lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87h9ii5nd7.fsf@gamma.ozlabs.ibm.com>
Date:	Wed, 13 Jan 2016 11:33:56 +1100
From:	Daniel Axtens <dja@...ens.net>
To:	Solar Designer <solar@...nwall.com>
Cc:	Jann Horn <jann@...jh.net>, kernel-hardening@...ts.openwall.com,
	linux-kernel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	HATAYAMA Daisuke <d.hatayama@...fujitsu.com>,
	Vitaly Kuznetsov <vkuznets@...hat.com>,
	Baoquan He <bhe@...hat.com>,
	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
Subject: Re: [RFC] kernel/panic: place an upper limit on number of oopses

Solar Designer <solar@...nwall.com> writes:

> Jann Horn <jann@...jh.net> wrote:
>> To prevent an attacker from turning a mostly harmless oops into an
>> exploitable issue using a refcounter wraparound caused by repeated
>> oopsing, limit the number of oopses.
>
> This may also reduce the likelihood of successful exploitation of some
> other vulnerabilities involving memory corruption, where an unsuccessful
> attempt may inadvertently trigger an Oops.  The attacker would then need
> to succeed in fewer than the maximum allowed number of Oops'es.  Jann's
> currently proposed default of 0x100000 is too high to make a difference
> in that respect, but people may set it differently.
>
> On Wed, Jan 13, 2016 at 10:34:39AM +1100, Daniel Axtens wrote:
>> I'm torn between making the limit configurable and not adding to the
>> massive proliferation of config options.
>
> What about reusing panic_on_oops for the configurable limit?  The
> currently supported values of 0 and 1 would retain their meaning,
> 2 would panic after 2nd Oops, and so on.

I thought about this, then I looked at where panic_on_oops was used and
I thought it would be a pretty invasive change. I'm also nervous about
changing the semantics of panic_on_oops under people...

>
> There's overlap with grsecurity's banning of users on Oops, but I think
> it makes sense to have both the trivial change proposed by Jann (perhaps
> with the reuse of panic_on_oops for configuration) and grsecurity-style
> banning (maybe with a low configurable limit, rather than always on
> first Oops).
>
> Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ