lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 13 Dec 2019 12:56:34 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Alexey Dobriyan <adobriyan@...il.com>
Cc:     Willy Tarreau <w@....eu>,
        Andrew Morton <akpm@...ux-foundation.org>, will@...nel.org,
        ebiederm@...ssion.com, linux-arch@...r.kernel.org,
        security@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] execve: warn if process starts with executable stack

On Fri, Dec 13, 2019 at 12:25:20AM +0300, Alexey Dobriyan wrote:
> On Wed, Dec 11, 2019 at 07:24:01PM +0100, Willy Tarreau wrote:
> > On Wed, Dec 11, 2019 at 09:19:33PM +0300, Alexey Dobriyan wrote:
> > > Reports are better be done by people who know what they are doing, as in
> > > understand what executable stack is and what does it mean in reality.
> > > 
> > > > Otherwise it will just go to /dev/null with all warning about bad blocks
> > > > on USB sticks and CPU core throttling under high temperature.
> > > 
> > > That's fine. You don't want bugreports from people who don't know what
> > > is executable stack. Every security bug bounty program is flooded by
> > > such people. This is why message is worded in a neutral way.
> > 
> > Well we definitely don't have the same experience with user reports. I
> > was just suggesting, but since you apparently already have all the
> > responses you needed, I'm even wondering why the warning remains.
> 
> Willy, whatever instructions for users you have in mind must be
> different for different people. Developer should be told to add
> "-Wl,-z,noexecstack" and more. Regular user (define "regular") should be
> told to send bugreport if the program really needs executable stack
> which again splits into two situations: exec stack was added knowingly
> because it is some old program with lost source code or it was readded
> by mistake.
> 
> "Complain to linux-kernel" is meaningless, kernel is not responsible.
> 
> What the message is even supposed to say?
> 

You could direct people to a website and then update the instructions
as needed.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ