[PATCH 0/4] os/log: fixes for timestamps and malicious devices

Daniel Kurtz djkurtz at chromium.org
Wed Apr 18 05:14:02 PDT 2012


On Wed, Apr 18, 2012 at 7:42 PM, Daniel Stone <daniel at fooishbar.org> wrote:

> Hi,
>
> On 18 April 2012 10:51, Daniel Kurtz <djkurtz at chromium.org> wrote:
> > Input drivers like to prepend the device name to logging messages using
> > LogVHdrMessageVerb().  The current implementation of this function used the
> > output of a snprintf() as the format string of another snprintf().  This is a
> > big no-no, as a device name containing format strings could cause "Bad Things"
> > to happen.
>
> ... really? If the kernel, root (given that /dev/input is 600
> root:root by default) or your keyboard hardware is trying to attack
> you, I'm pretty sure format strings in device names are the least of
> your worries.
>

Bluetooth device names are commonly assigned by users.
Including the possible name "%n%n%n%n".
That name may crash X.


> Cheers,
> Daniel
>
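
The pattern discussed in this thread, as an added example that is not part of the original messages and is not the X.Org code: a two-stage snprintf() that lets the device name act as a format string, beside a form that only ever passes the name as a %s argument. The function names log_hdr_unsafe, log_hdr_safe and name_survives are hypothetical, and the sample name uses "%%", which is merely rewritten to "%", so the difference is visible with well-defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Pattern from the thread: the name is formatted into a buffer that then
 * becomes the format string of a second call, so '%' in the name is parsed. */
static int log_hdr_unsafe(char *out, size_t n, const char *dev_name,
                          const char *msg_fmt, ...)
{
    char fmt[256];
    va_list ap;
    snprintf(fmt, sizeof fmt, "%s: %s", dev_name, msg_fmt);
    va_start(ap, msg_fmt);
    int len = vsnprintf(out, n, fmt, ap);   /* device name parsed as format */
    va_end(ap);
    return len;
}

/* Hardened form: the name is only a %s argument; the only string parsed
 * as a format is msg_fmt, which the calling driver supplies. */
static int log_hdr_safe(char *out, size_t n, const char *dev_name,
                        const char *msg_fmt, ...)
{
    va_list ap;
    int head = snprintf(out, n, "%s: ", dev_name);
    if (head < 0 || (size_t)head >= n)
        return head;                /* error, or header already truncated */
    va_start(ap, msg_fmt);
    int rest = vsnprintf(out + head, n - (size_t)head, msg_fmt, ap);
    va_end(ap);
    return rest < 0 ? rest : head + rest;
}

/* Returns 1 if the logged line begins with dev_name byte for byte. */
static int name_survives(int hardened, const char *dev_name)
{
    char line[256];
    if (hardened)
        log_hdr_safe(line, sizeof line, dev_name, "button %d", 3);
    else
        log_hdr_unsafe(line, sizeof line, dev_name, "button %d", 3);
    return strncmp(line, dev_name, strlen(dev_name)) == 0;
}

int main(void)
{
    const char *name = "Pad 100%% charged";  /* constructed sample name */
    printf("unsafe keeps name: %d\n", name_survives(0, name));
    printf("safe keeps name:   %d\n", name_survives(1, name));
}
```

Building callers with -Wformat=2 (GCC and Clang) flags the non-literal format argument in the first function at compile time.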