DescriptionEugene Teo (Security Response)
2011-02-22 04:36:50 UTC
Description of problem:
Add the %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl.
The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl.
If kptr_restrict is set to 0, no deviation from the standard %p behavior occurs. If kptr_restrict is set to 1, the default, if the current user (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (currently in the LSM tree), kernel pointers using %pK are printed as 0's. If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. Replacing with 0's was chosen over the default "(null)", which cannot be parsed by userland %p, which expects "(nil)".
Upstream commit:
http://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257
Also backport:
drm: do not leak kernel addresses via /proc/dri/*/vma
http://git.kernel.org/linus/01e2f533a234dc62d16c0d3d4fb9d71cf1ce50c3
timer debug: Hide kernel addresses via %pK in /proc/timer_list
http://git.kernel.org/linus/f590308536db432e4747f562b29e5858123938e9
[PATCH v2] use %pK for /proc/kallsyms and /proc/modules
http://marc.info/?l=linux-kernel&m=129608894604282&w=2 (not upstream yet)
Comment 3Eugene Teo (Security Response)
2011-04-05 01:18:05 UTC
Comment 5RHEL Program Management
2011-06-20 22:34:17 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.7 and Red Hat does not plan to fix this issue the currently developed update.
Contact your manager or support representative in case you need to escalate this bug.
Comment 6RHEL Program Management
2012-01-09 14:20:00 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue the currently developed update.
Contact your manager or support representative in case you need to escalate this bug.
Due to resource constraints or complexity, this issue could not be resolved in
the time frame of this release.
Kindly please try RHEL 6.3 Beta or 5.8 and see if the problem still happens in that
release. If it does please start a new bug.
If you feel you cannot move to that release, please contact your Global Support
Specialist for further escalation and prioritization.
Kind Regards.
Description of problem: Add the %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl. The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl. If kptr_restrict is set to 0, no deviation from the standard %p behavior occurs. If kptr_restrict is set to 1, the default, if the current user (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (currently in the LSM tree), kernel pointers using %pK are printed as 0's. If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. Replacing with 0's was chosen over the default "(null)", which cannot be parsed by userland %p, which expects "(nil)". Upstream commit: http://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257 Also backport: drm: do not leak kernel addresses via /proc/dri/*/vma http://git.kernel.org/linus/01e2f533a234dc62d16c0d3d4fb9d71cf1ce50c3 timer debug: Hide kernel addresses via %pK in /proc/timer_list http://git.kernel.org/linus/f590308536db432e4747f562b29e5858123938e9 [PATCH v2] use %pK for /proc/kallsyms and /proc/modules http://marc.info/?l=linux-kernel&m=129608894604282&w=2 (not upstream yet)