From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932692AbbGGRk6 (ORCPT ); Tue, 7 Jul 2015 13:40:58 -0400 Received: from bear.ext.ti.com ([192.94.94.41]:59909 "EHLO bear.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932428AbbGGRk1 (ORCPT ); Tue, 7 Jul 2015 13:40:27 -0400 Date: Tue, 7 Jul 2015 12:39:51 -0500 From: Felipe Balbi To: Nicolas Iooss CC: Greg Kroah-Hartman , Felipe Balbi , Joel Becker , Andrew Morton , Subject: Re: [PATCH 2/2] configfs: fix kernel infoleak through user-controlled format string Message-ID: <20150707173951.GC24356@saruman.tx.rr.com> Reply-To: References: <1436279280-28492-1-git-send-email-nicolas.iooss_linux@m4x.org> <1436279280-28492-2-git-send-email-nicolas.iooss_linux@m4x.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1ccMZA6j1vT5UqiK" Content-Disposition: inline In-Reply-To: <1436279280-28492-2-git-send-email-nicolas.iooss_linux@m4x.org> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --1ccMZA6j1vT5UqiK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 07, 2015 at 10:28:00PM +0800, Nicolas Iooss wrote: > Some modules call config_item_init_type_name() and > config_group_init_type_name() with parameter "name" directly controlled > by userspace. These two functions call config_item_set_name() with this > name used as a format string, which can be used to leak information such > as content of the stack to userspace. >=20 > For example, make_netconsole_target() in netconsole module calls > config_item_init_type_name() with the name of a newly-created directory. > This means that the following commands give some unexpected output, with > configfs mounted in /sys/kernel/config/ and on a system with a > configured eth0 ethernet interface: >=20 > # modprobe netconsole > # mkdir /sys/kernel/config/netconsole/target_%lx > # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name > # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled > # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name > # dmesg |tail -n1 > [ 142.697668] netconsole: target (target_ffffffffc0ae8080) is > enabled, disable to update parameters >=20 > The directory name is correct but %lx has been interpreted in the > internal item name, displayed here in the error message used by > store_dev_name() in drivers/net/netconsole.c. >=20 > To fix this, update every caller of config_item_set_name to use "%s" > when operating on untrusted input. >=20 > This issue was found using -Wformat-security gcc flag, once a __printf > attribute has been added to config_item_set_name(). >=20 > Signed-off-by: Nicolas Iooss > --- > drivers/usb/gadget/configfs.c | 2 +- > fs/configfs/item.c | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) >=20 > diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c > index 0495c94a23d7..289e20119fea 100644 > --- a/drivers/usb/gadget/configfs.c > +++ b/drivers/usb/gadget/configfs.c > @@ -571,7 +571,7 @@ static struct config_group *function_make( > if (IS_ERR(fi)) > return ERR_CAST(fi); > =20 > - ret =3D config_item_set_name(&fi->group.cg_item, name); > + ret =3D config_item_set_name(&fi->group.cg_item, "%s", name); No objections from me: Acked-by: Felipe Balbi > if (ret) { > usb_put_function_instance(fi); > return ERR_PTR(ret); > diff --git a/fs/configfs/item.c b/fs/configfs/item.c > index 4d6a30e76168..b863a09cd2f1 100644 > --- a/fs/configfs/item.c > +++ b/fs/configfs/item.c > @@ -115,7 +115,7 @@ void config_item_init_type_name(struct config_item *i= tem, > const char *name, > struct config_item_type *type) > { > - config_item_set_name(item, name); > + config_item_set_name(item, "%s", name); > item->ci_type =3D type; > config_item_init(item); > } > @@ -124,7 +124,7 @@ EXPORT_SYMBOL(config_item_init_type_name); > void config_group_init_type_name(struct config_group *group, const char = *name, > struct config_item_type *type) > { > - config_item_set_name(&group->cg_item, name); > + config_item_set_name(&group->cg_item, "%s", name); > group->cg_item.ci_type =3D type; > config_group_init(group); > } > --=20 > 2.4.5 >=20 --=20 balbi --1ccMZA6j1vT5UqiK Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVnA7nAAoJEIaOsuA1yqREikoP/jCG13EcWBn1EnwEFL9jMK2y CUw96/t348Ajz/kLqFxAGSIgRi7RDKXRdFW5brvkhi9pthDZ/VMXSWBejxf6Kifd O/ZDdBrOE7fDVHFmT1dztgQyBtN8vmRXWrj34nJvGY90tyKoDsMOHVkHudZxKtmS oXjBdFH02xAQ6ngX/nvU8HvpHBlDG5p1koY4sL2XAnwdmrkAfAm+CkE7Hi17SnnY 178N3uMOtpiTRr0lgoogJWSe0DunmvfhEFfDjapbFeU7KXJsXSk06SdUeyjzWtj1 +rOG4GKSlMkhWbV8a9/FotkZlldCYdpayMwSAWFr9U6Rd7303xT65biXI26q4BWp F73rk19HFai7p54yTfEkbtzI0nKHWVGLImsisIiT/1bnBUmiSyafOknYb3+nkHh8 KsGSdu0sK+dtjdoGZjh/dRXUvTgAnOISRpsVk3i2nszp7pX5ZSLFQcMebbw2FsEF plRvAQvp9D1jUVjEDCngjY3mD14XIZ34MY99c2/ECsWr9PFSBD+HhcdLSQPUtyTq 8OuDz/YYqMHwjNeTQ+hfwANHZOs2OaTmaqZPMcsGh+anivX6iqNVijBYZ8T4ILV0 dsdRK1eeD0/hxK7Fbrgm55TCRep+E10yRbRgiveKN0HauxWgIU3N/BGn+bY6rNph 5Xj4iBLnWegWqpffIhxI =hQRC -----END PGP SIGNATURE----- --1ccMZA6j1vT5UqiK--