Re: [PATCH v2] sanitize task->comm to avoid leaking escape codes
From: KOSAKI Motohiro
Date: Tue Jun 29 2010 - 20:16:21 EST
> On Monday, June 28, 2010 11:05:56 pm KOSAKI Motohiro wrote:
> > > Am Freitag, den 25.06.2010, 08:56 +0900 schrieb KOSAKI Motohiro:
> > > > > Through get_task_comm() and many direct uses of task->comm in the
> > > > > kernel, it is possible for escape codes and other non-printables to
> > > > > leak into dmesg, syslog, etc. In the worst case, these strings
> > > > > could be used to attack administrators using vulnerable terminal
> > > > > emulators, and at least cause confusion through the injection of \r
> > > > > characters.
> > > > >
> > > > > This patch sanitizes task->comm to only contain printable characters
> > > > > when it is set. Additionally, it redefines get_task_comm so that it
> > > > > is more obvious when misused by callers (presently nothing was
> > > > > incorrectly calling get_task_comm's unsafe use of strncpy).
>
> For the audit system, we want the real, unsanitized task->comm. We record it
> in a special format to the audit logs such that unprintable characters are
> included. We want it exactly this way for certification purposes as well as
> forensic evidence if someone was playing games. If you do sanitize it for
> other areas of the kernel, please give us a way to get the unsanitized text.
Probably this mail is offtopic. I think audit is unrelated with this discusstion. because when
forensic, admins shouldn't believe task->comm at all. because 1) no path information,
perhaps "ls" might mean "/home/attackers-dir/evil-script/ls" 2) easily obscured by
prctl(PR_SET_NAME).
That said, audit have to logged following two point if task name is necessary.
1) exec
2) prctl(PRT_SET_NAME)
Thought ?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/