kfence: report sensitive information based on no_hash_pointers

We cannot rely on CONFIG_DEBUG_KERNEL to decide if we're running a
"debug kernel" where we can safely show potentially sensitive
information in the kernel log.

Instead, simply rely on the newly introduced "no_hash_pointers" to print
unhashed kernel pointers, as well as decide if our reports can include
other potentially sensitive information such as registers and corrupted
bytes.

Cc: Timur Tabi <timur@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
[port kfence feature to rpi-5.10.95]
Signed-off-by: Sung-hun Kim <sfoon.kim@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ie87a49f890db5a49503afe50e63d908247eb31a3

diff --git a/Documentation/dev-tools/kfence.rst b/Documentation/dev-tools/kfence.rst
index 06a454e..d2da644 100644 (file)
--- a/Documentation/dev-tools/kfence.rst
+++ b/Documentation/dev-tools/kfence.rst
@@ -87,8 +87,8 @@ A typical out-of-bounds access looks like this::
 
 The header of the report provides a short summary of the function involved in
 the access. It is followed by more detailed information about the access and
-its origin. Note that, real kernel addresses are only shown for
-``CONFIG_DEBUG_KERNEL=y`` builds.
+its origin. Note that, real kernel addresses are only shown when using the
+kernel command line option ``no_hash_pointers``.
 
 Use-after-free accesses are reported as::
 
@@ -183,8 +183,8 @@ invalidly written bytes (offset from the address) are shown; in this
 representation, '.' denote untouched bytes. In the example above ``0xac`` is
 the value written to the invalid address at offset 0, and the remaining '.'
 denote that no following bytes have been touched. Note that, real values are
-only shown for ``CONFIG_DEBUG_KERNEL=y`` builds; to avoid information
-disclosure for non-debug builds, '!' is used instead to denote invalidly
+only shown if the kernel was booted with ``no_hash_pointers``; to avoid
+information disclosure otherwise, '!' is used instead to denote invalidly
 written bytes.
 
 And finally, KFENCE may also report on invalid accesses to any protected page

diff --git a/mm/kfence/core.c b/mm/kfence/core.c
index 338ced5..e6d2e6e 100644 (file)
--- a/mm/kfence/core.c
+++ b/mm/kfence/core.c
@@ -631,13 +631,9 @@ void __init kfence_init(void)
 
        WRITE_ONCE(kfence_enabled, true);
        schedule_delayed_work(&kfence_timer, 0);
-       pr_info("initialized - using %lu bytes for %d objects", KFENCE_POOL_SIZE,
-               CONFIG_KFENCE_NUM_OBJECTS);
-       if (IS_ENABLED(CONFIG_DEBUG_KERNEL))
-               pr_cont(" at 0x%px-0x%px\n", (void *)__kfence_pool,
-                       (void *)(__kfence_pool + KFENCE_POOL_SIZE));
-       else
-               pr_cont("\n");
+       pr_info("initialized - using %lu bytes for %d objects at 0x%p-0x%p\n", KFENCE_POOL_SIZE,
+               CONFIG_KFENCE_NUM_OBJECTS, (void *)__kfence_pool,
+               (void *)(__kfence_pool + KFENCE_POOL_SIZE));
 }
 
 void kfence_shutdown_cache(struct kmem_cache *s)

diff --git a/mm/kfence/kfence.h b/mm/kfence/kfence.h
index 97282fa..b02aad2 100644 (file)
--- a/mm/kfence/kfence.h
+++ b/mm/kfence/kfence.h
@@ -10,13 +10,6 @@
 
 #include "../slab.h" /* for struct kmem_cache */
 
-/* For non-debug builds, avoid leaking kernel pointers into dmesg. */
-#ifdef CONFIG_DEBUG_KERNEL
-#define PTR_FMT "%px"
-#else
-#define PTR_FMT "%p"
-#endif
-
 /*
  * Get the canary byte pattern for @addr. Use a pattern that varies based on the
  * lower 3 bits of the address, to detect memory corruptions with higher

diff --git a/mm/kfence/kfence_test.c b/mm/kfence/kfence_test.c
index db1bb59..4acf425 100644 (file)
--- a/mm/kfence/kfence_test.c
+++ b/mm/kfence/kfence_test.c
@@ -146,7 +146,7 @@ static bool report_matches(const struct expect_report *r)
                break;
        }
 
-       cur += scnprintf(cur, end - cur, " 0x" PTR_FMT, (void *)r->addr);
+       cur += scnprintf(cur, end - cur, " 0x%p", (void *)r->addr);
 
        spin_lock_irqsave(&observed.lock, flags);
        if (!report_available())

diff --git a/mm/kfence/report.c b/mm/kfence/report.c
index 1996295..0365555 100644 (file)
--- a/mm/kfence/report.c
+++ b/mm/kfence/report.c
@@ -14,6 +14,8 @@
 
 #include "kfence.h"
 
+extern bool no_hash_pointers;
+
 /* Helper function to either print to a seq_file or to console. */
 __printf(2, 3)
 static void seq_con_printf(struct seq_file *seq, const char *fmt, ...)
@@ -113,7 +115,7 @@ void kfence_print_object(struct seq_file *seq, const struct kfence_metadata *met
        }
 
        seq_con_printf(seq,
-                      "kfence-#%zd [0x" PTR_FMT "-0x" PTR_FMT
+                      "kfence-#%zd [0x%p-0x%p"
                       ", size=%d, cache=%s] allocated by task %d:\n",
                       meta - kfence_metadata, (void *)start, (void *)(start + size - 1), size,
                       (cache && cache->name) ? cache->name : "<destroyed>", meta->alloc_track.pid);
@@ -143,7 +145,7 @@ static void print_diff_canary(unsigned long address, size_t bytes_to_show,
        for (cur = (const u8 *)address; cur < end; cur++) {
                if (*cur == KFENCE_CANARY_PATTERN(cur))
                        pr_cont(" .");
-               else if (IS_ENABLED(CONFIG_DEBUG_KERNEL))
+               else if (no_hash_pointers)
                        pr_cont(" 0x%02x", *cur);
                else /* Do not leak kernel memory in non-debug builds. */
                        pr_cont(" !");
@@ -196,7 +198,7 @@ void kfence_report_error(unsigned long address, bool is_write, struct pt_regs *r
 
                pr_err("BUG: KFENCE: out-of-bounds %s in %pS\n\n", get_access_type(is_write),
                       (void *)stack_entries[skipnr]);
-               pr_err("Out-of-bounds %s at 0x" PTR_FMT " (%luB %s of kfence-#%zd):\n",
+               pr_err("Out-of-bounds %s at 0x%p (%luB %s of kfence-#%zd):\n",
                       get_access_type(is_write), (void *)address,
                       left_of_object ? meta->addr - address : address - meta->addr,
                       left_of_object ? "left" : "right", object_index);
@@ -205,24 +207,24 @@ void kfence_report_error(unsigned long address, bool is_write, struct pt_regs *r
        case KFENCE_ERROR_UAF:
                pr_err("BUG: KFENCE: use-after-free %s in %pS\n\n", get_access_type(is_write),
                       (void *)stack_entries[skipnr]);
-               pr_err("Use-after-free %s at 0x" PTR_FMT " (in kfence-#%zd):\n",
+               pr_err("Use-after-free %s at 0x%p (in kfence-#%zd):\n",
                       get_access_type(is_write), (void *)address, object_index);
                break;
        case KFENCE_ERROR_CORRUPTION:
                pr_err("BUG: KFENCE: memory corruption in %pS\n\n", (void *)stack_entries[skipnr]);
-               pr_err("Corrupted memory at 0x" PTR_FMT " ", (void *)address);
+               pr_err("Corrupted memory at 0x%p ", (void *)address);
                print_diff_canary(address, 16, meta);
                pr_cont(" (in kfence-#%zd):\n", object_index);
                break;
        case KFENCE_ERROR_INVALID:
                pr_err("BUG: KFENCE: invalid %s in %pS\n\n", get_access_type(is_write),
                       (void *)stack_entries[skipnr]);
-               pr_err("Invalid %s at 0x" PTR_FMT ":\n", get_access_type(is_write),
+               pr_err("Invalid %s at 0x%p:\n", get_access_type(is_write),
                       (void *)address);
                break;
        case KFENCE_ERROR_INVALID_FREE:
                pr_err("BUG: KFENCE: invalid free in %pS\n\n", (void *)stack_entries[skipnr]);
-               pr_err("Invalid free of 0x" PTR_FMT " (in kfence-#%zd):\n", (void *)address,
+               pr_err("Invalid free of 0x%p (in kfence-#%zd):\n", (void *)address,
                       object_index);
                break;
        }
@@ -237,7 +239,7 @@ void kfence_report_error(unsigned long address, bool is_write, struct pt_regs *r
 
        /* Print report footer. */
        pr_err("\n");
-       if (IS_ENABLED(CONFIG_DEBUG_KERNEL) && regs)
+       if (no_hash_pointers && regs)
                show_regs(regs);
        else
                dump_stack_print_info(KERN_ERR);