lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 21 Oct 2017 02:27:37 +0100 (WEST)
From:   David Miller <davem@...emloft.net>
To:     lucien.xin@...il.com
Cc:     netdev@...r.kernel.org, edumazet@...gle.com,
        marcelo.leitner@...il.com, sd@...asysnail.net
Subject: Re: [PATCH net 0/2] net: diag: fix a potential security issue

From: Xin Long <lucien.xin@...il.com>
Date: Thu, 19 Oct 2017 15:32:23 +0800

> This patch is to void the potential security issue that the family
> or protocol modules are autoloaded when requesting _diag module by
> not requesting _diag module if the family or protocol is not added
> or registered in sock_diag and inet_diag.
> 
> As the repost of the patch '[PATCH net] sock_diag: request _diag
> module only when the family or proto has been registered', this
> patchset fixes the compiling errors when INET is not set, and
> also split into two patches to make it clear to review.

This makes no sense to me.

Any user can just open a socket() in the appropriate protocol
family to cause the module to be loaded.

If someone wants modules to not be loaded, block them using
traditional module loading infrastructure mechanisms.  Or
don't load the module at all.

Sorry I am not applying this.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ