On Fri, Aug 27, 2021 at 10:52 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> On Sat, Aug 28, 2021 at 02:47:03AM +0100, Matthew Wilcox wrote:
> > On Fri, Aug 27, 2021 at 12:18:57PM -0700, Suren Baghdasaryan wrote:
> > > + anon_name = vma_anon_name(vma);
> > > + if (anon_name) {
> > > + seq_pad(m, ' ');
> > > + seq_puts(m, "[anon:");
> > > + seq_write(m, anon_name, strlen(anon_name));
> > > + seq_putc(m, ']');
> > > + }
>
> Maybe after seq_pad, use: seq_printf(m, "[anon:%s]", anon_name);
Good idea. Will change.
>
> >
> > ...
> >
> > > + case PR_SET_VMA_ANON_NAME:
> > > + name = strndup_user((const char __user *)arg,
> > > + ANON_VMA_NAME_MAX_LEN);
> > > +
> > > + if (IS_ERR(name))
> > > + return PTR_ERR(name);
> > > +
> > > + for (pch = name; *pch != '\0'; pch++) {
> > > + if (!isprint(*pch)) {
> > > + kfree(name);
> > > + return -EINVAL;
> >
> > I think isprint() is too weak a check. For example, I would suggest
> > forbidding the following characters: ':', ']', '[', ' '. Perhaps
> > isalnum() would be better? (permit a-zA-Z0-9) I wouldn't necessarily
> > be opposed to some punctuation characters, but let's avoid creating
> > confusion. Do you happen to know which characters are actually in use
> > today?
>
> There's some sense in refusing [, ], and :, but removing " " seems
> unhelpful for reasonable descriptors. As long as weird stuff is escaped,
> I think it's fine. Any parser can just extract with m|\[anon:(.*)\]$|
I see no issue in forbidding '[' and ']' but whitespace and ':' are
currently used by Android. Would forbidding or escaping '[' and ']' be
enough?
>
> For example, just escape it here instead of refusing to take it. Something
> like:
>
> name = strndup_user((const char __user *)arg,
> ANON_VMA_NAME_MAX_LEN);
> escaped = kasprintf(GFP_KERNEL, "%pE", name);
Did you mean "%*pE" as in
https://www.kernel.org/doc/html/latest/core-api/printk-formats.html#raw-buffer-as-an-escaped-string
?
> if (escaped) {
> kfree(name);
> return -ENOMEM;
> }
> kfree(name);
> name = escaped;
>
> --
> Kees Cook
