Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110702081022.GA2755@albatros>
Date: Sat, 2 Jul 2011 12:10:22 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Alan Cox <alan@...rguk.ukuu.org.uk>,
	Greg Kroah-Hartman <gregkh@...e.de>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
	Ingo Molnar <mingo@...e.hu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	James Morris <jmorris@...ei.org>, Namhyung Kim <namhyung@...il.com>,
	kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in
 printk()

On Fri, Jul 01, 2011 at 15:49 +0100, Alan Cox wrote:
> >  of the multiline feature.  Intoducing new "%S" format for single lines
> >  makes little sense as there are tons of printk() calls that should be
> >  already restricted to one line.
> 
> You don't need a new format string surely. Your expectation for printk is 
> 
> "multiple new lines are cool providing they are in the format string"
> 
> So that bit isn't hard to deal with, 
> 
> You make vprintk take an extra arg (trusted/untrusted args)

Not vprintk, but vscnprintf(), vsnprintf() and string() because
vprintk() is used in tens of places besides of printk().  Or better
implement _vscnprintf(.., bool untrusted) and 

vscnprintf(...) { return _vscnprintf(..., false); }

to leave current users of it as is.

But yes, I got the idea.


> You make printk pass 'untrusted'
> You make %s quote the arguments for control codes

What to do with CSI?  It is a valid byte inside of a UTF-8 string.
Parsing a supplied string assuming it is UTF-8 string and filtering CSI
iff it is not a part of UTF-8 symbol is something a bit ugly IMO.


Greg - do you know any devices supplying multibyte strings, but not in
UTF-8 encoding?  If yes, then CSI filtering is a bad idea :\


> At which point your attacker has more work to do but given a long string
> yawns and stars using the right number of spaces for the likely 80 col
> screen :)

Yeah, but introducing some artificial limit for string length is IMO
more harmfull: there is no universal limit for all situations, somewhere
the resulting string is already 70 chars and even 20 bytes would
overflow the col;  in rare cases a string of 50 bytes might be still
acceptable.


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.