sanitize task->comm to avoid leaking escape codes
in [Kernel]
|
From: Kees Cook on 29 Jun 2010 15:20 On Tue, Jun 29, 2010 at 11:59:56AM -0700, Andrew Morton wrote: > On Tue, 29 Jun 2010 08:09:52 -0700 > Kees Cook <kees.cook(a)canonical.com> wrote: > > > On Tue, Jun 29, 2010 at 11:45:14AM +0300, Alexey Dobriyan wrote: > > > On Tue, Jun 29, 2010 at 12:03 AM, Kees Cook <kees.cook(a)canonical.com> wrote: > > > > On Mon, Jun 28, 2010 at 01:00:28PM -0700, Andrew Morton wrote: > > > >> Surely it would be better to fix the tools which display this info > > > >> rather than making the kernel tell fibs. > > > > > > > > The strncpy in get_task_comm() is totally wrong -- it's testing the length > > > > of task->comm. > > > > > > It also fills not just any buffer but buffer which is TASK_COMM_LEN byte wide. > > > > > > > Why should get_task_comm not take a destination buffer length argument? > > > > > > If you pass too small, you needlessly truncate output. > > > > If you pass too small a buffer, get_task_comm will happily write all over > > the caller's stack past the end of the buffer if the contents of task->comm > > are large enough: > > > > strncpy(buf, tsk->comm, sizeof(tsk->comm)); > > > > The "n" argument to get_task_comm's use of strncpy is totally wrong -- > > it needs to be the size of the destination, not the size of the source. > > Luckily, everyone using get_task_comm currently uses buffers that are > > sizeof(task->comm). > > It's not "totally wrong" at all. get_task_comm() *requires* that it be Using strncpy with n as the source buffer length is meaningless here (tsk->comm is always null terminated at TASK_COMM_LEN or earlier). > passed a buffer of at least TASK_COMM_LEN bytes. sizeof(tsk->comm) > equals TASK_COMM_LEN and always will do so. We could replace the > sizeof with TASK_COMM_LEN for cosmetic reasons but that's utter > nitpicking. But then, the comment right there says "buf must be at > least sizeof(tsk->comm) in size". That's so simple that even a kernel > developer could understand it? If so, strncpy should just be replaced with strcpy. You're assuming buf will always be at least TASK_COMM_LEN. We know the source buffer size is TASK_COMM_LEN because it's already defined that way. There is nothing in the build or runtime that makes sure that buf is at least TASK_COMM_LEN. > Do we need a runtime check every time to make sure that some developer > didn't misunderstand such a simple thing? Seems pretty pointless - > there are a zillion such runtime checks we could add. It'd be better > to do > > #define get_task_comm(buf, tsk) { \ > BUILD_BUG_ON(sizeof(buf) < TASK_COMM_LEN); \ > __get_task_comm(buf, tsk); \ > } > > and save the runtime bloat. But again, what was special about this > particular programmer error? There are five or six instances of > strcpy(foo, current->comm). Do we need runtime checks there as well?? I can't see how it could be a bad thing. Why not try to do some defensive programming here? It's a trivial fix and your define would block this from ever being a problem. As I said before, either get_task_comm() is considered sensitive or it's not. If it is, I've sent a few patches that might help. If it's not, then code should not be criticised for using it. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: john stultz on 29 Jun 2010 18:40 On Tue, 2010-06-29 at 07:58 +0300, Artem Bityutskiy wrote: > On Wed, 2010-06-23 at 21:41 +0200, Oleg Nesterov wrote: > > On 06/23, Kees Cook wrote: > > > > > > @@ -956,7 +957,15 @@ void set_task_comm(struct task_struct *tsk, char *buf) > > > */ > > > memset(tsk->comm, 0, TASK_COMM_LEN); > > > wmb(); > > > > Off-topic. I'd wish I could understand this barrier. Since the lockless > > reader doesn't do rmb() I don't see how this can help. > > This wmb() looks wrong to me as well. To achieve what the comment in > this function says, it should be smp_wmb() and we should have smp_rmb() > in the reading side, AFAIU. > > > OTOH, I don't > > understand why it is needed, we never change ->comm[TASK_COMM_LEN-1] == '0'. > > I think the idea was that readers can see incomplete names, but not > messed up names, consisting of old and new ones. Yes, that was the intent, but I do see how it is unnecessary. So I'm fine with it and the memset being removed. Thanks for catching this! -john -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: KOSAKI Motohiro on 29 Jun 2010 20:20 > On Monday, June 28, 2010 11:05:56 pm KOSAKI Motohiro wrote: > > > Am Freitag, den 25.06.2010, 08:56 +0900 schrieb KOSAKI Motohiro: > > > > > Through get_task_comm() and many direct uses of task->comm in the > > > > > kernel, it is possible for escape codes and other non-printables to > > > > > leak into dmesg, syslog, etc. In the worst case, these strings > > > > > could be used to attack administrators using vulnerable terminal > > > > > emulators, and at least cause confusion through the injection of \r > > > > > characters. > > > > > > > > > > This patch sanitizes task->comm to only contain printable characters > > > > > when it is set. Additionally, it redefines get_task_comm so that it > > > > > is more obvious when misused by callers (presently nothing was > > > > > incorrectly calling get_task_comm's unsafe use of strncpy). > > For the audit system, we want the real, unsanitized task->comm. We record it > in a special format to the audit logs such that unprintable characters are > included. We want it exactly this way for certification purposes as well as > forensic evidence if someone was playing games. If you do sanitize it for > other areas of the kernel, please give us a way to get the unsanitized text. Probably this mail is offtopic. I think audit is unrelated with this discusstion. because when forensic, admins shouldn't believe task->comm at all. because 1) no path information, perhaps "ls" might mean "/home/attackers-dir/evil-script/ls" 2) easily obscured by prctl(PR_SET_NAME). That said, audit have to logged following two point if task name is necessary. 1) exec 2) prctl(PRT_SET_NAME) Thought ? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: KOSAKI Motohiro on 29 Jun 2010 20:30 > On Tuesday, June 29, 2010 08:16:08 pm KOSAKI Motohiro wrote: > > > For the audit system, we want the real, unsanitized task->comm. We record > > > it in a special format to the audit logs such that unprintable > > > characters are included. We want it exactly this way for certification > > > purposes as well as forensic evidence if someone was playing games. If > > > you do sanitize it for other areas of the kernel, please give us a way > > > to get the unsanitized text. > > > > Probably this mail is offtopic. I think audit is unrelated with this > > discusstion. because when forensic, admins shouldn't believe task->comm > > at all. because 1) no path information, perhaps "ls" might mean > > "/home/attackers-dir/evil-script/ls" 2) easily obscured by > > prctl(PR_SET_NAME). > > No, its on-topic and we want that information unchanged. Why? I think I've described why admins should't see task->comm during forensic. Do you disagree this? or Do you have another viewpoint? Can you help us clarify your point? > > That said, audit have to logged following two point if task name is > > necessary. 1) exec > > 2) prctl(PRT_SET_NAME) > > > > Thought ? > > The audit system is capable of grabbing that information, too. ok. thanks good information :) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Steve Grubb on 29 Jun 2010 20:30
On Tuesday, June 29, 2010 08:16:08 pm KOSAKI Motohiro wrote: > > For the audit system, we want the real, unsanitized task->comm. We record > > it in a special format to the audit logs such that unprintable > > characters are included. We want it exactly this way for certification > > purposes as well as forensic evidence if someone was playing games. If > > you do sanitize it for other areas of the kernel, please give us a way > > to get the unsanitized text. > > Probably this mail is offtopic. I think audit is unrelated with this > discusstion. because when forensic, admins shouldn't believe task->comm > at all. because 1) no path information, perhaps "ls" might mean > "/home/attackers-dir/evil-script/ls" 2) easily obscured by > prctl(PR_SET_NAME). No, its on-topic and we want that information unchanged. > That said, audit have to logged following two point if task name is > necessary. 1) exec > 2) prctl(PRT_SET_NAME) > > Thought ? The audit system is capable of grabbing that information, too. -Steve -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |