Date: Sun, 26 Jun 2011 19:57:23 -0700 From: Linus Torvalds <torvalds@...ux-foundation.org> To: Vasiliy Kulikov <segoon@...nwall.com>, Andrew Morton <akpm@...ux-foundation.org> Cc: oss-security@...ts.openwall.com, security@...nel.org Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC) On Fri, Jun 24, 2011 at 5:34 AM, Vasiliy Kulikov <segoon@...nwall.com> wrote: > > I think it needs 2 CVE, one for /proc/PID/io and another for taskstats. Hmm. Should we just round them down to 1kB boundaries or something? People *do* want to know about IO accounting, but I agree that giving things at a byte granularity ends up giving way too much information. When you can see how many bytes something read off a tty, that's a problem. Returning accounting information at a 1k granularity should make it impractical to use that to guess keys etc. It still gives *some* information (and enough for rough statistics), but it doesn't give the level of detail required for any simple attack. Sometimes excessive precision isn't a good thing. Andrew - the IO_ACCT stuff went through you (back in 2006), the taskstats did too, methinks. Comments? Linus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ