lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-id: <1432119588-22209-1-git-send-email-m.niesluchow@samsung.com>
Date:	Wed, 20 May 2015 12:59:48 +0200
From:	Marcin Niesluchowski <m.niesluchow@...sung.com>
To:	Andrew Morton <akpm@...ux-foundation.org>,
	Petr Mladek <pmladek@...e.cz>, Jan Kara <jack@...e.cz>,
	"Steven Rostedt (Red Hat)" <rostedt@...dmis.org>,
	Alex Elder <elder@...aro.org>,
	"Luis R. Rodriguez" <mcgrof@...e.com>,
	Peter Hurley <peter@...leysoftware.com>,
	Joe Perches <joe@...ches.com>, Kay Sievers <kay@...y.org>
Cc:	linux-kernel@...r.kernel.org,
	Ɓukasz Stelmach <l.stelmach@...sung.com>,
	Karol Lewandowski <k.lewandowsk@...sung.com>,
	Marcin Niesluchowski <m.niesluchow@...sung.com>
Subject: [PATCH] printk: Remove possible overflow in user read buffer

Reading message with dict may cause user buffer overflow due to
no limits of written dict and hardcoded user read buffer size.
As limits of dict are not clear, it may be possible in extreme
use case to trigger it (e.g. by driver passing some dict parameters
from userland or other module logging large key-value data).

Truncate dict read by user when its size would cause user read
buffer to overflow.

Bug was found during work on extension of kmsg enabling writing
dict from userspace.

Signed-off-by: Marcin Niesluchowski <m.niesluchow@...sung.com>
---
 kernel/printk/printk.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index c099b08..b61602d 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -505,6 +505,7 @@ int check_syslog_permissions(int type, bool from_file)
 	return security_syslog(type);
 }
 
+#define USER_READ_LOG_BUF_LEN	8192
 
 /* /dev/kmsg - userspace message inject/listen interface */
 struct devkmsg_user {
@@ -512,7 +513,7 @@ struct devkmsg_user {
 	u32 idx;
 	enum log_flags prev;
 	struct mutex lock;
-	char buf[8192];
+	char buf[USER_READ_LOG_BUF_LEN];
 };
 
 static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from)
@@ -648,21 +649,29 @@ static ssize_t devkmsg_read(struct file *file, char __user *buf,
 			unsigned char c = log_dict(msg)[i];
 
 			if (line) {
+				if (len >= USER_READ_LOG_BUF_LEN-1)
+					break;
 				user->buf[len++] = ' ';
 				line = false;
 			}
 
 			if (c == '\0') {
+				if (len >= USER_READ_LOG_BUF_LEN-1)
+					break;
 				user->buf[len++] = '\n';
 				line = true;
 				continue;
 			}
 
 			if (c < ' ' || c >= 127 || c == '\\') {
+				if (len >= USER_READ_LOG_BUF_LEN-4)
+					break;
 				len += sprintf(user->buf + len, "\\x%02x", c);
 				continue;
 			}
 
+			if (len >= USER_READ_LOG_BUF_LEN-1)
+				break;
 			user->buf[len++] = c;
 		}
 		user->buf[len++] = '\n';
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ