lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 15 Feb 2017 15:52:28 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Alan Cox <alan@...ux.intel.com>
cc:     Peter Zijlstra <peterz@...radead.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Gabriel C <nix.or.die@...il.com>,
        Ingo Molnar <mingo@...nel.org>, Peter Anvin <hpa@...or.com>,
        Borislav Petkov <bp@...en8.de>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Mike Galbraith <efault@....de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Ruslan Ruslichenko <rruslich@...co.com>, stable@...r.kernel.org
Subject: Re: [patch 1/2] x86/platform/goldfish: Prevent unconditional
 loading

On Wed, 15 Feb 2017, Alan Cox wrote:

> > > > I'm seriously grumpy about this engineering trainwreck, which has
> > > > seven
> > > > SOBs from Intel developers for 50 lines of code. And none of them
> > > > figured
> > > > out that this is broken. Impressive fail!
> 
> It was discussed at the time, documented at the time.

I just have a hard time to find that documentation. It's definitely not in
the kernel source, unless you qualify the help text of CONFIG_GOLDFISH as
such:

     Enable support for the Goldfish virtual platform used primarily
     for Android development. Unless you are building for the Android
     Goldfish emulator say N here.

which does not help for randconfig and other builds and does not prevent
users from enabling it accidentaly. That all wouldn't be as bad if at least
the minimal provisioning of damage prevention would have been done.

> Unfortunately the people who did the emulator didn't feel the urge to
> provide a way to detect the platform was Goldfish.

Sure, and the people shoving it into the kernel didn't feel the urge to
enforce that.

> Historically it also used its own custom device discovery scheme. Given
> the limited use of older versions of Goldfish it might well make sense
> to remove support for the older emulator versions.

I'm all for it.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ