Commit fd7060f6 authored by Mathias Krause's avatar Mathias Krause Committed by Luis Henriques

printk: prevent userland from spoofing kernel messages

commit 3824657c upstream.

The following statement of ABI/testing/dev-kmsg is not quite right:

   It is not possible to inject messages from userspace with the
   facility number LOG_KERN (0), to make sure that the origin of the
   messages can always be reliably determined.

Userland actually can inject messages with a facility of 0 by abusing the
fact that the facility is stored in a u8 data type.  By using a facility
which is a multiple of 256 the assignment of msg->facility in log_store()
implicitly truncates it to 0, i.e.  LOG_KERN, allowing users of /dev/kmsg
to spoof kernel messages as shown below:

The following call...
   # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
...leads to the following log entry (dmesg -x | tail -n 1):
   user  :emerg : [   66.137758] Kernel panic - not syncing: beer empty

However, this call...
   # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
...leads to the slightly different log entry (note the kernel facility):
   kern  :emerg : [   74.177343] Kernel panic - not syncing: beer empty

Fix that by limiting the user provided facility to 8 bit right from the
beginning and catch the truncation early.

Fixes: 7ff9554b ("printk: convert byte-buffer to variable-length...")
Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Petr Mladek <pmladek@suse.cz>
Cc: Alex Elder <elder@linaro.org>
Cc: Joe Perches <joe@perches.com>
Cc: Kay Sievers <kay@vrfy.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
[ kamal: backport to 3.13-stable: retain local 'int i' ]
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent cd21931f
...@@ -259,6 +259,9 @@ static u32 clear_idx; ...@@ -259,6 +259,9 @@ static u32 clear_idx;
#define PREFIX_MAX 32 #define PREFIX_MAX 32
#define LOG_LINE_MAX 1024 - PREFIX_MAX #define LOG_LINE_MAX 1024 - PREFIX_MAX
#define LOG_LEVEL(v) ((v) & 0x07)
#define LOG_FACILITY(v) ((v) >> 3 & 0xff)
/* record buffer */ /* record buffer */
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
#define LOG_ALIGN 4 #define LOG_ALIGN 4
...@@ -547,12 +550,13 @@ static ssize_t devkmsg_writev(struct kiocb *iocb, const struct iovec *iv, ...@@ -547,12 +550,13 @@ static ssize_t devkmsg_writev(struct kiocb *iocb, const struct iovec *iv,
line = buf; line = buf;
if (line[0] == '<') { if (line[0] == '<') {
char *endp = NULL; char *endp = NULL;
unsigned int u;
i = simple_strtoul(line+1, &endp, 10); u = simple_strtoul(line + 1, &endp, 10);
if (endp && endp[0] == '>') { if (endp && endp[0] == '>') {
level = i & 7; level = LOG_LEVEL(u);
if (i >> 3) if (LOG_FACILITY(u) != 0)
facility = i >> 3; facility = LOG_FACILITY(u);
endp++; endp++;
len -= endp - line; len -= endp - line;
line = endp; line = endp;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment