Open Source and information security mailing list archives
 
Message-ID: <YUygdDGXQhSZRqoo@jeremy-acer>
Date:   Thu, 23 Sep 2021 08:42:44 -0700
From:   Jeremy Allison <jra@...ba.org>
To:     Steve French <smfrench@...il.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        CIFS <linux-cifs@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Namjae Jeon <linkinjeon@...nel.org>
Subject: Re: [GIT PULL] ksmbd server security fixes

On Wed, Sep 22, 2021 at 10:20:01PM -0500, Steve French wrote:
>On Wed, Sep 22, 2021 at 9:47 PM Kees Cook <keescook@...omium.org> wrote:
>>
>> Hi Steve,
>>
>> I was looking through the history[1] of the ksmbd work, and I'm kind
>> of surprised at some of the flaws being found here.
>
>I was also surprised that a couple of these weren't found by smbtorture,
>although to be fair it is more focused on functional testing of the protocol
>(and is quite detailed).  Most of my analysis of the code had been
>focused on functional coverage, and protocol features (and removing

Steve, you should have been surprised they weren't
caught by smbtorture, especially if your "analysis of the code
had been focused on functional coverage".

No one has been looking at the logic for this, and IMHO
that's a problem. It's good they are looking now, but
I think this code needs additional maintainers.
