Open Source and information security mailing list archives
 
Message-ID: <CA+55aFy2nSv0-dH68DvemiF4RLvGpMcJ9WzKwmnXAvaJ+9QCmA@mail.gmail.com>
Date:   Fri, 17 Nov 2017 09:35:03 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     David Windsor <dave@...lcore.net>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1

On Fri, Nov 17, 2017 at 8:54 AM, Kees Cook <keescook@...omium.org> wrote:
>
> (Sorry if this pull request is a duplicate: I just don't want to miss
> the merge window, given its potential for being shorter than usual.)

Honestly, these things always end up waiting to the end for me, simply
because they are scary, and I don't trust them, so I feel I need to
spend time on them.

And when I pull 20+ other pull requests a day, I don't have _time_ to
spend time on them.

They are scary because:

 - they touch core stuff

 - I don't trust security people to do sane things

 - they tend to come in as a "fait accompli" with a shit-ton of random
arbitrary rules, and are still likely to not be complete.

which just makes these pull requests very painful.

We had a ton of issues with the original hardened usercopy just doing
bad things.

We _still_ have outstanding issues with the structure randomization
corrupting the kernel.

These "hardening" things really seem to be a source of random bugs,
and they haven't been extensively tested, and the people involved
quite often don't seem to care about basic cleanliness (because
"security is so important that nothing else matters").

Honestly, I'm unlikely to pull this at all this merge window, simply
because I won't have time for it. This merge window is not going to be
one where I can take a leisurely look at something like this.

If you can make a smaller pull request that introduces the
infrastructure, but that _obviously_ cannot actually break anything,
that would be more likely to be palatable.

Because right now I'm in "the last hardening feature has an unknown
breakage that nobody knows how to even get to the bottom of, I'm _so_
not interested in another of these things" mode.

                 Linus
