Re: printk()s of user-supplied strings (Re: [PATCH] binfmt_elf.c : the BAD_ADDR macro again)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Solar Designer <solar@openwall.com>
To: Ernie Petrides <petrides@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>, linux-kernel@vger.kernel.org
Subject: Re: printk()s of user-supplied strings (Re: [PATCH] binfmt_elf.c : the BAD_ADDR macro again)
Date: Thu, 24 Aug 2006 20:44:25 +0400	[thread overview]
Message-ID: <20060824164425.GA17692@openwall.com> (raw)
In-Reply-To: <200608222023.k7MKNHpH018036@pasta.boston.redhat.com>

On Tue, Aug 22, 2006 at 04:23:17PM -0400, Ernie Petrides wrote:
> On Tuesday, 22-Aug-2006 at 7:7 +0400, Solar Designer wrote:
> > > -			printk(KERN_ERR "Unable to load interpreter %.128s\n",
> > > -				elf_interpreter);
> >
> > I'd rather have this message rate-limited, not dropped completely.
> 
> I consider any printk() that can be arbitrarily triggered by an
> unprivileged user to be inappropriate, rate-limited or not.  I
> recommend that it be removed entirely.

Some of them are quite useful.  For example, the presence of this one in
dmesg and the logs typically (although not necessarily) indicates that
there was an OOM condition - and the interpreter name is useful to know
that the message indeed applied to /lib/ld-linux.so.2 rather than to
some user-supplied ELF interpreter (that could simply be non-existent).
Alan has recently suggested that another rate-limited user triggerable
message be introduced for set*uid() failing on transient errors.  Then,
what about warnings of emulated unaligned accesses on Alpha?  Those were
useful to me on many occasions.  There can be many other examples.

Also, for some printk()s it is difficult to say whether they're user
triggerable.  A printk() indicating a "machine check" or an ECC error
may well be user triggerable on a particular system.

> > Another long-time concern that I had is that we've got some printk()s
> > of user-supplied string data.  What about embedded linefeeds - can this
> > be used to produce fake kernel messages with arbitrary log level (syslog
> > priority)?  It certainly seems so.
> >
> > Also, there are terminal controls...
> 
> These are valid concerns.  Allowing the kernel to print user-fabricated
> strings is a terrible idea.

Yet there are lots of such printk()s - and I suggest that we make a
determination on all of them before we possibly start fixing individual
ones.  In fact, perhaps there are too many of them to be fixing any in
2.4, unless we determine to somehow harden printk() itself.

Even current->comm is untrusted user input, but there are at least 58
printk()s of it in 2.4.33.  (58 is the number spotted by a grep that
would only match those that have current->comm on the same line with
printk itself.)

Alexander

next prev parent reply	other threads:[~2006-08-24 16:47 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-08-20  2:04 [PATCH x7] misc fixes from 2.4.33-ow1 Solar Designer
2006-08-20  9:15 ` [PATCH] binfmt_elf.c : the BAD_ADDR macro again Willy Tarreau
2006-08-20 15:51   ` Solar Designer
2006-08-20 16:23     ` Willy Tarreau
2006-08-21 20:35       ` Ernie Petrides
2006-08-21 21:11         ` Willy Tarreau
2006-08-21 23:36           ` Ernie Petrides
2006-08-22  3:07             ` printk()s of user-supplied strings (Re: [PATCH] binfmt_elf.c : the BAD_ADDR macro again) Solar Designer
2006-08-22 20:23               ` Ernie Petrides
2006-08-22 20:34                 ` printk()s of user-supplied strings Willy Tarreau
2006-08-24 16:44                 ` Solar Designer [this message]
2006-08-24 16:46                   ` printk()s of user-supplied strings (Re: [PATCH] binfmt_elf.c : the BAD_ADDR macro again) Willy Tarreau
2006-08-26  2:29                     ` Solar Designer
2006-08-26  8:22                       ` Willy Tarreau
2006-08-26 23:13                         ` Solar Designer
2006-08-27 20:04                           ` printk()s of user-supplied strings Willy Tarreau
2006-08-28  1:52                             ` Solar Designer
1970-01-01  0:16                               ` Pavel Machek
2006-08-28  8:02                               ` Willy Tarreau
2006-08-28 11:17                                 ` Krzysztof Halasa
2006-08-30  6:15                                   ` Willy Tarreau
2006-08-28 17:35                               ` Valdis.Kletnieks
2006-08-22  4:36             ` [PATCH] binfmt_elf.c : the BAD_ADDR macro again Willy Tarreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20060824164425.GA17692@openwall.com \
    --to=solar@openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=petrides@redhat.com \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.