lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20201119173543.8821881942022fc4f39c4c73@linux-foundation.org>
Date:   Thu, 19 Nov 2020 17:35:43 -0800
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     laniel_francis@...vacyrequired.com
Cc:     linux-hardening@...r.kernel.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, dja@...ens.net, keescook@...omium.org
Subject: Re: [PATCH v6 0/5] Fortify strscpy()

On Thu, 19 Nov 2020 17:49:10 +0100 laniel_francis@...vacyrequired.com wrote:

> From: Francis Laniel <laniel_francis@...vacyrequired.com>
> 
> Hi.
> 
> 
> I hope your families, friends and yourselves are fine.

Thanks.  You too ;)

> This patch set answers to this issue:
> https://github.com/KSPP/linux/issues/46

I fail to understand what this patchset has to do with that
one-element-array issue :(

> I based my modifications on top of two patches from Daniel Axtens which modify
> calls to __builtin_object_size to ensure the true size of char * are returned
> and not the surrounding structure size.
> 
> To sum up, in my first patch I implemented a fortified version of strscpy.
> This new version ensures the following before calling vanilla strscpy:
> 1. There is no read overflow because either size is smaller than src length
> or we shrink size to src length by calling fortified strnlen.
> 2. There is no write overflow because we either failed during compilation or at
> runtime by checking that size is smaller than dest size.
> The second patch brings a new file in LKDTM driver to test this new version.
> The test ensures the fortified version still returns the same value as the
> vanilla one while panic'ing when there is a write overflow.
> The third just corrects some typos in LKDTM related file.
> 
> If you see any problem or way to improve the code, feel free to share it.

Could you please send along a reworked [0/n] cover letter?  Explain in
your own words, without requiring that readers go off and read web
pages

- What problem the patchset solves
- How it solves it
- The value of the patchset (to kernel developers or to end-users) so that we
  can understand why it should be merged.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ