public inbox for netdev@vger.kernel.org
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: chas@cmf.nrl.navy.mil, davem@davemloft.net, kuznet@ms2.inr.ac.ru,
	pekkas@netcore.fi, jmorris@namei.org, yoshfuji@linux-ipv6.org,
	kaber@trash.net, remi.denis-courmont@nokia.com,
	netdev@vger.kernel.org, security@kernel.org, stable@kernel.org
Subject: Re: [PATCH 0/9] Fix leaking of kernel heap addresses in net/
Date: Sun, 07 Nov 2010 18:03:36 +0100
Message-ID: <1289149416.2478.143.camel@edumazet-laptop>
In-Reply-To: <1289147492.3090.137.camel@Dan>

On Sunday 07 November 2010 at 11:31 -0500, Dan Rosenberg wrote:
> This patch series resolves the leakage of kernel heap addresses to
> userspace via network protocol /proc interfaces and public error
> messages.  Revealing this information is a bad idea from a security
> perspective for a number of reasons, the most obvious of which is it
> provides unprivileged users a mechanism by which to create a structure
> in the kernel heap containing function pointers, obtain the address of
> that structure, and overwrite those function pointers by leveraging
> other vulnerabilities.  It is my hope that by eliminating this
> information leakage, in conjunction with making statically-declared
> function pointer tables read-only (to be done in a separate patch
> series), we can at least add a small hurdle for the exploitation of a
> subset of kernel vulnerabilities.
> 
> To maintain compatibility with userspace programs relying on
> consistent /proc output, the output descriptions and number of fields
> are not changed.  When a unique identifier for the socket is desired,
> the socket address has been replaced with the socket inode number.  When
> the inode number is already present in the output, the address has been
> replaced with a 0.  In these cases, the format specifier has been
> changed to %d, because a %p output of 0 from kernel space is written as
> "(null)", while userspace %p can only parse "(nil)".
> 

NACK

That's a pretty stupid patch series, sorry.

You are basically ruining a lot of debugging facilities we use every day
to find and fix _real_ bugs. The bugs that happen to crash machines of
our customers.

If you want to avoid a user reading kernel syslog, why don't you fix the
problem for non root users able to "dmesg" ? I personally don't care.

I am a root user on my machine, I _want_ to have some pretty basic
information so that I can work on it, and I believe my work is useful.

There are pretty easy ways to not disclose "information", but your way
of using '0' for all values is the dumbest idea one could ever have had.

A single XOR with a "root only visible, random value chosen at boot"
would be OK. At least we could continue our work, with little burden.
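Added example, not code from this thread or from the kernel tree: a user-space sketch of the three ways of rendering the socket field that the two messages discuss (the pre-patch raw heap address, Dan's inode substitution, and Eric's XOR with a root-only boot-time secret), with `boot_secret` and the sample address constructed for illustration. It also shows the caveat a reviewer of the XOR proposal would raise: a fixed mask preserves the XOR-difference between any two addresses, so relations between them survive even though the absolute values are hidden.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a "root only visible, random value chosen at boot". */
static const uint64_t boot_secret = 0x5a3cc1e9f00d1234ULL;

enum sock_field_policy {
    POLICY_RAW,    /* pre-patch behaviour: print the kernel heap address */
    POLICY_INODE,  /* Dan's series: print the socket inode number instead */
    POLICY_XOR     /* Eric's counter-proposal: XOR the address with boot_secret */
};

/* XOR masking is its own inverse, so root (who knows the secret) can
 * recover the real address offline while unprivileged readers cannot. */
static uint64_t mask_addr(uint64_t addr)   { return addr ^ boot_secret; }
static uint64_t unmask_addr(uint64_t mask) { return mask ^ boot_secret; }

/* Render the field as a /proc/net-style token; returns bytes written. */
static int render_sock_field(char *out, size_t n, enum sock_field_policy policy,
                             uint64_t addr, unsigned long inode)
{
    switch (policy) {
    case POLICY_RAW:   return snprintf(out, n, "%" PRIx64, addr);
    case POLICY_INODE: return snprintf(out, n, "%lu", inode);
    case POLICY_XOR:   return snprintf(out, n, "%" PRIx64, mask_addr(addr));
    }
    return -1;
}

/* Caveat: (a ^ s) ^ (b ^ s) == a ^ b for any secret s, so the XOR-difference
 * between two masked addresses equals the difference between the real ones. */
static uint64_t masked_delta(uint64_t a, uint64_t b)
{
    return mask_addr(a) ^ mask_addr(b);
}

int main(void)
{
    char buf[32];
    uint64_t sk = 0xffff88003a1f2c00ULL;  /* constructed sample sock address */
    render_sock_field(buf, sizeof buf, POLICY_RAW, sk, 12345);
    printf("raw:   %s\n", buf);
    render_sock_field(buf, sizeof buf, POLICY_INODE, sk, 12345);
    printf("inode: %s\n", buf);
    render_sock_field(buf, sizeof buf, POLICY_XOR, sk, 12345);
    printf("xor:   %s (unmasks to %" PRIx64 ")\n", buf, unmask_addr(mask_addr(sk)));
    return 0;
}
```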
