Message-ID: <20110623133605.GA28333@srcf.ucam.org>
Date: Thu, 23 Jun 2011 14:36:05 +0100
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Greg KH <gregkh@...e.de>
Cc: Vasiliy Kulikov <segoon@...nwall.com>, Andrew Morton <akpm@...ux-foundation.org>, James Morris <jmorris@...ei.org>, Ingo Molnar <mingo@...e.hu>, Namhyung Kim <namhyung@...il.com>, kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org, security@...nel.org
Subject: Re: [PATCH] kernel: escape non-ASCII and control characters in printk()

On Wed, Jun 22, 2011 at 08:37:42AM -0700, Greg KH wrote:
> On Wed, Jun 22, 2011 at 01:53:41PM +0400, Vasiliy Kulikov wrote:
> > This patch escapes all characters outside of allowed '\n' plus 0x20-0x7E
> > charset passed to printk().
> >
> > There are numerous printk() instances with user supplied input as "%s"
> > data, and unprivileged user may craft log messages with substrings
> > containing control characters via these printk()s. Control characters
> > might fool root viewing the logs via tty.
>
> There are "numerous" places this could happen?

USB product identifiers?

--
Matthew Garrett | mjg59@...f.ucam.org
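The escaping rule from the quoted patch description ('\n' plus 0x20-0x7E pass through, every other byte is escaped), as an added user-space example that is not part of this message or of the kernel patch. The `\xNN` output notation and the names `log_char_allowed` and `escape_log_string` are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowed set from the patch description: '\n' plus 0x20-0x7E. */
static int log_char_allowed(unsigned char c)
{
    return c == '\n' || (c >= 0x20 && c <= 0x7e);
}

/*
 * Copy len bytes of src into dst, rewriting each disallowed byte as \xNN
 * (assumed notation). dst is always NUL-terminated; an escape that does not
 * fit is dropped whole, never split. Returns bytes written, excluding the NUL.
 */
static size_t escape_log_string(char *dst, size_t dstsize,
                                const char *src, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    size_t out = 0;

    if (dstsize == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        size_t need = log_char_allowed(c) ? 1 : 4;

        if (out + need >= dstsize)      /* keep one byte for the NUL */
            break;
        if (need == 1) {
            dst[out++] = (char)c;
        } else {
            dst[out++] = '\\';
            dst[out++] = 'x';
            dst[out++] = hex[c >> 4];
            dst[out++] = hex[c & 0x0f];
        }
    }
    dst[out] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a device-supplied name carrying terminal controls. */
    const char name[] = "Flash\x1b[2J\rDisk\n";
    char buf[64];
    escape_log_string(buf, sizeof(buf), name, strlen(name));
    fputs(buf, stdout);
    return 0;
}
```
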