lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <534120846@web.de>
Date:	Sun, 07 Dec 2008 18:13:52 +0100
From:	devzero@....de
To:	Pavel Machek <pavel@...e.cz>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: odd habits with binary blobs.....

>>On Wed 2008-12-03 22:40:51, devzero@....de wrote:
>> hello, 
>> 
>> i gave r1soft`s new/free "hot copy" a try today and .... failed:
>> 
>> vserver2:/tmp/usr/sbin # ./hcp-setup
>> Gathering kernel information
>> Gathering kernel information complete.
>> Error: A network error occurred connecting to 'kmod32.r1soft.com'
>> 
>> what a pain....trying to setup a linux kernel module, the installer wants to phone \
>> home - and fails. 
>> but it`s even worse - http://wiki.r1soft.com/display/LTR1D/hcp-setup tells:
>> 
>> BUILDING HOT COPY DRIVER FROM SOURCE
>> 
>> hcp-setup will tar up your kernel source tree or headers and upload them to an \
>> R1Soft build server over HTTPS using XML-RPC. Once your system's kernel headers or \
>> source have been uploaded the R1Soft build server will compile a Hot Copy device \
>> driver as a kernel module and hcp-setup will automatically download it to your \
>> system. 
>> In order for hcp-setup to work your Linux server must have HTTPS Internet access to \
>> kmod32.r1soft.com (32-bit systems) and kmod64.r1soft.com (64-bit systems) 
>> 
>> how weird is THAT?
>> 
>> did anybody ever come across such "build binary blobs remotely" system ?
>> 
>> 
>> ok, disqualified.  won`t touch it again, as i also don`t know what REALLY is \
>> transferred to the vendor - but i wonder what kernel devs think about such build \
>> system and what in-kernel alternative exists for this. (i think it doesn`t exist - \
>> but maybe somebody working on that ?) 

>Hmm. Gcc was not really designed to prevent .c source from exploiting
>it.
>
>So I guess you could have some phun :-).
>
>									Pavel

I already thought of that.
but isn`t it that not just a matter of gcc exploitability ?
what about uploading specially crafted makefiles, setup-scripts or kernel-source 
containing backdoors.....?

besides hacking into the build servers - the problem i see is that other users download 
binary code from a such potentially compromised system and/or may download kernel-
modules which could (!?) contain binary code compiled from untrusted sourcecode....
maybe BugTraq ML is a better place to discuss.....

roland
_______________________________________________________________________
Sensationsangebot verlängert: WEB.DE FreeDSL - Telefonanschluss + DSL
für nur 16,37 Euro/mtl.!* http://dsl.web.de/?ac=OM.AD.AD008K13805B7069a

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ