Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp3495858ybd; Fri, 28 Jun 2019 09:34:31 -0700 (PDT) X-Google-Smtp-Source: APXvYqwrKHAcydYEwTVIDEqBaJ8L940sONan+seuYCm3wR9KJ66xC8PYkqb25QjTzx/ieESPwT8i X-Received: by 2002:a17:90a:3724:: with SMTP id u33mr14121808pjb.19.1561739671232; Fri, 28 Jun 2019 09:34:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561739671; cv=none; d=google.com; s=arc-20160816; b=VRCL9L6/BMjm7ICG/8GgsVhp6veSuolXqIJpzOkd2p7VX4Q48ouSCokOj+3BUpxAnI R+7IpzEVlL++nH1JomjkzN2UBSCJp3VyvY2tILRraAJMcecIpqBG3WxCbJHFescNZd99 62nrpr0dB8ZuUv2rUIfTzyfLyG9F+0nzEwmRHEYmqJGDfu3Xgg+Vy6Ma4sriGVOpXymr j2H+FrrG8ZdWWsS+oO32RT3OlpFHoQ399t1zohTM+IABxAAoFDihSbq5K2djv5Ohzu40 0fLfXDxNFbDYmnbjnu4Nkrfg1auKZSB+uVkKmxTR2ezvU6WisdTEhNAtHldP4/2psPh3 gnUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=x2BYSM1Q+b9lnfPVFgdQDkkaSWai/tuotCFT9++Vk0g=; b=uznWCCfQofOFe5S9YSr7qMVHUrF22PVA9BX/abTJZIUe9q/1IAYZpN/YxtvnnIjYsM aW6w4y6tK5jsNalNPhyX0vGMAYnFyNUz/pCCEJnQa7n07lyGUwSOCs6xk0oIpXri1i4G Be/SXk84ZfCshWcsjLq0AyKGaXYOybl9Kjqq+oEHqKxHwPg/xrOUtEE6TCrrLCcyTJqr RnSk6Jge7RXrNynIt6DwHrQJN+Zb7rWbR1OZG+bfBy8bubsHIKphMpVjnCOg1p152Iy2 wXc6b3wq5fDCpmjo+HWtezov0gLHCgiT0CAln2oWELuaZ152g7Lz0TTu7Bcd5PqiRf5p LOfQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m63si2750802pjb.8.2019.06.28.09.34.08; Fri, 28 Jun 2019 09:34:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726795AbfF1Qd7 (ORCPT + 99 others); Fri, 28 Jun 2019 12:33:59 -0400 Received: from fieldses.org ([173.255.197.46]:37464 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726667AbfF1Qd7 (ORCPT ); Fri, 28 Jun 2019 12:33:59 -0400 Received: by fieldses.org (Postfix, from userid 2815) id A1FCA1CE6; Fri, 28 Jun 2019 12:33:58 -0400 (EDT) Date: Fri, 28 Jun 2019 12:33:58 -0400 From: "J. Bruce Fields" To: Kees Cook Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 08/16] nfsd: escape high characters in binary data Message-ID: <20190628163358.GA31800@fieldses.org> References: <1561042275-12723-1-git-send-email-bfields@redhat.com> <1561042275-12723-9-git-send-email-bfields@redhat.com> <20190621174544.GC25590@fieldses.org> <201906211431.E6552108@keescook> <20190622190058.GD5343@fieldses.org> <201906221320.5BFC134713@keescook> <20190624210512.GA20331@fieldses.org> <20190626162149.GB4144@fieldses.org> <20190627202124.GC16388@fieldses.org> <201906272054.6954C08FA@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201906272054.6954C08FA@keescook> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Jun 27, 2019 at 08:58:22PM -0700, Kees Cook wrote: > On Thu, Jun 27, 2019 at 04:21:24PM -0400, J. Bruce Fields wrote: > > No, I was confused: "\n" is non-printable according to isprint(), so > > ESCAPE_ANY_NP *will* escape it. So this isn't quite so bad. SSIDs are > > usually printed as '%*pE', so arguably we should be escaping the single > > quote character too, but at least we're not allowing line breaks > > through. I don't know about non-ascii. > > Okay, cool. Given that most things are just trying to log, it seems like > it should be safe to have %pE escape non-ascii, non-printable, \, ', and "? > > And if we changing that, we're likely changing > string_escape_mem(). Looking at callers of string_escape_mem() makes my > head spin... kstrdup_quotable: - only a few callers, mostly just logging, but msm_gpu_crashstate_capture uses it to generate some data that looks like it goes in a crashdump. Dunno if there might be some utility depending on the current escaping. On the other hand, kstrdup_quotable uses ESCAPE_HEX, "\f\n\r\t\v\a\e\\\"" so those characters are all escaped as \xNN, so I'd hope any parser would be prepared to unescape any hex character, they'd have to go out of their way to do anything else. string_escape_str: - proc_task_name: ESCAPE_SPACE|ESCAPE_SPECIAL, "\n\\", used for command name in /proc//stat{us}. No way do I want to change the format of those files at all. - seq_escape: ESCAPE_OCTAL, esc: haven't surveyed callers carefully, but this probably shouldn't be changed. - qword_add: ESCAPE_OCTAL, "\\ \n\t", some nfsd upcalls. Fine as they are, but the other side will happily accept any octal or hex escaping. string_escape_mem_any_np, string_escape_str_any_np: - totally unused. escaped_string: this is the vsnprintf logic. Tons of users, haven't had a chance to look at them all. Almost all %*pE, the exceptions don't look important. So the only flag values we care about are ESCAPE_HEX, ESCAPE_OCTAL, ESCAPE_SPACE|ESCAPE_SPECIAL, and ESCAPE_ANY_NP. So this could be cleaned up some if we wanted. > Anyway, I don't want to block you needlessly. What would like to have > be next steps here? I might still be interested in some cleanup, I find the current logic unnecessarily confusing. But I may just give up and go with my existing patch and put off that project indefinitely, especially if there's no real need to fix the existing callers. I don't know.... --b.