From: Nathan Whitehorn
To: freebsd-hackers@freebsd.org
Subject: Re: dev:md: A kernel address leakage in sys/dev/md/md.c
Date: Mon, 17 Jun 2019 17:23:43 -0700
Message-ID: <95db8d0d-5434-b2e0-c09b-55a9e2a41038@freebsd.org>
In-Reply-To: <20190617162514.GC64731@raichu>
List-Id: Technical Discussions relating to FreeBSD

On 2019-06-17 09:25, Mark Johnston wrote:
> On Thu, Jun 13, 2019 at 02:52:24PM +0800, Fuqian Huang wrote:
>> In freebsd/sys/dev/md/md.c
>> if the kernel is created with option MD_ROOT,
>> g_md_init will call md_preload and use mfs_root as the image.
>> In function md_preload, address of image will be printed out,
>> in this case, the address of image is the address of a global object mfs_root.
>> A kernel address leakage happens.
> We have many such leaks. For example, netstat and fstat will print
> the kernel addresses of various structures. We currently do not perform
> any randomization of the kernel address space, so guessing is easy even
> in the absence of these leaks. In light of this I'm not sure it's worth
> the churn to update individual printf()s.

We do on some lower-tier platforms. On PowerNV, for instance, the kernel
will end up at a hard-to-predict address. I agree with the general
point, though.
-Nathan