lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 24 Sep 2007 13:14:58 -0700
From:	Stephen Hemminger <shemminger@...ux-foundation.org>
To:	linux-kernel@...r.kernel.org
Subject:  Re: [PATCH] Remove broken netfilter binary sysctls from bridging
 code

On Mon, 24 Sep 2007 18:55:38 +0200
Patrick McHardy <kaber@...sh.net> wrote:

> Eric W. Biederman wrote:
> > jfannin@...il.com (Joseph Fannin) writes:
> > 
> > 
> >>The netfilter sysctls in the bridging code don't set strategy routines:
> >>
> >> sysctl table check failed: /net/bridge/bridge-nf-call-arptables .3.10.1 Missing
> >>strategy
> >> sysctl table check failed: /net/bridge/bridge-nf-call-iptables .3.10.2 Missing
> >>strategy
> >> sysctl table check failed: /net/bridge/bridge-nf-call-ip6tables .3.10.3 Missing
> >>strategy
> >> sysctl table check failed: /net/bridge/bridge-nf-filter-vlan-tagged .3.10.4
> >>Missing strategy
> >> sysctl table check failed: /net/bridge/bridge-nf-filter-pppoe-tagged .3.10.5
> >>Missing strategy
> >>
> >>    These binary sysctls can't work. The binary sysctl numbers of
> >>other netfilter sysctls with this problem are being removed.  These
> >>need to go as well.
> >>
> >>Signed-off-by: Joseph Fannin <jfannin@...il.com>
> > 
> > 
> > Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> 
> 
> Queued for 2.6.24, thanks.
> 
> > Hmm.  This is an interesting case.  The proc method is forcing
> > the integer to be either 0 or 1 in a racy fashion.  But none of the
> > users appear to depend upon that.
> > 
> > So this is the least broken set of binary sysctls I have seen caught
> > by my check.
> > 
> > A really good fix would be to remove the binary side and then to
> > modify brnf_sysctl_call_tables to allocate a temporary ctl_table and
> > integer on the stack and only set ctl->data after we have normalized
> > the written value.  But since in practice nothing cares about
> > the race a better fix probably isn't worth it.
> 
> 
> I seem to be missing something, the entire brnf_sysctl_call_tables
> thing looks purely cosmetic to me, wouldn't it be better to simply
> remove it?


I agree, removing seems like a better option.  But probably need to go
through a 3-6mo warning period, since sysctl's are technically an API.



-- 
Stephen Hemminger <shemminger@...ux-foundation.org>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ