Message-ID: <0ff1d6c8-d56d-4f73-b5be-d0ce2a223d28@oracle.com>
Date: Wed, 10 Apr 2024 01:36:01 -0700
From: Rao Shoaib <rao.shoaib@...cle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        kuni1840@...il.com, netdev@...r.kernel.org, pabeni@...hat.com
Subject: Re: [PATCH v1 net 3/3] af_unix: Prepare MSG_OOB deprecation.

It is used by Oracle products. File bugs and someone from Oracle will 
fix it (most likely me). Oracle has addressed any bugs reported in a 
very timely manner. So in summary the feature is being used and is 
actively maintained.

You can also turn off the feature in your private/closed distro and not 
worry about it.

That is all I have to say on this subject.

Shoaib

On 4/9/24 23:01, Kuniyuki Iwashima wrote:
> From: Rao Shoaib <rao.shoaib@...cle.com>
> Date: Tue, 9 Apr 2024 17:48:37 -0700
>> On 4/9/24 17:27, Kuniyuki Iwashima wrote:
>>> From: Rao Shoaib <rao.shoaib@...cle.com>
>>> Date: Tue, 9 Apr 2024 17:09:24 -0700
>>>> This feature was added because it was needed by Oracle products.
>>>
>>> I know.  What about now ?
> 
> Why do you ignore this again ?
> 
> If it's really used in Oracle products, you can just say yes,
> but it seems no ?
> 
> 
>>>
>>> I just took the silence as no here.
>>> https://urldefense.com/v3/__https://lore.kernel.org/netdev/472044aa-4427-40f0-9b9a-bce75d5c8aac@oracle.com/__;!!ACWV5N9M2RV99hQ!Nk1WvCk4-rstASn7PUW4QiAejf0gQ7ktNz-AhuB2UHt9Vx7yUVcfcJ82f9XM3tsDanwnWusycGdUfF4$
>>>
>>> As I noted in the cover letter, I'm fine to drop this patch if there's
>>> a real user.
>>>
>>>
>>>> The
>>>> bugs found are corner cases and happen with a new feature; at the time all
>>>> tests passed.
>>>
>>> Yes, but the test was not sufficient.
>>>
>>
>> Yes, they were not, but we ran the tests that were required and available.
>> If bugs are found later we are responsible for fixing them and we will.
> 
> This is nice,
> 
> 
>>
>>>
>>>> If you do not feel like fixing these bugs that is fine,
>>>> let me know and I will address them,
>>>
>>> Please do even if I don't let you know.
>>>
>>
>> The way we use it we have not run into these unusual test cases. If you
>> or anyone runs into any bugs please report and I personally will debug
>> and fix the issue, just like open source is supposed to work.
> 
> but why personally ?  because Oracle products no longer use it ?
> If so, why do you want to keep the feature with no user ?
> 
> 
>>>
>>>> but removing the feature completely
>>>> should not be an option.
>>>>
>>>> Plus Amazon has its own closed/proprietary distribution. If this is an
>>>> issue please configure your repo to not include this feature. Many
>>>> distributions choose not to include several features.
>>>
>>> The problem is that the buggy feature risks many distributions.
>>> If a not-well-maintained feature is really needed only for a single
>>> distro, it should rather be maintained as a downstream patch.
>>>
>>> If no one is using it, no reason to keep the attack surface alive.
>>
>> Tell me one feature in Linux that does not have bugs?
> 
> I'm not talking about features with no bug.  It's fine to have bugs
> if it's maintained and fixed in a timely manner.
> 
> I'm talking about a feature with bugs that seems not to be used by
> anyone nor maintained.
> 
> 
>> The feature, if used normally, works just fine; the bugs that have been
>> found do not cause any stability issue, maybe a functional issue at best.
> 
> It caused memory leaks in some ways easily without admin privilege.
> 
> 
>> How many applications do you know use MSG_PEEK that these tests are
>> exploiting.
> 
> Security is not that way of thinking.  Even when the bug is triggered
> with an unusual sequence of calls, it must be fixed, especially on a host
> that could execute untrusted code.
> 
> 
>>
>> Plus if it is annoying to you just remove the feature from your private
>> distribution and let the others decide for themselves.
> 
> If no one uses the feature that has bugs without maintenance,
> it's natural to deprecate it.  Then, no one needs to be burdened
> by unnecessary bug fixes.
> 
