Commit 227d1a61 authored by Tobin C. Harding's avatar Tobin C. Harding Committed by Jonathan Corbet

doc: add documentation on printing kernel addresses

Hashing addresses printed with printk specifier %p was implemented
recently. During development a number of issues were raised regarding
leaking kernel addresses to userspace. Other documentation was updated but
security/self-protection missed out.

Add self-protection documentation regarding printing kernel addresses.
Signed-off-by: default avatarTobin C. Harding <me@tobin.cc>
Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
parent da271403
...@@ -270,6 +270,21 @@ attacks, it is important to defend against exposure of both kernel memory ...@@ -270,6 +270,21 @@ attacks, it is important to defend against exposure of both kernel memory
addresses and kernel memory contents (since they may contain kernel addresses and kernel memory contents (since they may contain kernel
addresses or other sensitive things like canary values). addresses or other sensitive things like canary values).
Kernel addresses
----------------
Printing kernel addresses to userspace leaks sensitive information about
the kernel memory layout. Care should be exercised when using any printk
specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
in certain circumstances [*]). Any file written to using one of these
specifiers should be readable only by privileged processes.
Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
addresses printed with the specifier %p are hashed before printing.
[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
printed. If KALLSYMS is not enabled the raw address is printed.
Unique identifiers Unique identifiers
------------------ ------------------
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment