[PATCH 0/4] os/log: fixes for timestamps and malicious devices

Daniel Stone daniel at fooishbar.org
Wed Apr 18 05:33:42 PDT 2012


Hi,

On 18 April 2012 13:14, Daniel Kurtz <djkurtz at chromium.org> wrote:
> On Wed, Apr 18, 2012 at 7:42 PM, Daniel Stone <daniel at fooishbar.org> wrote:
>> On 18 April 2012 10:51, Daniel Kurtz <djkurtz at chromium.org> wrote:
>> > Input drivers like to prepend the device name to logging messages using
>> > LogVHdrMessageVerb().  The current implementation of this function used
>> > the output of a snprintf() as the format string of another snprintf().
>> > This is a big no-no, as a device name containing format strings could
>> > cause "Bad Things" to happen.
>>
>> ... really? If the kernel, root (given that /dev/input is 600
>> root:root by default) or your keyboard hardware is trying to attack
>> you, I'm pretty sure format strings in device names are the least of
>> your worries.
>
> Bluetooth device names are commonly assigned by users.
> Including the possible name "%n%n%n%n".
> That name may crash X.

Wow, that's pretty obnoxious - I'm surprised BlueZ even allows that to
be honest ...

Cheers,
Daniel
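
The double-formatting pattern described in the quoted patch summary, as an added example that is not part of the original thread and is not the X server's code. `log_hdr_unsafe` and `log_hdr_safe` are hypothetical helpers, and the device name is constructed, using `%%` so the reinterpretation is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: header and caller format are merged by one snprintf(),
 * and the merged text is then used as the format of a second call. */
static int log_hdr_unsafe(char *out, size_t n, const char *dev_name,
                          const char *msg_fmt, ...)
{
    char merged[256];
    va_list ap;
    int len;

    snprintf(merged, sizeof(merged), "%s: %s", dev_name, msg_fmt);
    va_start(ap, msg_fmt);
    len = vsnprintf(out, n, merged, ap);   /* dev_name is parsed as format */
    va_end(ap);
    return len;
}

/* Hardened shape: the name is only ever a "%s" argument; the caller's
 * format is expanded separately into the rest of the buffer. */
static int log_hdr_safe(char *out, size_t n, const char *dev_name,
                        const char *msg_fmt, ...)
{
    va_list ap;
    int hdr, body;

    hdr = snprintf(out, n, "%s: ", dev_name);
    if (hdr < 0 || (size_t)hdr >= n)
        return hdr;                         /* header truncated or failed */
    va_start(ap, msg_fmt);
    body = vsnprintf(out + hdr, n - hdr, msg_fmt, ap);
    va_end(ap);
    return body < 0 ? body : hdr + body;
}

int main(void)
{
    /* Constructed device name, not taken from the thread. */
    const char *name = "Pad 100%% BT";
    char a[128], b[128];

    log_hdr_unsafe(a, sizeof(a), name, "touch %d\n", 3);
    log_hdr_safe(b, sizeof(b), name, "touch %d\n", 3);
    printf("unsafe: %ssafe:   %s", a, b);
    return 0;
}
```

In the unsafe variant the logged name differs from the name the device reported, which is the sign that it was parsed as a format; the hardened variant logs it byte for byte.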

