From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>,
Andrew Morton <akpm@linux-foundation.org>,
Tejun Heo <tj@kernel.org>, Veaceslav Falico <vfalico@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Neil Horman <nhorman@tuxdriver.com>,
Roland McGrath <roland@redhat.com>, Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>,
Stefani Seibold <stefani@seibold.net>,
Thomas Gleixner <tglx@linutronix.de>,
Eric Paris <eparis@redhat.com>, James Morris <jmorris@namei.org>,
"Andrew G. Morgan" <morgan@kernel.org>,
Dhaval Giani <dhaval.giani@gmail.com>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Steve Grubb <sgrubb@redhat.com>, Christoph Hellwig <hch@lst.de>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2] sanitize task->comm to avoid leaking escape codes
Date: Tue, 29 Jun 2010 10:36:50 +0100 [thread overview]
Message-ID: <20100629103650.3b80e09f@lxorguk.ukuu.org.uk> (raw)
In-Reply-To: <20100624190527.GD5917@outflux.net>
> Through get_task_comm() and many direct uses of task->comm in the kernel,
> it is possible for escape codes and other non-printables to leak into
> dmesg, syslog, etc. In the worst case, these strings could be used to
> attack administrators using vulnerable terminal emulators, and at least
> cause confusion through the injection of \r characters.
If an administrator has a vulnerable terminal emulator they have other
problems.
> This patch sanitizes task->comm to only contain printable characters
> when it is set. Additionally, it redefines get_task_comm so that it is
> more obvious when misused by callers (presently nothing was incorrectly
> calling get_task_comm's unsafe use of strncpy).
This is a regression for tools that correctly handle unmutilated data.
> + /* sanitize non-printable characters */
> + for (i = 0; buf[i] && i < (sizeof(tsk->comm) - 1); i++) {
> + if (!isprint(buf[i]))
> + tsk->comm[i] = '?';
The kernel "isprint" isn't adequate for this. comm is set by the shell
based on argv[0] usually which means that in normal situations it is a
UTF-8 string.
Please do any filtering you must in the yama security module where it
only affects that. One way to approach it without losing data within the
module might be to use HTML style encoding within Yama so your own tools
can undo the 'sanitizing' rather than losing information ?
Ideally you want to the dev/inode pair of the thing being executed
printed as well - that will give real information for security purposes,
while the ->comm data is much more convenient for general debugging and
investigation than having to keep looking them up.
Alan
next prev parent reply other threads:[~2010-06-29 9:33 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-24 19:05 [PATCH v2] sanitize task->comm to avoid leaking escape codes Kees Cook
2010-06-24 23:56 ` KOSAKI Motohiro
2010-06-28 17:48 ` Stefani Seibold
2010-06-28 18:04 ` Kees Cook
2010-06-29 3:05 ` KOSAKI Motohiro
2010-06-29 12:58 ` Steve Grubb
2010-06-30 0:16 ` KOSAKI Motohiro
2010-06-30 0:22 ` Steve Grubb
2010-06-30 0:28 ` KOSAKI Motohiro
2010-06-29 9:36 ` Alan Cox [this message]
2010-06-29 14:51 ` Kees Cook
2010-06-30 9:13 ` Alan Cox
2010-06-30 0:31 ` KOSAKI Motohiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100629103650.3b80e09f@lxorguk.ukuu.org.uk \
--to=alan@lxorguk.ukuu.org.uk \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=dhaval.giani@gmail.com \
--cc=eparis@redhat.com \
--cc=gregkh@suse.de \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=morgan@kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=serue@us.ibm.com \
--cc=seto.hidetoshi@jp.fujitsu.com \
--cc=sgrubb@redhat.com \
--cc=stefani@seibold.net \
--cc=tglx@linutronix.de \
--cc=tj@kernel.org \
--cc=vfalico@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).