• Mathias Krause's avatar
    printk: prevent userland from spoofing kernel messages · 3824657c
    Mathias Krause authored
    The following statement of ABI/testing/dev-kmsg is not quite right:
    
       It is not possible to inject messages from userspace with the
       facility number LOG_KERN (0), to make sure that the origin of the
       messages can always be reliably determined.
    
    Userland actually can inject messages with a facility of 0 by abusing the
    fact that the facility is stored in a u8 data type.  By using a facility
    which is a multiple of 256 the assignment of msg->facility in log_store()
    implicitly truncates it to 0, i.e.  LOG_KERN, allowing users of /dev/kmsg
    to spoof kernel messages as shown below:
    
    The following call...
       # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
    ...leads to the following log entry (dmesg -x | tail -n 1):
       user  :emerg : [   66.137758] Kernel panic - not syncing: beer empty
    
    However, this call...
       # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
    ...leads to the slightly different log entry (note the kernel facility):
       kern  :emerg : [   74.177343] Kernel panic - not syncing: beer empty
    
    Fix that by limiting the user provided facility to 8 bit right from the
    beginning and catch the truncation early.
    
    Fixes: 7ff9554b ("printk: convert byte-buffer to variable-length...")
    Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Petr Mladek <pmladek@suse.cz>
    Cc: Alex Elder <elder@linaro.org>
    Cc: Joe Perches <joe@perches.com>
    Cc: Kay Sievers <kay@vrfy.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    3824657c
printk.c 79 KB