lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1471391462.13300.56.camel@decadent.org.uk>
Date:	Wed, 17 Aug 2016 00:51:02 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Florian Westphal <fw@...len.de>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	akpm@...ux-foundation.org, Pablo Neira Ayuso <pablo@...filter.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of
 jumps

On Sat, 2016-08-13 at 22:35 +0200, Florian Westphal wrote:
> > Ben Hutchings <ben@...adent.org.uk> wrote:
> > 
> > On Sat, 2016-08-13 at 20:30 +0200, Florian Westphal wrote:
> > > 
> > > > 
> > > > > > > > Ben Hutchings <ben@...adent.org.uk> wrote:
> > > > 
> > > > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > > > 
> > > > ------------------
> > > > 
> > > > > 
> > > > > > 
> > > > > > > > > > > > From: Florian Westphal <fw@...len.de>
> > > > 
> > > > commit 36472341017529e2b12573093cc0f68719300997 upstream.
> > > 
> > > [..]
> > > 
> > > > 
> > > > 
> > > > The extra overhead is negible, even with absurd cases.
> > > 
> > > Not true, the overhead is huge and increases restore time for
> > > large rulesets from mere seconds to minutes, see
> > > 
> > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def
> > 
> > So do you think I should add that to this update or defer the netfilter
> > changes to the next update?
> 
> Depends on what your focus is for 3.16.
> 
> If your focus is to better not break anything I would just drop
> this patch and apply it for the next round with the fix
> (f4dc77713f8016d2e8a3295e1c9c53a21f296def) on top once it had more
> soak time.

I thought there were more that depended on this one, but in fact
dropping just this seems to work.  So that's what I've done for now.
Thanks.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ