Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 2 Jul 2011 12:10:22 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Alan Cox <alan@...rguk.ukuu.org.uk>,
	Greg Kroah-Hartman <gregkh@...e.de>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
	Ingo Molnar <mingo@...e.hu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	James Morris <jmorris@...ei.org>, Namhyung Kim <namhyung@...il.com>,
	kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in
 printk()

On Fri, Jul 01, 2011 at 15:49 +0100, Alan Cox wrote:
> >  of the multiline feature.  Intoducing new "%S" format for single lines
> >  makes little sense as there are tons of printk() calls that should be
> >  already restricted to one line.
> 
> You don't need a new format string surely. Your expectation for printk is 
> 
> "multiple new lines are cool providing they are in the format string"
> 
> So that bit isn't hard to deal with, 
> 
> You make vprintk take an extra arg (trusted/untrusted args)

Not vprintk, but vscnprintf(), vsnprintf() and string() because
vprintk() is used in tens of places besides of printk().  Or better
implement _vscnprintf(.., bool untrusted) and 

vscnprintf(...) { return _vscnprintf(..., false); }

to leave current users of it as is.

But yes, I got the idea.


> You make printk pass 'untrusted'
> You make %s quote the arguments for control codes

What to do with CSI?  It is a valid byte inside of a UTF-8 string.
Parsing a supplied string assuming it is UTF-8 string and filtering CSI
iff it is not a part of UTF-8 symbol is something a bit ugly IMO.


Greg - do you know any devices supplying multibyte strings, but not in
UTF-8 encoding?  If yes, then CSI filtering is a bad idea :\


> At which point your attacker has more work to do but given a long string
> yawns and stars using the right number of spaces for the likely 80 col
> screen :)

Yeah, but introducing some artificial limit for string length is IMO
more harmfull: there is no universal limit for all situations, somewhere
the resulting string is already 70 chars and even 20 bytes would
overflow the col;  in rare cases a string of 50 bytes might be still
acceptable.


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.