linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vasiliy Kulikov <segoon@openwall.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	James Morris <jmorris@namei.org>, Ingo Molnar <mingo@elte.hu>,
	Namhyung Kim <namhyung@gmail.com>,
	Greg Kroah-Hartman <gregkh@suse.de>,
	kernel-hardening@lists.openwall.com,
	linux-kernel@vger.kernel.org, Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: [PATCH v2] kernel: escape non-ASCII and control characters in printk()
Date: Thu, 23 Jun 2011 19:21:37 +0400	[thread overview]
Message-ID: <20110623152137.GA2536@albatros> (raw)

This patch escapes control characters fed to printk() except '\n' and '\t'.

There are numerous printk() instances with user supplied input as "%s"
data, and unprivileged user may craft log messages with substrings
containing control characters via these printk()s.  Control characters
might fool root viewing the logs via tty, e.g. using ^[1A to suppress
the previous log line.

On the testing Samsung Q310 laptop there are no users of chars outside
of the restricted charset. 

v2 - Allow chars with code >127.  Allow tabs.

Reported-by: Solar Designer <solar@openwall.com>
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
 kernel/printk.c |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletions(-)

---
diff --git a/kernel/printk.c b/kernel/printk.c
index 3518539..727ff7d 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -41,6 +41,7 @@
 #include <linux/cpu.h>
 #include <linux/notifier.h>
 #include <linux/rculist.h>
+#include <linux/ctype.h>
 
 #include <asm/uaccess.h>
 
@@ -671,6 +672,20 @@ static void emit_log_char(char c)
 		logged_chars++;
 }
 
+static void emit_log_char_escaped(char c)
+{
+	char buffer[8];
+	int i, len;
+
+	if (!iscntrl(c) || (c == '\n') || (c == '\t'))
+		emit_log_char(c);
+	else {
+		len = sprintf(buffer, "#x%02x", c);
+		for (i = 0; i < len; i++)
+			emit_log_char(buffer[i]);
+	}
+}
+
 /*
  * Zap console related locks when oopsing. Only zap at most once
  * every 10 seconds, to leave time for slow consoles to print a
@@ -938,7 +953,7 @@ asmlinkage int vprintk(const char *fmt, va_list args)
 				break;
 		}
 
-		emit_log_char(*p);
+		emit_log_char_escaped(*p);
 		if (*p == '\n')
 			new_text_line = 1;
 	}
---

             reply	other threads:[~2011-06-23 15:21 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-23 15:21 Vasiliy Kulikov [this message]
2011-06-26 10:39 ` [PATCH v2] kernel: escape non-ASCII and control characters in printk() Ingo Molnar
2011-06-26 16:54   ` Vasiliy Kulikov
2011-06-26 18:26     ` Ingo Molnar
2011-06-26 19:06       ` Vasiliy Kulikov
2011-06-26 19:46         ` Ingo Molnar
2011-06-26 20:25           ` Vasiliy Kulikov
2011-06-26 22:01             ` Ingo Molnar
2011-06-27  8:36               ` Vasiliy Kulikov
2011-06-27  9:20                 ` Vasiliy Kulikov
2011-06-27  9:40                 ` Alan Cox
2011-06-27 18:38                   ` Vasiliy Kulikov
2011-06-28 19:30                     ` Linus Torvalds
2011-07-01 12:00                       ` Ingo Molnar
2011-07-01 12:54                         ` [kernel-hardening] " Vasiliy Kulikov
2011-07-01 14:20                           ` Alan Cox
2011-07-02 16:42                             ` Solar Designer
2011-07-02 19:33                               ` Alan Cox
2011-07-02 20:34                                 ` Linus Torvalds
2011-07-01 14:37                       ` Vasiliy Kulikov
2011-07-01 14:49                         ` Alan Cox
2011-07-02  8:10                           ` Vasiliy Kulikov
2011-07-02 15:08                             ` Greg KH
2011-07-03 10:01                           ` Vasiliy Kulikov
2011-07-03 11:42                             ` Vasiliy Kulikov
2011-07-03 12:23                             ` Alan Cox
2011-07-03 17:42                             ` Linus Torvalds
2011-07-03 21:10                               ` Alan Cox
2011-07-03 21:34                                 ` Linus Torvalds
2011-07-05 17:49                               ` [kernel-hardening] " Vasiliy Kulikov
2011-07-01 12:12                 ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110623152137.GA2536@albatros \
    --to=segoon@openwall.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=gregkh@suse.de \
    --cc=jmorris@namei.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=namhyung@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).