|To:||Linus Torvalds <torvalds-AT-linux-foundation.org>, Andi Kleen <andi-AT-firstfloor.org>|
|Subject:||Re: [PATCH v5 9/9] x86-64: Add CONFIG_UNSAFE_VSYSCALLS to feature-removal-schedule|
|Date:||Mon, 06 Jun 2011 12:39:36 +0200|
|Cc:||Andy Lutomirski <luto-AT-mit.edu>, Ingo Molnar <mingo-AT-elte.hu>, x86-AT-kernel.org, Thomas Gleixner <tglx-AT-linutronix.de>, linux-kernel-AT-vger.kernel.org, Jesper Juhl <jj-AT-chaosbits.net>, Borislav Petkov <bp-AT-alien8.de>, Andrew Morton <akpm-AT-linux-foundation.org>, Arjan van de Ven <arjan-AT-infradead.org>, Jan Beulich <JBeulich-AT-novell.com>, richard -rw- weinberger <richard.weinberger-AT-gmail.com>, Mikael Pettersson <mikpe-AT-it.uu.se>, Andi Kleen <andi-AT-firstfloor.org>, Brian Gerst <brgerst-AT-gmail.com>, Louis Rilling <Louis.Rilling-AT-kerlabs.com>, Valdis.Kletnieks-AT-vt.edu|
On 6 Jun 2011 at 11:31, Andi Kleen wrote: > On Mon, Jun 06, 2011 at 05:46:41PM +0900, Linus Torvalds wrote: > > On Mon, Jun 6, 2011 at 2:50 AM, Andy Lutomirski <email@example.com> wrote: > > > CONFIG_UNSAFE_VSYSCALLS was added in the previous patch as a > > > temporary hack to avoid penalizing users who don't build glibc from > > > git. [didn't get your mail directly (yet?), so i'm replying here] > > I really hate that name. > > > > Do you have *any* reason to call this "unsafe"? any userland executable code at a universally (read: across any and all 2.6+ linux boxes) fixed address is not secure (no really, it's worse, it's simply insane design, there's a reason the vdso got randomized eventually), it's the prime vehicle used by both reliable userland and kernel exploits who need to execute syscalls and/or pop the stack until something useful is reached, etc. not to mention the generic snippets of both code and data (marketing word: ROP) that one may find in there. > > Seriously. The whole patch series just seems annoying. what is annoying is your covering up of security fixes on grounds that you don't want to help script kiddies (a bullshit argument as it were) but at the same time question proactive security measures (one can debate the implementation, see my other mail) that would *actually* prevent the same kiddies from writing textbook exploits. but hey, spouting security to journalists works so much better for marketing, doesn't it. > and assumes everyone is using glibc which is just wrong. the libc is irrelevant, they can all be fixed up to use the vdso entry points if they haven't been doing it already. already deployed systems will simply continue to use their flawed kernel and libc, they're not affected.
Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds