On Wed, Jun 18, 2025 at 10:24:19AM -0400, Jeff Layton wrote: > [...] > The file is given the name "class@%px", as having the unmodified address > is helpful for debugging. This should be safe since this directory is only > accessible by root > [...] > +void ref_tracker_dir_debugfs(struct ref_tracker_dir *dir) > +{ > + char name[NAME_MAX + 1]; > + struct dentry *dentry; > + int ret; > + > + /* No-op if already created */ > + dentry = xa_load(&debugfs_dentries, (unsigned long)dir); > + if (dentry && !xa_is_err(dentry)) > + return; > + > + ret = snprintf(name, sizeof(name), "%s@%px", dir->class, dir); > + name[sizeof(name) - 1] = '\0';
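Review bot: in ref_tracker_dir_debugfs(), the snprintf() result is stored in `ret` but nothing in the lines shown checks it, so a truncated file name would go unnoticed. The explicit `name[sizeof(name) - 1] = '\0';` does not cover that case and is redundant, since the kernel's snprintf() already NUL-terminates within the size it is given. Suggest comparing `ret` against `sizeof(name)` and returning on truncation, and dropping the manual terminator.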
Yikes! Never use %px, and especially don't use it for a stable identifier nor expose it to userspace like this. If you absolutely must, use %p, but never %px. This is a kernel address leak:
https://docs.kernel.org/process/deprecated.html#p-format-specifier

"helpful for debugging" is not a sufficiently good reason; and "only accessible by root" has nothing to do with kernel address integrity. Those kinds of things are (roughly) managed by various capabilities, not DAC uid==0.

--
Kees Cook
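A check a reviewer could run over a patch e-mail to catch the `%px` use discussed above, as an added example that is not part of this thread or of the kernel tree. The function name `find_raw_pointer_formats` is hypothetical, and the sample input is constructed apart from the `snprintf()` line quoted in the thread.

```python
import re

# Optional e-mail quote markers ("> "), then a '+' that is not a "+++" file header.
ADDED = re.compile(r'^(?:>\s?)*\+(?!\+\+)(.*)$')
# A C string literal, honouring backslash escapes.
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
# "%%" is consumed first so a literal percent sign followed by "px" is not
# reported; otherwise match %, optional flags/width/precision, then "px".
CONV = re.compile(r'%%|%[-+ #0]*\d*(?:\.\d+)?(px)')


def find_raw_pointer_formats(patch_text):
    """Return (line_number, code) for each added line whose format string uses %px."""
    hits = []
    for lineno, line in enumerate(patch_text.splitlines(), 1):
        m = ADDED.match(line)
        if not m:
            continue  # context, removed lines, headers and prose are ignored
        code = m.group(1)
        for literal in STRING.findall(code):
            if any(c.group(1) for c in CONV.finditer(literal)):
                hits.append((lineno, code.strip()))
                break
    return hits


# Constructed sample. Only the first line comes from the quoted patch; the
# rest are made up to exercise %p, an escaped "%%px", a removed line and a
# file header.
SAMPLE = '''\
> +    ret = snprintf(name, sizeof(name), "%s@%px", dir->class, dir);
> +    pr_debug("dir %p created\\n", dir);
> +    pr_info("width 100%%px\\n");
> -    pr_info("old %px\\n", dir);
+++ b/example.c
'''

if __name__ == "__main__":
    for lineno, code in find_raw_pointer_formats(SAMPLE):
        print(f"line {lineno}: %px prints an unhashed kernel address: {code}")
```

The scan only sees a literal `%px` in a string on an added line; a pointer cast to an integer and printed with `%lx` exposes the same address and is not detected.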