Re: unsafe printk

[Richard B. Johnson]

On Thu, 16 Oct 2003, Albert Cahalan wrote:

> Suppose I name an executable this:
> "\n<0>Oops: EIP=0"
>
> That comes out as a KERN_EMERG log message,
> hitting the console and maybe a pager even.
>
> There seem to be a number of places in the
> kernel that printk current->comm without
> concern for what it may contain.
>
> Escape codes and non-ASCII can make for some
> interesting log messages as well. Terminals
> may have some programmable keys or answerback
> messages. So one day root is using grep on
> the log files, and they program the answerback
> string to contain a "\r\nrm -r /\r\n"...
>
> BTW, the 0x9b character is often an escape.

I remember this from VAX/VMS "system manager school"!
"Don't ever read anybody's data from the SYSTEM account...."

The text read could write a whole command-procedure to
the answer-back buffer, then tell it to answer-back! The
result would be the execution of anything from a privileged
account.

I don't think the built-in VT100-220 emulation has an
answer-back buffer, but there still are RS-232C terminals
out there........


Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
            Note 96.31% of all statistics are fiction.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/