Re: [PATCH] vsprintf: BUG on %n

From: Andrew Morton
Date: Mon Jan 27 2014 - 18:17:14 EST


On Mon, 27 Jan 2014 15:12:34 -0800 Joe Perches <joe@xxxxxxxxxxx> wrote:

> On Mon, 2014-01-27 at 15:03 -0800, Kees Cook wrote:
> > Now that there has been a full release of the kernel, and all users
> > of %n have been dropped, switch to %n use triggering a BUG. Ignoring
> > arguments could be used to assist in information leaks if an arbitrary
> > format string was under the control of an attacker.
> []
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> []
> > @@ -1735,15 +1735,12 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
> > case FORMAT_TYPE_NRCHARS: {
> > /*
> > * Since %n poses a greater security risk than
> > - * utility, ignore %n and skip its argument.
> > + * utility, it should not be implemented. Instead,
> > + * BUG when encountering %n, since there are no
> > + * legitimate users and skipping arguments could
> > + * assist information leak attacks.
> > */
> > - void *skip_arg;
> > -
> > - WARN_ONCE(1, "Please remove ignored %%n in '%s'\n",
> > - old_fmt);
> > -
> > - skip_arg = va_arg(args, void *);
> > - break;
> > + BUG();
>
> BUGs should be avoided where possible.
>
> I think using BUG here isn't necessary or good.
>

Good point(s).

In fact the patch makes the kernel less secure - it provides a way for
people to make the kernel crash if they a) are able to inject printk
control strings and b) don't know about %s ;)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/