Message-ID: <476DC76E7D1DF2438D32BFADF679FC5623063C51@ORSMSX103.amr.corp.intel.com>
Date: Wed, 15 Feb 2017 17:31:27 +0000
From: "Roberts, William C" <william.c.roberts@...el.com>
To: Kees Cook <keescook@...omium.org>, Laura Abbott <labbott@...hat.com>
CC: "kernel-hardening@...ts.openwall.com"
	<kernel-hardening@...ts.openwall.com>, "nicolas.iooss_linux@....org"
	<nicolas.iooss_linux@....org>
Subject: RE: Format string gcc-plugin?



> -----Original Message-----
> From: keescook@...gle.com [mailto:keescook@...gle.com] On Behalf Of Kees
> Cook
> Sent: Tuesday, February 14, 2017 11:08 AM
> To: Laura Abbott <labbott@...hat.com>
> Cc: kernel-hardening@...ts.openwall.com
> Subject: Re: [kernel-hardening] Format string gcc-plugin?
> 
> On Tue, Feb 14, 2017 at 10:01 AM, Laura Abbott <labbott@...hat.com> wrote:
> > Hi,
> >
> > The recent discussions about %pk led me to start playing around with
> > writing a gcc plugin (notes about writing a gcc plugin are
> > forthcoming). My idea was to expand checking of the kernel's
> > additional formats (%pK, %pR etc.) or possibly even change the format
> > strings. The big issue is that most of vsprintf.c would end up in the
> > plugin which would be ugly to maintain. This concept could be used for
> > some of the problems with kernel pointer leaks
> > https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
> > but I'm interested if anyone else has thoughts or ideas about how
> > better to do this (or even not to do this).
> 
> If we can leverage common code between the plugin and vsprintf.c, it should be
> doable. I haven't looked at processing format strings at all, though I assume the
> plugin would need to check the __printf-generated attributes.
> 
> In my related notes was a hint that looking at how gcc does it normally is gcc/c-
> family/c-format.c:
> http://stackoverflow.com/a/16336175
> 
> And while not strictly part of format type checking, I talked a bit about dealing
> with const strings here:
> http://www.openwall.com/lists/kernel-hardening/2016/12/07/16
> 
> -Kees
> 
> --
> Kees Cook
> Pixel Security

gcc would be nice since it's the compiler most often used for building the Linux kernel (does clang work fully yet?)

Nicolas Iooss was able to use UBSan to find one:

commit 901d805c33fc4c029fc6b2d94ee5fb7d30278045
Author: Nicolas Iooss <nicolas.iooss_linux@....org>
Date:   Tue Aug 2 14:03:10 2016 -0700

    UBSAN: fix typo in format string
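As an added example (not code from the thread, from Laura's plugin, or from vsprintf.c): the single pass over a format string that such a plugin would have to borrow from vsprintf.c, counting ordinary conversions and telling the %p extensions the thread names (%pK, %pR) apart from extensions it does not know. The accepted-extension table is a constructed two-entry subset rather than the kernel's real list, and the function name scan_kernel_format is assumed.

```c
/* Constructed example of the format walk a kernel format-checking plugin
 * needs; the extension table is a constructed subset, not the kernel's. */
#include <stddef.h>
#include <string.h>

struct fmt_report {
    int conversions;   /* every '%' that starts a conversion (not %%) */
    int ptr_ext;       /* %p followed by an extension the table accepts */
    int ptr_unknown;   /* %p followed by a letter the table does not know */
};

/* Constructed subset: only the extensions mentioned in the thread. */
static const char kernel_ptr_exts[] = "KR";

static int is_flag(char c)   { return strchr("-+ #0", c) != NULL; }
static int is_length(char c) { return strchr("hlLqjzt", c) != NULL; }

/* Walk fmt once, roughly as vsprintf.c's format decoding does, and tally
 * what a checker cares about. Returns 0, or -1 on a dangling trailing '%'. */
int scan_kernel_format(const char *fmt, struct fmt_report *r)
{
    memset(r, 0, sizeof *r);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }        /* literal percent */
        p++;
        while (*p && is_flag(*p)) p++;             /* flags */
        while (*p >= '0' && *p <= '9') p++;        /* field width */
        if (*p == '*') p++;
        if (*p == '.') {                           /* precision */
            p++;
            while (*p >= '0' && *p <= '9') p++;
            if (*p == '*') p++;
        }
        while (*p && is_length(*p)) p++;           /* length modifier */
        if (!*p)
            return -1;                             /* string ended mid-spec */
        r->conversions++;
        if (*p == 'p') {
            /* Kernel extension: only the first letter after 'p' is inspected. */
            char e = p[1];
            if ((e >= 'A' && e <= 'Z') || (e >= 'a' && e <= 'z')) {
                if (strchr(kernel_ptr_exts, e)) r->ptr_ext++;
                else                             r->ptr_unknown++;
                p++;                               /* consume the letter */
            }
        }
    }
    return 0;
}
```

A real plugin would also need the argument list from the __printf attribute to match each conversion against the type actually passed; this block only shows the string side of that check.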
