Message-ID: <Yyw0JskGMbGE1lHK@kroah.com>
Date:   Thu, 22 Sep 2022 12:08:38 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     cgel.zte@...il.com
Cc:     ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
        martin.lau@...ux.dev, song@...nel.org, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
        haoluo@...gle.com, jolsa@...nel.org, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org, Xu Panda <xu.panda@....com.cn>,
        Zeal Robot <zealci@....com.cn>
Subject: Re: [PATCH linu-next] samples/bpf: use absolute path for dd

On Thu, Sep 22, 2022 at 09:02:31AM +0000, cgel.zte@...il.com wrote:
> From: Xu Panda <xu.panda@....com.cn>
> 
> Not using absolute path when invoking dd can lead to serious security
> issues.
> 
> Reported-by: Zeal Robot <zealci@....com.cn>
> Signed-off-by: Xu Panda <xu.panda@....com.cn>
> ---
>  samples/bpf/trace_event_user.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c
> index 9664749bf618..d841918accc9 100644
> --- a/samples/bpf/trace_event_user.c
> +++ b/samples/bpf/trace_event_user.c
> @@ -126,7 +126,7 @@ static void print_stacks(void)
> 
>  static inline int generate_load(void)
>  {
> -       if (system("dd if=/dev/zero of=/dev/null count=5000k status=none") < 0) {
> +       if (system("/usr/bin/dd if=/dev/zero of=/dev/null count=5000k status=none") < 0) {
>                 printf("failed to generate some load with dd: %s\n", strerror(errno));
>                 return -1;
>         }
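Review bot: In generate_load(), hardcoding /usr/bin/dd makes the existing `< 0` check on system() less adequate, because that check only catches system() failing to create the child process. If dd is not installed at /usr/bin/dd, the shell exits with status 127, system() returns a non-negative value, and the function returns success without having generated any load. Check the exit status with WIFEXITED() and WEXITSTATUS() before treating the call as successful. The command still runs through the shell that system() starts, so if the goal is to remove environment influence, fork() plus execv() with an argument vector would be the more complete change. The commit message should also state the concrete risk (dd being resolved through PATH when the sample is run with elevated privileges) instead of only "serious security issues".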
> -- 
> 2.15.2

Again, please stop submitting patches for Linux kernel development at
this point in time until your company has fixed their development
process.

You have been warned many times about this, and we have heard nothing
back from you at all.  I'll go ask for your email address to now be
banned from our lists, sorry.

greg k-h
