Date:   Mon, 6 Nov 2017 09:41:09 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     "Tobin C. Harding" <me@...in.cc>,
        Network Development <netdev@...r.kernel.org>,
        David Miller <davem@...emloft.net>
Cc:     "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        "Theodore Ts'o" <tytso@....edu>, Kees Cook <keescook@...omium.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Tycho Andersen <tycho@...ker.com>,
        "Roberts, William C" <william.c.roberts@...el.com>,
        Tejun Heo <tj@...nel.org>,
        Jordan Glover <Golden_Miller83@...tonmail.ch>,
        Greg KH <gregkh@...uxfoundation.org>,
        Petr Mladek <pmladek@...e.com>, Joe Perches <joe@...ches.com>,
        Ian Campbell <ijc@...lion.org.uk>,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <wilal.deacon@....com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Chris Fries <cfries@...gle.com>,
        Dave Weinstein <olorin@...gle.com>,
        Daniel Micay <danielmicay@...il.com>,
        Djalal Harouni <tixxdz@...il.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] scripts: add leaking_addresses.pl

On Mon, Nov 6, 2017 at 9:27 AM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> Lovely. This is great. It shows just how much totally pointless stuff
> we leak, and to normal users that really shouldn't need it.

Side note: it would be good to have some summary view, and perhaps
some way to limit duplicates.

I ended up running this command line from hell to summarize the
different sources:

    perl leaking_addresses.pl |
            cut -d: -f1 |
            sed 's:/[0-9]*/:/X/:g' |
            sed 's:/module/[^/]*/:/module/X/:g' |
            sort | uniq | less -S

and maybe that kind of duplicate culling could be part of the script
itself if you pass it some summary line.

In particular, it would be nice to have a summary report that

 - only shows the first address for a particular source

 - has some logic to collapse repeated entries of "same file, just
different instance"

My sed-invocations there are obviously very ad-hoc, I'm not actually
advocating that crap, it's only meant as a hacky example of what I'm
talking about. Something smarter would be much better.

Because right now if some developer runs it, they might miss some case
that they should care about, simply because it's hidden among all the
thousands of essentially duplicate cases.

                 Linus
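
The summary view suggested in the message above, written as a standalone shell filter (an added example, not part of the original message or of leaking_addresses.pl). It assumes each output line has the form `<source>: <text>` with a colon and a space after the source; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise leaking_addresses.pl-style output.
# Assumption: each input line is "<source>: <text>" (colon + space).

summarize_leaks() {
    awk '
    {
        i = index($0, ": ")
        if (i == 0) next                      # not a "<source>: <text>" line
        src  = substr($0, 1, i - 1)
        text = substr($0, i + 2)
        # Numeric path components (PIDs, IRQs, ...) are instances of one source.
        # Loop instead of gsub so adjacent ones (/1/2/) all collapse.
        while (match(src, "/[0-9]+/"))
            src = substr(src, 1, RSTART) "X" substr(src, RSTART + RLENGTH - 1)
        # Every module exposes the same files under /sys/module/<name>/.
        gsub("/module/[^/]+/", "/module/X/", src)
        if (!(src in count)) { order[++n] = src; first[src] = text }
        count[src]++
    }
    END {
        # One line per collapsed source: hit count, source, first line seen.
        for (k = 1; k <= n; k++)
            printf "%d\t%s: %s\n", count[order[k]], order[k], first[order[k]]
    }'
}

# Constructed sample input (paths and addresses are made up).
sample_input() {
    cat <<'EOF'
/proc/1/stack: [<ffffffff81000001>] do_wait+0x1c0/0x230
/proc/42/stack: [<ffffffff81000002>] poll_schedule_timeout+0x44/0x70
/proc/42/task/43/stack: [<ffffffff81000003>] futex_wait_queue_me+0xc4/0x120
/sys/module/ext4/sections/.text: 0xffffffffc0100000
/sys/module/e1000e/sections/.text: 0xffffffffc0200000
/sys/devices/pci0000:00/0000:00:1f.2/resource: 0x00000000f7d00000
dmesg: [    0.000000] BRK [0xffffffff82000000, 0xffffffff82000fff] PGTABLE
EOF
}

sample_input | summarize_leaks
```

Splitting on the first colon-space rather than the first colon keeps sources whose paths contain colons, such as PCI device directories, intact. Piping the result through `sort -rn` puts the noisiest sources first.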
