| Message ID | 20200213164146.366251-1-daniel.thompson@linaro.org |
|---|---|
| State | Accepted |
| Commit | ad99b5105c0823ff02126497f4366e6a8009453e |
| Headers | show |
| Series | kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ | expand |
Hi, On Thu, Feb 13, 2020 at 8:42 AM Daniel Thompson <daniel.thompson@linaro.org> wrote: > > Currently the PROMPT variable could be abused to provoke the printf() > machinery to read outside the current stack frame. Normally this > doesn't matter becaues md is already a much better tool for reading > from memory. > > However the md command can be disabled by not setting KDB_ENABLE_MEM_READ. > Let's also prevent PROMPT from being modified in these circumstances. > > Whilst adding a comment to help future code reviewers we also remove > the #ifdef where PROMPT in consumed. There is no problem passing an > unused (0) to snprintf when !CONFIG_SMP. > argument > > Reported-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn> > Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org> > --- > kernel/debug/kdb/kdb_main.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) I can't say I'm an expert on the kdb permissions model since I wasn't really even aware of it before reading this patch, but your change seems reasonable to me. Reviewed-by: Douglas Anderson <dianders@chromium.org>
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index ba12e9f4661e..8dae08792641 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -398,6 +398,13 @@ int kdb_set(int argc, const char **argv) if (argc != 2) return KDB_ARGCOUNT; + /* + * Censor sensitive variables + */ + if (strcmp(argv[1], "PROMPT") == 0 && + !kdb_check_flags(KDB_ENABLE_MEM_READ, kdb_cmd_enabled, false)) + return KDB_NOPERM; + /* * Check for internal variables */ @@ -1298,12 +1305,9 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs, *(cmd_hist[cmd_head]) = '\0'; do_full_getstr: -#if defined(CONFIG_SMP) + /* PROMPT can only be set if we have MEM_READ permission. */ snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"), raw_smp_processor_id()); -#else - snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT")); -#endif if (defcmd_in_progress) strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN);
Currently the PROMPT variable could be abused to provoke the printf() machinery to read outside the current stack frame. Normally this doesn't matter becaues md is already a much better tool for reading from memory. However the md command can be disabled by not setting KDB_ENABLE_MEM_READ. Let's also prevent PROMPT from being modified in these circumstances. Whilst adding a comment to help future code reviewers we also remove the #ifdef where PROMPT in consumed. There is no problem passing an unused (0) to snprintf when !CONFIG_SMP. argument Reported-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn> Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org> --- kernel/debug/kdb/kdb_main.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) base-commit: bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9 -- 2.23.0