Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20110612131543.GB3994@albatros>
Date: Sun, 12 Jun 2011 17:15:45 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Willy Tarreau <w@....eu>
Subject: Re: printk()s of user-supplied strings

Solar,

On Sun, Jun 12, 2011 at 06:31 +0400, Solar Designer wrote:
> You could want to review this thread:
> 
> http://lists.openwall.net/linux-kernel/2006/08/22/29
> 
> (click "thread-next" for further messages).
> 
> I don't know (or don't recall) what the outcome of it was, if any.

I don't see any log spoofing protection in the current code.


As a primary threat is \n and \n<X> spoofing, I think the more simple
and bloodless solution would be escaping \n by some string like ">>".  So,
the initial

printk(PR_ERR, "Suspicious string: %s\n",
 "something\n<1>[  2533.035243] TCP: possible syn-flood from google.com")

- would result in -

[  2533.111111] Suspicious string: something
>> <1>[  2533.035243] TCP: possible syn-flood from google.com

Also all non-printable characters should be escaped on their own (1-31,
possibly, 127-255).  \xYYY or similar?

This parsing should be done in "%s" substitution only and in printk()
substitutions only (there are many other users of vscnprintf() and
similar).


An escaping has one drawback - escaped \n looses information about the
log severity.  So, this prefixed ">> .." string will be printed as it
would has emergency log severities.  It is better than simple log
spoofing, though.

Fully filter "\n" is not a solution as, IIRC, there are legitimate users
of such a multiline feature in the kernel.

Thanks,

-- 
Vasiliy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.