From: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
To: Kees Cook <keescook@chromium.org>
Cc: artem.bityutskiy@linux.intel.com,
David Woodhouse <dwmw2@infradead.org>,
Brian Norris <computersforpeace@gmail.com>,
Linux mtd <linux-mtd@lists.infradead.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ubi: avoid workqueue format string leak
Date: Tue, 8 Apr 2014 15:09:15 -0300 [thread overview]
Message-ID: <20140408180915.GA1221@arch.cereza> (raw)
In-Reply-To: <CAGXu5j+-1o9TmqLrq2ZPhoRvOmiv4Do5wvGkasxHb+Frm7hutA@mail.gmail.com>
On Apr 08, Kees Cook wrote:
> On Tue, Apr 8, 2014 at 7:43 AM, Artem Bityutskiy
> <artem.bityutskiy@linux.intel.com> wrote:
> > On Tue, 2014-04-08 at 10:57 -0300, Ezequiel Garcia wrote:
> >> Hello Kees,
> >>
> >> Thanks for the patch.
> >>
> >> On Apr 07, Kees Cook wrote:
> >> > When building the name for the workqueue thread, make sure a format
> >> > string cannot leak in from the disk name.
> >> >
> >>
> >> Could you enlighten me and explain why you want to avoid the name leak?
> >> Is it a security concern?
> >>
> >> I'd like to understad this better, so I can avoid making such mistakes
> >> in the future.
> >
> > Well, the basics seem to be simple, attacker makes sure gd->disk_name
> > contains a bunch of "%s" and other placeholders, and this leads
> > "workqueue_alloc()" to read kernel memory and form the workqueue name.
>
> Right. I don't think there is an actual exploitable vulnerability
> here, but it's a best-practice to not pass variable strings in as a
> potential format string.
>
I see, thanks for explanation. I'll certainly try to keep this in mind!
> > I did not think it through further, though, but that was enough for me
> > to apply the patch right away. But yeah, curios parts are:
> >
> > 1. How attacker could end up with a crafted "gd->disk_name"
>
> At present, the only way I know how to set that is via some special
> controls in md, but I assume that would not work via ubi.
>
I guess it's not possible in our case, given we are hard-setting the name
to ubiblock%d_%d:
sprintf(gd->disk_name, "ubiblock%d_%d", dev->ubi_num, dev->vol_id);
Nevertheless the fix is valid, so thanks a lot and keep them coming!
--
Ezequiel García, Free Electrons
Embedded Linux, Kernel and Android Engineering
http://free-electrons.com
prev parent reply other threads:[~2014-04-08 18:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-08 4:44 [PATCH] ubi: avoid workqueue format string leak Kees Cook
2014-04-08 13:52 ` Artem Bityutskiy
2014-04-08 13:57 ` Ezequiel Garcia
2014-04-08 14:43 ` Artem Bityutskiy
2014-04-08 15:59 ` Kees Cook
2014-04-08 18:09 ` Ezequiel Garcia [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140408180915.GA1221@arch.cereza \
--to=ezequiel.garcia@free-electrons.com \
--cc=artem.bityutskiy@linux.intel.com \
--cc=computersforpeace@gmail.com \
--cc=dwmw2@infradead.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox