lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170421001650.6f7g74tcs2h5hmuj@kafai-mba.dhcp.thefacebook.com>
Date:   Thu, 20 Apr 2017 17:16:50 -0700
From:   Martin KaFai Lau <kafai@...com>
To:     Cong Wang <xiyou.wangcong@...il.com>
CC:     David Ahern <dsa@...ulusnetworks.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        Andrey Konovalov <andreyknvl@...gle.com>
Subject: Re: [PATCH net] net: ipv6: RTF_PCPU should not be settable from
 userspace

On Thu, Apr 20, 2017 at 04:37:18PM -0700, Cong Wang wrote:
> On Thu, Apr 20, 2017 at 3:43 PM, David Ahern <dsa@...ulusnetworks.com> wrote:
> >
> > I scanned the others. It is not clear that others should fail with
> > EINVAL. Certainly a mask of unused flags can be added, but to me that is
> > on top of this bug fix.
> >
>
> If we want to preserve those unused bits, we should reject them too.
>
> RTF_PCPU is special here, it is used but only internally, so it makes
> sense to silently clear it since we don't care whether people set it to
> 1 or 0. We should clear it for dumping too since it is internal only.
I agree with DavidA. The existing bits (including RTF_PCPU) during dumping
is part of the uapi already.  We cannot stop displaying them now.

Silently accepting something instead of telling the userspace program
has a bug seems to be a dis-service to the end-user.

If there are other bits should be rejected too, they can be
done in the follow up patches.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ