Date: Sun, 26 Jun 2011 19:57:23 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Vasiliy Kulikov <segoon@...nwall.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc: oss-security@...ts.openwall.com, security@...nel.org
Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak
 (was: taskstats authorized_keys presence infoleak PoC)

On Fri, Jun 24, 2011 at 5:34 AM, Vasiliy Kulikov <segoon@...nwall.com> wrote:
>
> I think it needs 2 CVE, one for /proc/PID/io and another for taskstats.

Hmm. Should we just round them down to 1kB boundaries or something?
People *do* want to know about IO accounting, but I agree that giving
things at a byte granularity ends up giving way too much information.
When you can see how many bytes something read off a tty, that's a
problem.

Returning accounting information at a 1k granularity should make it
impractical to use that to guess keys etc. It still gives *some*
information (and enough for rough statistics), but it doesn't give the
level of detail required for any simple attack.

Sometimes excessive precision isn't a good thing.

Andrew - the IO_ACCT stuff went through you (back in 2006), the
taskstats did too, methinks. Comments?

                     Linus
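
Added example, not part of the original message or of any kernel patch: a small C model of the rounding proposed above, counting how many different counter deltas an observer could tell apart for short reads at byte granularity versus 1kB granularity. The names `IO_ACCT_GRANULARITY`, `report_io_bytes` and `distinct_deltas`, the choice to round the cumulative counter at reporting time, and the sample counter values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IO_ACCT_GRANULARITY 1024u  /* hypothetical name; 1kB as proposed in the mail */

/* Round a raw cumulative byte counter down to a multiple of `gran`. */
static uint64_t report_io_bytes(uint64_t raw, uint64_t gran)
{
    return raw - (raw % gran);
}

/*
 * Count how many different reported deltas an observer could see when a task
 * whose counter stands at `base` reads between 1 and `max_len` bytes.
 * More distinct deltas means more information about the read length is exposed.
 */
static unsigned distinct_deltas(uint64_t base, unsigned max_len, uint64_t gran)
{
    uint64_t before = report_io_bytes(base, gran);
    uint64_t last = UINT64_MAX;   /* sentinel: no delta seen yet */
    unsigned distinct = 0;

    for (unsigned len = 1; len <= max_len; len++) {
        uint64_t delta = report_io_bytes(base + len, gran) - before;
        if (delta != last) {      /* deltas are non-decreasing in len */
            distinct++;
            last = delta;
        }
    }
    return distinct;
}

int main(void)
{
    /* Constructed sample values: counter positions and a 64-byte maximum read. */
    printf("byte granularity:         %u\n", distinct_deltas(4096, 64, 1));
    printf("1kB, far from a boundary: %u\n",
           distinct_deltas(4096, 64, IO_ACCT_GRANULARITY));
    printf("1kB, just below boundary: %u\n",
           distinct_deltas(4096 + 1000, 64, IO_ACCT_GRANULARITY));
    return 0;
}
```

The last case is the "some information" that remains after rounding: a read that happens to cross a 1kB boundary is still visible as a jump, but the exact length is not.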
