| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Nov 2016 21:33:01 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Nicholas Piggin <npiggin@...il.com>
Cc: Michal Marek <mmarek@...e.com>,
Adam Borowski <kilobyte@...band.pl>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
Debian kernel maintainers <debian-kernel@...ts.debian.org>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>,
Arnd Bergmann <arnd@...db.de>, Ingo Molnar <mingo@...nel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] x86/kbuild: enable modversions for symbols exported
from asm
On Wed, 2016-11-30 at 10:40 -0800, Linus Torvalds wrote:
> > On Wed, Nov 30, 2016 at 10:18 AM, Nicholas Piggin <npiggin@...il.com> wrote:
> >
> > Here's an initial rough hack at removing modversions. It gives an idea
> > of the complexity we're carrying for this feature (keeping in mind most
> > of the lines removed are generated parser).
>
> You definitely don't have to try to convince me. We've had many issues
> with modversions over the years. This was just the "last drop" as far
> as I'm concerned, we've had random odd crc generation failures due to
> some build races too.
>
> > In its place I just added a simple config option to override vermagic
> > so distros can manage it entirely themselves.
>
> So at least Fedora doesn't even enable CONFIG_MODVERSIONS as-is. I'm
> _hoping_ it's just Debian that wants this,
The last time I looked, RHEL and SLE did. They change the release
string for each new kernel version, but they will copy/link old out-of-
tree modules into the new version's "weak-updates" module subdirectory
if the symbol versions still match.
> and we'd need to get some
> input from the Debian people whether that "control vermagic" is
> sufficient? I suspect it isn't, but I can't come up with any simple
> alternate model either..
Allowing the vermagic to be changed separately doesn't help us, as we
already control the release string. If we were to change some of the
module tools to consider vermagic then it would allow us to report the
full version in the release string while not forcing rebuilds on every
kernel upgrade - but that's not a pressing problem.
One thing that could work for us would be:
- Stricter version matching for in-tree modules (maybe some extra
part in vermagic that is skipped for out-of-tree modules)
- Ability to blacklist use of a symbol, or all symbols in a module,
by out-of-tree modules
where the blacklist would be a matter of distribution policy. But this
would still require a fair amount of work by someone, and I doubt you'd
want this upstream.
> I'm also somewhat surprised that it's Debian that has this problem,
> considering how Debian is usually the distro that is _least_ receptive
> to various non-free binaries.
If this was just about non-free modules I wouldn't care. There are
also many freely licenced out-of-tree modules that for various reasons
don't get submitted or accepted upstream; also backports of new or
updated drivers.
Ben.
--
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by
stupidity.
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists