lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKwiHFjqiK3HM2ZK-HUvKeGtbMdvGf6JQYF+SREZnDtaBqOJ2w@mail.gmail.com>
Date:   Thu, 9 Nov 2017 15:08:39 +0100
From:   Rasmus Villemoes <linux@...musvillemoes.dk>
To:     Kees Cook <keescook@...omium.org>
Cc:     kernel-hardening@...ts.openwall.com,
        LKML <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [RFC 0/6] some compile- and run-time format checking

On 9 November 2017 at 02:11, Kees Cook <keescook@...omium.org> wrote:
> On Wed, Nov 8, 2017 at 2:30 PM, Rasmus Villemoes
> <linux@...musvillemoes.dk> wrote:
>>
>> Rasmus Villemoes (6):
>>   plugins: implement format_template attribute
>>   compiler.h: add __format_template
>
> Could you split these two off and send separately? This seems like a
> fine thing to get in now.

Will do.

> Probably the second patch should be split up
> between adding __format_template, and additions of its usage.

Yeah.

> Do you have any good ways to find and extract all the dynamic format strings
> we need to mark?

IIRC, I just did a git grep for designated initializers where the RHS
was a string literal containing a % char. Not sure that counts as a
good way :)

Doing that now finds stuff like
drivers/scsi/hisi_sas/hisi_sas_v2_hw.c, where the .msg member cannot
be annotated with a single template. Maybe one can work around that by
replacing .msg with an anon union of msg_onebit/msg_multibit, with
each their own template; I don't know if that will work, or if it will
be deemed too much churn (it doesn't provide that much safety, since
it would then just rely on accessing the right union member). Maybe
the run-time checking is best for that case.

Rasmus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ