[PATCH] ubi: avoid workqueue format string leak
Artem Bityutskiy
artem.bityutskiy at linux.intel.com
Tue Apr 8 07:43:27 PDT 2014
On Tue, 2014-04-08 at 10:57 -0300, Ezequiel Garcia wrote:
> Hello Kees,
>
> Thanks for the patch.
>
> On Apr 07, Kees Cook wrote:
> > When building the name for the workqueue thread, make sure a format
> > string cannot leak in from the disk name.
> >
>
> Could you enlighten me and explain why you want to avoid the name leak?
> Is it a security concern?
>
> I'd like to understand this better, so I can avoid making such mistakes
> in the future.
Well, the basics seem to be simple: an attacker makes sure gd->disk_name
contains a bunch of "%s" and other placeholders, and this leads
"workqueue_alloc()" to read kernel memory and form the workqueue name.
I did not think it through further, though, but that was enough for me
to apply the patch right away. But yeah, the curious parts are:
1. How an attacker could end up with a crafted "gd->disk_name"
2. How an attacker gets the workqueue name then; I guess there is a sysfs
file or something, but I do not know off the top of my head.
Yeah, I am interested to get educated on this too.
--
Best Regards,
Artem Bityutskiy
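The two call shapes under discussion, as an added userspace model that is not Kees Cook's patch or kernel code: alloc_workqueue() takes a printf-style format, so whether the disk name is passed as the format or as a "%s" argument decides whether its '%' characters are interpreted. The helper names (wq_name_printf, wq_name_unsafe, wq_name_safe, name_has_directive) and the sample disk name are mine.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a kernel API that takes a printf-style format, as
 * alloc_workqueue() does. No format attribute, so the compiler cannot
 * flag a non-literal format at the call sites below. */
static int wq_name_printf(char *out, size_t n, const char *fmt, ...)
{
	va_list ap;
	int len;
	va_start(ap, fmt);
	len = vsnprintf(out, n, fmt, ap);
	va_end(ap);
	return len;
}

/* Bug shape: the disk name *is* the format string, so any '%' directive
 * in it is interpreted and may read arguments that were never passed. */
int wq_name_unsafe(char *out, size_t n, const char *disk_name)
{
	return wq_name_printf(out, n, disk_name);
}

/* Fixed shape: a literal "%s" is the format; the disk name is only data
 * and its '%' characters are copied verbatim. */
int wq_name_safe(char *out, size_t n, const char *disk_name)
{
	return wq_name_printf(out, n, "%s", disk_name);
}

/* Defender-side sanity check: a name that reaches a format-taking API
 * should never carry a directive. */
bool name_has_directive(const char *disk_name)
{
	return strchr(disk_name, '%') != NULL;
}

int main(void)
{
	/* Constructed sample: "%%" is safe to push through both paths. */
	const char *disk_name = "ubiblock0_%%x";
	char buf[32];
	wq_name_unsafe(buf, sizeof(buf), disk_name);
	printf("unsafe: %s\n", buf);  /* ubiblock0_%x  (directive consumed) */
	wq_name_safe(buf, sizeof(buf), disk_name);
	printf("safe:   %s  flagged=%d\n", buf, name_has_directive(disk_name));
	return 0;
}
```

With a real "%s" in the name the unsafe path would read a missing argument, which is undefined behaviour; the sample uses "%%" only so that both paths can be run and compared.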