Date:	Sun, 07 Nov 2010 12:25:14 -0500
From:	Dan Rosenberg <drosenberg@...curity.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	chas@....nrl.navy.mil, davem@...emloft.net, kuznet@....inr.ac.ru,
	pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
	kaber@...sh.net, remi.denis-courmont@...ia.com,
	netdev@...r.kernel.org, security@...nel.org, stable@...nel.org
Subject: Re: [PATCH 0/9] Fix leaking of kernel heap addresses in net/
> NACK
> 
> That's a pretty stupid patch series, sorry.
> 

I think it might be more constructive to avoid childish name-calling and
instead try to guide the conversation in a way that produces a patch
that would better fit your needs.  Even if you don't agree with the
approach, it's certainly not "stupid".

> You are basically ruining a lot of debugging facilities we use every day
> to find and fix _real_ bugs. The bugs that happen to crash machines of
> our customers.

I'm going to give you the benefit of the doubt and assume you're not
implying that security issues aren't "real" bugs, because that would be
utterly ridiculous.

> 
> If you want to avoid a user reading kernel syslog, why don't you fix the
> problem for non root users able to "dmesg" ? I personally don't care.
> 

This is simply the reality of the current situation.  At least while the
kernel syslog is available to unprivileged users, we need to be more
careful of what is visible through there.

> I am a root user on my machine, I _want_ to have some pretty basic
> information so that I can work on it, and I believe my work is useful.
> 
> There are pretty easy ways to not disclose "information", but your way
> of using '0' for all values is the dumbest idea one could ever had.

I'm glad I'm capable of producing "the dumbest idea one could ever had".
You seem to be quite set on convincing unpaid volunteers such as myself
to stop sending in patches.

> 
> A single XOR with a "root only visible, random value chosen at boot"
> would be OK. At least we could continue our work, with little burden.

Finally, a useful contribution.  I'll consider this option after hearing
from a few more people on the subject.

-Dan
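Added example (not code from the patch series or from anyone in this thread): a user-space model of the two options argued over above, printing an address as 0 versus XORing it with a random value chosen once at boot and readable only by root. The boot secret, the mixer that derives it, and the two heap addresses are constructed for the demo; a kernel would draw the secret from its RNG.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the "random value chosen at boot" from the quoted reply.
 * A kernel would draw it once from its RNG and expose it only to root;
 * here it is seeded deterministically so the demo is reproducible. */
uint64_t boot_secret;

void init_boot_secret(uint64_t seed) {
    /* splitmix64-style mixer, constructed for the demo; not a CSPRNG. */
    uint64_t x = seed ^ 0x9E3779B97F4A7C15ULL;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    boot_secret = x;
}

/* The approach the series took: replace the address with 0. Nothing leaks,
 * but two different objects become indistinguishable in the logs. */
uint64_t zero_mask(uint64_t addr) { (void)addr; return 0; }

/* The alternative proposed in the quoted reply: XOR with the boot secret.
 * Equal addresses give equal tokens, so objects can still be correlated. */
uint64_t xor_mask(uint64_t addr) { return addr ^ boot_secret; }

/* Anyone who can read the secret (root, per the proposal) undoes the mask. */
uint64_t xor_unmask(uint64_t token) { return token ^ boot_secret; }

/* Identity is preserved: tokens are equal exactly when addresses are. */
int xor_mask_preserves_identity(uint64_t a, uint64_t b) {
    return (xor_mask(a) == xor_mask(b)) == (a == b);
}

/* Caveat a practitioner should know: XOR is linear, so the XOR of two
 * tokens equals the XOR of the two addresses. Relative layout (and, given
 * one known address, the secret itself) is still recoverable. */
int xor_mask_leaks_difference(uint64_t a, uint64_t b) {
    return (xor_mask(a) ^ xor_mask(b)) == (a ^ b);
}

int main(void) {
    uint64_t obj1 = 0xffff880012345678ULL; /* constructed heap addresses */
    uint64_t obj2 = 0xffff8800abcdef00ULL;
    init_boot_secret(42);
    printf("zeroed: %016" PRIx64 " %016" PRIx64 "\n", zero_mask(obj1), zero_mask(obj2));
    printf("xored:  %016" PRIx64 " %016" PRIx64 "\n", xor_mask(obj1), xor_mask(obj2));
    printf("delta leaks: %d\n", xor_mask_leaks_difference(obj1, obj2));
    return 0;
}
```

The last line of output is the reason a keyed hash, rather than a plain XOR, is the safer way to keep addresses correlatable without revealing their relative layout.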
