| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2018 12:27:07 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Rasmus Villemoes <rasmus.villemoes@...vas.dk>
Cc: Andy Shevchenko <andy.shevchenko@...il.com>,
Alexey Dobriyan <adobriyan@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] proc: use set_puts() at /proc/*/wchan
On Wed, 21 Feb 2018 09:57:49 +0100 Rasmus Villemoes <rasmus.villemoes@...vas.dk> wrote:
> On 2018-02-21 01:02, Andrew Morton wrote:
> > On Sat, 17 Feb 2018 16:06:42 +0200 Andy Shevchenko <andy.shevchenko@...il.com> wrote:
> >
> >> On Sat, Feb 17, 2018 at 9:20 AM, Alexey Dobriyan <adobriyan@...il.com> wrote:
> >>> Signed-off-by: Alexey Dobriyan <adobriyan@...il.com>
> >>
> >>
> >>> - seq_printf(m, "%s", symname);
> >>> + seq_puts(m, symname);
> >>
> >> While this might have no security concerns, the pattern might be
> >> brainlessly used by some janitors and there would have security
> >> implications.
> >
> > And I'd like to see a changelog, please. One which explains why
> > `symname' cannot have a %s (etc) in it, and never will.
>
> OK, since #youtoo: It doesn't _matter_ if symname is "%pHAHAHA %fooled
> you <unicode for evil grin emoji>", seq_puts does not interpret it at
> all. There are _never_ security implications with the above replacement.
> Sure, seq_printf(m, symname) would be bad, but that's not what is being
> done.
doh, OK, sorry. RTFP, Andrew.
Powered by blists - more mailing lists