Are you /sure/ you can skip it? Do you disable SCTP in your builds? If you don't, then it may be that the bug can be tripped by a remote attacker despite the fact that you "don't use" SCTP. And that's just the first example that comes to mind.
It would be relatively easy to carve out patches that only touch code in a specific area of the tree (for example, the SCTP implementation). But the recent e1000e bug illustrates beautifully that bugs aren't very good at respecting modularisation of design, since they're not designed but are instead unintentional.
If you do want to try this, as I said, it's fairly possible: Git makes it very practical for you to knock together a script that lists only those patches which touch your subset of the kernel, assuming you have the technical knowledge to understand how the kernel is laid out, and you have a complete list of the components you do or don't use, plus the time to examine architectural changes that might alter that list.
One thing that's going on is that there are many different constituencies who think that the kernel developers ought to make /their/ lives easier by doing just a minute or two's extra work. Since the kernel developers are a very precious resource I suggest that wherever possible you should look for ways to make things better without asking the developers to do more paperwork for you.
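The kind of script described above, as an added example that is not part of the original post: given a revision range and the directories you actually build, it lists the commits inside that subset, the commits outside it, and flags the outside ones that change core headers or infrastructure, since (as the e1000e case shows) a fix that lives outside "your" code can still affect your build. The range `OLD..NEW` and the list of core directories are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a range of kernel commits, e.g. a
# -stable update, against the subsystems you actually build. Assumes a git
# checkout of the kernel and a range such as OLD..NEW; the directory list in
# core_commits_outside_subset is an assumption, adjust it to your tree.

# Commits in RANGE that modify something under the given directories.
# Usage: patches_touching OLD..NEW net/sctp drivers/net/e1000e
patches_touching() {
    range=$1; shift
    git rev-list --reverse "$range" -- "$@"
}

# Commits in RANGE that touch none of the given directories: the ones a
# "subset" policy would skip. Printed so they can be reviewed, not ignored.
patches_not_touching() {
    range=$1; shift
    keep=$(mktemp)
    git rev-list "$range" -- "$@" > "$keep"
    git rev-list --reverse "$range" | grep -vxFf "$keep"
    rm -f "$keep"
}

# Of the skipped commits, flag those that change core headers or core
# infrastructure. Code there is built into every configuration, so "I don't
# use that subsystem" says nothing about whether the change affects you.
core_commits_outside_subset() {
    range=$1; shift
    patches_not_touching "$range" "$@" | while read -r c; do
        if git diff-tree --no-commit-id --name-only -r "$c" \
           | grep -Eq '^(include|kernel|mm|lib)/'; then
            printf '%s\n' "$c"
        fi
    done
}
```

Source the file and call the functions with your own range and directories; each prints one commit hash per line for feeding into `git show` or `git cherry-pick`.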
Posted Nov 10, 2008 14:54 UTC (Mon) by PaXTeam (subscriber, #24616)
> One thing that's going on is that there are many different
> constituencies who think that the kernel developers ought to
> make /their/ lives easier by doing just a minute or two's extra work.
huh? are you sure you understood the discussion at all? since when is withholding information *less* work than simply passing along what they already have?
what security fix?
Posted Nov 10, 2008 18:00 UTC (Mon) by tialaramex (subscriber, #21167)
Well that rather depends on what it takes to "withhold" information.
I have a copy of the novel "A Fire Upon the Deep" here but those tired of this increasingly long thread will be glad to know that it was perfectly simple to "withhold" the contents of the novel from this message, I simply didn't choose to manually retype the entire thing into this little text box, saving myself hours of work.
On the other hand, this post will automatically identify me as the poster. To create another account in order to disguise my true identity would be a considerable amount of work just to withhold some information...
what security fix?
Posted Nov 10, 2008 19:24 UTC (Mon) by PaXTeam (subscriber, #24616)
are you suggesting that kernel developers send patches on paper and integrators retype them carefully avoiding the security impact related info? impressive assumption, to say the least. because if that's not how kernel development works then your example has nothing to do with this thread's topic. as a sidenote, if you have to retype something then you don't 'have' it. you would 'have' it if you could copy-paste or attach it. incidentally, that's much more like how patches flow in kernel development. so give this one another try ;).
what security fix?
Posted Nov 10, 2008 18:23 UTC (Mon) by iabervon (subscriber, #722)
Actually, I think it would be nice to have a version of the -stable patches which only updates a version number that's not in a file used by the build system. That way, you'd be able to apply the patch to your source tree and it would only rebuild anything if it affected code that you build.
Then everybody would want to apply the patch, since either it would provide a benefit (either stability or security) or it would not require any downtime to apply. For that matter, it would be nice to have a make target that wouldn't recopy modules that hadn't changed, and an lsmod flag to show modules which are different on disk from what's loaded.