dev:md: A kernel address leakage in sys/dev/md/md.c


dev:md: A kernel address leakage in sys/dev/md/md.c

Fuqian Huang
In freebsd/sys/dev/md/md.c,
if the kernel is created with option MD_ROOT,
g_md_init will call md_preload and use mfs_root as the image.
In function md_preload, the address of image will be printed out;
in this case, the address of image is the address of a global object, mfs_root.
A kernel address leakage happens.
Patch suggestion: use a macro like #ifdef DEBUG to wrap the printf statement.

u_char mfs_root[MD_ROOT_SIZE*1024] __attribute__ ((section("oldmfs")));

static void
g_md_init(struct g_class *mp __unused)
{
    ...
#ifdef MD_ROOT
    ...
#ifdef MD_ROOT_MEM
    md_preload(mfs_root, mfs_root_size, NULL);
#else
    md_preload(__DEVOLATILE(u_char *, &mfs_root), mfs_root_size,
                NULL);
#endif
    ...
#endif
}

static void
md_preload(u_char *image, size_t length, const char *name)
{
    ...
    if (name != NULL) {
        printf("%s%d: Preloaded image <%s> %zd bytes at %p\n",
            MD_NAME, sc->unit, name, length, image);
    } else {
        printf("%s%d: Embedded image %zd bytes at %p\n",
            MD_NAME, sc->unit, length, image);
    }
}
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Re: dev:md: A kernel address leakage in sys/dev/md/md.c

Mark Johnston-2
On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
> In freebsd/sys/dev/md/md.c
> if the kernel is created with option MD_ROOT,
> g_md_init will call md_preload and use mfs_root as the image.
> In function md_preload, address of image will be printed out,
> in this case, the address of image is the address of a global object mfs_root.
> A kernel address leakage happens.

We have many such leaks.  For example, netstat and fstat will print
the kernel addresses of various structures.  We currently do not perform
any randomization of the kernel address space, so guessing is easy even
in the absence of these leaks.  In light of this I'm not sure it's worth
the churn to update individual printf()s.

Re: dev:md: A kernel address leakage in sys/dev/md/md.c

Warner Losh
On Mon, Jun 17, 2019, 9:26 AM Mark Johnston <[hidden email]> wrote:

> On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
> > In freebsd/sys/dev/md/md.c
> > if the kernel is created with option MD_ROOT,
> > g_md_init will call md_preload and use mfs_root as the image.
> > In function md_preload, address of image will be printed out,
> > in this case, the address of image is the address of a global object
> mfs_root.
> > A kernel address leakage happens.
>
> We have many such leaks.  For example, netstat and fstat will print
> the kernel addresses of various structures.  We currently do not perform
> any randomization of the kernel address space, so guessing is easy even
> in the absence of these leaks.  In light of this I'm not sure it's worth
> the churn to update individual printf()s.
>

If we are serious about this, we'd just implement %p so we can turn it off
for cases that matter. Since we can turn off dmesg already, I'm not worried
about these for people running a randomized kernel: they can preclude this
disclosure today.

Warner

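The thread offers two fixes for the md_preload message: wrap the printf in #ifdef DEBUG, or implement %p so pointer output can be switched off at runtime. The following is an added example, not FreeBSD code, sketching the second approach in user space: a hypothetical per-boot policy knob (assumed, not a real sysctl) decides whether a pointer is printed raw, as a keyed hash, or not at all, and the md_preload message is routed through it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy, standing in for a sysctl or kernel option:
 * 0 = raw pointer (today's behaviour), 1 = keyed hash, 2 = redacted. */
static int kptr_policy = 1;

/* Hypothetical per-boot secret; a real kernel would draw this from the
 * RNG early at boot. Constructed constant for the example. */
static uint64_t kptr_secret = 0x9E3779B97F4A7C15ULL;

void set_kptr_policy(int policy) { kptr_policy = policy; }

/* Render a kernel pointer according to the policy. Returns buf. */
const char *fmt_kptr(char *buf, size_t len, const void *p)
{
    uintptr_t v = (uintptr_t)p;

    if (kptr_policy == 0) {
        snprintf(buf, len, "%p", p);
    } else if (kptr_policy == 1) {
        /* FNV-1a over the address bytes, seeded with the boot secret.
         * Stable within a boot, so log lines still correlate, but the
         * real address is not exposed. FNV is illustrative only; a
         * kernel should use a keyed PRF (Linux hashes %p with SipHash). */
        uint64_t h = 0xcbf29ce484222325ULL ^ kptr_secret;
        for (size_t i = 0; i < sizeof v; i++) {
            h ^= (v >> (8 * i)) & 0xff;
            h *= 0x100000001b3ULL;
        }
        snprintf(buf, len, "0x%016llx", (unsigned long long)h);
    } else {
        snprintf(buf, len, "(ptr)");
    }
    return buf;
}

/* The md_preload "Embedded image" line, with the address passed through
 * fmt_kptr instead of a raw %p. Unit number is fixed for the example. */
const char *md_preload_msg(char *out, size_t len,
                           const void *image, size_t length)
{
    char pbuf[32];

    snprintf(out, len, "md0: Embedded image %zu bytes at %s\n",
             length, fmt_kptr(pbuf, sizeof pbuf, image));
    return out;
}
```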

Re: dev:md: A kernel address leakage in sys/dev/md/md.c

Poul-Henning Kamp
--------
In message <CANCZdfrK2V9AEzeib8GV=[hidden email]>, Warner Losh writes:

>If we are serious about this, [...]

then sysctl kern.geom "leaks" a lot of pointers...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[hidden email]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Re: dev:md: A kernel address leakage in sys/dev/md/md.c

Oliver Pinter-4
On Monday, June 17, 2019, Poul-Henning Kamp <[hidden email]> wrote:

> --------
> In message <CANCZdfrK2V9AEzeib8GV=[hidden email]>, Warner Losh writes:
>
> >If we are serious about this, [...]
>
> then sysctl kern.geom "leaks" a lot of pointers...


Or just run sysctl -a | grep -i 0xff on a fully configured system.


>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> [hidden email]         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

Re: dev:md: A kernel address leakage in sys/dev/md/md.c

Nathan Whitehorn-8

On 2019-06-17 09:25, Mark Johnston wrote:

> On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
>> In freebsd/sys/dev/md/md.c
>> if the kernel is created with option MD_ROOT,
>> g_md_init will call md_preload and use mfs_root as the image.
>> In function md_preload, address of image will be printed out,
>> in this case, the address of image is the address of a global object mfs_root.
>> A kernel address leakage happens.
> We have many such leaks.  For example, netstat and fstat will print
> the kernel addresses of various structures.  We currently do not perform
> any randomization of the kernel address space, so guessing is easy even
> in the absence of these leaks.  In light of this I'm not sure it's worth
> the churn to update individual printf()s.

We do on some lower-tier platforms. On PowerNV, for instance, the kernel
will end up at a hard-to-predict address. I agree with the general
point, though.
-Nathan