lists.openwall.net
Open Source and information security mailing list archives
Date:   Fri, 13 Dec 2019 00:25:20 +0300
From:   Alexey Dobriyan <adobriyan@...il.com>
To:     Willy Tarreau <w@....eu>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        dan.carpenter@...cle.com, will@...nel.org, ebiederm@...ssion.com,
        linux-arch@...r.kernel.org, security@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] execve: warn if process starts with executable stack

On Wed, Dec 11, 2019 at 07:24:01PM +0100, Willy Tarreau wrote:
> On Wed, Dec 11, 2019 at 09:19:33PM +0300, Alexey Dobriyan wrote:
> > Reports are better done by people who know what they are doing, as in
> > understand what an executable stack is and what it means in reality.
> > 
> > > Otherwise it will just go to /dev/null with all the warnings about bad blocks
> > > on USB sticks and CPU core throttling under high temperature.
> > 
> > That's fine. You don't want bug reports from people who don't know what
> > an executable stack is. Every security bug bounty program is flooded by
> > such people. This is why the message is worded in a neutral way.
> 
> Well we definitely don't have the same experience with user reports. I
> was just suggesting, but since you apparently already have all the
> responses you needed, I'm even wondering why the warning remains.

Willy, whatever instructions for users you have in mind must be
different for different people. A developer should be told to add
"-Wl,-z,noexecstack" and more. A regular user (define "regular") should be
told to send a bug report if the program really needs an executable stack,
which again splits into two situations: the exec stack was added knowingly
because it is some old program with lost source code, or it was re-added
by mistake.

"Complain to linux-kernel" is meaningless; the kernel is not responsible.

What is the message even supposed to say?

It is not even pr_err.
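Added example, not from this thread and not kernel code: a small Python check that reads the PT_GNU_STACK program header, which is what `-Wl,-z,noexecstack` controls and what execve looks at when it decides whether the new process gets an executable stack. `build_elf64` is a constructed minimal image for offline testing, not a real binary; for a real file, pass the bytes of the file instead.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # executable bit in p_flags


def gnu_stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the header is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"        # EI_DATA: 1 = little endian
    if ei_class == 2:                         # ELF64 header layout
        e_phoff = struct.unpack_from(end + "Q", elf, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    elif ei_class == 1:                       # ELF32 header layout
        e_phoff = struct.unpack_from(end + "I", elf, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 2:                     # Elf64_Phdr: p_type, p_flags first
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        else:                                 # Elf32_Phdr: p_flags sits at +24
            p_type = struct.unpack_from(end + "I", elf, off)[0]
            p_flags = struct.unpack_from(end + "I", elf, off + 24)[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(elf: bytes, arch_default_exec: bool = True) -> bool:
    """True if the loader would map the stack executable.

    A missing PT_GNU_STACK means the kernel falls back to the architecture
    default, which on x86 is an executable stack; pass arch_default_exec
    to model other architectures."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return arch_default_exec
    return bool(flags & PF_X)


def build_elf64(stack_flags=None) -> bytes:
    """Constructed sample: ELF64 LE header plus an optional PT_GNU_STACK (not loadable)."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 if phdrs else 0,
                              0, 0, 64, 56, 1 if phdrs else 0, 64, 0, 0)
    return hdr + phdrs
```

With flags 6 (RW) the stack is non-executable; 7 (RWE) is what the warning in the patch is about, and a missing header is the silent case that a bug report should mention.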
