Subject: + vsprintf-ignore-arguments-to-%n.patch added to -mm tree
To: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
From: [email protected]
Date: Tue, 28 Jan 2014 12:05:40 -0800
The patch titled
Subject: vsprintf: ignore arguments to %n
has been added to the -mm tree. Its filename is
vsprintf-ignore-arguments-to-%n.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/vsprintf-ignore-arguments-to-%n.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/vsprintf-ignore-arguments-to-%n.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Kees Cook <[email protected]>
Subject: vsprintf: ignore arguments to %n
If arguments are consumed without output when encountering %n, it could be
used to benefit or improve information leak attacks that were exposed via
a limited size buffer. Since %n is not used by the kernel, there is no
reason to make an info leak attack any easier.
Signed-off-by: Kees Cook <[email protected]>
Cc: Ryan Mallon <[email protected]>
Cc: Jiri Kosina <[email protected]>
Cc: Joe Perches <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Olof Johansson <[email protected]>
Cc: Stepan Moskovchenko <[email protected]>
Cc: Daniel Borkmann <[email protected]>
Cc: <[email protected]> [3.13+]
Signed-off-by: Andrew Morton <[email protected]>
---
lib/vsprintf.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff -puN lib/vsprintf.c~vsprintf-ignore-arguments-to-%n lib/vsprintf.c
--- a/lib/vsprintf.c~vsprintf-ignore-arguments-to-%n
+++ a/lib/vsprintf.c
@@ -1735,14 +1735,10 @@ int vsnprintf(char *buf, size_t size, co
case FORMAT_TYPE_NRCHARS: {
/*
* Since %n poses a greater security risk than
- * utility, ignore %n and skip its argument.
+ * utility, it should not be implemented. Instead,
+ * when encountering %n, ignore the arguments.
*/
- void *skip_arg;
-
- WARN_ONCE(1, "Please remove ignored %%n in '%s'\n",
- old_fmt);
-
- skip_arg = va_arg(args, void *);
+ WARN_ONCE(1, "Ignored %%n in '%s'\n", old_fmt);
break;
}
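Review bot: In the FORMAT_TYPE_NRCHARS case, removing "skip_arg = va_arg(args, void *);" leaves the pointer that was passed for %n in the va_list, so every conversion that follows %n in the same format string now reads an argument one position off, and the new comment does not say so. "Ignore the arguments" reads as though the argument were still skipped; please reword the comment to state that the argument is deliberately not consumed and that later conversions in that format will be misaligned. The warning text also loses the "Please remove" wording, so a caller who hits the WARN_ONCE is no longer told that the format string itself needs fixing; consider keeping that instruction in the message.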
_
Patches currently in -mm which might be from [email protected] are
origin.patch
vsprintf-ignore-arguments-to-%n.patch
lib-vsprintf-add-%pt-format-specifier.patch
binfmt_elfc-use-get_random_int-to-fix-entropy-depleting.patch
linux-next.patch