Re: [PATCH] sysctl: terminate strings also on \r

From: Andrew Morton
Date: Wed Oct 22 2014 - 22:00:48 EST


On Wed, 22 Oct 2014 16:43:10 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:

> On Wed, Oct 22, 2014 at 4:26 PM, Andrew Morton
> <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> > On Tue, 21 Oct 2014 13:21:37 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >
> >> From: Paul Wise <pabs3@xxxxxxxxxxxxx>
> >>
> >> This partially mitigates a common strategy used by attackers for hiding
> >> the full contents of strings in procfs from naive sysadmins who use cat,
> >> more or sysctl to inspect the contents of strings in procfs.
> >>
> >> ...
> >>
> >> --- a/kernel/sysctl.c
> >> +++ b/kernel/sysctl.c
> >> @@ -1739,7 +1739,7 @@ static int _proc_do_string(char *data, int maxlen, int write,
> >> while ((p - buffer) < *lenp && len < maxlen - 1) {
> >> if (get_user(c, p++))
> >> return -EFAULT;
> >> - if (c == 0 || c == '\n')
> >> + if (c == 0 || c == '\n' || c == '\r')
> >> break;
> >> data[len++] = c;
> >> }
> >
> > There are no valid uses of \r in a procfs write?
>
> I struggle to imagine one; everything I found that uses proc_dostring
> seems to be names, paths, and commands.
>

You're insufficiently pessimistic.

I wonder if the chances of damage would be lower if we were to continue
to accept the \r, but turn it into something else ("\r"?) when it is
read.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/