[3.13.y-ckt stable] Patch "printk: prevent userland from spoofing kernel messages" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Dec 2 22:53:43 UTC 2015 

This is a note to let you know that I have just added a patch titled

    printk: prevent userland from spoofing kernel messages

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11-ckt31.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 4c2e341527e783d8c899eac926af4c902a682e78 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli at googlemail.com>
Date: Fri, 6 Nov 2015 16:30:38 -0800
Subject: printk: prevent userland from spoofing kernel messages

commit 3824657c522f19f85a76bd932821174a5557a382 upstream.

The following statement of ABI/testing/dev-kmsg is not quite right:

   It is not possible to inject messages from userspace with the
   facility number LOG_KERN (0), to make sure that the origin of the
   messages can always be reliably determined.

Userland actually can inject messages with a facility of 0 by abusing the
fact that the facility is stored in a u8 data type.  By using a facility
which is a multiple of 256 the assignment of msg->facility in log_store()
implicitly truncates it to 0, i.e.  LOG_KERN, allowing users of /dev/kmsg
to spoof kernel messages as shown below:

The following call...
   # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
...leads to the following log entry (dmesg -x | tail -n 1):
   user  :emerg : [   66.137758] Kernel panic - not syncing: beer empty

However, this call...
   # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
...leads to the slightly different log entry (note the kernel facility):
   kern  :emerg : [   74.177343] Kernel panic - not syncing: beer empty

Fix that by limiting the user provided facility to 8 bit right from the
beginning and catch the truncation early.

Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...")
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Petr Mladek <pmladek at suse.cz>
Cc: Alex Elder <elder at linaro.org>
Cc: Joe Perches <joe at perches.com>
Cc: Kay Sievers <kay at vrfy.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
[ kamal: backport to 3.13-stable: retain local 'int i' ]
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 kernel/printk/printk.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 9b6f5d2..322df13 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -239,6 +239,9 @@ static u32 clear_idx;
 #define PREFIX_MAX		32
 #define LOG_LINE_MAX		1024 - PREFIX_MAX

+#define LOG_LEVEL(v)		((v) & 0x07)
+#define LOG_FACILITY(v)		((v) >> 3 & 0xff)
+
 /* record buffer */
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
 #define LOG_ALIGN 4
@@ -452,12 +455,13 @@ static ssize_t devkmsg_writev(struct kiocb *iocb, const struct iovec *iv,
 	line = buf;
 	if (line[0] == '<') {
 		char *endp = NULL;
+		unsigned int u;

-		i = simple_strtoul(line+1, &endp, 10);
+		u = simple_strtoul(line + 1, &endp, 10);
 		if (endp && endp[0] == '>') {
-			level = i & 7;
-			if (i >> 3)
-				facility = i >> 3;
+			level = LOG_LEVEL(u);
+			if (LOG_FACILITY(u) != 0)
+				facility = LOG_FACILITY(u);
 			endp++;
 			len -= endp - line;
 			line = endp;
--
1.9.1

More information about the kernel-team mailing list