Re: [PATCH 2/2] proc: use set_puts() at /proc/*/wchan
From: Andrew Morton
Date: Wed Feb 21 2018 - 15:27:13 EST
On Wed, 21 Feb 2018 09:57:49 +0100 Rasmus Villemoes <rasmus.villemoes@xxxxxxxxx> wrote:
> On 2018-02-21 01:02, Andrew Morton wrote:
> > On Sat, 17 Feb 2018 16:06:42 +0200 Andy Shevchenko <andy.shevchenko@xxxxxxxxx> wrote:
> >
> >> On Sat, Feb 17, 2018 at 9:20 AM, Alexey Dobriyan <adobriyan@xxxxxxxxx> wrote:
> >>> Signed-off-by: Alexey Dobriyan <adobriyan@xxxxxxxxx>
> >>
> >>
> >>> - seq_printf(m, "%s", symname);
> >>> + seq_puts(m, symname);
> >>
> >> While this might have no security concerns, the pattern might be
> >> brainlessly used by some janitors and there would have security
> >> implications.
> >
> > And I'd like to see a changelog, please. One which explains why
> > `symname' cannot have a %s (etc) in it, and never will.
>
> OK, since #youtoo: It doesn't _matter_ if symname is "%pHAHAHA %fooled
> you <unicode for evil grin emoji>", seq_puts does not interpret it at
> all. There are _never_ security implications with the above replacement.
> Sure, seq_printf(m, symname) would be bad, but that's not what is being
> done.
doh, OK, sorry. RTFP, Andrew.