From: Greg Kroah-Hartman
To: Nicolas Iooss
Cc: Felipe Balbi, Joel Becker, Andrew Morton, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] configfs: fix kernel infoleak through user-controlled format string
Date: Tue, 7 Jul 2015 15:34:48 -0700
Message-ID: <20150707223448.GA30548@kroah.com>
In-Reply-To: <1436279280-28492-2-git-send-email-nicolas.iooss_linux@m4x.org>
References: <1436279280-28492-1-git-send-email-nicolas.iooss_linux@m4x.org> <1436279280-28492-2-git-send-email-nicolas.iooss_linux@m4x.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 07, 2015 at 10:28:00PM +0800, Nicolas Iooss wrote:
> Some modules call config_item_init_type_name() and
> config_group_init_type_name() with parameter "name" directly controlled
> by userspace. These two functions call config_item_set_name() with this
> name used as a format string, which can be used to leak information such
> as content of the stack to userspace.
>
> For example, make_netconsole_target() in netconsole module calls
> config_item_init_type_name() with the name of a newly-created directory.
> This means that the following commands give some unexpected output, with
> configfs mounted in /sys/kernel/config/ and on a system with a
> configured eth0 ethernet interface:
>
>     # modprobe netconsole
>     # mkdir /sys/kernel/config/netconsole/target_%lx
>     # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
>     # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
>     # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
>     # dmesg |tail -n1
>     [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
>     enabled, disable to update parameters
>
> The directory name is correct but %lx has been interpreted in the
> internal item name, displayed here in the error message used by
> store_dev_name() in drivers/net/netconsole.c.
>
> To fix this, update every caller of config_item_set_name to use "%s"
> when operating on untrusted input.
>
> This issue was found using -Wformat-security gcc flag, once a __printf
> attribute has been added to config_item_set_name().
>
> Signed-off-by: Nicolas Iooss
> ---
>  drivers/usb/gadget/configfs.c | 2 +-
>  fs/configfs/item.c            | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)

Nice catch:

Acked-by: Greg Kroah-Hartman
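As an added illustration (not code from the patch or from the kernel), a userspace stand-in for the pattern the fix describes: the `"%s"` call that keeps a user-supplied name as data rather than as the format, and the printf-style format attribute that lets `-Wformat-security` flag callers which pass a non-literal, argument-less format. `struct item`, `item_set_name()`, `init_item_from_user()` and `count_directives()` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct config_item; the kernel's own
 * structure and name length differ. */
#define ITEM_NAME_LEN 20

struct item {
	char name[ITEM_NAME_LEN];
};

/* The format attribute is the analogue of the __printf annotation the
 * patch adds: with it, -Wformat-security warns on item_set_name(it, name)
 * where name is not a string literal and no arguments follow. */
__attribute__((format(printf, 2, 3)))
static int item_set_name(struct item *it, const char *fmt, ...)
{
	va_list args;
	int ret;

	va_start(args, fmt);
	ret = vsnprintf(it->name, sizeof(it->name), fmt, args);
	va_end(args);
	return ret;
}

/* Fixed pattern from the patch: the untrusted name is an argument to a
 * fixed "%s" format, so "target_%lx" is stored verbatim.
 * (The original callers passed user_name itself as fmt.) */
static int init_item_from_user(struct item *it, const char *user_name)
{
	return item_set_name(it, "%s", user_name);
}

/* Counts the '%' directives a format engine would consume if this string
 * were used as a format; "%%" is a literal percent and does not count.
 * A name with a non-zero count is exactly the input that exposed the bug. */
static int count_directives(const char *s)
{
	int n = 0;

	for (; *s; s++) {
		if (*s != '%')
			continue;
		if (s[1] == '%') {	/* skip escaped percent */
			s++;
			continue;
		}
		n++;
	}
	return n;
}

int main(void)
{
	struct item it;
	const char *user_name = "target_%lx";	/* constructed directory name */

	init_item_from_user(&it, user_name);
	printf("stored name: %s (%d directive(s) kept literal)\n",
	       it.name, count_directives(it.name));
	return 0;
}
```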