Date: Tue, 9 Apr 2024 17:48:37 -0700
From: Rao Shoaib <rao.shoaib@...cle.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        kuni1840@...il.com, netdev@...r.kernel.org, pabeni@...hat.com
Subject: Re: [PATCH v1 net 3/3] af_unix: Prepare MSG_OOB deprecation.
On 4/9/24 17:27, Kuniyuki Iwashima wrote:
> From: Rao Shoaib <rao.shoaib@...cle.com>
> Date: Tue, 9 Apr 2024 17:09:24 -0700
>> This feature was added because it was needed by Oracle products.
> 
> I know.  What about now?
> 
> I just took the silence as no here.
> https://lore.kernel.org/netdev/472044aa-4427-40f0-9b9a-bce75d5c8aac@oracle.com/
> 
> As I noted in the cover letter, I'm fine to drop this patch if there's
> a real user.
> 
> 
>> The
>> bugs found are corner cases and happen with a new feature; at the time, all
>> tests passed.
> 
> Yes, but the test was not sufficient.
> 

Yes, they were not, but we ran the tests that were required and available.
If bugs are found later, we are responsible for fixing them and we will.

> 
>> If you do not feel like fixing these bugs, that is fine;
>> let me know and I will address them,
> 
> Please do even if I don't let you know.
> 

The way we use it, we have not run into these unusual test cases. If you
or anyone runs into any bugs, please report them and I personally will debug
and fix the issue, just like open source is supposed to work.

> 
>> but removing the feature completely
>> should not be an option.
>>
>> Plus, Amazon has its own closed/proprietary distribution. If this is an
>> issue, please configure your repo to not include this feature. Many
>> distributions choose not to include several features.
> 
> The problem is that the buggy feature risks many distributions.
> If a not-well-maintained feature is really needed only for a single
> distro, it should rather be maintained as a downstream patch.
> 
> If no one is using it, there is no reason to keep the attack surface alive.

Tell me one feature in Linux that does not have bugs.
The feature, if used normally, works just fine; the bugs that have been
found do not cause any stability issue, maybe a functional issue at best.
How many applications do you know of that use MSG_PEEK in the way these
tests are exploiting?

Plus, if it is annoying to you, just remove the feature from your private
distribution and let the others decide for themselves.

Shoaib