| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2009 00:50:11 -0500 From: Matt Mackall <mpm@...enic.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Arjan van de Ven <arjan@...radead.org>, Jake Edge <jake@....net>, security@...nel.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, Eric Paris <eparis@...hat.com>, Alan Cox <alan@...rguk.ukuu.org.uk>, Roland McGrath <roland@...hat.com>, mingo@...hat.com, Andrew Morton <akpm@...ux-foundation.org>, Greg KH <greg@...ah.com> Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes On Mon, May 04, 2009 at 03:24:15PM -0700, Linus Torvalds wrote: > > > On Mon, 4 May 2009, Eric W. Biederman wrote: > > > Arjan van de Ven <arjan@...radead.org> writes: > > > > > On Mon, 4 May 2009 12:00:12 -0700 (PDT) > > > Linus Torvalds <torvalds@...ux-foundation.org> wrote: > > > > > >> > > >> > > >> On Mon, 4 May 2009, Jake Edge wrote: > > >> > > > >> > This is essentially v2 of "[PATCH] proc: avoid leaking eip, esp, or > > >> > wchan to non-privileged processes", adding some of Eric Biederman's > > >> > suggestions as well as the start_stack change (only give out that > > >> > address if the process is ptrace()-able). This has been tested > > >> > with ps and top without any ill effects being seen. > > >> > > >> Looks sane to me. Anybody objects? > > >> > > > > > > Acked-by: Arjan van de Ven <arjan@...ux.intel.com> > > > > Looks sane here. > > > > Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com> > > Ok, applied. > > Also, does anybody have any commentary or opinion on the patch by Matt > Mackall to use stronger random numbers than "get_random_int()". I wonder > what the performance impact of that is - "get_random_int()" is very cheap > by design, and many users may consider calling "get_random_bytes()" to be > overkill and a potential performance issue. > > Quite frankly, the way "get_random_bytes()" works now (it does a _full_ > sha thing every time), I think it's insane overkill. But I do have to > admit that our current "get_random_int()" is insane _underkill_. > > I'd like to improve the latter without going to quie the extreme that > matt's patch did. ASLR aside, get_random_u32 is the right interface (strong, well-defined type) for random.c to export and get_random_int (weak, ambiguous type) is the wrong one. As to what's the appropriate sort of RNG for ASLR to use, finding a balance between too strong and too weak is tricky. I'd rather move things to a known safe point and back it off to acceptable performance from there if anyone complains. So let's do my patch now. Looking forward: A faster-but-weakened RNG for ASLR (and similar purposes) will still need to be strong in the cryptographic sense. Which probably means having secret state (per cpu?) that changes at every call via a strong cipher or hash (though lighter than the full RNG). Alternately, we use a weak primitive (eg halfmd4) with per-task secrets. Not really keen on the latter as a user may expose outputs across task boundaries that allow backtracking attacks against the ASLR. In other words, the latter requires disciplined users, while the former doesn't. -- Mathematics is the supreme nostalgia of our time. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists