On Tue, 2014-04-08 at 10:57 -0300, Ezequiel Garcia wrote:
> Hello Kees,
>
> Thanks for the patch.
>
> On Apr 07, Kees Cook wrote:
> > When building the name for the workqueue thread, make sure a format
> > string cannot leak in from the disk name.
> >
>
> Could you enlighten me and explain why you want to avoid the name leak?
> Is it a security concern?
>
> I'd like to understand this better, so I can avoid making such mistakes
> in the future.
Well, the basics seem to be simple: an attacker makes sure gd->disk_name contains a bunch of "%s" and other placeholders, and this leads "workqueue_alloc()" to read kernel memory and form the workqueue name. I did not think it through further, though, but that was enough for me to apply the patch right away.

But yeah, curious parts are:

1. How attacker could end up with a crafted "gd->disk_name"
2. How attacker gets the workqueue name then, I guess there is a sysfs file or something, but I do not know off the top of my head.

Yeah, I am interested to get educated on this too.

--
Best Regards,
Artem Bityutskiy
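The bug class Artem describes, as an added illustration that is not part of the thread or of Kees's patch: a user-space model built on snprintf() rather than the kernel's workqueue allocator, with the pre-fix pattern (untrusted name used as the format) next to the fixed pattern (name passed as an argument to a fixed "%s" format), plus a small check a reviewer can use to count the directives an untrusted string would inject. The function names and the sample disk names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Shared output buffer so the results can be inspected after each call. */
static char g_buf[64];

/* Fixed pattern: the untrusted name is an argument, so "%s" inside it is
 * copied literally and never interpreted as a conversion directive. */
static int build_wq_name_safe(char *out, size_t n, const char *disk_name)
{
    return snprintf(out, n, "%s", disk_name);
}

/* Pre-fix pattern, kept only for comparison: the untrusted name *is* the
 * format string. With a name such as "sd%s" snprintf would read whatever
 * happens to be in the argument registers/stack, which is the leak the
 * patch closes. Only ever call this with a directive-free name. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int build_wq_name_unsafe(char *out, size_t n, const char *disk_name)
{
    return snprintf(out, n, disk_name);
}
#pragma GCC diagnostic pop

/* Review helper: number of conversion directives the string would inject if
 * it were ever used as a format. A doubled "%%" is a literal percent sign. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" escapes itself */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```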