lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 7 Nov 2012 11:43:58 -0500
From:	Dave Jones <davej@...hat.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Julius Werner <jwerner@...omium.org>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	James Morris <jmorris@...ei.org>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	"David S. Miller" <davem@...emloft.net>,
	Sameer Nanda <snanda@...omium.org>,
	Mandeep Singh Baines <msb@...omium.org>,
	Eric Dumazet <edumazet@...omium.org>
Subject: Re: [PATCH] tcp: Replace infinite loop on recvmsg bug with proper
 crashusers

On Wed, Nov 07, 2012 at 08:29:12AM -0800, Eric Dumazet wrote:
 > On Wed, 2012-11-07 at 10:54 -0500, Dave Jones wrote:
 > 
 > > It sounds more appropriate to me, instead of silently wedging the box.
 > > At least with that approach we have a chance of finding out what happened.
 > 
 > Its quite the opposite.
 > 
 > If bug is still there 6 months after the commits that broke the drivers,
 > (making an old bug visible) that means that people never realized the
 > bug was there.

dude, look at the bug reports I just pointed you at.
People _are_ aware there are bugs there.

If you turn that into a BUG() those reports would never have been filed.
How is that increasing awareness ?  People are going to see wedged computers,
and hit the reset button. If we're lucky, we'll get photos of someone lucky
enough to have hit it while at the console, not in X. But this is a huge
step backwards for debugability.

 > I understand a distro maintainer has its own choices, but for upstream
 > kernel we want to have early reports.

I'm running out of ways to word this, but I'll try again.
You won't get those early reports if you turn this into a BUG().

 > This bug is fatal and a security issue. BUG() is appropriate.

turning a bug into a remote DoS is also a security issue.

	Dave

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists