Date: Thu, 6 Jun 2019 09:44:26 -0400
From: Neil Horman
To: Paul Wise
Cc: Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Morton, Jakub Wilk
Subject: Re: [PATCH v3] coredump: Split pipe command whitespace before expanding template
Message-ID: <20190606134426.GD29521@hmswarspite.think-freely.org>
References: <20190521003756.5236-1-pabs3@bonedaddy.net> <20190528051142.24939-1-pabs3@bonedaddy.net>
In-Reply-To: <20190528051142.24939-1-pabs3@bonedaddy.net>
User-Agent: Mutt/1.11.3 (2019-02-01)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 28, 2019 at 01:11:42PM +0800, Paul Wise wrote:
> Save the offsets of the start of each argument to avoid having to
> update pointers to each argument after every corename krealloc and
> to avoid having to duplicate the memory for the dump command.
>
> Executable names containing spaces were previously being expanded from
> %e or %E and then split in the middle of the filename. This is incorrect
> behaviour since an argument list can represent arguments with spaces.
>
> The splitting could lead to extra arguments being passed to the core dump
> handler that it might have interpreted as options or ignored completely.
>
> Core dump handlers that are not aware of this Linux kernel issue will be
> using %e or %E without considering that it may be split and so they will
> be vulnerable to processes with spaces in their names breaking their
> argument list. If their internals are otherwise well written, such as
> if they are written in shell but quote arguments, they will work better
> after this change than before. If they are not well written, then there
> is a slight chance of breakage depending on the details of the code but
> they will already be fairly broken by the split filenames.
>
> Core dump handlers that are aware of this Linux kernel issue will be
> placing %e or %E as the last item in their core_pattern and then
> aggregating all of the remaining arguments into one, separated by
> spaces. Alternatively they will be obtaining the filename via other
> methods. Both of these will be compatible with the new arrangement.
>
> A side effect from this change is that unknown template types
> (for example %z) result in an empty argument to the dump handler
> instead of the argument being dropped. This is a desired change as:
>
> It is easier for dump handlers to process empty arguments than dropped
> ones, especially if they are written in shell or don't pass each template
> item with a preceding command-line option in order to differentiate
> between individual template types. Most core_patterns in the wild do not
> use options so they can confuse different template types (especially
> numeric ones) if an earlier one gets dropped in old kernels. If the
> kernel introduces a new template type and a core_pattern uses it, the
> core dump handler might not expect that the argument can be dropped in
> old kernels.
>
> For example, this can result in security issues when %d is dropped in old
> kernels. This happened with the corekeeper package in Debian and resulted
> in the interface between corekeeper and Linux having to be rewritten to
> use command-line options to differentiate between template types.
>
> The core_pattern for most core dump handlers is written by the handler
> author who would generally not insert unknown template types so this
> change should be compatible with all the core dump handlers that exist.
>
> Fixes: 74aadce98605
> Reported-by: Jakub Wilk
> Reported-in: https://bugs.debian.org/924398
> Reported-by: Paul Wise
> Reported-in: https://lore.kernel.org/linux-fsdevel/c8b7ecb8508895bf4adb62a748e2ea2c71854597.camel@bonedaddy.net/
> Suggested-by: Jakub Wilk
> Signed-off-by: Paul Wise > --- > fs/coredump.c | 44 +++++++++++++++++++++++++++++++++++++++----- > 1 file changed, 39 insertions(+), 5 deletions(-) > > Changelog: > v3 Adjust footer fields, drop obvious comment > v2 Fix build failure due to typo after variable renaming > > diff --git a/fs/coredump.c b/fs/coredump.c > index e42e17e55bfd..b1ea7dfbd149 100644 > --- a/fs/coredump.c > +++ b/fs/coredump.c > @@ -7,6 +7,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -187,11 +188,13 @@ static int cn_print_exe_file(struct core_name *cn) > * name into corename, which must have space for at least > * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. > */ > -static int format_corename(struct core_name *cn, struct coredump_params *cprm) > +static int format_corename(struct core_name *cn, struct coredump_params *cprm, > + size_t **argv, int *argc) > { > const struct cred *cred = current_cred(); > const char *pat_ptr = core_pattern; > int ispipe = (*pat_ptr == '|'); > + bool was_space = false; > int pid_in_pattern = 0; > int err = 0; 
> > @@ -201,12 +204,35 @@ static int format_corename(struct core_name *cn, struct coredump_params *cprm) > return -ENOMEM; > cn->corename[0] = '\0'; > > - if (ispipe) > + if (ispipe) { > + int argvs = sizeof(core_pattern) / 2; > + (*argv) = kmalloc_array(argvs, sizeof(**argv), GFP_KERNEL); > + if (!(*argv)) > + return -ENOMEM; > + (*argv)[(*argc)++] = 0; > ++pat_ptr; > + } > > /* Repeat as long as we have more pattern to process and more output > space */ > while (*pat_ptr) { > + /* > + * Split on spaces before doing template expansion so that > + * %e and %E don't get split if they have spaces in them > + */ > + if (ispipe) { > + if (isspace(*pat_ptr)) { > + was_space = true; > + pat_ptr++; > + continue; > + } else if (was_space) { > + was_space = false; > + err = cn_printf(cn, "%c", '\0'); > + if (err) > + return err; > + (*argv)[(*argc)++] = cn->used; > + } > + } > if (*pat_ptr != '%') { > err = cn_printf(cn, "%c", *pat_ptr++); > } else { > @@ -546,6 +572,8 @@ void do_coredump(const kernel_siginfo_t *siginfo) > struct cred *cred; > int retval = 0; > int ispipe; > + size_t *argv = NULL; > + int argc = 0; > struct files_struct *displaced; > /* require nonrelative corefile path and be extra careful */ > bool need_suid_safe = false; > @@ -592,9 +620,10 @@ void do_coredump(const kernel_siginfo_t *siginfo) > > old_cred = override_creds(cred); > > - ispipe = format_corename(&cn, &cprm); > + ispipe = format_corename(&cn, &cprm, &argv, &argc); > > if (ispipe) { > + int argi; > int dump_count; > char **helper_argv; > struct subprocess_info *sub_info; 
> @@ -637,12 +666,16 @@ void do_coredump(const kernel_siginfo_t *siginfo) > goto fail_dropcount; > } > > - helper_argv = argv_split(GFP_KERNEL, cn.corename, NULL); > + helper_argv = kmalloc_array(argc + 1, sizeof(*helper_argv), > + GFP_KERNEL); > if (!helper_argv) { > printk(KERN_WARNING "%s failed to allocate memory\n", > __func__); > goto fail_dropcount; > } > + for (argi = 0; argi < argc; argi++) > + helper_argv[argi] = cn.corename + argv[argi]; > + helper_argv[argi] = NULL; > > retval = -ENOMEM; > sub_info = call_usermodehelper_setup(helper_argv[0], > @@ -652,7 +685,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > retval = call_usermodehelper_exec(sub_info, > UMH_WAIT_EXEC); > > - argv_free(helper_argv); > + kfree(helper_argv); > if (retval) { > printk(KERN_INFO "Core dump to |%s pipe failed\n", > cn.corename); > @@ -766,6 +799,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) > if (ispipe) > atomic_dec(&core_dump_count); > fail_unlock: > + kfree(argv); > kfree(cn.corename); > coredump_finish(mm, core_dumped); > revert_creds(old_cred); > -- > 2.20.1 > > Acked-by: Neil Horman
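Review bot: the comment above format_corename, whose tail the `@@ -187,11 +188,13 @@` hunk shows as context (`name into corename, which must have space for at least CORENAME_MAX_SIZE bytes plus one byte for the zero terminator.`), still documents only corename; with the new `size_t **argv, int *argc` parameters it should also say that, for a pipe pattern, *argv receives byte offsets into cn->corename rather than pointers (offsets precisely because corename is krealloc'd during expansion, as the commit message explains), that *argc is incremented from whatever the caller passed in rather than reset, and that the caller owns *argv and must kfree() it on every exit path, which do_coredump does at fail_unlock.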
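Review bot: in the `if (ispipe) {` block of the `@@ -201,12 +204,35 @@` hunk, `(*argv)[(*argc)++] = 0;` records argument 0 before any of the pattern has been looked at, and the loop only appends a further offset on a whitespace-to-non-whitespace transition, so a core_pattern of just `|`, or one with whitespace directly after the `|` such as `| /usr/bin/handler`, ends up with helper_argv[0] pointing at an empty string (offset 0 lands on the NUL from `cn->corename[0] = '\0';`, or on the separator NUL written by `cn_printf(cn, "%c", '\0');`), and call_usermodehelper_setup() is handed "" as the path. Consider skipping leading whitespace after `++pat_ptr;` before recording the first offset and returning an error when nothing but whitespace follows the `|`, so the empty-command case fails cleanly in do_coredump instead of at exec time. In the same block, `int argvs = sizeof(core_pattern) / 2;` sizes the offset array, yet nothing at the `(*argv)[(*argc)++] = cn->used;` store checks `*argc` against it; the bound appears to hold only because every offset after the first must be preceded by at least one whitespace byte inside core_pattern, and that reasoning is not written down. A one-line comment stating it, or a defensive check before the store, would keep a future change to the pattern length or the splitting rule from turning this into an out-of-bounds write. The comment `Split on spaces before doing template expansion` could also say "whitespace", since isspace() accepts tabs and newlines as well.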
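The two splitting orders the commit message contrasts, as an added userspace model that is neither kernel code nor part of the patch: a miniature template expander (only %e and %p are recognised, so anything else, such as %z, is an unknown template that expands to nothing, as in the kernel) is run over a pipe-style core_pattern both the old way (expand the whole command, then split on whitespace) and the patched way (split the raw pattern on whitespace, then expand each piece). The handler path /usr/bin/handler, the process name "my prog --debug" and the pid 4242 are constructed for illustration; the model collapses leading and repeated whitespace in both orders, which simplifies the kernel's offset bookkeeping.

```c
/* Userspace model of core_pattern pipe-command splitting (added example, not
 * kernel code). Only %e and %p are expanded; anything else, e.g. %z, is an
 * unknown template and expands to nothing, as in the kernel. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 64
#define BUF_SIZE 256

/* Constructed sample process: a comm name with embedded spaces. */
static const char *sample_comm = "my prog --debug";
static const int sample_pid = 4242;

/* Expand every template in pat into out; unknown templates add nothing. */
static void expand(const char *pat, char *out, size_t cap)
{
    size_t used = 0;
    while (*pat && used + 1 < cap) {
        int n = 0;
        if (*pat != '%') {
            out[used++] = *pat++;
            continue;
        }
        if (!*++pat)                /* trailing '%': nothing to expand */
            break;
        if (*pat == 'e')
            n = snprintf(out + used, cap - used, "%s", sample_comm);
        else if (*pat == 'p')
            n = snprintf(out + used, cap - used, "%d", sample_pid);
        pat++;
        /* snprintf reports the would-be length; clamp to what fits */
        used += (size_t)n < cap - used ? (size_t)n : cap - used - 1;
    }
    out[used] = '\0';
}

/* Copy the next whitespace-delimited token of *pp into tok, collapsing
 * whitespace runs (as argv_split() does); 0 when input is exhausted. */
static int next_token(const char **pp, char *tok, size_t cap)
{
    size_t n = 0;
    while (isspace((unsigned char)**pp))
        (*pp)++;
    if (!**pp)
        return 0;
    while (**pp && !isspace((unsigned char)**pp) && n + 1 < cap)
        tok[n++] = *(*pp)++;
    tok[n] = '\0';
    return 1;
}

/* Old behaviour: expand the whole command, then split the result. Spaces
 * inside an expansion become argument boundaries; %z vanishes entirely. */
static int split_after_expand(const char *pat, char argv[][BUF_SIZE], int max)
{
    char buf[BUF_SIZE];
    const char *p = buf;
    int argc = 0;
    expand(pat + (*pat == '|'), buf, sizeof buf);
    while (argc < max && next_token(&p, argv[argc], BUF_SIZE))
        argc++;
    return argc;
}

/* Patched behaviour: split the raw pattern first, then expand each piece.
 * Boundaries come only from the pattern; %z yields an empty argument. */
static int split_before_expand(const char *pat, char argv[][BUF_SIZE], int max)
{
    char piece[BUF_SIZE];
    int argc = 0;
    pat += (*pat == '|');
    while (argc < max && next_token(&pat, piece, sizeof piece))
        expand(piece, argv[argc++], BUF_SIZE);
    return argc;
}

/* Entry points: run one model over a pattern and keep its argv for arg(). */
static char g_argv[MAX_ARGS][BUF_SIZE];
int old_argc(const char *pat) { return split_after_expand(pat, g_argv, MAX_ARGS); }
int new_argc(const char *pat) { return split_before_expand(pat, g_argv, MAX_ARGS); }
const char *arg(int i) { return i >= 0 && i < MAX_ARGS ? g_argv[i] : ""; }

int main(void)
{
    const char *pat = "|/usr/bin/handler %e %p";
    int (*models[2])(const char *) = { old_argc, new_argc };
    int m, i, n;
    for (m = 0; m < 2; m++) {
        printf("%s split of \"%s\":", m ? "new" : "old", pat);
        for (n = models[m](pat), i = 0; i < n; i++)
            printf(" [%s]", arg(i));
        putchar('\n');
    }
    return 0;
}
```

With the constructed name, the old order hands the handler five arguments, the third of which is "--debug" and looks exactly like an option, while the patched order hands it three, with the whole name as one argument; for "|/usr/bin/handler %z %p" the old order silently shifts the pid into the slot the handler expects %z to occupy, and the patched order keeps the slot as an empty string.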