public inbox for linux-kernel@vger.kernel.org
From: Willy Tarreau <w@1wt.eu>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
	security@kernel.org, kernel-hardening@lists.openwall.com,
	Namhyung Kim <namhyung@gmail.com>,
	Greg Kroah-Hartman <gregkh@suse.de>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, Joe Perches <joe@perches.com>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [Security] [PATCH] kernel: escape non-ASCII and control characters in printk()
Date: Sat, 25 Jun 2011 22:52:34 +0200
Message-ID: <20110625205234.GA8743@1wt.eu>
In-Reply-To: <20110622190739.GB14351@albatros>

Hi Vasiliy,

On Wed, Jun 22, 2011 at 11:07:39PM +0400, Vasiliy Kulikov wrote:
> The final check should be:
> 
>     if (iscntrl(c) && (c != '\n') && (c != '\t'))
> 
> Any comments against this variant?

In fact, I'm not sure we're adding that much protection with such a check
because as long as the '\n' is allowed, it's easy to fake logs. For instance:

$ cd /tmp
$ echo "main() { *(int*)0=0; }" | gcc -xc -o fail -
$ ln -s fail $'Oops: 000\nklogd'
$ ./Oops*
$ dmesg|tail -2
Oops: 000
klogd[1927]: segfault at 0 ip 0000000008048337 sp 00000000ffb54ba4 error 6 in fail[8048000+1000]
$

In an ideal world, only \n should be escaped since it's the only delimiter,
and klogd would get the raw logs with lines correctly sequenced. Other
characters should probably be escaped before going to log files if those
files are supposed to be readable on a terminal.

But I recall it was not possible to escape \n when we worked on the subject
several years ago on 2.4, because some drivers used to send multi-line logs
in a single printk().

The fundamental issue we're facing is that neither inputs nor outputs have
been clearly typed in the past. I tend to consider that a log file is readable
by "tail -f" and as such should not contain dangerous chars, however I also
tend to prefer sending raw logs over the network when they are archived by
different means. In the end it makes sense for the kernel and klogd to
exchange raw logs and syslogd should encode them when pushing them to a
file.

Best regards,
Willy
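
Added example, not part of Willy Tarreau's message or of the patch under discussion: a file-side encoder of the kind the message assigns to syslogd, run once with '\n' and '\t' let through (as in the quoted check) and once with them escaped. The function names, the `\xHH` encoding and the sample record are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Escape one log record before it is written to a line-oriented file.
 * Control and non-ASCII bytes become \xHH and a backslash is doubled so the
 * encoding stays unambiguous. With keep_nl_tab set, '\n' and '\t' pass
 * through unchanged, mirroring the check quoted in the thread.
 * Returns bytes written (excluding NUL), or -1 if out is too small. */
static int escape_record(const char *in, size_t len, char *out, size_t outsz,
                         int keep_nl_tab)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        int pass_ws = keep_nl_tab && (c == '\n' || c == '\t');
        if (c == '\\') {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = '\\';
        } else if ((c < 0x20 || c >= 0x7f) && !pass_ws) {
            if (o + 4 >= outsz) return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Number of physical lines a reader of the log file sees for one record. */
static int lines_in(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '\n') n++;
    return n;
}

int main(void)
{
    /* Constructed sample record, modelled on the dmesg output in the message. */
    const char rec[] = "Oops: 000\nklogd[1927]: segfault at 0 ip 08048337";
    char a[256], b[256];
    escape_record(rec, strlen(rec), a, sizeof a, 1); /* '\n' allowed through */
    escape_record(rec, strlen(rec), b, sizeof b, 0); /* '\n' escaped on write */
    printf("%d line(s): %s\n", lines_in(a), a);
    printf("%d line(s): %s\n", lines_in(b), b);
    return 0;
}
```

With '\n' passed through, the single record occupies two lines in the file and the second looks like a separate entry; with it escaped, the record stays on one line and the embedded newline is visible as `\x0a`.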


Thread overview: 14+ messages
2011-06-22  9:53 [PATCH] kernel: escape non-ASCII and control characters in printk() Vasiliy Kulikov
2011-06-22 15:37 ` Greg KH
2011-06-22 16:13   ` Vasiliy Kulikov
2011-06-23 13:36   ` Matthew Garrett
2011-06-23 21:44     ` Greg KH
2011-07-11  6:37   ` Pavel Machek
2011-06-22 16:38 ` Joe Perches
2011-06-22 16:53   ` Vasiliy Kulikov
2011-06-22 17:14     ` Joe Perches
2011-06-22 17:48       ` Vasiliy Kulikov
2011-06-22 18:10   ` Alan Cox
2011-06-22 19:07     ` Vasiliy Kulikov
2011-06-23 18:11       ` Geert Uytterhoeven
2011-06-25 20:52       ` Willy Tarreau [this message]
