[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <23921.1317315452@turing-police.cc.vt.edu>
Date: Thu, 29 Sep 2011 12:57:32 -0400
From: Valdis.Kletnieks@...edu
To: Vasiliy Kulikov <segoon@...nwall.com>
Cc: David Rientjes <rientjes@...gle.com>,
Christoph Lameter <cl@...two.org>,
kernel-hardening@...ts.openwall.com,
Pekka Enberg <penberg@...nel.org>,
Matt Mackall <mpm@...enic.com>,
Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
Kees Cook <kees@...ntu.com>,
Dave Hansen <dave@...ux.vnet.ibm.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Alan Cox <alan@...ux.intel.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] mm: restrict access to /proc/meminfo
On Thu, 29 Sep 2011 20:18:48 +0400, Vasiliy Kulikov said:
> As `new' is just increased, it means it is known with KB granularity,
> not MB. By counting used slab objects he learns filled_obj_size_sum.
>
> So, rounding gives us nothing, but obscurity.
Yes, but if he has an exploit that requires using up (for example) exactly 31
objects in the slab, he may now know that a new slab got allocated to push it
over the MB boundary. So he knows there's exactly one object in that new slab.
But now he has to fly blind for the next 30 because the numbers will display
exactly the same, and he can't correct for somebody else allocating one so he
needs to only allocate 29...
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists