[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190628163358.GA31800@fieldses.org>
Date: Fri, 28 Jun 2019 12:33:58 -0400
From: "J. Bruce Fields" <bfields@...ldses.org>
To: Kees Cook <keescook@...omium.org>
Cc: linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 08/16] nfsd: escape high characters in binary data
On Thu, Jun 27, 2019 at 08:58:22PM -0700, Kees Cook wrote:
> On Thu, Jun 27, 2019 at 04:21:24PM -0400, J. Bruce Fields wrote:
> > No, I was confused: "\n" is non-printable according to isprint(), so
> > ESCAPE_ANY_NP *will* escape it. So this isn't quite so bad. SSIDs are
> > usually printed as '%*pE', so arguably we should be escaping the single
> > quote character too, but at least we're not allowing line breaks
> > through. I don't know about non-ascii.
>
> Okay, cool. Given that most things are just trying to log, it seems like
> it should be safe to have %pE escape non-ascii, non-printable, \, ', and "?
>
> And if we changing that, we're likely changing
> string_escape_mem(). Looking at callers of string_escape_mem() makes my
> head spin...
kstrdup_quotable:
- only a few callers, mostly just logging, but
msm_gpu_crashstate_capture uses it to generate some data that
looks like it goes in a crashdump. Dunno if there might be
some utility depending on the current escaping. On the other
hand, kstrdup_quotable uses ESCAPE_HEX, "\f\n\r\t\v\a\e\\\""
so those characters are all escaped as \xNN, so I'd hope
any parser would be prepared to unescape any hex character,
they'd have to go out of their way to do anything else.
string_escape_str:
- proc_task_name: ESCAPE_SPACE|ESCAPE_SPECIAL, "\n\\", used for
command name in /proc/<pid>/stat{us}. No way do I want to
change the format of those files at all.
- seq_escape: ESCAPE_OCTAL, esc: haven't surveyed callers
carefully, but this probably shouldn't be changed.
- qword_add: ESCAPE_OCTAL, "\\ \n\t", some nfsd upcalls. Fine
as they are, but the other side will happily accept any octal
or hex escaping.
string_escape_mem_any_np, string_escape_str_any_np:
- totally unused.
escaped_string: this is the vsnprintf logic. Tons of users, haven't had
a chance to look at them all. Almost all %*pE, the exceptions
don't look important.
So the only flag values we care about are ESCAPE_HEX, ESCAPE_OCTAL,
ESCAPE_SPACE|ESCAPE_SPECIAL, and ESCAPE_ANY_NP.
So this could be cleaned up some if we wanted.
> Anyway, I don't want to block you needlessly. What would like to have
> be next steps here?
I might still be interested in some cleanup, I find the current logic
unnecessarily confusing.
But I may just give up and go with my existing patch and put
off that project indefinitely, especially if there's no real need to fix
the existing callers.
I don't know....
--b.
Powered by blists - more mailing lists