lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 25 Mar 2019 18:28:58 -0700
From:   Brian Norris <briannorris@...omium.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     shuah <shuah@...nel.org>, David Valleau <valleau@...omium.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux USB Mailing List <linux-usb@...r.kernel.org>,
        Michael Grzeschik <m.grzeschik@...gutronix.de>,
        Valentina Manea <valentina.manea.m@...il.com>,
        Sasha Levin <alexander.levin@...rosoft.com>
Subject: Re: [PATCH] tools: usb: usbip: adding support for older kernel versions

On Mon, Mar 25, 2019 at 5:55 PM Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
> To be honest, with the USB3 support added to usbip, no one noticed that
> things broke, and the fact that it took 4 years to notice implies that
> maybe it wasn't that big of a deal as no one used this.

Again, the last breaking change (USB3 support) was in v4.13 (2017 Sept
release date). One of the other changes was a security fix and went to
-stable, so I could imagine fewer people being upset.

> But, as you
> show, that assumption was not correct, so if we can fix things, we
> should.

Well, we "can" -- it's not too hard to parse the header to figure out
which version is in use -- but it's a bit ugly (see $subject patch). I
wonder if some of that should just be discarded and we give up on
sufficiently old kernels, since it's not immediately clear to me
whether David's patching to account for commit 0775a9cbc694 ("usbip:
vhci extension: modifications to vhci driver") is correct. (I'm not
that intimately familiar with usbip.)

> Did that help?

Yes, thanks. I was mostly hoping you weren't trying to say "vhci /
usbip are toys and shouldn't be treated seriously."

I think I mostly agree with what you're saying, and I don't think we
should place a lot of undue burden on maintaining old compatibility
for too many years, especially on stuff that wasn't very well thought
out in the first place. But I think it's a valid forward-looking goal
to avoid doing this sort of stuff again with no good reason.

Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ