Message-Id: <1200730722.28706.70.camel@localhost.localdomain>
Date:	Sat, 19 Jan 2008 03:18:42 -0500
From:	simo <idra@...ba.org>
To:	Andi Kleen <andi@...stfloor.org>
Cc:	sfrench@...ba.org, linux-kernel@...r.kernel.org,
	linux-cifs-client@...ts.samba.org, samba-technical@...ts.samba.org
Subject: Re: [linux-cifs-client] [PATCH] Remove information leak in Linux
	CIFS client


On Sat, 2008-01-19 at 05:55 +0100, Andi Kleen wrote:
> Fix information leak in CIFS client lookup
> 
> Putting arbitrary file names on lookup failures into the system log is not
> a good idea, because usually everybody can read dmesg and that is thus
> an information leak if a directory was read protected.
> 
> Also changed the error printout for this case to a signed number, because
> it is normally negative and that makes it easier to read.
> 
> I'm not sure the message is all that useful anyways. Perhaps it
> should be just removed completely? Or at least rate limited because
> it allows spamming the kernel log nicely.
> 
> Signed-off-by: Andi Kleen <ak@...e.de>
> 
> Index: linux/fs/cifs/dir.c
> ===================================================================
> --- linux.orig/fs/cifs/dir.c
> +++ linux/fs/cifs/dir.c
> @@ -518,7 +518,7 @@ cifs_lookup(struct inode *parent_dir_ino
>  	/*	if it was once a directory (but how can we tell?) we could do
>  		shrink_dcache_parent(direntry); */
>  	} else {
> -		cERROR(1, ("Error 0x%x on cifs_get_inode_info in lookup of %s",
> +		cERROR(1, ("Error %d on cifs_get_inode_info in lookup of file",
>  			   rc, full_path));
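Review bot: the `+` line drops the `%s` conversion from the format string, but the unchanged continuation line `rc, full_path));` still passes `full_path`, so the call now supplies one more argument than the format consumes. That is harmless at runtime (the extra vararg is simply ignored), but it leaves a dead argument behind and trips gcc's format checking (-Wformat-extra-args); trim the argument list so the continuation reads `rc));`. The `%d` for `rc` is correct since `rc` is a signed int. Separately, because the description itself notes that this message can be triggered at will by repeated failed lookups, the hunk could wrap the `cERROR` in `printk_ratelimit()` or drop the message entirely, as the description already suggests, rather than only changing its text.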

then please also remove full_path here ^^^^

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@...ba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@...hat.com>

