+++ This bug was initially created as a clone of Bug #679261 +++

Description of problem:

Add the %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl.

The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers.

The behavior of %pK depends on the kptr_restrict sysctl.

- If kptr_restrict is set to 0, no deviation from the standard %p behavior occurs.
- If kptr_restrict is set to 1, the default, if the current user (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (currently in the LSM tree), kernel pointers using %pK are printed as 0's.
- If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges.

Replacing with 0's was chosen over the default "(null)", which cannot be parsed by userland %p, which expects "(nil)".

Upstream commit:
http://git.kernel.org/linus/455cd5ab305c90ffc422dd2e0fb634730942b257

Also backport:

drm: do not leak kernel addresses via /proc/dri/*/vma
http://git.kernel.org/linus/01e2f533a234dc62d16c0d3d4fb9d71cf1ce50c3

timer debug: Hide kernel addresses via %pK in /proc/timer_list
http://git.kernel.org/linus/f590308536db432e4747f562b29e5858123938e9

[PATCH v2] use %pK for /proc/kallsyms and /proc/modules
http://marc.info/?l=linux-kernel&m=129608894604282&w=2 (not upstream yet)
> [PATCH v2] use %pK for /proc/kallsyms and /proc/modules
> http://marc.info/?l=linux-kernel&m=129608894604282&w=2 (not upstream yet)

http://git.kernel.org/linus/9f36e2c448007b54851e7e4fa48da97d1477a175
This one requires a number of changes beyond the ones listed above. I'm going to push it to be a follow-on to MRG 2.0 release.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed.
Technical note can be viewed in the release notes for 2.0 at the documentation stage here:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html-single/MRG_Release_Notes/index.html#tabl-MRG_Release_Notes-RT_Update_Notes-RT_Update_Notes
All of the above listed commits are available in the kernel-rt-3.0.4-rt14+ series
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1,7 @@ -The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed.+The %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl are now added to the realtime-kernel component. The %pK format specifier uses /proc interfaces to hide exposed kernel pointers and the kptr_restrict can be set to 0, 1 or 2 to determine how kernel pointers using %pK are printed. + +-------------------------------------------------------------- +Cause: /proc/kallsyms and /proc/modules not also printed with %pK +Consequence: Potential for kernel address leaks. +Fix: use %pK for /proc/kallsyms and /proc/module +Result: The chances for kernel address leaks are reduced, and the printing behaviour can be controlled via kptr_restrict sysctl
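Review bot: the added "Fix:" line reads "/proc/kallsyms and /proc/module" while the "Cause:" line above it and the patch title ("use %pK for /proc/kallsyms and /proc/modules") use "/proc/modules"; the note should say "Fix: use %pK for /proc/kallsyms and /proc/modules" so the release note names the right file. The "Result:" line could also state that kptr_restrict=1 is the default, as the bug description does, so readers know the restriction is on without further configuration.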
Verified by testing the feature:

Logging in as an unprivileged user:

[test@hp-nehalem-01 ~]$ hostname
hp-nehalem-01.rhts.eng.bos.redhat.com
[test@hp-nehalem-01 ~]$ uname -r
3.0.9-rt26.42.el6rt.x86_64
[test@hp-nehalem-01 ~]$ cat /proc/sys/kernel/kptr_restrict
0
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | head
0000000000000000 D irq_stack_union
0000000000000000 D __per_cpu_start
0000000000004000 D gdt_page
0000000000005000 d exception_stacks
0000000000009000 d tlb_vector_offset
0000000000009080 d is_idle
0000000000009088 D old_rsp
0000000000009090 D irq_regs
00000000000090a0 D vector_irq
00000000000094a0 d cpu_devices
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | tail
ffffffffa0002061 t dm_path_uevent [dm_mod]
ffffffffa000990b t dm_interface_exit [dm_mod]
ffffffffa000a245 T dm_io [dm_mod]
ffffffffa000640e T dm_get_device [dm_mod]
ffffffffa0002473 t dm_set_mdptr [dm_mod]
ffffffffa00057bd t dm_table_any_busy_target [dm_mod]
ffffffffa00024f8 t dm_suspended_md [dm_mod]
ffffffffa0005702 t dm_table_postsuspend_targets [dm_mod]
ffffffffa0007034 t dm_target_iterate [dm_mod]
ffffffffa0007cd4 t dm_copy_name_and_uuid [dm_mod]

### Switching kptr_restrict value

[test@hp-nehalem-01 ~]$ echo 1 > /proc/sys/kernel/kptr_restrict
-bash: /proc/sys/kernel/kptr_restrict: Permission denied
[root@hp-nehalem-01 ~]# echo 1 > /proc/sys/kernel/kptr_restrict
[root@hp-nehalem-01 ~]# cat /proc/sys/kernel/kptr_restrict
1

### Testing with kptr_restrict = 1

[test@hp-nehalem-01 ~]$ cat /proc/sys/kernel/kptr_restrict
1
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | head
0000000000000000 D irq_stack_union
0000000000000000 D __per_cpu_start
0000000000000000 D gdt_page
0000000000000000 d exception_stacks
0000000000000000 d tlb_vector_offset
0000000000000000 d is_idle
0000000000000000 D old_rsp
0000000000000000 D irq_regs
0000000000000000 D vector_irq
0000000000000000 d cpu_devices
[test@hp-nehalem-01 ~]$ cat /proc/kallsyms | tail
0000000000000000 t dm_path_uevent [dm_mod]
0000000000000000 t dm_interface_exit [dm_mod]
0000000000000000 T dm_io [dm_mod]
0000000000000000 T dm_get_device [dm_mod]
0000000000000000 t dm_set_mdptr [dm_mod]
0000000000000000 t dm_table_any_busy_target [dm_mod]
0000000000000000 t dm_suspended_md [dm_mod]
0000000000000000 t dm_table_postsuspend_targets [dm_mod]
0000000000000000 t dm_target_iterate [dm_mod]
0000000000000000 t dm_copy_name_and_uuid [dm_mod]
[test@hp-nehalem-01 ~]$ awk '{print $1}' < /proc/kallsyms | sort | uniq -c
  57129 0000000000000000
[test@hp-nehalem-01 ~]$ echo 0 > /proc/sys/kernel/kptr_restrict
-bash: /proc/sys/kernel/kptr_restrict: Permission denied
[test@hp-nehalem-01 ~]$

-> VERIFIED
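The verification above checks by hand (with awk) that every address in /proc/kallsyms reads as zero for an unprivileged user once kptr_restrict is 1. The script below is an added example, not code from this bug report or from the kernel: it models the %pK rule from the description in userspace (0: show, 1: hide unless the reader has CAP_SYSLOG, 2: always hide), parses kallsyms-style lines, and reports an audit failure whenever an address is visible to a reader the policy says should see zeros. The sample lines are copied from the session above; the assumption that a root reader holds CAP_SYSLOG (used only in the live check) is an approximation.

```python
"""Audit a /proc/kallsyms listing against the kptr_restrict policy.

Added example; not code from the bug report or the kernel tree. It models
the %pK rule quoted in the bug description and checks that a kallsyms
listing obeys it, which is what the awk one-liner in the verification does.
"""
import os
import re
import sys
from typing import Iterable, List, NamedTuple

# address, type, name, optional [module]; 16 hex digits on x86_64, 8 on 32-bit
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]{8,16})\s+(\S)\s+(\S+)(?:\s+\[([^\]]+)\])?$")


class Symbol(NamedTuple):
    address: int
    sym_type: str
    name: str
    module: str  # "" for built-in symbols


class AuditResult(NamedTuple):
    ok: bool
    total: int
    visible: int  # symbols whose printed address is non-zero
    reason: str


def parse_kallsyms(lines: Iterable[str]) -> List[Symbol]:
    """Parse kallsyms-style lines; reject anything that does not fit the format."""
    symbols: List[Symbol] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KALLSYMS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable kallsyms line: {line!r}")
        addr, sym_type, name, module = m.groups()
        symbols.append(Symbol(int(addr, 16), sym_type, name, module or ""))
    return symbols


def pointers_hidden(kptr_restrict: int, has_cap_syslog: bool) -> bool:
    """Userspace model of the %pK rule: True if this reader should see zeros."""
    if kptr_restrict == 0:
        return False
    if kptr_restrict == 1:
        return not has_cap_syslog
    if kptr_restrict == 2:
        return True
    raise ValueError("kptr_restrict must be 0, 1 or 2")


def audit_kallsyms(lines: Iterable[str], kptr_restrict: int, has_cap_syslog: bool) -> AuditResult:
    """Flag any non-zero address when the policy says this reader must see zeros.

    A zero address is not by itself proof of hiding: per-cpu symbols such as
    irq_stack_union sit at offset 0 even with kptr_restrict=0 (see the session
    above), so the rule is "no address may be visible", not "all must be zero".
    """
    symbols = parse_kallsyms(lines)
    visible = sum(1 for s in symbols if s.address != 0)
    if pointers_hidden(kptr_restrict, has_cap_syslog):
        if visible:
            return AuditResult(False, len(symbols), visible,
                               f"{visible} kernel address(es) visible despite kptr_restrict={kptr_restrict}")
        return AuditResult(True, len(symbols), 0, "all addresses hidden as required")
    return AuditResult(True, len(symbols), visible, "policy allows addresses for this reader")


# Constructed samples, copied from the verification session above.
UNRESTRICTED_SAMPLE = """\
0000000000000000 D irq_stack_union
0000000000000000 D __per_cpu_start
0000000000004000 D gdt_page
0000000000005000 d exception_stacks
0000000000009000 d tlb_vector_offset
"""

RESTRICTED_SAMPLE = """\
0000000000000000 t dm_path_uevent [dm_mod]
0000000000000000 t dm_interface_exit [dm_mod]
0000000000000000 T dm_io [dm_mod]
0000000000000000 T dm_get_device [dm_mod]
0000000000000000 t dm_set_mdptr [dm_mod]
"""

if __name__ == "__main__":
    # Live check on a Linux host; falls back to the sample when /proc is unavailable.
    # Assumption: a root reader holds CAP_SYSLOG (approximation, not a capability query).
    try:
        with open("/proc/sys/kernel/kptr_restrict") as f:
            level = int(f.read().strip())
        with open("/proc/kallsyms") as f:
            result = audit_kallsyms(f, level, has_cap_syslog=(os.geteuid() == 0))
    except OSError:
        level = 1
        result = audit_kallsyms(RESTRICTED_SAMPLE.splitlines(), level, has_cap_syslog=False)
    print(f"kptr_restrict={level}: {result.reason}")
    sys.exit(0 if result.ok else 1)
```

Run it as the unprivileged test user on a host with kptr_restrict=1: a non-zero exit means some address still leaks through /proc/kallsyms, which is exactly the condition the backported patch is meant to remove.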
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0044.html