doc: add documentation on printing kernel addresses

Hashing addresses printed with printk specifier %p was implemented
recently. During development a number of issues were raised regarding
leaking kernel addresses to userspace. Other documentation was updated but
security/self-protection missed out.

Add self-protection documentation regarding printing kernel addresses.

Signed-off-by: Tobin C. Harding <me@tobin.cc>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Tobin C. Harding 2017-12-20 08:17:17 +11:00 committed by Jonathan Corbet
Parent da271403a8
Commit 227d1a61ed
1 changed file: 15 additions and 0 deletions


@ -270,6 +270,21 @@ attacks, it is important to defend against exposure of both kernel memory
addresses and kernel memory contents (since they may contain kernel addresses and kernel memory contents (since they may contain kernel
addresses or other sensitive things like canary values). addresses or other sensitive things like canary values).
Kernel addresses
----------------
Printing kernel addresses to userspace leaks sensitive information about
the kernel memory layout. Care should be exercised when using any printk
specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
in certain circumstances [*]). Any file written to using one of these
specifiers should be readable only by privileged processes.
Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
addresses printed with the specifier %p are hashed before printing.
[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
printed. If KALLSYMS is not enabled the raw address is printed.
Unique identifiers Unique identifiers
------------------ ------------------
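Review bot: In the new "Kernel addresses" section, the sentence listing the raw-address specifiers (%px, %p[ad], %p[sSb]) tells the reader what to be careful with but never states the preferred alternative. Since the following paragraph says %p is hashed as of 4.15-rc1, say explicitly that plain %p should be used unless the raw address is really needed. The restriction "Any file written to using one of these specifiers should be readable only by privileged processes" covers files only, while the section opens with printk, so it is worth stating whether the same expectation applies to the kernel log. Minor: drop the comma before the parenthesis in "%p[ad], (and %p[sSb]", and the two sentences of the [*] footnote can be merged, since both the failed-lookup case and the KALLSYMS-disabled case end with the raw address being printed.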