| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Jul 2011 15:49:47 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: Vasiliy Kulikov <segoon@...nwall.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Ingo Molnar <mingo@...e.hu>, Andrew Morton <akpm@...ux-foundation.org>, James Morris <jmorris@...ei.org>, Namhyung Kim <namhyung@...il.com>, Greg Kroah-Hartman <gregkh@...e.de>, kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk() > of the multiline feature. Intoducing new "%S" format for single lines > makes little sense as there are tons of printk() calls that should be > already restricted to one line. You don't need a new format string surely. Your expectation for printk is "multiple new lines are cool providing they are in the format string" So that bit isn't hard to deal with, You make vprintk take an extra arg (trusted/untrusted args) You make printk pass 'untrusted' You make %s quote the arguments for control codes if untrusted is set but you don't mangle format string controls. End of problem ? At which point your attacker has more work to do but given a long string yawns and stars using the right number of spaces for the likely 80 col screen :) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists