| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPAsAGzNcGpf+TPcqymGNdB7POoz3Oj=VLwvvtz6yWJf1UX0=g@mail.gmail.com>
Date: Tue, 23 Aug 2016 19:38:28 +0300
From: Andrey Ryabinin <ryabinin.a.a@...il.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: Joe Perches <joe@...ches.com>,
Luis Henriques <luis.henriques@...onical.com>,
Avijit Kanti Das <avijitnsec@...eaurora.org>,
"David S . Miller" <davem@...emloft.net>,
Ben Hutchings <ben@...adent.org.uk>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()
2016-08-23 18:36 GMT+03:00 Eric Dumazet <eric.dumazet@...il.com>:
> On Tue, 2016-08-23 at 08:05 -0700, Joe Perches wrote:
>
>> A compiler does not have a standards based requirement to
>> initialize arbitrary padding bytes.
>>
>> I believe gcc always does zero all padding anyway.
>
> I would not worry for kernel code, because the amount of scrutiny there
> will be enough to 'fix potential bugs' [1], but a lot of user land code
> would suffer from various bugs as well that might sit there forever.
>
> [1] Also, most call sites in the kernel are using same call stack, so
> the offset of '1-7 leaked bytes' vs kernel stack is constant, making
> exploits quite challenging.
>
> Even if the current standards are lazy (are they, I did not check ?),
> security needs would call for a sane compiler behavior and changing the
> standards accordingly.
>
C11 guarantees zeroed padding.
Powered by blists - more mailing lists