linux-kernel.vger.kernel.org archive mirror
* unsafe printk
@ 2003-10-17  1:36 Albert Cahalan
  2003-10-17  9:52 ` Pavel Machek
  2003-10-17 12:38 ` Richard B. Johnson
  0 siblings, 2 replies; 4+ messages in thread
From: Albert Cahalan @ 2003-10-17  1:36 UTC (permalink / raw)
  To: linux-kernel mailing list

Suppose I name an executable this:
"\n<0>Oops: EIP=0"

That comes out as a KERN_EMERG log message,
hitting the console and maybe a pager even.

There seem to be a number of places in the
kernel that printk current->comm without
concern for what it may contain.

Escape codes and non-ASCII can make for some
interesting log messages as well. Terminals
may have some programmable keys or answerback
messages. So one day root is using grep on
the log files, and they program the answerback
string to contain a "\r\nrm -r /\r\n"...

BTW, the 0x9b character is often an escape.




* Re: unsafe printk
  2003-10-17  1:36 unsafe printk Albert Cahalan
@ 2003-10-17  9:52 ` Pavel Machek
  2003-10-17 23:52   ` Albert Cahalan
  2003-10-17 12:38 ` Richard B. Johnson
  1 sibling, 1 reply; 4+ messages in thread
From: Pavel Machek @ 2003-10-17  9:52 UTC (permalink / raw)
  To: Albert Cahalan; +Cc: linux-kernel mailing list

Hi!

> Suppose I name an executable this:
> "\n<0>Oops: EIP=0"
> 
> That comes out as a KERN_EMERG log message,
> hitting the console and maybe a pager even.
> 
> There seem to be a number of places in the
> kernel that printk current->comm without
> concern for what it may contain.
> 
> Escape codes and non-ASCII can make for some
> interesting log messages as well. Terminals
> may have some programmable keys or answerback
> messages. So one day root is using grep on
> the log files, and they program the answerback
> string to contain a "\r\nrm -r /\r\n"...

Or at least you can make his terminal pink ;-). Unfortunately same
problem is with userland programs; root does ps and his terminal goes
pink. Sanitizing kernel messages would be good start, but ps&friends
and ls&friends need to be sanitized, too.
								Pavel

-- 
When do you have a heart between your knees?
[Johanka's followup: and *two* hearts?]


* Re: unsafe printk
  2003-10-17  1:36 unsafe printk Albert Cahalan
  2003-10-17  9:52 ` Pavel Machek
@ 2003-10-17 12:38 ` Richard B. Johnson
  1 sibling, 0 replies; 4+ messages in thread
From: Richard B. Johnson @ 2003-10-17 12:38 UTC (permalink / raw)
  To: Albert Cahalan; +Cc: linux-kernel mailing list

On Thu, 16 Oct 2003, Albert Cahalan wrote:

> Suppose I name an executable this:
> "\n<0>Oops: EIP=0"
>
> That comes out as a KERN_EMERG log message,
> hitting the console and maybe a pager even.
>
> There seem to be a number of places in the
> kernel that printk current->comm without
> concern for what it may contain.
>
> Escape codes and non-ASCII can make for some
> interesting log messages as well. Terminals
> may have some programmable keys or answerback
> messages. So one day root is using grep on
> the log files, and they program the answerback
> string to contain a "\r\nrm -r /\r\n"...
>
> BTW, the 0x9b character is often an escape.

I remember this from VAX/VMS "system manager school"!
"Don't ever read anybody's data from the SYSTEM account...."

The text read could write a whole command-procedure to
the answer-back buffer, then tell it to answer-back! The
result would be the execution of anything from a privileged
account.

I don't think the built-in VT100-220 emulation has an
answer-back buffer, but there still are RS-232C terminals
out there........


Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
            Note 96.31% of all statistics are fiction.




* Re: unsafe printk
  2003-10-17  9:52 ` Pavel Machek
@ 2003-10-17 23:52   ` Albert Cahalan
  0 siblings, 0 replies; 4+ messages in thread
From: Albert Cahalan @ 2003-10-17 23:52 UTC (permalink / raw)
  To: Pavel Machek; +Cc: linux-kernel mailing list

On Fri, 2003-10-17 at 05:52, Pavel Machek wrote:
> Hi!
> 
> > Suppose I name an executable this:
> > "\n<0>Oops: EIP=0"
> > 
> > That comes out as a KERN_EMERG log message,
> > hitting the console and maybe a pager even.
> > 
> > There seem to be a number of places in the
> > kernel that printk current->comm without
> > concern for what it may contain.
> > 
> > Escape codes and non-ASCII can make for some
> > interesting log messages as well. Terminals
> > may have some programmable keys or answerback
> > messages. So one day root is using grep on
> > the log files, and they program the answerback
> > string to contain a "\r\nrm -r /\r\n"...
> 
> Or at least you can make his terminal pink ;-). Unfortunately same
> problem is with userland programs; root does ps and his terminal goes
> pink. Sanitizing kernel messages would be good start, but ps&friends
> and ls&friends need to be sanitized, too.

Both ps and ls are protected. At least with the
procps-3.1.xx code, w and top are also protected.

So anyway, what to do about the kernel messages?
One option is to just mangle comm up front. Another
option is to provide a formatting function for
safe printing.



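An added example, not part of the thread and not kernel code: one way the "formatting function for safe printing" option from the last message could behave, written as user-space C. The names escape_comm and COMM_LEN are hypothetical; the sample name is the one from the first message. Once the newline is escaped, the "<0>" no longer begins a line of its own, and 0x9b is rendered as text instead of reaching the terminal.

```c
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16  /* assumption: mirrors the kernel's 16-byte comm field */

/*
 * Hypothetical helper. Copies src to dst, keeping printable ASCII and
 * rewriting every other byte (controls, DEL, 0x80-0xff incl. 0x9b) as \xNN.
 * A backslash is doubled so the output is unambiguous. An escape is never
 * split on truncation. Returns bytes written, not counting the NUL.
 */
size_t escape_comm(const char *src, char *dst, size_t dst_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t out = 0;

    if (dst_size == 0)
        return 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        size_t need = (c == '\\') ? 2 : (c >= 0x20 && c < 0x7f) ? 1 : 4;

        if (out + need >= dst_size)  /* keep room for the NUL */
            break;
        if (need > 1)
            dst[out++] = '\\';
        if (need == 4) {
            dst[out++] = 'x';
            dst[out++] = hex[c >> 4];
            dst[out++] = hex[c & 0x0f];
        } else {
            dst[out++] = (char)c;
        }
    }
    dst[out] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: the executable name quoted in the thread. */
    const char comm[COMM_LEN] = "\n<0>Oops: EIP=0";
    char safe[4 * COMM_LEN + 1];  /* worst case: every byte becomes \xNN */

    escape_comm(comm, safe, sizeof(safe));
    printf("comm=%s\n", safe);
    return 0;
}
```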
