lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 11 Jan 2021 17:30:09 -0800
From:   Andrew Morton <akpm@...ux-foundation.org>
To:     Petr Mladek <pmladek@...e.com>
Cc:     Timur Tabi <timur@...i.org>, torvalds@...ux-foundation.org,
        linux-kernel@...r.kernel.org,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        Roman Fietze <roman.fietze@...na.com>,
        Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] lib/hexdump: introduce DUMP_PREFIX_UNHASHED for
 unhashed addresses

On Mon, 11 Jan 2021 11:10:56 +0100 Petr Mladek <pmladek@...e.com> wrote:

> Adding Kees into CC because it is security related.
> Adding Andrew into CC because he usually takes patches for hexdump.
> 
> On Wed 2021-01-06 15:35:47, Timur Tabi wrote:
> > Hashed addresses are useless in hexdumps unless you're comparing
> > with other hashed addresses, which is unlikely.  However, there's
> > no need to break existing code, so introduce a new prefix type
> > that prints unhashed addresses.
> > 
> > Signed-off-by: Timur Tabi <timur@...i.org>
> > Cc: Roman Fietze <roman.fietze@...na.com>
> 
> I agree that there should be way to print the real address.
> 
> And it is sane to add a new mode so that the current
> users stay hashed.
> 

I doubt if Kees (or I or anyone else) can review this change because
there are no callers which actually use the new DUMP_PREFIX_UNHASHED. 
Is it intended that some other places in the kernel be changed to use
this?  If so, please describe where and why, so that others can better
understand both the requirement and the security implications.

If it is intended that this be used mainly for developer debug and not
to be shipped in the mainline kernel then let's get this info into the
changelog as well.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ