Bug 679263
Summary: | [RFE] kernel: kptr_restrict for hiding kernel pointers from unprivileged users [mrg-2.1] | ||
---|---|---|---|
Product: | Red Hat Enterprise MRG | Reporter: | Eugene Teo (Security Response) <eteo> |
Component: | realtime-kernel | Assignee: | Luis Claudio R. Goncalves <lgoncalv> |
Status: | CLOSED ERRATA | QA Contact: | David Sommerseth <davids> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 1.3 | CC: | bhu, iboverma, jkacur, lgoncalv, mhusnain, ovasik, security-response-team, williams |
Target Milestone: | 2.1 | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: |
The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl have been added to the realtime-kernel component. /proc interfaces use the %pK format specifier to hide exposed kernel pointers, and kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers printed with %pK are shown.
--------------------------------------------------------------
Cause: /proc/kallsyms and /proc/modules were not printed with %pK.
Consequence: Potential for kernel address leaks.
Fix: Use %pK for /proc/kallsyms and /proc/modules.
Result: The chances of kernel address leaks are reduced, and the printing behaviour can be controlled via the kptr_restrict sysctl.
|
Story Points: | --- |
Clone Of: | 679261 | Environment: | |
Last Closed: | 2012-01-23 18:37:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 679261 | ||
Bug Blocks: | 679262 |
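
An added example, not part of the bug record or the kernel patch: a shell check for the behaviour the Doc Text describes, which counts non-zero addresses in kallsyms-format output and relates the result to the kptr_restrict value. The function names `count_exposed_symbols` and `kptr_audit`, the verdict strings and the `demo`/`live` arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report.

# Count kallsyms-format lines ("<hex addr> <type> <name> [module]") with a
# non-zero address. Per-CPU symbols sit at address 0 even when nothing is
# hidden, so only "no non-zero address at all" shows that masking is active.
count_exposed_symbols() {
    awk '$1 ~ /^[0-9a-fA-F]+$/ && $1 !~ /^0+$/ { n++ } END { print n + 0 }' "$1"
}

# Print a one-word verdict for the calling user.
#   $1: file holding the kptr_restrict value (default: the live sysctl)
#   $2: kallsyms-format file                 (default: /proc/kallsyms)
kptr_audit() {
    restrict_file=${1:-/proc/sys/kernel/kptr_restrict}
    kallsyms_file=${2:-/proc/kallsyms}
    if [ ! -r "$restrict_file" ]; then
        echo "no-sysctl"            # kernel without kptr_restrict
        return 0
    fi
    level=$(cat "$restrict_file")
    exposed=$(count_exposed_symbols "$kallsyms_file")
    if [ "$exposed" -eq 0 ]; then
        echo "hidden"               # caller sees only zeroed addresses
    elif [ "$level" = "0" ]; then
        echo "exposed"              # sysctl off: real addresses for everyone
    else
        echo "visible-to-caller"    # sysctl on, yet this caller sees addresses
    fi
}

# Constructed sample in the /proc/kallsyms layout, used when the script is
# called with "demo"; with "live" it checks the running system instead.
case "${1:-}" in
demo)
    d=$(mktemp -d)
    echo 1 > "$d/kptr_restrict"
    printf '%s\n' '0000000000000000 D irq_stack_union' \
                  '0000000000000000 T dm_io [dm_mod]' > "$d/kallsyms"
    kptr_audit "$d/kptr_restrict" "$d/kallsyms"
    rm -rf "$d" ;;
live)
    kptr_audit ;;
esac
```

With kptr_restrict set to 1, `visible-to-caller` is the expected verdict for a caller holding CAP_SYSLOG; for an unprivileged caller, or with the value 2, it indicates an interface that does not print its pointers through %pK.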
Description
Eugene Teo (Security Response)
2011-02-22 04:42:45 UTC
> [PATCH v2] use %pK for /proc/kallsyms and /proc/modules
> http://marc.info/?l=linux-kernel&m=129608894604282&w=2 (not upstream yet)

http://git.kernel.org/linus/9f36e2c448007b54851e7e4fa48da97d1477a175

This one requires a number of changes beyond the ones listed above. I'm going to push it to be a follow-on to MRG 2.0 release.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed.

Technical note can be viewed in the release notes for 2.0 at the documentation stage here:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html-single/MRG_Release_Notes/index.html#tabl-MRG_Release_Notes-RT_Update_Notes-RT_Update_Notes

All of the above listed commits are available in the kernel-rt-3.0.4-rt14+ series

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1,7 @@ -The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed.+The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed. + +-------------------------------------------------------------- +Cause: /proc/kallsyms and /proc/modules not also printed with %pK +Consequence: Potential for kernel address leaks. +Fix: use %pK for /proc/kallsyms and /proc/module +Result: The chances for kernel address leaks are reduced, and the printing behaviour can be controlled via kptr_restrict sysctl

Verified by testing the feature:

Logging in as an unprivileged user:

```
[test@hp-nehalem-01 ~]$ hostname
hp-nehalem-01.rhts.eng.bos.redhat.com
[test@hp-nehalem-01 ~]$ uname -r
3.0.9-rt26.42.el6rt.x86_64
[test@hp-nehalem-01 ~]$ cat /proc/sys/kernel/kptr_restrict
0
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | head
0000000000000000 D irq_stack_union
0000000000000000 D __per_cpu_start
0000000000004000 D gdt_page
0000000000005000 d exception_stacks
0000000000009000 d tlb_vector_offset
0000000000009080 d is_idle
0000000000009088 D old_rsp
0000000000009090 D irq_regs
00000000000090a0 D vector_irq
00000000000094a0 d cpu_devices
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | tail
ffffffffa0002061 t dm_path_uevent [dm_mod]
ffffffffa000990b t dm_interface_exit [dm_mod]
ffffffffa000a245 T dm_io [dm_mod]
ffffffffa000640e T dm_get_device [dm_mod]
ffffffffa0002473 t dm_set_mdptr [dm_mod]
ffffffffa00057bd t dm_table_any_busy_target [dm_mod]
ffffffffa00024f8 t dm_suspended_md [dm_mod]
ffffffffa0005702 t dm_table_postsuspend_targets [dm_mod]
ffffffffa0007034 t dm_target_iterate [dm_mod]
ffffffffa0007cd4 t dm_copy_name_and_uuid [dm_mod]

### Switching kptr_restrict value
[test@hp-nehalem-01 ~]$ echo 1 > /proc/sys/kernel/kptr_restrict
-bash: /proc/sys/kernel/kptr_restrict: Permission denied

[root@hp-nehalem-01 ~]# echo 1 > /proc/sys/kernel/kptr_restrict
[root@hp-nehalem-01 ~]# cat /proc/sys/kernel/kptr_restrict
1

### Testing with kptr_restrict = 1
[test@hp-nehalem-01 ~]$ cat /proc/sys/kernel/kptr_restrict
1
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | head
0000000000000000 D irq_stack_union
0000000000000000 D __per_cpu_start
0000000000000000 D gdt_page
0000000000000000 d exception_stacks
0000000000000000 d tlb_vector_offset
0000000000000000 d is_idle
0000000000000000 D old_rsp
0000000000000000 D irq_regs
0000000000000000 D vector_irq
0000000000000000 d cpu_devices
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | tail
0000000000000000 t dm_path_uevent [dm_mod]
0000000000000000 t dm_interface_exit [dm_mod]
0000000000000000 T dm_io [dm_mod]
0000000000000000 T dm_get_device [dm_mod]
0000000000000000 t dm_set_mdptr [dm_mod]
0000000000000000 t dm_table_any_busy_target [dm_mod]
0000000000000000 t dm_suspended_md [dm_mod]
0000000000000000 t dm_table_postsuspend_targets [dm_mod]
0000000000000000 t dm_target_iterate [dm_mod]
0000000000000000 t dm_copy_name_and_uuid [dm_mod]
[test@hp-nehalem-01 ~]$ awk '{print $1}' < /proc/kallsyms | sort | uniq -c
57129 0000000000000000
[test@hp-nehalem-01 ~]$ echo 0 > /proc/sys/kernel/kptr_restrict
-bash: /proc/sys/kernel/kptr_restrict: Permission denied
[test@hp-nehalem-01 ~]$
```

-> VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0044.html
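
Review bot: In the technical-note diff above (the `@@ -1 +1,7 @@` hunk), the added Fix line names "/proc/module", while the added Cause line and the patch title both say "/proc/modules"; the path should be corrected so the note names the file that was actually changed. The retained first paragraph also says kptr_restrict can be set to 0, 1 or 2 without saying what each value does, so a short clause per value would let a reader pick a setting from the note alone.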