From: Vasiliy Kulikov <segoon@openwall.com>
To: Andrew Morton <akpm@linux-foundation.org>,
James Morris <jmorris@namei.org>, Ingo Molnar <mingo@elte.hu>,
Namhyung Kim <namhyung@gmail.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: [PATCH v2] kernel: escape non-ASCII and control characters in printk()
Date: Thu, 23 Jun 2011 19:21:37 +0400
Message-ID: <20110623152137.GA2536@albatros>
This patch escapes control characters fed to printk() except '\n' and '\t'.

There are numerous printk() instances with user-supplied input as "%s"
data, and an unprivileged user may craft log messages with substrings
containing control characters via these printk()s. Control characters
might fool root viewing the logs via tty, e.g. using ^[1A to suppress
the previous log line.

On the testing Samsung Q310 laptop there are no users of chars outside
of the restricted charset.

v2 - Allow chars with code >127. Allow tabs.

Reported-by: Solar Designer <solar@openwall.com>
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
kernel/printk.c | 17 ++++++++++++++++-
1 files changed, 16 insertions(+), 1 deletions(-)
---
diff --git a/kernel/printk.c b/kernel/printk.c
index 3518539..727ff7d 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -41,6 +41,7 @@
#include <linux/cpu.h>
#include <linux/notifier.h>
#include <linux/rculist.h>
+#include <linux/ctype.h>
#include <asm/uaccess.h>
@@ -671,6 +672,20 @@ static void emit_log_char(char c)
logged_chars++;
}
+static void emit_log_char_escaped(char c)
+{
+ char buffer[8];
+ int i, len;
+
+ if (!iscntrl(c) || (c == '\n') || (c == '\t'))
+ emit_log_char(c);
+ else {
+ len = sprintf(buffer, "#x%02x", c);
+ for (i = 0; i < len; i++)
+ emit_log_char(buffer[i]);
+ }
+}
+
/*
* Zap console related locks when oopsing. Only zap at most once
* every 10 seconds, to leave time for slow consoles to print a
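Review bot: In emit_log_char_escaped(), sprintf(buffer, "#x%02x", c) formats a plain char with %x, so where char is signed, any negative value reaching the else branch would be sign-extended to eight hex digits and overrun char buffer[8]. Whether that can happen depends on what iscntrl() returns for bytes above 127, which this hunk does not show; passing (unsigned char)c and bounding the write with snprintf(buffer, sizeof(buffer), ...) removes that dependency. Separately, '#' itself is emitted unchanged, so a literal "#x1b" in a message cannot be told apart from an escaped ESC byte when reading the log; a comment above the function stating the escape format and which bytes pass through would make that explicit.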
@@ -938,7 +953,7 @@ asmlinkage int vprintk(const char *fmt, va_list args)
break;
}
- emit_log_char(*p);
+ emit_log_char_escaped(*p);
if (*p == '\n')
new_text_line = 1;
}
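Review bot: The unchanged if (*p == '\n') new_text_line = 1; directly after the new call still fires for every newline, and emit_log_char_escaped() lets '\n' through, so a newline that arrived inside "%s" data still starts a new log line that a reader cannot distinguish from a genuine one. The changelog presents the '\n' exception as a given; it should state that forged line breaks are out of scope for this patch, or the newline case should be handled where the argument string is formatted, since nothing in this loop shows the origin of *p.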