From owner-freebsd-hackers@freebsd.org Mon Jun 17 16:25:19 2019
Date: Mon, 17 Jun 2019 12:25:14 -0400
From: Mark Johnston
To: Fuqian Huang
Cc: freebsd-hackers@freebsd.org
Subject: Re: dev:md: A kernel address leakage in sys/dev/md/md.c
Message-ID: <20190617162514.GC64731@raichu>
User-Agent: Mutt/1.12.0 (2019-05-25)

On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
> In freebsd/sys/dev/md/md.c,
> if the kernel is created with option MD_ROOT,
> g_md_init will call md_preload and use mfs_root as the image.
> In function md_preload, the address of image will be printed out;
> in this case, the address of image is the address of a global object, mfs_root.
> A kernel address leakage happens.

We have many such leaks.  For example, netstat and fstat will print the
kernel addresses of various structures.  We currently do not perform any
randomization of the kernel address space, so guessing is easy even in
the absence of these leaks.  In light of this I'm not sure it's worth the
churn to update individual printf()s.
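Added example, not code from FreeBSD or from either poster: the raw-pointer diagnostic the report describes, beside a hardened form that logs a per-boot keyed token instead of the address, plus a check a reviewer can run over a log line to see whether it still reveals the raw pointer. Function names, the keyed mix and the secret are assumptions; the mitigation only matters once the kernel address space is randomized, which the reply notes is not the case here.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-boot secret; a real kernel would draw this from its CSPRNG at boot.
 * Constructed sample value for the example. */
#define DEMO_SECRET 0x9e3779b97f4a7c15ULL

/* Keyed 64-bit mix (splitmix64-style finalizer over p ^ secret).
 * Stand-in for a keyed hash such as SipHash: stable within one "boot",
 * so two log lines about the same object still match, but not
 * invertible to the address without the secret. */
uint64_t obfuscate_ptr(const void *p, uint64_t secret)
{
    uint64_t x = (uint64_t)(uintptr_t)p ^ secret;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Weak form: mirrors a diagnostic that prints the raw kernel address. */
int format_ptr_raw(char *buf, size_t n, const char *what, const void *p)
{
    return snprintf(buf, n, "%s at %p", what, p);
}

/* Hardened form: same diagnostic, address replaced by its keyed token. */
int format_ptr_safe(char *buf, size_t n, const char *what, const void *p,
                    uint64_t secret)
{
    if (p == NULL)
        return snprintf(buf, n, "%s at (null)", what);
    return snprintf(buf, n, "%s at ptr:%016" PRIx64, what,
                    obfuscate_ptr(p, secret));
}

/* Review check: does a log line contain the raw hex address of p? */
int line_leaks_ptr(const char *line, const void *p)
{
    char hex[32];
    snprintf(hex, sizeof hex, "%" PRIxPTR, (uintptr_t)p);
    return strstr(line, hex) != NULL;
}

int main(void)
{
    static char image[64];  /* stands in for the preloaded root image */
    char raw[96], safe[96];
    format_ptr_raw(raw, sizeof raw, "preloaded image", image);
    format_ptr_safe(safe, sizeof safe, "preloaded image", image, DEMO_SECRET);
    printf("%s -> leaks=%d\n%s -> leaks=%d\n", raw, line_leaks_ptr(raw, image),
           safe, line_leaks_ptr(safe, image));
    return 0;
}
```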