lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <18463054-abcf-4809-870c-051b16234e9c@gmail.com>
Date: Tue, 12 Nov 2024 07:44:09 +0100
From: Heiner Kallweit <hkallweit1@...il.com>
To: Stephen Hemminger <stephen@...workplumber.org>,
 Bjorn Helgaas <helgaas@...nel.org>
Cc: Leon Romanovsky <leon@...nel.org>, Leon Romanovsky <leonro@...dia.com>,
 Krzysztof WilczyƄski <kw@...ux.com>,
 linux-pci@...r.kernel.org, Ariel Almog <ariela@...dia.com>,
 Aditya Prabhune <aprabhune@...dia.com>, Hannes Reinecke <hare@...e.de>,
 Arun Easi <aeasi@...vell.com>, Jonathan Chocron <jonnyc@...zon.com>,
 Bert Kenward <bkenward@...arflare.com>, Matt Carlson
 <mcarlson@...adcom.com>, Kai-Heng Feng <kai.heng.feng@...onical.com>,
 Jean Delvare <jdelvare@...e.de>, Alex Williamson
 <alex.williamson@...hat.com>, linux-kernel@...r.kernel.org,
 netdev@...r.kernel.org
Subject: Re: [PATCH v1 1/2] PCI/sysfs: Change read permissions for VPD
 attributes

On 12.11.2024 01:34, Stephen Hemminger wrote:
> On Mon, 11 Nov 2024 14:41:04 -0600
> Bjorn Helgaas <helgaas@...nel.org> wrote:
> 
>> On Thu, Nov 07, 2024 at 08:56:56PM +0200, Leon Romanovsky wrote:
>>> From: Leon Romanovsky <leonro@...dia.com>
>>>
>>> The Vital Product Data (VPD) attribute is not readable by regular
>>> user without root permissions. Such restriction is not really needed
>>> for many devices in the world, as data presented in that VPD is not
>>> sensitive and access to the HW is safe and tested.
>>>
>>> This change aligns the permissions of the VPD attribute to be accessible
>>> for read by all users, while write being restricted to root only.
>>>
>>> For the driver, there is a need to opt-in in order to allow this
>>> functionality.  
>>
>> I don't think the use case is very strong (and not included at all
>> here).
>>
>> If we do need to do this, I think it's a property of the device, not
>> the driver.
> 
> I remember some broken PCI devices, which will crash if VPD is read.
> Probably not worth opening this can of worms.

These crashes shouldn't occur any longer. There are two problematic cases:
1. Reading past end of VPD
   This used to crash certain devices and was fixed by stop reading at
   the VPD end tag.
2. Accessing VPD if device firmware isn't correctly loaded and initialized
   This affects certain LSI devices, which are blacklisted so that PCI core
   prevents VPD access.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ