linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pavel Machek <pavel@ucw.cz>
To: Jiri Kosina <jkosina@suse.cz>
Cc: Richard Weinberger <richard@nod.at>,
	Kees Cook <keescook@chromium.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	David Rientjes <rientjes@google.com>,
	Aaron Tomlin <atomlin@redhat.com>,
	DaeSeok Youn <daeseok.youn@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	vdavydov@parallels.com, Rik van Riel <riel@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
	Andy Lutomirski <luto@amacapital.net>,
	Brad Spengler <spender@grsecurity.net>
Subject: Re: [PATCH] [RFC] Deter exploit bruteforcing
Date: Fri, 2 Jan 2015 23:54:20 +0100	[thread overview]
Message-ID: <20150102225420.GC29018@amd> (raw)
In-Reply-To: <alpine.LNX.2.00.1501022348070.16297@pobox.suse.cz>

On Fri 2015-01-02 23:49:52, Jiri Kosina wrote:
> On Fri, 2 Jan 2015, Pavel Machek wrote:
> 
> > > You also want to protect against binaries that are evil on purpose,
> > > right?
> > 
> > Umm. No. Not by default. We don't want to break crashme or trinity by
> > default.
> 
> I thought trinity is issuing syscalls directly (would make more sense than 
> going through glibc, wouldn't it?) ... haven't checked the source though.

Patch in this thread wanted to insert delays into kernel on SIGSEGV
processing. That's bad idea by default.

But changing glibc to do sleep(30); abort(); instead of abort(); to
slow down bruteforcing of canaries makes some kind of sense... and
should be ok by default.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

  parent reply	other threads:[~2015-01-02 22:54 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-24 21:39 [PATCH] [RFC] Deter exploit bruteforcing Richard Weinberger
2014-12-30 18:40 ` Kees Cook
2014-12-30 18:49   ` Andy Lutomirski
2014-12-30 18:50   ` Richard Weinberger
2015-01-02  5:11   ` Pavel Machek
2015-01-02 11:00     ` Richard Weinberger
2015-01-02 19:46       ` Pavel Machek
2015-01-02 21:40         ` Richard Weinberger
2015-01-02 22:29           ` Pavel Machek
2015-01-02 22:32             ` Jiri Kosina
2015-01-02 22:46               ` Pavel Machek
2015-01-02 22:49                 ` Jiri Kosina
2015-01-02 22:53                   ` Jiri Kosina
2015-01-02 22:54                   ` Pavel Machek [this message]
2015-01-02 23:00                     ` Richard Weinberger
2015-01-02 23:08                       ` Pavel Machek
2015-01-03  9:45                         ` Richard Weinberger
2015-01-03 22:36                           ` Pavel Machek
2015-01-03 22:44                             ` Richard Weinberger
2015-01-03 23:01                               ` Pavel Machek
2015-01-03 23:07                                 ` Richard Weinberger
2015-01-03 23:06                             ` Andy Lutomirski
2015-01-03 23:19                               ` Richard Weinberger
2015-01-05 22:56                                 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150102225420.GC29018@amd \
    --to=pavel@ucw.cz \
    --cc=akpm@linux-foundation.org \
    --cc=atomlin@redhat.com \
    --cc=daeseok.youn@gmail.com \
    --cc=jkosina@suse.cz \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=richard@nod.at \
    --cc=riel@redhat.com \
    --cc=rientjes@google.com \
    --cc=spender@grsecurity.net \
    --cc=tglx@linutronix.de \
    --cc=vdavydov@parallels.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).