_printf(seq, "Unassigned    ");

	else
@@ -218,7 +218,7 @@ static void svc_info(struct seq_file *seq, struct atm_vcc *vcc) 
{

	if (!vcc->dev)

		seq_printf(seq, sizeof(void *) == 4 ?

			   "N/A@%p%10s" : "N/A@%p%2s", vcc, "");

			   "N/A@%pK%10s" : "N/A@%pK%2s", vcc, "");

	else

		seq_printf(seq, "%3d %3d %5d         ",

			   vcc->dev->number, vcc->vpi, vcc->vci);

net/can/bcm.c

+3 −3
Original line number Diff line number Diff line
@@ -165,9 +165,9 @@ static int bcm_proc_show(struct seq_file *m, void *v) 
	struct bcm_sock *bo = bcm_sk(sk);

	struct bcm_op *op;



	seq_printf(m, ">>> socket %p", sk->sk_socket);

	seq_printf(m, " / sk %p", sk);

	seq_printf(m, " / bo %p", bo);

	seq_printf(m, ">>> socket %pK", sk->sk_socket);

	seq_printf(m, " / sk %pK", sk);

	seq_printf(m, " / bo %pK", bo);

	seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);

	seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));

	seq_printf(m, " <<<\n");

net/ipv4/raw.c

+1 −1
Original line number Diff line number Diff line
@@ -979,7 +979,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i) 
	      srcp  = inet->inet_num;



	seq_printf(seq, "%4d: %08X:%04X %08X:%04X"

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",

		i, src, srcp, dest, destp, sp->sk_state,

		sk_wmem_alloc_get(sp),

		sk_rmem_alloc_get(sp),

net/ipv4/tcp_ipv4.c

+3 −3
Original line number Diff line number Diff line
@@ -2371,7 +2371,7 @@ static void get_openreq4(struct sock *sk, struct request_sock *req, 
	int ttd = req->expires - jiffies;



	seq_printf(f, "%4d: %08X:%04X %08X:%04X"

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %p%n",

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %pK%n",

		i,

		ireq->loc_addr,

		ntohs(inet_sk(sk)->inet_sport),
@@ -2426,7 +2426,7 @@ static void get_tcp4_sock(struct sock *sk, struct seq_file *f, int i, int *len) 
		rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);



	seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "

			"%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n",

			"%08X %5d %8d %lu %d %pK %lu %lu %u %u %d%n",

		i, src, srcp, dest, destp, sk->sk_state,

		tp->write_seq - tp->snd_una,

		rx_queue,
@@ -2461,7 +2461,7 @@ static void get_timewait4_sock(struct inet_timewait_sock *tw, 
	srcp  = ntohs(tw->tw_sport);



	seq_printf(f, "%4d: %08X:%04X %08X:%04X"

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",

		i, src, srcp, dest, destp, tw->tw_substate, 0, 0,

		3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,

		atomic_read(&tw->tw_refcnt), tw, len);

net/ipv4/udp.c

+1 −1
Original line number Diff line number Diff line
@@ -2090,7 +2090,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f, 
	__u16 srcp	  = ntohs(inet->inet_sport);



	seq_printf(f, "%5d: %08X:%04X %08X:%04X"

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n",

		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",

		bucket, src, srcp, dest, destp, sp->sk_state,

		sk_wmem_alloc_get(sp),

		sk_rmem_alloc_get(sp),

CRA Git | Maintained and supported by SUSTech CRA and CCSE