[1/6] serial: sh-sci: Reveal ptrval in dev_dbg

Message ID	20190504004258.23574-2-erosca@de.adit-jv.com (mailing list archive)
State	Rejected
Delegated to:	Geert Uytterhoeven
Headers	show Return-Path: <linux-renesas-soc-owner@kernel.org> From: Eugeniu Rosca <roscaeugeniu@gmail.com> To: Geert Uytterhoeven <geert+renesas@glider.be>, Simon Horman <horms+renesas@verge.net.au>, Chris Brandt <chris.brandt@renesas.com>, Wolfram Sang <wsa+renesas@sang-engineering.com>, Ulrich Hecht <ulrich.hecht+renesas@gmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: "George G . Davis" <george_davis@mentor.com>, Andy Lowe <andy_lowe@mentor.com>, linux-renesas-soc@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, Magnus Damm <magnus.damm@gmail.com>, Rob Herring <robh+dt@kernel.org>, Mark Rutland <mark.rutland@arm.com>, Eugeniu Rosca <erosca@de.adit-jv.com>, Eugeniu Rosca <roscaeugeniu@gmail.com> Subject: [PATCH 1/6] serial: sh-sci: Reveal ptrval in dev_dbg Date: Sat, 4 May 2019 02:42:53 +0200 Message-Id: <20190504004258.23574-2-erosca@de.adit-jv.com> In-Reply-To: <20190504004258.23574-1-erosca@de.adit-jv.com> References: <20190504004258.23574-1-erosca@de.adit-jv.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-renesas-soc-owner@vger.kernel.org Precedence: bulk
Series	Zap SCIF2 DMA configuration in R-Car Gen3 DTS \| expand [0/6] Zap SCIF2 DMA configuration in R-Car Gen3 DTS [1/6] serial: sh-sci: Reveal ptrval in dev_dbg [2/6] Revert "arm64: dts: renesas: r8a7796: Enable DMA for SCIF2" [3/6] arm64: dts: renesas: r8a7795: zap dma configuration in scif2 [4/6] Revert "arm64: dts: renesas: r8a77965: Enable DMA for SCIF2" [5/6] Revert "arm64: dts: renesas: r8a77990: Enable DMA for SCIF2" [6/6] Revert "arm64: dts: renesas: r8a77995: add DMA for SCIF2"

Message ID

20190504004258.23574-2-erosca@de.adit-jv.com (mailing list archive)

State

Rejected

Delegated to:

Geert Uytterhoeven

Headers

From: Eugeniu Rosca <roscaeugeniu@gmail.com>
To: Geert Uytterhoeven <geert+renesas@glider.be>,
        Simon Horman <horms+renesas@verge.net.au>,
        Chris Brandt <chris.brandt@renesas.com>,
        Wolfram Sang <wsa+renesas@sang-engineering.com>,
        Ulrich Hecht <ulrich.hecht+renesas@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "George G . Davis" <george_davis@mentor.com>,
        Andy Lowe <andy_lowe@mentor.com>,
        linux-renesas-soc@vger.kernel.org, devicetree@vger.kernel.org,
        linux-kernel@vger.kernel.org, Magnus Damm <magnus.damm@gmail.com>,
        Rob Herring <robh+dt@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Eugeniu Rosca <erosca@de.adit-jv.com>,
        Eugeniu Rosca <roscaeugeniu@gmail.com>
Subject: [PATCH 1/6] serial: sh-sci: Reveal ptrval in dev_dbg
Date: Sat,  4 May 2019 02:42:53 +0200
Message-Id: <20190504004258.23574-2-erosca@de.adit-jv.com>
In-Reply-To: <20190504004258.23574-1-erosca@de.adit-jv.com>
References: <20190504004258.23574-1-erosca@de.adit-jv.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-renesas-soc-owner@vger.kernel.org
Precedence: bulk

Series

Zap SCIF2 DMA configuration in R-Car Gen3 DTS | expand

Commit Message

Eugeniu Rosca May 4, 2019, 12:42 a.m. UTC

Starting with v4.15-rc2 commit ad67b74d2469d9 ("printk: hash addresses
printed with %p"), enabling debug prints in sh-sci.c would generate
output like below confusing the users who try to sneak into the
internals of the driver:

sh-sci e6e88000.serial: sci_request_dma: TX: got channel (____ptrval____)
sh-sci e6e88000.serial: sci_request_dma: mapped 4096@(____ptrval____) to 0x00000006798bf000
sh-sci e6e88000.serial: sci_request_dma: RX: got channel (____ptrval____)
sh-sci e6e88000.serial: sci_dma_tx_work_fn: (____ptrval____): 0...2, cookie 2

There are two possible fixes for that:
 - get rid of '%p' prints if they don't reveal any useful information
 - s/%p/%px/, since it is unlikely we have any concerns leaking the
   pointer values when running a debug/non-production kernel

Go second route to preserve original debug output and minimize the diff.

Fixes: ad67b74d2469d9 ("printk: hash addresses printed with %p")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
---
 drivers/tty/serial/sh-sci.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Simon Horman May 6, 2019, 1:47 p.m. UTC | #1

On Sat, May 04, 2019 at 02:42:53AM +0200, Eugeniu Rosca wrote:
> Starting with v4.15-rc2 commit ad67b74d2469d9 ("printk: hash addresses
> printed with %p"), enabling debug prints in sh-sci.c would generate
> output like below confusing the users who try to sneak into the
> internals of the driver:
> 
> sh-sci e6e88000.serial: sci_request_dma: TX: got channel (____ptrval____)
> sh-sci e6e88000.serial: sci_request_dma: mapped 4096@(____ptrval____) to 0x00000006798bf000
> sh-sci e6e88000.serial: sci_request_dma: RX: got channel (____ptrval____)
> sh-sci e6e88000.serial: sci_dma_tx_work_fn: (____ptrval____): 0...2, cookie 2
> 
> There are two possible fixes for that:
>  - get rid of '%p' prints if they don't reveal any useful information
>  - s/%p/%px/, since it is unlikely we have any concerns leaking the
>    pointer values when running a debug/non-production kernel

I am concerned that this may expose information in circumstances
where it is undesirable. Is it generally accepted practice to
use %px in conjunction with dev_dbg() ?

...

Eugeniu Rosca May 6, 2019, 3:24 p.m. UTC | #2

On Mon, May 06, 2019 at 03:47:05PM +0200, Simon Horman wrote:
> On Sat, May 04, 2019 at 02:42:53AM +0200, Eugeniu Rosca wrote:
> > Starting with v4.15-rc2 commit ad67b74d2469d9 ("printk: hash addresses
> > printed with %p"), enabling debug prints in sh-sci.c would generate
> > output like below confusing the users who try to sneak into the
> > internals of the driver:
> > 
> > sh-sci e6e88000.serial: sci_request_dma: TX: got channel (____ptrval____)
> > sh-sci e6e88000.serial: sci_request_dma: mapped 4096@(____ptrval____) to 0x00000006798bf000
> > sh-sci e6e88000.serial: sci_request_dma: RX: got channel (____ptrval____)
> > sh-sci e6e88000.serial: sci_dma_tx_work_fn: (____ptrval____): 0...2, cookie 2
> > 
> > There are two possible fixes for that:
> >  - get rid of '%p' prints if they don't reveal any useful information
> >  - s/%p/%px/, since it is unlikely we have any concerns leaking the
> >    pointer values when running a debug/non-production kernel
> 
> I am concerned that this may expose information in circumstances
> where it is undesirable. Is it generally accepted practice to
> use %px in conjunction with dev_dbg() ?
> 
> ...

Below commits performed a similar s/%p/%px/ update in debug context:

Authors (CC-ed)   Commit         Subject
----------------------------------------
Christophe Leroy  b18f0ae92b0a1d ("powerpc/prom: fix early DEBUG messages")
Helge Deller      3847dab7742186 ("parisc: Add alternative coding infrastructure")
Michael Neuling   51c3c62b58b357 ("powerpc: Avoid code patching freed init sections")
Kuninori Morimoto dabdbe3ae0cb9a ("ASoC: rsnd: don't use %p for dev_dbg()")
Philip Yang       fa7e65147e5dca ("drm/amdkfd: use %px to print user space address instead of %p")
Matthew Wilcox    68c1f08203f2b0 ("lib/list_debug.c: print unmangled addresses")
Borislav Petkov   0e6c16c652cada ("x86/alternative: Print unadorned pointers")
Darrick J. Wong   c96900435fa9fd ("xfs: use %px for data pointers when debugging")
Helge Deller      04903c06b4854d ("parisc: Show unhashed HPA of Dino chip")

To quote Matthew, with respect to any debug prints:
If an attacker can force this message to be printed, we've already lost.

In any case, I won't be affected much if the change is not accepted,
since it doesn't resolve any major issue on my end. Thanks!

Geert Uytterhoeven May 6, 2019, 4:46 p.m. UTC | #3

Hi Eugeniu,

On Mon, May 6, 2019 at 5:24 PM Eugeniu Rosca <erosca@de.adit-jv.com> wrote:
> On Mon, May 06, 2019 at 03:47:05PM +0200, Simon Horman wrote:
> > On Sat, May 04, 2019 at 02:42:53AM +0200, Eugeniu Rosca wrote:
> > > Starting with v4.15-rc2 commit ad67b74d2469d9 ("printk: hash addresses
> > > printed with %p"), enabling debug prints in sh-sci.c would generate
> > > output like below confusing the users who try to sneak into the
> > > internals of the driver:
> > >
> > > sh-sci e6e88000.serial: sci_request_dma: TX: got channel (____ptrval____)
> > > sh-sci e6e88000.serial: sci_request_dma: mapped 4096@(____ptrval____) to 0x00000006798bf000
> > > sh-sci e6e88000.serial: sci_request_dma: RX: got channel (____ptrval____)
> > > sh-sci e6e88000.serial: sci_dma_tx_work_fn: (____ptrval____): 0...2, cookie 2
> > >
> > > There are two possible fixes for that:
> > >  - get rid of '%p' prints if they don't reveal any useful information
> > >  - s/%p/%px/, since it is unlikely we have any concerns leaking the
> > >    pointer values when running a debug/non-production kernel
> >
> > I am concerned that this may expose information in circumstances
> > where it is undesirable. Is it generally accepted practice to
> > use %px in conjunction with dev_dbg() ?
> >
> > ...
>
> Below commits performed a similar s/%p/%px/ update in debug context:
>
> Authors (CC-ed)   Commit         Subject
> ----------------------------------------
> Christophe Leroy  b18f0ae92b0a1d ("powerpc/prom: fix early DEBUG messages")
> Helge Deller      3847dab7742186 ("parisc: Add alternative coding infrastructure")
> Michael Neuling   51c3c62b58b357 ("powerpc: Avoid code patching freed init sections")
> Kuninori Morimoto dabdbe3ae0cb9a ("ASoC: rsnd: don't use %p for dev_dbg()")
> Philip Yang       fa7e65147e5dca ("drm/amdkfd: use %px to print user space address instead of %p")
> Matthew Wilcox    68c1f08203f2b0 ("lib/list_debug.c: print unmangled addresses")
> Borislav Petkov   0e6c16c652cada ("x86/alternative: Print unadorned pointers")
> Darrick J. Wong   c96900435fa9fd ("xfs: use %px for data pointers when debugging")
> Helge Deller      04903c06b4854d ("parisc: Show unhashed HPA of Dino chip")
>
> To quote Matthew, with respect to any debug prints:
> If an attacker can force this message to be printed, we've already lost.

I think the issue with using %px in debug code is that a distro may enable
CONFIG_DYNAMIC_DEBUG (it is enabled in several defconfigs), after which
an attacker just has to convince/trick the system into enabling debug for that
particular driver.

> In any case, I won't be affected much if the change is not accepted,
> since it doesn't resolve any major issue on my end. Thanks!

OK.

Gr{oetje,eeting}s,

                        Geert

Eugeniu Rosca May 6, 2019, 5:12 p.m. UTC | #4

On Mon, May 06, 2019 at 06:46:57PM +0200, Geert Uytterhoeven wrote:
> Hi Eugeniu,
> 
> On Mon, May 6, 2019 at 5:24 PM Eugeniu Rosca <erosca@de.adit-jv.com> wrote:
> > On Mon, May 06, 2019 at 03:47:05PM +0200, Simon Horman wrote:
> > > On Sat, May 04, 2019 at 02:42:53AM +0200, Eugeniu Rosca wrote:
> > > > Starting with v4.15-rc2 commit ad67b74d2469d9 ("printk: hash addresses
> > > > printed with %p"), enabling debug prints in sh-sci.c would generate
> > > > output like below confusing the users who try to sneak into the
> > > > internals of the driver:
> > > >
> > > > sh-sci e6e88000.serial: sci_request_dma: TX: got channel (____ptrval____)
> > > > sh-sci e6e88000.serial: sci_request_dma: mapped 4096@(____ptrval____) to 0x00000006798bf000
> > > > sh-sci e6e88000.serial: sci_request_dma: RX: got channel (____ptrval____)
> > > > sh-sci e6e88000.serial: sci_dma_tx_work_fn: (____ptrval____): 0...2, cookie 2
> > > >
> > > > There are two possible fixes for that:
> > > >  - get rid of '%p' prints if they don't reveal any useful information
> > > >  - s/%p/%px/, since it is unlikely we have any concerns leaking the
> > > >    pointer values when running a debug/non-production kernel
> > >
> > > I am concerned that this may expose information in circumstances
> > > where it is undesirable. Is it generally accepted practice to
> > > use %px in conjunction with dev_dbg() ?
> > >
> > > ...
> >
> > Below commits performed a similar s/%p/%px/ update in debug context:
> >
> > Authors (CC-ed)   Commit         Subject
> > ----------------------------------------
> > Christophe Leroy  b18f0ae92b0a1d ("powerpc/prom: fix early DEBUG messages")
> > Helge Deller      3847dab7742186 ("parisc: Add alternative coding infrastructure")
> > Michael Neuling   51c3c62b58b357 ("powerpc: Avoid code patching freed init sections")
> > Kuninori Morimoto dabdbe3ae0cb9a ("ASoC: rsnd: don't use %p for dev_dbg()")
> > Philip Yang       fa7e65147e5dca ("drm/amdkfd: use %px to print user space address instead of %p")
> > Matthew Wilcox    68c1f08203f2b0 ("lib/list_debug.c: print unmangled addresses")
> > Borislav Petkov   0e6c16c652cada ("x86/alternative: Print unadorned pointers")
> > Darrick J. Wong   c96900435fa9fd ("xfs: use %px for data pointers when debugging")
> > Helge Deller      04903c06b4854d ("parisc: Show unhashed HPA of Dino chip")
> >
> > To quote Matthew, with respect to any debug prints:
> > If an attacker can force this message to be printed, we've already lost.
> 
> I think the issue with using %px in debug code is that a distro may enable
> CONFIG_DYNAMIC_DEBUG (it is enabled in several defconfigs), after which
> an attacker just has to convince/trick the system into enabling debug for that
> particular driver.

How about going the route of commit c96900435fa9fd ("xfs: use %px for
data pointers when debugging"), i.e. s/%p/"PTR_FMT"/ like below (this
would enable the expected debug output only on manually defining DEBUG
in the *.c file, while still keeping the output hashed on
DYNAMIC_DEBUG=y if DEBUG is undefined).

diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 3cd139752d3f..69cd87c5ef0c 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -56,6 +56,12 @@
 #include <asm/sh_bios.h>
 #endif
 
+#ifdef DEBUG
+#define PTR_FMT "%px"
+#else
+#define PTR_FMT "%p"
+#endif
+
 #include "serial_mctrl_gpio.h"
 #include "sh-sci.h"
 
@@ -1434,7 +1440,7 @@ static void sci_dma_tx_work_fn(struct work_struct *work)
 		goto switch_to_pio;
 	}
 
-	dev_dbg(port->dev, "%s: %p: %d...%d, cookie %d\n",
+	dev_dbg(port->dev, "%s: "PTR_FMT": %d...%d, cookie %d\n",
 		__func__, xmit->buf, xmit->tail, xmit->head, s->cookie_tx);
 
 	dma_async_issue_pending(chan);

> 
> > In any case, I won't be affected much if the change is not accepted,
> > since it doesn't resolve any major issue on my end. Thanks!
> 
> OK.
> 
> Gr{oetje,eeting}s,
> 
>                         Geert
> 
> -- 
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
> 
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                 -- Linus Torvalds

diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 3cd139752d3f..82660f8e6d86 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -1434,7 +1434,7 @@  static void sci_dma_tx_work_fn(struct work_struct *work)
 		goto switch_to_pio;
 	}
 
-	dev_dbg(port->dev, "%s: %p: %d...%d, cookie %d\n",
+	dev_dbg(port->dev, "%s: %px: %d...%d, cookie %d\n",
 		__func__, xmit->buf, xmit->tail, xmit->head, s->cookie_tx);
 
 	dma_async_issue_pending(chan);
@@ -1570,7 +1570,7 @@  static void sci_request_dma(struct uart_port *port)
 		return;
 
 	chan = sci_request_dma_chan(port, DMA_MEM_TO_DEV);
-	dev_dbg(port->dev, "%s: TX: got channel %p\n", __func__, chan);
+	dev_dbg(port->dev, "%s: TX: got channel %px\n", __func__, chan);
 	if (chan) {
 		/* UART circular tx buffer is an aligned page. */
 		s->tx_dma_addr = dma_map_single(chan->device->dev,
@@ -1581,7 +1581,7 @@  static void sci_request_dma(struct uart_port *port)
 			dev_warn(port->dev, "Failed mapping Tx DMA descriptor\n");
 			dma_release_channel(chan);
 		} else {
-			dev_dbg(port->dev, "%s: mapped %lu@%p to %pad\n",
+			dev_dbg(port->dev, "%s: mapped %lu@%px to %pad\n",
 				__func__, UART_XMIT_SIZE,
 				port->state->xmit.buf, &s->tx_dma_addr);
 
@@ -1591,7 +1591,7 @@  static void sci_request_dma(struct uart_port *port)
 	}
 
 	chan = sci_request_dma_chan(port, DMA_DEV_TO_MEM);
-	dev_dbg(port->dev, "%s: RX: got channel %p\n", __func__, chan);
+	dev_dbg(port->dev, "%s: RX: got channel %px\n", __func__, chan);
 	if (chan) {
 		unsigned int i;
 		dma_addr_t dma;

[1/6] serial: sh-sci: Reveal ptrval in dev_dbg

Commit Message

Comments

Patch