Message-ID: <AANLkTimC01SViEOObgf2N2VcLTYO59rOAbHaKf2RM54w@mail.gmail.com>
Date: Sat, 6 Nov 2010 13:50:32 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Dan Rosenberg <drosenberg@...curity.com>
Cc: "chas@....nrl.navy.mil" <chas@....nrl.navy.mil>, "davem@...emloft.net" <davem@...emloft.net>, "kuznet@....inr.ac.ru" <kuznet@....inr.ac.ru>, "pekkas@...core.fi" <pekkas@...core.fi>, "jmorris@...ei.org" <jmorris@...ei.org>, "yoshfuji@...ux-ipv6.org" <yoshfuji@...ux-ipv6.org>, "kaber@...sh.net" <kaber@...sh.net>, "remi.denis-courmont@...ia.com" <remi.denis-courmont@...ia.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "security@...nel.org" <security@...nel.org>
Subject: Re: [Security] [SECURITY] Fix leaking of kernel heap addresses via /proc

On Saturday, November 6, 2010, Dan Rosenberg <drosenberg@...curity.com> wrote:
>
> Clearly, in most cases we cannot just remove the field from the /proc
> output, as this would break a number of userspace programs that rely on
> consistency. However, I propose that we replace the address with a "0"
> rather than leaking this information.

I really think it would be much better to use the unidentified number or similar. Just replacing with zeroes is annoying, and has the potential of losing actual information.

Linus