From: Steve Grubb <sgrubb@redhat.com>
To: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Stefani Seibold <stefani@seibold.net>,
Kees Cook <kees.cook@canonical.com>,
linux-kernel@vger.kernel.org,
"Greg Kroah-Hartman" <gregkh@suse.de>,
Andrew Morton <akpm@linux-foundation.org>,
Tejun Heo <tj@kernel.org>, Veaceslav Falico <vfalico@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Oleg Nesterov <oleg@redhat.com>,
Neil Horman <nhorman@tuxdriver.com>,
Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>,
Thomas Gleixner <tglx@linutronix.de>,
Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>,
"Andrew G. Morgan" <morgan@kernel.org>,
Dhaval Giani <dhaval.giani@gmail.com>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Christoph Hellwig <hch@lst.de>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2] sanitize task->comm to avoid leaking escape codes
Date: Tue, 29 Jun 2010 08:58:49 -0400 [thread overview]
Message-ID: <201006290858.50387.sgrubb@redhat.com> (raw)
In-Reply-To: <20100629115957.38BF.A69D9226@jp.fujitsu.com>
On Monday, June 28, 2010 11:05:56 pm KOSAKI Motohiro wrote:
> > Am Freitag, den 25.06.2010, 08:56 +0900 schrieb KOSAKI Motohiro:
> > > > Through get_task_comm() and many direct uses of task->comm in the
> > > > kernel, it is possible for escape codes and other non-printables to
> > > > leak into dmesg, syslog, etc. In the worst case, these strings
> > > > could be used to attack administrators using vulnerable terminal
> > > > emulators, and at least cause confusion through the injection of \r
> > > > characters.
> > > >
> > > > This patch sanitizes task->comm to only contain printable characters
> > > > when it is set. Additionally, it redefines get_task_comm so that it
> > > > is more obvious when misused by callers (presently nothing was
> > > > incorrectly calling get_task_comm's unsafe use of strncpy).
For the audit system, we want the real, unsanitized task->comm. We record it
in a special format to the audit logs such that unprintable characters are
included. We want it exactly this way for certification purposes as well as
forensic evidence if someone was playing games. If you do sanitize it for
other areas of the kernel, please give us a way to get the unsanitized text.
-Steve
> > > > Signed-off-by: Kees Cook <kees.cook@canonical.com>
> > >
> > > I've reviewed this patch briefly, Here is my personal concern...
> > >
> > > On Linux, non-printable leaking is fundamental, only fixing task->comm
> > > doesn't solve syslog exploit issue. Probably all /proc/kmsg user should
> > > have escaping non-pritables code.
> > >
> > > However, task->comm is one of most easy injection data of kernel,
> > > because we have prctl(PR_SET_NAME), attacker don't need root
> > > privilege. So, conservative assumption seems guard from crappy fault.
> > > Plus, this patch is very small and our small TASK_COMM_LEN lead that
> > > we don't need big performance concern.
> > >
> > > So, I don't find demerit in this proposal. but I'm not security
> > > specialist, it's only personal thinking.
> >
> > Agree. I think a escaped printk should be a more generic solution.
>
> Is this possible? printk() doesn't know userland locale. how do it escape
> correctly? When we only concern task->comm, assuming ascii-only string is
> enough practical. but printk generic logic should allow non-ascii, I
> think.
>
> I think userland reader process only know correct escaping way.
next prev parent reply other threads:[~2010-06-29 12:58 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-24 19:05 [PATCH v2] sanitize task->comm to avoid leaking escape codes Kees Cook
2010-06-24 23:56 ` KOSAKI Motohiro
2010-06-28 17:48 ` Stefani Seibold
2010-06-28 18:04 ` Kees Cook
2010-06-29 3:05 ` KOSAKI Motohiro
2010-06-29 12:58 ` Steve Grubb [this message]
2010-06-30 0:16 ` KOSAKI Motohiro
2010-06-30 0:22 ` Steve Grubb
2010-06-30 0:28 ` KOSAKI Motohiro
2010-06-29 9:36 ` Alan Cox
2010-06-29 14:51 ` Kees Cook
2010-06-30 9:13 ` Alan Cox
2010-06-30 0:31 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201006290858.50387.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=dhaval.giani@gmail.com \
--cc=eparis@redhat.com \
--cc=gregkh@suse.de \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=morgan@kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=serue@us.ibm.com \
--cc=seto.hidetoshi@jp.fujitsu.com \
--cc=stefani@seibold.net \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=vfalico@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).