| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110701121202.GB28008@elte.hu> Date: Fri, 1 Jul 2011 14:12:02 +0200 From: Ingo Molnar <mingo@...e.hu> To: Vasiliy Kulikov <segoon@...nwall.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, James Morris <jmorris@...ei.org>, Namhyung Kim <namhyung@...il.com>, Greg Kroah-Hartman <gregkh@...e.de>, kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org, Alan Cox <alan@...rguk.ukuu.org.uk>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk() * Vasiliy Kulikov <segoon@...nwall.com> wrote: > On Mon, Jun 27, 2011 at 00:01 +0200, Ingo Molnar wrote: > > * Vasiliy Kulikov <segoon@...nwall.com> wrote: > > > On Sun, Jun 26, 2011 at 21:46 +0200, Ingo Molnar wrote: > > > > No, because the problems such a mistake causes are not equivalent: it > > > > would have been far more harmful to not print out the *very real* > > > > product names written in some non-US language than to accidentally > > > > include some control character you did not think of. > > > > > > ??? > > > > > > Not "not print", but print in "crypted" form. The information > > > is still not lost, you can obviously restore it to the original > > > form, with some effort, but possible. Compare it with the harm > > > of log spoofing - it is not "restorable". > > > > The harm of 'potential' log spoofing affecting exactly zero known > > users right now, > > ??? > > A potential thing affects all users that *can be* affected by > actual log spoofing. This is what the word "potential" means. Yes, but there's a world of a difference between alleged harm and actual demonstrated harm. That is a not so fine distinction that is often missed in security circles! :-) So what i asked for before and what i ask for here is to protect against real, specific harm. If we just 'protect' against things that look dangerous it's easy to over-protect and cause colletaral damage. (like the UTF-8 details the v1 patch missed) > Analogy: if some privilege escalation bug is found in some very > core code then all users iteracting with an untrusted security > domains (local users, network, etc.) being able to exploit it would > be affected. It is silly to say that nobody is affected because you > just don't know any such cases of this bug exploitation in the > past. That analogy does not hold. If a security hole is obvious at first sight then we'll indeed fix it without waiting for someone to be exploited. But here the actual 'harm' is a lot less clear and what i'm trying to steer you towards is to be more fact-based and less belief-based. The only 'harm' that got demonstrated so far was collateral damage caused by the v1 patch ... Thanks, Ingo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists