From: Emrah Demir <ed@abdsec.com>
To: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Dan Rosenberg <dan.j.rosenberg@gmail.com>,
kernel-hardening@lists.openwall.com,
Dave Jones <davej@redhat.com>,
keescook@google.com
Subject: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file
Date: Thu, 14 Apr 2016 03:39:05 -0400 [thread overview]
Message-ID: <f8e523a05927eef49a9a3566d176aa62@abdsec.com> (raw)
In-Reply-To: <CAGXu5jLVDJcQKpY7w1MCPW5hvjY=s+KF54aHvb8WOJycJFhF4A@mail.gmail.com>
On 2016-04-14 00:27, Kees Cook wrote:
> On Wed, Apr 6, 2016 at 2:19 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds
>> <torvalds@linux-foundation.org> wrote:
>>>
>>> So I'd find a patch like the attached to be perfectly acceptable (in
>>> fact, we should have done this long ago).
>>
>> I just committed it, let's see if some odd program uses the iomem
>> data. I doubt it, and I always enjoy improvements that remove more
>> lines of code than they add.
>
> Hrm, it looks like at least Ubuntu's kernel security test suite
> expects to find these entries (when it verifies that STRICT_DEVMEM
> hasn't regressed). Also, the commit only removed the entries on x86.
> Most (all?) of the other architectures still have them. Could you
> revert this for now, and I'll cook up a %pK-based solution for -next?
>
Actually, I have realized that this patch (Linus's patch) was for x86. I
was planning to code the same for other architectures.
It seems your method is better. %pK will zero other values in
/proc/iomem.
Perhaps Ubuntu patch might be a good option.
WARNING: multiple messages have this Message-ID (diff)
From: Emrah Demir <ed@abdsec.com>
To: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Dan Rosenberg <dan.j.rosenberg@gmail.com>,
kernel-hardening@lists.openwall.com,
Dave Jones <davej@redhat.com>,
keescook@google.com
Subject: Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file
Date: Thu, 14 Apr 2016 03:39:05 -0400 [thread overview]
Message-ID: <f8e523a05927eef49a9a3566d176aa62@abdsec.com> (raw)
In-Reply-To: <CAGXu5jLVDJcQKpY7w1MCPW5hvjY=s+KF54aHvb8WOJycJFhF4A@mail.gmail.com>
On 2016-04-14 00:27, Kees Cook wrote:
> On Wed, Apr 6, 2016 at 2:19 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds
>> <torvalds@linux-foundation.org> wrote:
>>>
>>> So I'd find a patch like the attached to be perfectly acceptable (in
>>> fact, we should have done this long ago).
>>
>> I just committed it, let's see if some odd program uses the iomem
>> data. I doubt it, and I always enjoy improvements that remove more
>> lines of code than they add.
>
> Hrm, it looks like at least Ubuntu's kernel security test suite
> expects to find these entries (when it verifies that STRICT_DEVMEM
> hasn't regressed). Also, the commit only removed the entries on x86.
> Most (all?) of the other architectures still have them. Could you
> revert this for now, and I'll cook up a %pK-based solution for -next?
>
Actually, I have realized that this patch (Linus's patch) was for x86. I
was planning to code the same for other architectures.
It seems your method is better. %pK will zero other values in
/proc/iomem.
Perhaps Ubuntu patch might be a good option.
next prev parent reply other threads:[~2016-04-14 7:39 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-06 13:03 [kernel-hardening] [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file Emrah Demir
2016-04-06 13:03 ` Emrah Demir
2016-04-06 15:20 ` [kernel-hardening] " Linus Torvalds
2016-04-06 15:20 ` Linus Torvalds
2016-04-06 17:54 ` [kernel-hardening] " Linus Torvalds
2016-04-06 17:54 ` Linus Torvalds
2016-04-06 18:05 ` [kernel-hardening] " ed
2016-04-06 18:05 ` ed
2016-04-06 18:21 ` [kernel-hardening] " Kees Cook
2016-04-06 18:21 ` Kees Cook
2016-04-06 18:31 ` [kernel-hardening] " Linus Torvalds
2016-04-06 18:31 ` Linus Torvalds
2016-04-06 18:37 ` [kernel-hardening] " Kees Cook
2016-04-06 18:37 ` Kees Cook
2016-04-06 18:43 ` [kernel-hardening] " Linus Torvalds
2016-04-06 18:43 ` Linus Torvalds
2016-04-06 18:53 ` [kernel-hardening] " Yves-Alexis Perez
2016-04-06 19:02 ` Linus Torvalds
2016-04-06 19:11 ` Yves-Alexis Perez
2016-04-06 19:19 ` Borislav Petkov
2016-04-06 20:49 ` Ingo Molnar
2016-04-06 19:23 ` Bjørn Mork
2016-04-06 19:23 ` Bjørn Mork
2016-04-06 18:52 ` [kernel-hardening] " Christian Kujau
2016-04-06 18:52 ` Christian Kujau
2016-04-06 18:53 ` [kernel-hardening] " Kees Cook
2016-04-06 18:53 ` Kees Cook
2016-04-06 21:19 ` [kernel-hardening] " Linus Torvalds
2016-04-06 21:19 ` Linus Torvalds
2016-04-06 21:27 ` [kernel-hardening] " Kees Cook
2016-04-06 21:27 ` Kees Cook
2016-04-06 21:32 ` [kernel-hardening] " Linus Torvalds
2016-04-06 21:32 ` Linus Torvalds
2016-04-14 4:27 ` [kernel-hardening] " Kees Cook
2016-04-14 4:27 ` Kees Cook
2016-04-14 7:39 ` Emrah Demir [this message]
2016-04-14 7:39 ` Emrah Demir
2016-04-06 18:03 ` [kernel-hardening] " Kees Cook
2016-04-06 18:03 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8e523a05927eef49a9a3566d176aa62@abdsec.com \
--to=ed@abdsec.com \
--cc=dan.j.rosenberg@gmail.com \
--cc=davej@redhat.com \
--cc=keescook@chromium.org \
--cc=keescook@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.