Re: [PATCH v2] sanitize task->comm to avoid leaking escape codes

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <kees.cook@canonical.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
	Andrew Morton <akpm@linux-foundation.org>,
	Tejun Heo <tj@kernel.org>, Veaceslav Falico <vfalico@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Oleg Nesterov <oleg@redhat.com>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>,
	Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>,
	Stefani Seibold <stefani@seibold.net>,
	Thomas Gleixner <tglx@linutronix.de>,
	Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>,
	"Andrew G. Morgan" <morgan@kernel.org>,
	Dhaval Giani <dhaval.giani@gmail.com>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	Steve Grubb <sgrubb@redhat.com>, Christoph Hellwig <hch@lst.de>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2] sanitize task->comm to avoid leaking escape codes
Date: Tue, 29 Jun 2010 07:51:37 -0700	[thread overview]
Message-ID: <20100629145137.GD4175@outflux.net> (raw)
In-Reply-To: <20100629103650.3b80e09f@lxorguk.ukuu.org.uk>

On Tue, Jun 29, 2010 at 10:36:50AM +0100, Alan Cox wrote:
> > Through get_task_comm() and many direct uses of task->comm in the kernel,
> > it is possible for escape codes and other non-printables to leak into
> > dmesg, syslog, etc.  In the worst case, these strings could be used to
> > attack administrators using vulnerable terminal emulators, and at least
> > cause confusion through the injection of \r characters.
> 
> If an administrator has a vulnerable terminal emulator they have other
> problems.

Totally agreed.

> Please do any filtering you must in the yama security module where it
> only affects that. One way to approach it without losing data within the
> module might be to use HTML style encoding within Yama so your own tools
> can undo the 'sanitizing' rather than losing information ?

I'm not interested in sanitizing this in Yama.  The use of task->comm via
printk was seen as a flaw.  I didn't agree (see above about terminal),
and suggested that if it was a flaw, it was a flaw with printk or
task->comm itself.  Since "fixing" both of those have been vetoed,
I have no more interest in the filtering.

What I do have interest in is fixing get_task_comm's use of buffers, which
is theoretically problematic in some future where someone accidentally
calls it with a buffer smaller than sizeof(task->comm).

I'll send a patch that only fixes that and leaves out the filtering.

-Kees

-- 
Kees Cook
Ubuntu Security Team

next prev parent reply	other threads:[~2010-06-29 14:53 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-06-24 19:05 [PATCH v2] sanitize task->comm to avoid leaking escape codes Kees Cook
2010-06-24 23:56 ` KOSAKI Motohiro
2010-06-28 17:48   ` Stefani Seibold
2010-06-28 18:04     ` Kees Cook
2010-06-29  3:05     ` KOSAKI Motohiro
2010-06-29 12:58       ` Steve Grubb
2010-06-30  0:16         ` KOSAKI Motohiro
2010-06-30  0:22           ` Steve Grubb
2010-06-30  0:28             ` KOSAKI Motohiro
2010-06-29  9:36 ` Alan Cox
2010-06-29 14:51   ` Kees Cook [this message]
2010-06-30  9:13     ` Alan Cox
2010-06-30  0:31   ` KOSAKI Motohiro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100629145137.GD4175@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=dhaval.giani@gmail.com \
    --cc=eparis@redhat.com \
    --cc=gregkh@suse.de \
    --cc=hch@lst.de \
    --cc=jmorris@namei.org \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=morgan@kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=oleg@redhat.com \
    --cc=roland@redhat.com \
    --cc=serue@us.ibm.com \
    --cc=seto.hidetoshi@jp.fujitsu.com \
    --cc=sgrubb@redhat.com \
    --cc=stefani@seibold.net \
    --cc=tglx@linutronix.de \
    --cc=tj@kernel.org \
    --cc=vfalico@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.