Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp744126ybv;
        Thu, 13 Feb 2020 08:43:33 -0800 (PST)
X-Google-Smtp-Source: APXvYqwWP7jc5ZI0RwOMhZT/vRG+0Lt2yejIGs3jKGXeJrq2ELAFahi2t6Wbtu9VdaeCXdd7NEhD
X-Received: by 2002:a05:6808:1:: with SMTP id u1mr3611117oic.74.1581612213765;
        Thu, 13 Feb 2020 08:43:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581612213; cv=none;
        d=google.com; s=arc-20160816;
        b=DLb+mfYWNblHGuRwdC4XQqZ4Qso7wg2KecxjbMDuYnl5OasZj0LiNUKrDL+IMFQ35g
         3YNfV9M1/mC103/33djiEpriB3UNGuChzHKNeDr7gh3aGmAqi2jHEqjfgvuco1ZTh+EX
         bKvD64S+LHMrjBSFKQYDHDPBMMyWOoMYvbzZRoobGJvGmO6SdLiFtjVFaFOUBWpy6Ax+
         J8cdQAZDJmPKLqZ4iykBdmNUuXi7NFxEOI3qnxD2bdFjK1eXzETXQ22acYodpvRD9pof
         yY6/lfNQofa5lSb5+g7f9WjyQUu3DVuRsxcW4ox128BSH02pOnoYm3APqee2DMWgaFun
         zk5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=bhsGWp5ne3QnPpqxRlkmT7D4Kf4En5d9ZglTG1EbOnk=;
        b=nk1cMlsOuYPILnfiOhWQi1wuTSRo4srOXVFoTzkOvmoVyEv5MGNyj6X/Mxfq+itjtI
         V+cTYtZwPCh4ByNPQrmghaM3dgPx2Cj+acnY9Ag4qV6ILAhBmTVUBh94J3V/HvSVWHM8
         DpIOIyBrNxXUpH0lTydQ0xUY4mYWEdTQZqszXJ47ZnqG6BoyiY4u8JrGQzkh6k2PnpED
         cqvGGODwDDtzv0JuzusFM+Qfi6He9aZiTCQQWl26a6Mor6pqF6e1slfwV8GfWAkq8Kdj
         XuUqiu/IOoGugbF4j281kaRMIrAySN9C0CpcWOJeW1pe4gqdic7u6oHjd9RyHn4tvGni
         qBAA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=m8NYusRz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k128si1453778oih.274.2020.02.13.08.43.21;
        Thu, 13 Feb 2020 08:43:33 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=m8NYusRz;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727785AbgBMQmI (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Thu, 13 Feb 2020 11:42:08 -0500
Received: from mail-wr1-f68.google.com ([209.85.221.68]:42409 "EHLO
        mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727436AbgBMQmI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Feb 2020 11:42:08 -0500
Received: by mail-wr1-f68.google.com with SMTP id k11so7497058wrd.9
        for <linux-kernel@vger.kernel.org>; Thu, 13 Feb 2020 08:42:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=bhsGWp5ne3QnPpqxRlkmT7D4Kf4En5d9ZglTG1EbOnk=;
        b=m8NYusRz6pGqHOIbtp/UK78XKjqljtr184HPe9b+etmJlQW5bOC0mqRml3sp3A2Nex
         N9KUVzKA/H6LA57hd/WtL2VYTogSF+e5X26N9Asa0oqItBCe9w+TUW3A2kGEytUCAOD4
         6rFqWl2yOLpJLp1uNWXRV1ynAwxNB/iZFrbk6gFXpgUzJYYaetcphvbT2Xdlvm3AHYo4
         Y8xCiIKAkjS6D9Uh9wSpED1US3WCBkrs4amLxNRKzPpVQnDzUUUMIw67I85IBjoV0yp8
         JLsaF3tMPDbO6nD1dEbIxfITuTMegxy42BdnsKnyTucmzuDRSFW7cuD8Dr4LGBexGAX0
         JLDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=bhsGWp5ne3QnPpqxRlkmT7D4Kf4En5d9ZglTG1EbOnk=;
        b=qA0EnWGMFy17h8GLZSbR0vC1QlZddgtVOG2TapcDNvKz58qRKXdqTxGCsop20ihk4T
         tRMJYNBNhOIiDBojTXsTNh2/FmUJ+DJnjcW+9Pg0Z79HCvWccScs6lEHlm5BuPBI0CpG
         w6vjbf8sbcTVOFZ+yj9nR+pBdK/3WztcT3J1dkMI40/BIrma5oQAOMb7JwzF7un6NWmy
         tgrf6DwNdV/Ej9j6AMHq9dGYYgMd46YAfmOvYqFWsj+a49B19th0pvjJqljZy9cQCmps
         bkmevcti83ew8gVSSjZ+zuk18ViqZHfW2y66AApyWTxCiCu82F35n7M9QivD63GyCEDR
         K5Pg==
X-Gm-Message-State: APjAAAUgcTnROdpDHsxEa+yJeDA/KDEpzrqpEzllz6jj33VtPuJ1YS/K
        gZ455OC5nJxpmPi8/WBiZY8Bww==
X-Received: by 2002:a5d:438c:: with SMTP id i12mr21947668wrq.51.1581612124532;
        Thu, 13 Feb 2020 08:42:04 -0800 (PST)
Received: from wychelm.lan (cpc141214-aztw34-2-0-cust773.18-1.cable.virginm.net. [86.9.19.6])
        by smtp.gmail.com with ESMTPSA id o4sm3461402wrx.25.2020.02.13.08.42.03
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 13 Feb 2020 08:42:04 -0800 (PST)
From:   Daniel Thompson <daniel.thompson@linaro.org>
To:     Jason Wessel <jason.wessel@windriver.com>,
        Daniel Thompson <daniel.thompson@linaro.org>,
        Douglas Anderson <dianders@chromium.org>
Cc:     kgdb-bugreport@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        patches@linaro.org, Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Subject: [PATCH] kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ
Date:   Thu, 13 Feb 2020 16:41:46 +0000
Message-Id: <20200213164146.366251-1-daniel.thompson@linaro.org>
X-Mailer: git-send-email 2.23.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently the PROMPT variable could be abused to provoke the printf()
machinery to read outside the current stack frame. Normally this
doesn't matter becaues md is already a much better tool for reading
from memory.

However the md command can be disabled by not setting KDB_ENABLE_MEM_READ.
Let's also prevent PROMPT from being modified in these circumstances.

Whilst adding a comment to help future code reviewers we also remove
the #ifdef where PROMPT in consumed. There is no problem passing an
unused (0) to snprintf when !CONFIG_SMP.
argument

Reported-by: Wang Xiayang <xywang.sjtu@sjtu.edu.cn>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
---
 kernel/debug/kdb/kdb_main.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index ba12e9f4661e..8dae08792641 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -398,6 +398,13 @@ int kdb_set(int argc, const char **argv)
 	if (argc != 2)
 		return KDB_ARGCOUNT;

+	/*
+	 * Censor sensitive variables
+	 */
+	if (strcmp(argv[1], "PROMPT") == 0 &&
+	    !kdb_check_flags(KDB_ENABLE_MEM_READ, kdb_cmd_enabled, false))
+		return KDB_NOPERM;
+
 	/*
 	 * Check for internal variables
 	 */
@@ -1298,12 +1305,9 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs,
 		*(cmd_hist[cmd_head]) = '\0';

 do_full_getstr:
-#if defined(CONFIG_SMP)
+		/* PROMPT can only be set if we have MEM_READ permission. */
 		snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"),
 			 raw_smp_processor_id());
-#else
-		snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"));
-#endif
 		if (defcmd_in_progress)
 			strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN);


base-commit: bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9
--
2.23.0