| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 19:58:53 +0000
From: "Luck, Tony" <tony.luck@...el.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
CC: Andi Kleen <ak@...ux.intel.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>,
Joe Konno <joe.konno@...ux.intel.com>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
Jeremy Kerr <jk@...abs.org>,
"Matthew Garrett" <mjg59@...gle.com>,
Peter Jones <pjones@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
James Bottomley <james.bottomley@...senpartnership.com>
Subject: RE: [PATCH 1/2] fs/efivarfs: restrict inode permissions
> It's not about slowing down.
>
> It's about "user Xyz is messing with the system and reading efi vars
> all the time" resulting in "user 'torvalds' is installing a kernel,
> and actually wants to read efi vars, but can't".
>
> if you don't make it per-user, you're just replacing one DoS attack
> with another one!
How are you envisioning this rate-limiting to be implemented? Are
you going to fail an EFI call if the rate is too high? I'm thinking that
we just add a delay to each call so that we can't exceed the limit.
That means your kernel install will complete, just slower than it
would without the delays.
I think I want a small random delay anyway to prevent users from
causing an SMI at the precise moment of their choosing.
-Tony
Powered by blists - more mailing lists