kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ

Currently the PROMPT variable could be abused to provoke the printf()
machinery to read outside the current stack frame. Normally this
doesn't matter becaues md is already a much better tool for reading
from memory.

However the md command can be disabled by not setting KDB_ENABLE_MEM_READ.
Let's also prevent PROMPT from being modified in these circumstances.

Whilst adding a comment to help future code reviewers we also remove
the #ifdef where PROMPT in consumed. There is no problem passing an
unused (0) to snprintf when !CONFIG_SMP.
argument

Reported-by: Wang Xiayang <[email protected]>
Signed-off-by: Daniel Thompson <[email protected]>
Reviewed-by: Douglas Anderson <[email protected]>

diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index a4641be4123c22ebf6218ba2c62f7a862eb33665..515379cbf20925caf95f43dbc88086bc812a6542 100644 (file)
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -398,6 +398,13 @@ int kdb_set(int argc, const char **argv)
        if (argc != 2)
                return KDB_ARGCOUNT;
 
+       /*
+        * Censor sensitive variables
+        */
+       if (strcmp(argv[1], "PROMPT") == 0 &&
+           !kdb_check_flags(KDB_ENABLE_MEM_READ, kdb_cmd_enabled, false))
+               return KDB_NOPERM;
+
        /*
         * Check for internal variables
         */
@@ -1298,12 +1305,9 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs,
                *(cmd_hist[cmd_head]) = '\0';
 
 do_full_getstr:
-#if defined(CONFIG_SMP)
+               /* PROMPT can only be set if we have MEM_READ permission. */
                snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"),
                         raw_smp_processor_id());
-#else
-               snprintf(kdb_prompt_str, CMD_BUFLEN, kdbgetenv("PROMPT"));
-#endif
                if (defcmd_in_progress)
                        strncat(kdb_prompt_str, "[defcmd]", CMD_BUFLEN);