On Wed, 2015-01-14 at 01:40 -0800, Christoph Hellwig wrote:
> On Tue, Jan 13, 2015 at 05:30:20PM +0000, James Bottomley wrote:
> > Just for everyone's sake the problem is printk format strings (and all
> > the things that indirect there, like pr_xxx and dev_printk). We must
> > never pass a mutable string directly to printk because of the mayhem
> > that would result if its contents were altered by the user (because some
> > of the things we do in string format parsing are very dangerous), making
> > this a potential security issue. Only ever pass static strings (in the
> > ro section) to printk formats.
> >
> > So this is wrong:
> >
> > dev_printk(KERN_INFO, dev, logbuf);
> >
> > This is correct:
> >
> > dev_printk(KERN_INFO, dev, "%s", logbuf);
>
> In this case the logbuf comes from actually doing just that string
> formatting earlier in the function, so in practice it's harmless.

However, it's a wrong pattern which we need to avoid. Otherwise we get
one patch every few months "fixing" it and a couple of annoyed emails
from security people who re-did the analysis.

> It would be useful to have a dev_puts to avoid that reinterpretation again,
> though.

I'm fairly certain, given a lot of what has gone on in our string
processors that dev_puts() would get implemented via dev_printk ...

James
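
An added example, not part of the original thread and not kernel code: a user-space C sketch of the pattern discussed above, showing that a buffer built by earlier formatting can still carry conversion specifiers and that passing it through "%s" keeps them literal. `demo_printk`, `demo_puts` and `conversions_in` are hypothetical stand-ins, and the device label is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-in for dev_printk(): formats into out. */
__attribute__((format(printf, 3, 4)))
static int demo_printk(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Hypothetical dev_puts(): the caller's text is only ever an argument. */
static int demo_puts(char *out, size_t n, const char *msg)
{
    return demo_printk(out, n, "%s", msg);
}

/* Count conversions a second formatting pass would act on ("%%" is literal). */
static int conversions_in(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent: skip both characters */
        else if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    char logbuf[64], out[64];
    /* First pass: logbuf is built by formatting, as in the thread's case. */
    demo_printk(logbuf, sizeof(logbuf), "device %s: reset", "disk%s%n");
    /* Wrong: demo_printk(out, sizeof(out), logbuf); would parse logbuf again. */
    demo_puts(out, sizeof(out), logbuf);
    printf("%d conversions kept literal: %s\n", conversions_in(logbuf), out);
    return 0;
}
```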