lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Jan 2008 05:55:52 +0100 From: Andi Kleen <andi@...stfloor.org> To: sfrench@...ba.org, linux-kernel@...r.kernel.org, linux-cifs-client@...ts.samba.org, samba-technical@...ts.samba.org Subject: [PATCH] Remove information leak in Linux CIFS client Fix information leak in CIFS client lookup Putting arbitary file names on lookup failures into the system log is not a good idea, because usually everybody can read dmesg and that is thus an information leak if a directory was read protected. Also changed the error printout for this case to a signed number, because it is normally negative and that makes it easier to read. I'm not sure the message is all that useful anyways. Perhaps it should be just removed completely? Or at least rate limited because it allows to spam the kernel log nicely. Signed-off-by: Andi Kleen <ak@...e.de> Index: linux/fs/cifs/dir.c =================================================================== --- linux.orig/fs/cifs/dir.c +++ linux/fs/cifs/dir.c @@ -518,7 +518,7 @@ cifs_lookup(struct inode *parent_dir_ino /* if it was once a directory (but how can we tell?) we could do shrink_dcache_parent(direntry); */ } else { - cERROR(1, ("Error 0x%x on cifs_get_inode_info in lookup of %s", + cERROR(1, ("Error %d on cifs_get_inode_info in lookup of file", rc, full_path)); /* BB special case check for Access Denied - watch security exposure of returning dir info implicitly via different rc -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists