lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+55aFwmVdeLFs1-HJGXeOBz5WgJinCDNAu7mcr+fJhjQp+mEg@mail.gmail.com>
Date:   Wed, 4 Oct 2017 09:29:16 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Boris Lukashev <blukashev@...pervictus.com>
Cc:     "Tobin C. Harding" <me@...in.cc>,
        Greg KH <gregkh@...uxfoundation.org>,
        Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>,
        Ian Campbell <ijc@...lion.org.uk>,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>,
        Steven Rostedt <rostedt@...dmis.org>,
        William Roberts <william.c.roberts@...el.com>,
        Chris Fries <cfries@...gle.com>,
        Dave Weinstein <olorin@...gle.com>
Subject: Re: [kernel-hardening] [RFC V2 0/6] add more kernel pointer filter options

On Wed, Oct 4, 2017 at 9:22 AM, Boris Lukashev
<blukashev@...pervictus.com> wrote:
>
> When adding modules from outside the mainline tree (zfs, aufs, scst,
> etc), we would not be able to audit the source, and risk leaking
> sensitive pointers from those components if we dont filter them out
> this way or in a similar programmatic manner.

I call *COMPLETE* bullshit on that argument.

Non-mainlined source code is insecure, and printing some random
address is the *least* of the problems in it.

And the way to make it secure has absolutely nothing to do with printk strings.

Ask somebody about Android camera drivers some day.

Go away. Don't use this specious idiotic argument, all it does is to
make all your other arguments look stupid.

That said, they didn't need much help: ttalking about FDA and medical
equipment as an argument for some particular default value is another
sign that your arguments are UTTER SHIT.

If this is seriously the quality of excuses for this patch-series, I
never ever want to see those patches again.

                Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ