net: convert %p usage to %pK

The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl. If kptr_restrict is set to 0, no deviation from the standard %p behavior occurs. If kptr_restrict is set to 1, the default, if the current user (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (currently in the LSM tree), kernel pointers using %pK are printed as 0's. If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. Replacing with 0's was chosen over the default "(null)", which cannot be parsed by userland %p, which expects "(nil)". The supporting code for kptr_restrict and %pK are currently in the -mm tree. This patch converts users of %p in net/ to %pK. Cases of printing pointers to the syslog are not covered, since this would eliminate useful information for postmortem debugging and the reading of the syslog is already optionally protected by the dmesg_restrict sysctl. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: James Morris <jmorris@namei.org> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Thomas Graf <tgraf@infradead.org> Cc: Eugene Teo <eugeneteo@kernel.org> Cc: Kees Cook <kees.cook@canonical.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: David S. Miller <davem@davemloft.net> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>

net: convert %p usage to %pK
The %pK format specifier is designed to hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities, since they reveal the locations of writable structures containing easily triggerable function pointers. The behavior of %pK depends on the kptr_restrict sysctl. If kptr_restrict is set to 0, no deviation from the standard %p behavior occurs. If kptr_restrict is set to 1, the default, if the current user (intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG (currently in the LSM tree), kernel pointers using %pK are printed as 0's. If kptr_restrict is set to 2, kernel pointers using %pK are printed as 0's regardless of privileges. Replacing with 0's was chosen over the default "(null)", which cannot be parsed by userland %p, which expects "(nil)". The supporting code for kptr_restrict and %pK are currently in the -mm tree. This patch converts users of %p in net/ to %pK. Cases of printing pointers to the syslog are not covered, since this would eliminate useful information for postmortem debugging and the reading of the syslog is already optionally protected by the dmesg_restrict sysctl. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: James Morris <jmorris@namei.org> Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Thomas Graf <tgraf@infradead.org> Cc: Eugene Teo <eugeneteo@kernel.org> Cc: Kees Cook <kees.cook@canonical.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: David S. Miller <davem@davemloft.net> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Rosenberg · David S. Miller
1 parent 229de618ba
Showing 14 changed files with 22 additions and 22 deletions Side-by-side Diff
net/atm/proc.c
net/can/bcm.c
net/ipv4/raw.c
net/ipv4/tcp_ipv4.c
net/ipv4/udp.c
net/ipv6/raw.c
net/ipv6/tcp_ipv6.c
net/ipv6/udp.c
net/key/af_key.c
net/netlink/af_netlink.c
net/packet/af_packet.c
net/phonet/socket.c
net/sctp/proc.c
net/unix/af_unix.c
@@ -191,7 +191,7 @@
 {
 	struct sock *sk = sk_atm(vcc);
  
-	seq_printf(seq, "%p ", vcc);
+	seq_printf(seq, "%pK ", vcc);
 	if (!vcc->dev)
 		seq_printf(seq, "Unassigned    ");
 	else
@@ -218,7 +218,7 @@
 {
 	if (!vcc->dev)
 		seq_printf(seq, sizeof(void *) == 4 ?
-			   "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
+			   "N/A@%pK%10s" : "N/A@%pK%2s", vcc, "");
 	else
 		seq_printf(seq, "%3d %3d %5d         ",
 			   vcc->dev->number, vcc->vpi, vcc->vci);
@@ -165,9 +165,9 @@
 	struct bcm_sock *bo = bcm_sk(sk);
 	struct bcm_op *op;
  
-	seq_printf(m, ">>> socket %p", sk->sk_socket);
-	seq_printf(m, " / sk %p", sk);
-	seq_printf(m, " / bo %p", bo);
+	seq_printf(m, ">>> socket %pK", sk->sk_socket);
+	seq_printf(m, " / sk %pK", sk);
+	seq_printf(m, " / bo %pK", bo);
 	seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
 	seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
 	seq_printf(m, " <<<\n");
@@ -979,7 +979,7 @@
 	      srcp  = inet->inet_num;
  
 	seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
-		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
 		i, src, srcp, dest, destp, sp->sk_state,
 		sk_wmem_alloc_get(sp),
 		sk_rmem_alloc_get(sp),
@@ -2371,7 +2371,7 @@
 	int ttd = req->expires - jiffies;
  
 	seq_printf(f, "%4d: %08X:%04X %08X:%04X"
-		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %p%n",
+		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %pK%n",
 		i,
 		ireq->loc_addr,
 		ntohs(inet_sk(sk)->inet_sport),
@@ -2426,7 +2426,7 @@
 		rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
  
 	seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
-			"%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n",
+			"%08X %5d %8d %lu %d %pK %lu %lu %u %u %d%n",
 		i, src, srcp, dest, destp, sk->sk_state,
 		tp->write_seq - tp->snd_una,
 		rx_queue,
@@ -2461,7 +2461,7 @@
 	srcp  = ntohs(tw->tw_sport);
  
 	seq_printf(f, "%4d: %08X:%04X %08X:%04X"
-		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
+		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
 		i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
 		3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
 		atomic_read(&tw->tw_refcnt), tw, len);
@@ -2090,7 +2090,7 @@
 	__u16 srcp	  = ntohs(inet->inet_sport);
  
 	seq_printf(f, "%5d: %08X:%04X %08X:%04X"
-		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n",
+		" %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",
 		bucket, src, srcp, dest, destp, sp->sk_state,
 		sk_wmem_alloc_get(sp),
 		sk_rmem_alloc_get(sp),
@@ -1240,7 +1240,7 @@
 	srcp  = inet_sk(sp)->inet_num;
 	seq_printf(seq,
 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
 		   i,
 		   src->s6_addr32[0], src->s6_addr32[1],
 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
@@ -2036,7 +2036,7 @@
  
 	seq_printf(seq,
 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
+		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
 		   i,
 		   src->s6_addr32[0], src->s6_addr32[1],
 		   src->s6_addr32[2], src->s6_addr32[3],
@@ -2087,7 +2087,7 @@
  
 	seq_printf(seq,
 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u %d\n",
+		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %lu %lu %u %u %d\n",
 		   i,
 		   src->s6_addr32[0], src->s6_addr32[1],
 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
@@ -2129,7 +2129,7 @@
  
 	seq_printf(seq,
 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
+		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
 		   i,
 		   src->s6_addr32[0], src->s6_addr32[1],
 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
@@ -1391,7 +1391,7 @@
 	srcp  = ntohs(inet->inet_sport);
 	seq_printf(seq,
 		   "%5d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
-		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
+		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
 		   bucket,
 		   src->s6_addr32[0], src->s6_addr32[1],
 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
@@ -3656,7 +3656,7 @@
 	if (v == SEQ_START_TOKEN)
 		seq_printf(f ,"sk       RefCnt Rmem   Wmem   User   Inode\n");
 	else
-		seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
+		seq_printf(f, "%pK %-6d %-6u %-6u %-6u %-6lu\n",
 			       s,
 			       atomic_read(&s->sk_refcnt),
 			       sk_rmem_alloc_get(s),
@@ -1985,7 +1985,7 @@
 		struct sock *s = v;
 		struct netlink_sock *nlk = nlk_sk(s);
  
-		seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
+		seq_printf(seq, "%pK %-3d %-6d %08x %-8d %-8d %pK %-8d %-8d %-8lu\n",
 			   s,
 			   s->sk_protocol,
 			   nlk->pid,
@@ -2706,7 +2706,7 @@
 		const struct packet_sock *po = pkt_sk(s);
  
 		seq_printf(seq,
-			   "%p %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
+			   "%pK %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
 			   s,
 			   atomic_read(&s->sk_refcnt),
 			   s->sk_type,
@@ -607,7 +607,7 @@
 		struct pn_sock *pn = pn_sk(sk);
  
 		seq_printf(seq, "%2d %04X:%04X:%02X %02X %08X:%08X %5d %lu "
-			"%d %p %d%n",
+			"%d %pK %d%n",
 			sk->sk_protocol, pn->sobject, pn->dobject,
 			pn->resource, sk->sk_state,
 			sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
@@ -212,7 +212,7 @@
 	sctp_for_each_hentry(epb, node, &head->chain) {
 		ep = sctp_ep(epb);
 		sk = epb->sk;
-		seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
+		seq_printf(seq, "%8pK %8pK %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
 			   sctp_sk(sk)->type, sk->sk_state, hash,
 			   epb->bind_addr.port,
 			   sock_i_uid(sk), sock_i_ino(sk));
@@ -316,7 +316,7 @@
 		assoc = sctp_assoc(epb);
 		sk = epb->sk;
 		seq_printf(seq,
-			   "%8p %8p %-3d %-3d %-2d %-4d "
+			   "%8pK %8pK %-3d %-3d %-2d %-4d "
 			   "%4d %8d %8d %7d %5lu %-5d %5d ",
 			   assoc, sk, sctp_sk(sk)->type, sk->sk_state,
 			   assoc->state, hash,
@@ -2254,7 +2254,7 @@
 		struct unix_sock *u = unix_sk(s);
 		unix_state_lock(s);
  
-		seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
+		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
 			s,
 			atomic_read(&s->sk_refcnt),
 			0,
...	...	@@ -191,7 +191,7 @@
191	191	{
192	192	struct sock *sk = sk_atm(vcc);
193	193
194		- seq_printf(seq, "%p ", vcc);
	194	+ seq_printf(seq, "%pK ", vcc);
195	195	if (!vcc->dev)
196	196	seq_printf(seq, "Unassigned ");
197	197	else
...	...	@@ -218,7 +218,7 @@
218	218	{
219	219	if (!vcc->dev)
220	220	seq_printf(seq, sizeof(void *) == 4 ?
221		- "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
	221	+ "N/A@%pK%10s" : "N/A@%pK%2s", vcc, "");
222	222	else
223	223	seq_printf(seq, "%3d %3d %5d ",
224	224	vcc->dev->number, vcc->vpi, vcc->vci);
...	...	@@ -165,9 +165,9 @@
165	165	struct bcm_sock *bo = bcm_sk(sk);
166	166	struct bcm_op *op;
167	167
168		- seq_printf(m, ">>> socket %p", sk->sk_socket);
169		- seq_printf(m, " / sk %p", sk);
170		- seq_printf(m, " / bo %p", bo);
	168	+ seq_printf(m, ">>> socket %pK", sk->sk_socket);
	169	+ seq_printf(m, " / sk %pK", sk);
	170	+ seq_printf(m, " / bo %pK", bo);
171	171	seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
172	172	seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
173	173	seq_printf(m, " <<<\n");
...	...	@@ -979,7 +979,7 @@
979	979	srcp = inet->inet_num;
980	980
981	981	seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
982		- " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
	982	+ " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
983	983	i, src, srcp, dest, destp, sp->sk_state,
984	984	sk_wmem_alloc_get(sp),
985	985	sk_rmem_alloc_get(sp),
...	...	@@ -2371,7 +2371,7 @@
2371	2371	int ttd = req->expires - jiffies;
2372	2372
2373	2373	seq_printf(f, "%4d: %08X:%04X %08X:%04X"
2374		- " %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %p%n",
	2374	+ " %02X %08X:%08X %02X:%08lX %08X %5d %8d %u %d %pK%n",
2375	2375	i,
2376	2376	ireq->loc_addr,
2377	2377	ntohs(inet_sk(sk)->inet_sport),
...	...	@@ -2426,7 +2426,7 @@
2426	2426	rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
2427	2427
2428	2428	seq_printf(f, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
2429		- "%08X %5d %8d %lu %d %p %lu %lu %u %u %d%n",
	2429	+ "%08X %5d %8d %lu %d %pK %lu %lu %u %u %d%n",
2430	2430	i, src, srcp, dest, destp, sk->sk_state,
2431	2431	tp->write_seq - tp->snd_una,
2432	2432	rx_queue,
...	...	@@ -2461,7 +2461,7 @@
2461	2461	srcp = ntohs(tw->tw_sport);
2462	2462
2463	2463	seq_printf(f, "%4d: %08X:%04X %08X:%04X"
2464		- " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
	2464	+ " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
2465	2465	i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
2466	2466	3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
2467	2467	atomic_read(&tw->tw_refcnt), tw, len);
...	...	@@ -2090,7 +2090,7 @@
2090	2090	__u16 srcp = ntohs(inet->inet_sport);
2091	2091
2092	2092	seq_printf(f, "%5d: %08X:%04X %08X:%04X"
2093		- " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d%n",
	2093	+ " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",
2094	2094	bucket, src, srcp, dest, destp, sp->sk_state,
2095	2095	sk_wmem_alloc_get(sp),
2096	2096	sk_rmem_alloc_get(sp),
...	...	@@ -1240,7 +1240,7 @@
1240	1240	srcp = inet_sk(sp)->inet_num;
1241	1241	seq_printf(seq,
1242	1242	"%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1243		- "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
	1243	+ "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
1244	1244	i,
1245	1245	src->s6_addr32[0], src->s6_addr32[1],
1246	1246	src->s6_addr32[2], src->s6_addr32[3], srcp,
...	...	@@ -2036,7 +2036,7 @@
2036	2036
2037	2037	seq_printf(seq,
2038	2038	"%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2039		- "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
	2039	+ "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2040	2040	i,
2041	2041	src->s6_addr32[0], src->s6_addr32[1],
2042	2042	src->s6_addr32[2], src->s6_addr32[3],
...	...	@@ -2087,7 +2087,7 @@
2087	2087
2088	2088	seq_printf(seq,
2089	2089	"%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2090		- "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u %d\n",
	2090	+ "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %lu %lu %u %u %d\n",
2091	2091	i,
2092	2092	src->s6_addr32[0], src->s6_addr32[1],
2093	2093	src->s6_addr32[2], src->s6_addr32[3], srcp,
...	...	@@ -2129,7 +2129,7 @@
2129	2129
2130	2130	seq_printf(seq,
2131	2131	"%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2132		- "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
	2132	+ "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2133	2133	i,
2134	2134	src->s6_addr32[0], src->s6_addr32[1],
2135	2135	src->s6_addr32[2], src->s6_addr32[3], srcp,
...	...	@@ -1391,7 +1391,7 @@
1391	1391	srcp = ntohs(inet->inet_sport);
1392	1392	seq_printf(seq,
1393	1393	"%5d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1394		- "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %d\n",
	1394	+ "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
1395	1395	bucket,
1396	1396	src->s6_addr32[0], src->s6_addr32[1],
1397	1397	src->s6_addr32[2], src->s6_addr32[3], srcp,
...	...	@@ -3656,7 +3656,7 @@
3656	3656	if (v == SEQ_START_TOKEN)
3657	3657	seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
3658	3658	else
3659		- seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
	3659	+ seq_printf(f, "%pK %-6d %-6u %-6u %-6u %-6lu\n",
3660	3660	s,
3661	3661	atomic_read(&s->sk_refcnt),
3662	3662	sk_rmem_alloc_get(s),
...	...	@@ -1985,7 +1985,7 @@
1985	1985	struct sock *s = v;
1986	1986	struct netlink_sock *nlk = nlk_sk(s);
1987	1987
1988		- seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
	1988	+ seq_printf(seq, "%pK %-3d %-6d %08x %-8d %-8d %pK %-8d %-8d %-8lu\n",
1989	1989	s,
1990	1990	s->sk_protocol,
1991	1991	nlk->pid,