public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@elte.hu>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	James Morris <jmorris@namei.org>,
	Namhyung Kim <namhyung@gmail.com>,
	Greg Kroah-Hartman <gregkh@suse.de>,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk()
Date: Sun, 26 Jun 2011 21:46:18 +0200	[thread overview]
Message-ID: <20110626194618.GA21740@elte.hu> (raw)
In-Reply-To: <20110626190622.GB4217@albatros>


* Vasiliy Kulikov <segoon@openwall.com> wrote:

> On Sun, Jun 26, 2011 at 20:26 +0200, Ingo Molnar wrote:
>
> > > > Also, i think it would be better to make this opt-out, i.e. 
> > > > exclude the handful of control characters that are harmful 
> > > > (such as backline and console escape), instead of trying to 
> > > > include the known-useful ones.
> > > 
> > > Do you see any issue with the check above?
> > 
> > There were clear problems with the first version you posted and 
> > that's enough proof to request the exclusion of known-dangerous 
> > characters instead of including known-useful characters.
> 
> It doesn't proof anything.  If I/someone else did a mistake with 
> blacklisting would you say it is enough proof to request the 
> inclusion of well-known allowed characters?

No, because the problems such a mistake causes are not equivalent: it 
would have been far more harmful to not print out the *very real* 
product names written in some non-US language than to accidentally 
include some control character you did not think of.

> > A black list is well-defined: it disables the display of certain 
> > characters because they are *known to be dangerous*.
> 
> What do you do with dangerous characters that are *not yet known* 
> to be dangerous?

I'm ready to act on facts only. Also, i really prefer the policy of 
acting on known dangers instead of being afraid of the unknown.

The whole 'trust but verify' thing.

> > A white list on the other hand does it the wrong way around: it 
> > tries to put the 'burden of proof' on the useful, good guys - and 
> > that's counter-productive really.
> 
> Really?  I think strict API definition is productive, unlike using 
> it in cases where it looks like working, but creating tricky and 
> obscure bugs.

You werent really creating a well-defined API here, were you?

> Yes, drawing multicolor logs is funny, but ...egrrr...  printk() is 
> not written for these things.

maybe, but i still think that such a change works better, has fewer 
unintended side effects and is better documented if it excludes known 
dangers instead of trying to include known useful bits imperfectly.

Thanks,

	Ingo

  reply	other threads:[~2011-06-26 19:47 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-23 15:21 [PATCH v2] kernel: escape non-ASCII and control characters in printk() Vasiliy Kulikov
2011-06-26 10:39 ` Ingo Molnar
2011-06-26 16:54   ` Vasiliy Kulikov
2011-06-26 18:26     ` Ingo Molnar
2011-06-26 19:06       ` Vasiliy Kulikov
2011-06-26 19:46         ` Ingo Molnar [this message]
2011-06-26 20:25           ` Vasiliy Kulikov
2011-06-26 22:01             ` Ingo Molnar
2011-06-27  8:36               ` Vasiliy Kulikov
2011-06-27  9:20                 ` Vasiliy Kulikov
2011-06-27  9:40                 ` Alan Cox
2011-06-27 18:38                   ` Vasiliy Kulikov
2011-06-28 19:30                     ` Linus Torvalds
2011-07-01 12:00                       ` Ingo Molnar
2011-07-01 12:54                         ` [kernel-hardening] " Vasiliy Kulikov
2011-07-01 14:20                           ` Alan Cox
2011-07-02 16:42                             ` Solar Designer
2011-07-02 19:33                               ` Alan Cox
2011-07-02 20:34                                 ` Linus Torvalds
2011-07-01 14:37                       ` Vasiliy Kulikov
2011-07-01 14:49                         ` Alan Cox
2011-07-02  8:10                           ` Vasiliy Kulikov
2011-07-02 15:08                             ` Greg KH
2011-07-03 10:01                           ` Vasiliy Kulikov
2011-07-03 11:42                             ` Vasiliy Kulikov
2011-07-03 12:23                             ` Alan Cox
2011-07-03 17:42                             ` Linus Torvalds
2011-07-03 21:10                               ` Alan Cox
2011-07-03 21:34                                 ` Linus Torvalds
2011-07-05 17:49                               ` [kernel-hardening] " Vasiliy Kulikov
2011-07-01 12:12                 ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110626194618.GA21740@elte.hu \
    --to=mingo@elte.hu \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=gregkh@suse.de \
    --cc=jmorris@namei.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=namhyung@gmail.com \
    --cc=segoon@openwall.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox