lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YS0OWFnzLHJViamF@casper.infradead.org>
Date:   Mon, 30 Aug 2021 17:59:04 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     Suren Baghdasaryan <surenb@...gle.com>
Cc:     Rasmus Villemoes <linux@...musvillemoes.dk>,
        Kees Cook <keescook@...omium.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Colin Cross <ccross@...gle.com>,
        Sumit Semwal <sumit.semwal@...aro.org>,
        Michal Hocko <mhocko@...e.com>,
        Dave Hansen <dave.hansen@...el.com>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Johannes Weiner <hannes@...xchg.org>,
        Jonathan Corbet <corbet@....net>,
        Al Viro <viro@...iv.linux.org.uk>,
        Randy Dunlap <rdunlap@...radead.org>,
        Kalesh Singh <kaleshsingh@...gle.com>,
        Peter Xu <peterx@...hat.com>, rppt@...nel.org,
        Peter Zijlstra <peterz@...radead.org>,
        Catalin Marinas <catalin.marinas@....com>,
        vincenzo.frascino@....com,
        Chinwen Chang (張錦文) 
        <chinwen.chang@...iatek.com>,
        Axel Rasmussen <axelrasmussen@...gle.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Jann Horn <jannh@...gle.com>, apopple@...dia.com,
        John Hubbard <jhubbard@...dia.com>,
        Yu Zhao <yuzhao@...gle.com>, Will Deacon <will@...nel.org>,
        fenghua.yu@...el.com, thunder.leizhen@...wei.com,
        Hugh Dickins <hughd@...gle.com>, feng.tang@...el.com,
        Jason Gunthorpe <jgg@...pe.ca>, Roman Gushchin <guro@...com>,
        Thomas Gleixner <tglx@...utronix.de>, krisman@...labora.com,
        chris.hyser@...cle.com, Peter Collingbourne <pcc@...gle.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Jens Axboe <axboe@...nel.dk>, legion@...nel.org,
        Rolf Eike Beer <eb@...ix.com>,
        Muchun Song <songmuchun@...edance.com>,
        Viresh Kumar <viresh.kumar@...aro.org>,
        Thomas Cedeno <thomascedeno@...gle.com>, sashal@...nel.org,
        cxfcosmos@...il.com, LKML <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-mm <linux-mm@...ck.org>,
        kernel-team <kernel-team@...roid.com>
Subject: Re: [PATCH v8 2/3] mm: add a field to store names for private
 anonymous memory

On Mon, Aug 30, 2021 at 09:16:14AM -0700, Suren Baghdasaryan wrote:
> On Mon, Aug 30, 2021 at 1:12 AM Rasmus Villemoes
> <linux@...musvillemoes.dk> wrote:
> >
> > On 28/08/2021 23.47, Suren Baghdasaryan wrote:
> > > On Fri, Aug 27, 2021 at 10:52 PM Kees Cook <keescook@...omium.org> wrote:
> > >>
> > >>>> +   case PR_SET_VMA_ANON_NAME:
> > >>>> +           name = strndup_user((const char __user *)arg,
> > >>>> +                               ANON_VMA_NAME_MAX_LEN);
> > >>>> +
> > >>>> +           if (IS_ERR(name))
> > >>>> +                   return PTR_ERR(name);
> > >>>> +
> > >>>> +           for (pch = name; *pch != '\0'; pch++) {
> > >>>> +                   if (!isprint(*pch)) {
> > >>>> +                           kfree(name);
> > >>>> +                           return -EINVAL;
> > >>>
> > >>> I think isprint() is too weak a check.  For example, I would suggest
> > >>> forbidding the following characters: ':', ']', '[', ' '.  Perhaps
> >
> > Indeed. There's also the issue that the kernel's ctype actually
> > implements some almost-but-not-quite latin1, so (some) chars above 0x7f
> > would also pass isprint() - while everybody today expects utf-8, so the
> > ability to put almost arbitrary sequences of chars with the high bit set
> > could certainly confuse some parsers. IOW, don't use isprint() at all,
> > just explicitly check for the byte values that we and up agreeing to
> > allow/forbid.
> >
> > >>> isalnum() would be better?  (permit a-zA-Z0-9)  I wouldn't necessarily
> > >>> be opposed to some punctuation characters, but let's avoid creating
> > >>> confusion.  Do you happen to know which characters are actually in use
> > >>> today?
> > >>
> > >> There's some sense in refusing [, ], and :, but removing " " seems
> > >> unhelpful for reasonable descriptors. As long as weird stuff is escaped,
> > >> I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$|
> > >
> > > I see no issue in forbidding '[' and ']' but whitespace and ':' are
> > > currently used by Android. Would forbidding or escaping '[' and ']' be
> > > enough?
> >
> > how about allowing [0x20, 0x7e] except [0x5b, 0x5d], i.e. all printable
> > (including space) ascii characters, except [ \ ] - the brackets as
> > already discussed, and backslash because then there's nobody who can get
> > confused about whether there's some (and then which?) escaping mechanism
> > in play - "\n" is simply never going to appear. Simple rules, easy to
> > implement, easy to explain in a man page.
> 
> Thanks for the suggestion, Rasmus. I'm all for keeping it simple.
> Kees, Matthew, would that be acceptable?

Yes, I think so.  It permits all kinds of characters that might
be confusing if passed on to something else, but we can't prohibit
everything, and forbidding just these three should remove any confusion
for any parser of /proc.  Little Bobby Tables thanks you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ