| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Feb 2021 14:17:13 -0800
From: Kees Cook <keescook@...omium.org>
To: Pavel Machek <pavel@....cz>
Cc: Timur Tabi <timur@...nel.org>,
Steven Rostedt <rostedt@...dmis.org>,
Petr Mladek <pmladek@...e.com>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
willy@...radead.org, akpm@...ux-foundation.org,
torvalds@...ux-foundation.org, roman.fietze@...na.com,
john.ogness@...utronix.de, akinobu.mita@...il.com
Subject: Re: [PATCH] lib/vsprintf: make-printk-non-secret printks all
addresses as unhashed
On Thu, Feb 04, 2021 at 11:11:43PM +0100, Pavel Machek wrote:
> On Thu 2021-02-04 15:59:21, Timur Tabi wrote:
> > On 2/4/21 3:49 PM, Pavel Machek wrote:
> > >This machine is insecure. Yet I don't see ascii-art *** all around..
> > >
> > >"Kernel memory addresses are exposed, which is bad for security."
> >
> > I'll use whatever wording everyone can agree on, but I really don't see much
> > difference between "which may compromise security on your system" and "which
> > is bad for security". "may compromise" doesn't see any more alarmist than
> > "bad". Frankly, "bad" is a very generic term.
>
> Well, I agree that "bad" is vague.... but original wording is simply
> untrue, as printing addresses decreases robustness but can't introduce
> security problem on its own.
>
> Being alarmist is not my complaint; being untrue is.
It's just semantics. Printing addresses DOES weaken the security of a
system, especially when we know attackers have and do use stuff from dmesg
to tune their attacks. How about "reduces the security of your system"?
--
Kees Cook
Powered by blists - more mailing lists