Thread: 20 messages, 5 authors, 2021-10-01

Re: [PATCH v9 2/3] mm: add a field to store names for private anonymous memory

From: Kees Cook <hidden>
Date: 2021-09-03 22:28:34
Also in: linux-fsdevel, linux-mm, lkml

On Fri, Sep 03, 2021 at 02:56:21PM -0700, Suren Baghdasaryan wrote:
On Fri, Sep 3, 2021 at 2:47 PM Kees Cook [off-list ref] wrote:
(Sorry, a few more things jumped out at me when I looked again...)

On Thu, Sep 02, 2021 at 04:18:12PM -0700, Suren Baghdasaryan wrote:
[...]
diff --git a/kernel/sys.c b/kernel/sys.c
index 72c7639e3c98..25118902a376 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2299,6 +2299,64 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,

 #define PR_IO_FLUSHER (PF_MEMALLOC_NOIO | PF_LOCAL_THROTTLE)

+#ifdef CONFIG_MMU
+
+#define ANON_VMA_NAME_MAX_LEN        256
+
+static inline bool is_valid_name_char(char ch)
+{
+     /* printable ascii characters, except [ \ ] */
+     return (ch > 0x1f && ch < 0x5b) || (ch > 0x5d && ch < 0x7f);
+}
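Review bot: The range test in is_valid_name_char() relies on bare hex bounds (0x1f, 0x5b, 0x5d, 0x7f), so a reader has to decode them to confirm that only [ \ ] are carved out of printable ASCII and that space (0x20) is accepted. The comment also does not say why those three characters are excluded. Consider writing the exclusions as character literals or extending the comment with the reason. ANON_VMA_NAME_MAX_LEN likewise carries no comment saying whether 256 counts the terminating NUL.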
In the back of my mind, I feel like disallowing backtick would be nice,
but then if $, (, and ) are allowed, it doesn't matter, and that seems
too limiting. :)
It's not used by the only current user (Android) and we can always
allow more chars later. However going the other direction and
disallowing some of them I think would be harder (need to make sure
nobody uses them). WDYT if we keep it stricter and relax if needed?
I'd say, if we can also drop each of: ` $ ( )
then let's do it. Better to keep the obvious shell meta-characters out
of this, although I don't feel strongly about it. Anything that might
get confused by this would be similarly confused by binary names too:

$ cat /proc/3407216/maps
560bdafd4000-560bdafd6000 r--p 00000000 fd:02 2621909 /tmp/yay`wat

And it's probably easier to change a binary name than to call prctl. :P

I'm good either way. What you have now is great, but if we wanted to be
extra extra strict, we can add the other 4 above.

-- 
Kees Cook
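The two character rules discussed in this message, side by side, as an added userspace example that is not code from the patch or the thread: `is_valid_name_char()` copies the rule in the quoted hunk, while `is_valid_name_char_strict()`, `check_anon_name()` and `enum name_verdict` are hypothetical names, and treating the 256 limit as including the terminating NUL is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ANON_VMA_NAME_MAX_LEN 256 /* value from the quoted patch */

enum name_verdict { NAME_OK, NAME_TOO_LONG, NAME_BAD_CHAR }; /* hypothetical */

/* Rule from the quoted patch: printable ASCII except [ \ ] */
static bool is_valid_name_char(char ch)
{
    return (ch > 0x1f && ch < 0x5b) || (ch > 0x5d && ch < 0x7f);
}

/* Stricter variant floated in the reply: also reject ` $ ( ) (hypothetical helper) */
static bool is_valid_name_char_strict(char ch)
{
    return is_valid_name_char(ch) && strchr("`$()", ch) == NULL;
}

/*
 * Check a whole name under either rule (hypothetical helper). Assumption,
 * not stated on the page: the limit counts the terminating NUL.
 * On NAME_BAD_CHAR, *bad_idx (if non-NULL) receives the offending offset.
 */
static enum name_verdict check_anon_name(const char *name, bool strict, size_t *bad_idx)
{
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (i >= ANON_VMA_NAME_MAX_LEN - 1)
            return NAME_TOO_LONG;
        if (!(strict ? is_valid_name_char_strict(name[i]) : is_valid_name_char(name[i]))) {
            if (bad_idx)
                *bad_idx = i;
            return NAME_BAD_CHAR;
        }
    }
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample names; "yay`wat" mirrors the file name in the message. */
    const char *samples[] = { "yay`wat", "worker $(pool)", "heap[0]", "col\tsep" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s current=%d strict=%d\n", samples[i],
               check_anon_name(samples[i], false, NULL),
               check_anon_name(samples[i], true, NULL));
    return 0;
}
```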