Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-14 Thread Emrah Demir
On 2016-04-14 00:27, Kees Cook wrote: On Wed, Apr 6, 2016 at 2:19 PM, Linus Torvalds wrote: On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds wrote: So I'd find a patch like the attached to be perfectly acceptable (in fact, we should have done this long ago). I just committed it, let's see

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-13 Thread Kees Cook
On Wed, Apr 6, 2016 at 2:19 PM, Linus Torvalds wrote: > On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds > wrote: >> >> So I'd find a patch like the attached to be perfectly acceptable (in >> fact, we should have done this long ago). > > I just committed it, let's see if some odd program uses the

Re: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Ingo Molnar
* Linus Torvalds wrote: > So yeah, maybe swap partitions are still more common than I thought. And I > didn't even consider the possibility that people would hibernate a desktop > like > you do. Also many distros will hibernate automatically on critically low battery (when suspend won't

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 2:27 PM, Kees Cook wrote: > > Hrm, okay. I still think just changing the perms would be less > troublesome. No, that would be much *more* trouble-some, because we have things like bug-reporting documentation that tells people to send /proc/iomem etc information on crashes.

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 2:19 PM, Linus Torvalds wrote: > On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds > wrote: >> >> So I'd find a patch like the attached to be perfectly acceptable (in >> fact, we should have done this long ago). > > I just committed it, let's see if some odd program uses the

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 10:54 AM, Linus Torvalds wrote: > > So I'd find a patch like the attached to be perfectly acceptable (in > fact, we should have done this long ago). I just committed it, let's see if some odd program uses the iomem data. I doubt it, and I always enjoy improvements that

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Bjørn Mork
Linus Torvalds writes: > I suspect there really aren't all that many hibernation users out > there at all, and that yes, that would be the right default. > > Hibernation is really quite nasty when you have to have a fairly big > special partition for it, and shrink your memory down. Writing

Re: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Borislav Petkov
On Wed, Apr 06, 2016 at 09:11:07PM +0200, Yves-Alexis Perez wrote: > On mer., 2016-04-06 at 12:02 -0700, Linus Torvalds wrote: > > So yeah, maybe swap partitions are still more common than I thought. > > And I didn't even consider the possibility that people would hibernate > > a desktop like you

Re: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Yves-Alexis Perez
On mer., 2016-04-06 at 12:02 -0700, Linus Torvalds wrote: > So yeah, maybe swap partitions are still more common than I thought. > And I didn't even consider the possibility that people would hibernate > a desktop like you do. To be fair, it's *my* use case, because suspend won't work but I'm

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Christian Kujau
On Wed, 6 Apr 2016, e...@abdsec.com wrote: > First, I wrote your attached patch, but then I thought zeroing other > /proc/iomem values would be better. So I changed it. On my systems, /proc/iomem, /proc/ioports and others get their world-readable bits removed during bootup - I guess that would

Re: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 11:53 AM, Yves-Alexis Perez wrote: > > Actually you just have to have a swap partition, which people still set as > more or less the ram size, I think, so all in all it works (especially if > people hibernate without the ram completely used). I guess people still do those.

Re: [kernel-hardening] Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Yves-Alexis Perez
On mer., 2016-04-06 at 11:43 -0700, Linus Torvalds wrote: > Hibernation is really quite nasty when you have to have a fairly big > special partition for it, and shrink your memory down. Writing things > to disk was a whole lot more reasonable back in the days when laptops > had 16MB of memory.

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 11:52 AM, Christian Kujau wrote: > On Wed, 6 Apr 2016, e...@abdsec.com wrote: >> First, I wrote your attached patch, but then I thought zeroing other >> /proc/iomem values would be better. So I changed it. > > On my systems, /proc/iomem, /proc/ioports and others get their >

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 11:37 AM, Kees Cook wrote: > > At some point I'd like to see if distros would be interested in > inverting the default logic (maybe with a CONFIG to avoid changing the > current behavior) where instead of needing to put "kaslr" on the > command line to prefer kaslr over

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 11:31 AM, Linus Torvalds wrote: > On Wed, Apr 6, 2016 at 11:05 AM, wrote: >> >> Most distros don't use KASLR, but they use kptr_restrict. Without KASLR, >> kptr_restrict most likely useless. > > Well, yes kaslr is effectively useless right now due to the fact that >

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 11:05 AM, wrote: > > Most distros don't use KASLR, but they use kptr_restrict. Without KASLR, > kptr_restrict most likely useless. Well, yes kaslr is effectively useless right now due to the fact that people still use hibernation in effectively every single distro out

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 11:05 AM, wrote: > First, I wrote your attached patch, but then I thought zeroing other > /proc/iomem values would be better. So I changed it. > > Most distros don't use KASLR, but they use kptr_restrict. Without KASLR, Well, hopefully that'll change over time. :) >

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread ed
First, I wrote your attached patch, but then I thought zeroing other /proc/iomem values would be better. So I changed it. Most distros don't use KASLR, but they use kptr_restrict. Without KASLR, kptr_restrict most likely useless. As you said these things should be done long ago

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Kees Cook
On Wed, Apr 6, 2016 at 6:03 AM, Emrah Demir wrote: > From: Emrah Demir Hi! Thanks for sending this patch; I'm always glad to see new faces helping. :) I have a few comments inline and a larger suggestion at the end. > Even though KASLR is aiming to mitigate remote attacks, with a simple LFI

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 8:20 AM, Linus Torvalds wrote: > > I'd much rather just not insert the resources in the first place then. So I'd find a patch like the attached to be perfectly acceptable (in fact, we should have done this long ago). That said, for a kernel hardening thing, I think it

Re: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Linus Torvalds
On Wed, Apr 6, 2016 at 6:03 AM, Emrah Demir wrote: > > By this patch after insertion resources, start and end address are zeroed. I'd much rather just not insert the resources in the first place then. Linus

[PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file

2016-04-06 Thread Emrah Demir
From: Emrah Demir Even though KASLR is aiming to mitigate remote attacks, with a simple LFI vulnerability through a web application, local leaks become as important as remote ones. On the KASLR enabled systems in order to achieve expected protection, some files are needed to edited/modified