Re: [PATCH v2] kernel: escape non-ASCII and control characters inprintk()

From: Ingo Molnar
Date: Fri Jul 01 2011 - 08:12:23 EST

Next message: Ingo Molnar: "Re: [PATCH 1/2] mm: Move definition of MIN_MEMORY_BLOCK_SIZE to aheader"
Previous message: Lothar WaÃmann: "[PATCH] add missing intialisation of bgc->dir"
In reply to: Linus Torvalds: "Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk()"
Next in thread: Vasiliy Kulikov: "Re: [PATCH v2] kernel: escape non-ASCII and control characters inprintk()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Vasiliy Kulikov <segoon@xxxxxxxxxxxx> wrote:

> On Mon, Jun 27, 2011 at 00:01 +0200, Ingo Molnar wrote:
> > * Vasiliy Kulikov <segoon@xxxxxxxxxxxx> wrote:
> > > On Sun, Jun 26, 2011 at 21:46 +0200, Ingo Molnar wrote:
> > > > No, because the problems such a mistake causes are not equivalent: it
> > > > would have been far more harmful to not print out the *very real*
> > > > product names written in some non-US language than to accidentally
> > > > include some control character you did not think of.
> > >
> > > ???
> > >
> > > Not "not print", but print in "crypted" form. The information
> > > is still not lost, you can obviously restore it to the original
> > > form, with some effort, but possible. Compare it with the harm
> > > of log spoofing - it is not "restorable".
> >
> > The harm of 'potential' log spoofing affecting exactly zero known
> > users right now,
>
> ???
>
> A potential thing affects all users that *can be* affected by
> actual log spoofing. This is what the word "potential" means.

Yes, but there's a world of a difference between alleged harm and
actual demonstrated harm.

That is a not so fine distinction that is often missed in security
circles! :-)

So what i asked for before and what i ask for here is to protect
against real, specific harm. If we just 'protect' against things that
look dangerous it's easy to over-protect and cause colletaral damage.
(like the UTF-8 details the v1 patch missed)

> Analogy: if some privilege escalation bug is found in some very
> core code then all users iteracting with an untrusted security
> domains (local users, network, etc.) being able to exploit it would
> be affected. It is silly to say that nobody is affected because you
> just don't know any such cases of this bug exploitation in the
> past.

That analogy does not hold. If a security hole is obvious at first
sight then we'll indeed fix it without waiting for someone to be
exploited.

But here the actual 'harm' is a lot less clear and what i'm trying to
steer you towards is to be more fact-based and less belief-based. The
only 'harm' that got demonstrated so far was collateral damage caused
by the v1 patch ...

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH 1/2] mm: Move definition of MIN_MEMORY_BLOCK_SIZE to aheader"
Previous message: Lothar WaÃmann: "[PATCH] add missing intialisation of bgc->dir"
In reply to: Linus Torvalds: "Re: [PATCH v2] kernel: escape non-ASCII and control characters in printk()"
Next in thread: Vasiliy Kulikov: "Re: [PATCH v2] kernel: escape non-ASCII and control characters inprintk()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]