From: Warner Losh
Date: Mon, 17 Jun 2019 10:24:50 -0700
Subject: Re: dev:md: A kernel address leakage in sys/dev/md/md.c
To: Mark Johnston
Cc: Fuqian Huang, FreeBSD Hackers
In-Reply-To: <20190617162514.GC64731@raichu>

On Mon, Jun 17, 2019, 9:26 AM Mark Johnston wrote:

> On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
> > In freebsd/sys/dev/md/md.c,
> > if the kernel is created with option MD_ROOT,
> > g_md_init will call md_preload and use mfs_root as the image.
> > In function md_preload, the address of image will be printed out;
> > in this case, the address of image is the address of a global object, mfs_root.
> > A kernel address leakage happens.
>
> We have many such leaks. For example, netstat and fstat will print
> the kernel addresses of various structures. We currently do not perform
> any randomization of the kernel address space, so guessing is easy even
> in the absence of these leaks. In light of this I'm not sure it's worth
> the churn to update individual printf()s.

If we are serious about this, we'd just implement %p so we can turn it off
for cases that matter. Since we can turn off dmesg already, I'm not worried
about these for people running a randomized kernel: they can preclude this
disclosure today.

Warner

_______________________________________________
freebsd-hackers@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
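Added example, not from the FreeBSD tree and not posted by anyone in this thread: a small userland C model of the approach Warner suggests, where the policy lives in the one routine that formats kernel pointers (the %p implementation) rather than in each printf() call site. The names (kptr_policy, fmt_kptr, describe_preload), the per-boot secret and the "kernel address" standing in for &mfs_root are all constructed for illustration; the hashing is a keyed SplitMix64 finaliser, chosen here for brevity, not anything FreeBSD uses.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Policy for formatting kernel pointers (hypothetical names). A kernel would
 * expose this as a sysctl and default to one of the restricted modes.
 */
enum kptr_policy { KPTR_RAW = 0, KPTR_HASH = 1, KPTR_HIDE = 2 };

/* Per-boot secret for the hashed mode. Constructed constant here; a kernel
 * would draw it from its CSPRNG once at boot so tokens differ every boot. */
static const uint64_t kptr_secret = 0x9e3779b97f4a7c15ULL;

/* SplitMix64 finaliser keyed with the boot secret. Not a cryptographic hash:
 * it only keeps the raw address out of the log while leaving a token that is
 * stable within one boot, so a developer can still correlate log lines. */
static uint32_t kptr_token(uintptr_t v)
{
    uint64_t x = (uint64_t)v ^ kptr_secret;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return (uint32_t)(x >> 32);
}

/* The single place where %p would be implemented: every kernel pointer that
 * reaches a log line goes through here, so the policy is enforced centrally
 * instead of by auditing individual printf() calls. */
int fmt_kptr(char *buf, size_t len, const void *p, enum kptr_policy pol)
{
    uintptr_t v = (uintptr_t)p;
    switch (pol) {
    case KPTR_RAW:  return snprintf(buf, len, "0x%" PRIxPTR, v);
    case KPTR_HASH: return snprintf(buf, len, "h:%08" PRIx32, kptr_token(v));
    default:        return snprintf(buf, len, "(ptr)");
    }
}

/* Model of the md_preload log line: in the MD_ROOT case from the thread the
 * image pointer is the address of a global, i.e. a kernel address. */
int describe_preload(char *buf, size_t len, const void *image, size_t size,
                     enum kptr_policy pol)
{
    char ptr[32];
    fmt_kptr(ptr, sizeof ptr, image, pol);
    return snprintf(buf, len, "md: preloaded image <%s> %zu bytes", ptr, size);
}

/* Returns 1 if the log line produced under `pol` contains p's raw hex value. */
int leaks_raw(const void *p, enum kptr_policy pol)
{
    char raw[32], line[96];
    snprintf(raw, sizeof raw, "0x%" PRIxPTR, (uintptr_t)p);
    describe_preload(line, sizeof line, p, 4096, pol);
    return strstr(line, raw) != NULL;
}

/* Returns 1 if the hashed token for p is the same on repeated calls, which is
 * what makes the restricted mode still usable for debugging within a boot. */
int token_is_stable(const void *p)
{
    char a[32], b[32];
    fmt_kptr(a, sizeof a, p, KPTR_HASH);
    fmt_kptr(b, sizeof b, p, KPTR_HASH);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed stand-in for the address of mfs_root; not a real address. */
    const void *image = (const void *)(uintptr_t)0xffffffff81234560ULL;
    char line[96];
    for (int pol = KPTR_RAW; pol <= KPTR_HIDE; pol++) {
        describe_preload(line, sizeof line, image, 4096, (enum kptr_policy)pol);
        printf("policy %d: %s\n", pol, line);
    }
    return 0;
}
```

Only KPTR_RAW reproduces the address in the log line; the other two modes keep it out regardless of how many call sites print pointers. The other mitigation Warner mentions, restricting dmesg, is already available on FreeBSD through the security.bsd.unprivileged_read_msgbuf sysctl, but it protects only the message buffer, not tools such as netstat and fstat that Mark notes also print kernel addresses.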