Message-ID: <1289151634.2478.191.camel@edumazet-laptop>
Date: Sun, 07 Nov 2010 18:40:34 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Dan Rosenberg <drosenberg@...curity.com>
Cc: chas@....nrl.navy.mil, davem@...emloft.net, kuznet@....inr.ac.ru, pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net, remi.denis-courmont@...ia.com, netdev@...r.kernel.org, security@...nel.org, stable@...nel.org
Subject: Re: [PATCH 0/9] Fix leaking of kernel heap addresses in net/

On Sunday 07 November 2010 at 12:25 -0500, Dan Rosenberg wrote:
> > NACK
> >
> > That's a pretty stupid patch series, sorry.
> >
>
> I think it might be more constructive to avoid childish name-calling and
> instead try to guide the conversation in a way that produces a patch
> that would better fit your needs. Even if you don't agree with the
> approach, it's certainly not "stupid".
>

It is stupid. Really, Dan. The idea is stupid, not you.

> > You are basically ruining a lot of debugging facilities we use every day
> > to find and fix _real_ bugs. The bugs that happen to crash machines of
> > our customers.
>
> I'm going to give you the benefit of the doubt and assume you're not
> implying that security issues aren't "real" bugs, because that would be
> utterly ridiculous.
>

So what? Because of security, we must accept even stupid patches?

> >
> > If you want to avoid a user reading kernel syslog, why don't you fix the
> > problem for non-root users able to "dmesg"? I personally don't care.
> >
>
> This is simply the reality of the current situation. At least while the
> kernel syslog is available to unprivileged users, we need to be more
> careful of what is visible through there.
>

So instead of fixing the problem, you are going to change thousands of
kernel printk()?

> > I am a root user on my machine, I _want_ to have some pretty basic
> > information so that I can work on it, and I believe my work is useful.
> >
> > There are pretty easy ways to not disclose "information", but your way
> > of using '0' for all values is the dumbest idea one could ever have.
>
> I'm glad I'm capable of producing "the dumbest idea one could ever have".
> You seem to be quite set on convincing unpaid volunteers such as myself
> to stop sending in patches.
>

I am an unpaid volunteer too. I also had stupid ideas, and other guys said so.
So what? Should I continue contributing to Linux, or assume I am stupid and stop?

> >
> > A single XOR with a "root only visible, random value chosen at boot"
> > would be OK. At least we could continue our work, with little burden.
>
> Finally, a useful contribution. I'll consider this option after hearing
> from a few more people on the subject.

I am glad you like it. But it also may be a _very_ stupid idea.
You really want to have a _lot_ of agreement before even considering it.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html