On Mon, Jun 11, 2018 at 3:33 PM, Theodore Y. Ts'o wrote:
> On Mon, Jun 11, 2018 at 03:07:24PM +0200, Dmitry Vyukov wrote:
>>
>> These can't be weaponized to execute code, but if a BUG_ON is
>> triggerable over a network, or from VM guest, then it's likely more
>> critical than a local code executi
On Mon, Jun 11, 2018 at 03:07:24PM +0200, Dmitry Vyukov wrote:
>
> These can't be weaponized to execute code, but if a BUG_ON is
> triggerable over a network, or from VM guest, then it's likely more
> critical than a local code execution. That's why I am saying that
> automated evaluation is infea
On Wed, May 30, 2018 at 10:51 PM, 'Matthew Garrett' via syzkaller-bugs
wrote:
> On Wed, May 30, 2018 at 1:42 PM Dave Chinner wrote:
>> We've learnt this lesson the hard way over and over again: don't
>> parse untrusted input in privileged contexts. How many times do we
>> have to make the same mi
On Sat, May 26, 2018 at 10:24 PM, Theodore Y. Ts'o wrote:
> On Sat, May 26, 2018 at 07:12:49PM +0200, Dmitry Vyukov wrote:
>>
>> I don't see that "some kind of machine learning or expert system
>> evaluation" is feasible. At least not in short/mid-term. There are
>> innocently-looking bugs that ac
On Wed, May 30, 2018 at 1:42 PM Dave Chinner wrote:
> We've learnt this lesson the hard way over and over again: don't
> parse untrusted input in privileged contexts. How many times do we
> have to make the same mistakes before people start to learn from
> them?
You're not wrong, but we haven't c
"Theodore Y. Ts'o" writes:
> On Thu, May 24, 2018 at 10:49:31AM +1000, Dave Chinner wrote:
>> User automounting of removable storage should be done via a
>> privilege separation mechanism and hence avoid this whole class of
>> security problems. We can get this separation by using FUSE in these
>
On Sat, May 26, 2018 at 07:12:49PM +0200, Dmitry Vyukov wrote:
>
> I don't see that "some kind of machine learning or expert system
> evaluation" is feasible. At least not in short/mid-term. There are
> innocently-looking bugs that actually turn out to be very bad, and
> there are badly looking at
On Thu, May 24, 2018 at 1:41 AM, Theodore Y. Ts'o wrote:
> On Wed, May 23, 2018 at 01:01:59PM -0500, Eric Sandeen wrote:
>>
>> What I'm personally hung up on are the bugs where the "exploit" involves
>> merely
>> mounting a crafted filesystem that in reality would never (until the heat
>> death
On 5/23/18 7:59 PM, Theodore Y. Ts'o wrote:
On Thu, May 24, 2018 at 10:49:31AM +1000, Dave Chinner wrote:
We've learnt this lesson the hard way over and over again: don't
parse untrusted input in privileged contexts. How many times do we
have to make the same mistakes before people start to lear
On Wed, May 23, 2018 at 08:59:06PM -0400, Theodore Y. Ts'o wrote:
> On Thu, May 24, 2018 at 10:49:31AM +1000, Dave Chinner wrote:
> >
> > We've learnt this lesson the hard way over and over again: don't
> > parse untrusted input in privileged contexts. How many times do we
> > have to make the sam
On Thu, May 24, 2018 at 10:49:31AM +1000, Dave Chinner wrote:
>
> We've learnt this lesson the hard way over and over again: don't
> parse untrusted input in privileged contexts. How many times do we
> have to make the same mistakes before people start to learn from
> them?
Good question. For ho
On Wed, May 23, 2018 at 07:41:15PM -0400, Theodore Y. Ts'o wrote:
> On Wed, May 23, 2018 at 01:01:59PM -0500, Eric Sandeen wrote:
> >
> > What I'm personally hung up on are the bugs where the "exploit" involves
> > merely
> > mounting a crafted filesystem that in reality would never (until the he
On Wed, May 23, 2018 at 01:01:59PM -0500, Eric Sandeen wrote:
>
> What I'm personally hung up on are the bugs where the "exploit" involves
> merely
> mounting a crafted filesystem that in reality would never (until the heat
> death
> of the universe) corrupt itself into that state on its own; it
13 matches
Mail list logo