From owner-freebsd-stable@FreeBSD.ORG Mon Apr 2 17:13:09 2012 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC4D110657A6 for ; Mon, 2 Apr 2012 17:13:09 +0000 (UTC) (envelope-from tevans.uk@googlemail.com) Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id 64F8D8FC15 for ; Mon, 2 Apr 2012 17:13:09 +0000 (UTC) Received: by vbmv11 with SMTP id v11so2664545vbm.13 for ; Mon, 02 Apr 2012 10:13:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=P17o1IJ6Q4vn/Fs0A/OlI5YBqDa+KVIlJ+Csu3HD43U=; b=nJvMDEr1Md5Unvv8kzXLH0DZ1xXYwjNi2zypUnhVCKXPXX5oQTE/BE10Rh+AduGL+M TkM6rOEbA8iU9pMCv1e4oxgLm0hKnuDQD2fX+dEg9Gis25ckQLu3QrKI0CCKTGGibKTt JAbbaTBoayM2zPiBLmKqGOeXZA7LVIGzUmrPHiBYGiEVvnUU6wLHw8+awkgF1xz4ZQx8 GHuD5OjqSktvSNfnxXLxIn1fNwkghwUxPPyLeR3rg7hM2xZmnoxa9lJ/d6ujC5SDjGj0 lxl7J3fngI6JgRgy9T/IpP8bu8P9y2Bj8Io0P0pMQa9xsV1M5E5O7ztESczQDNMeqEsq MVGQ== MIME-Version: 1.0 Received: by 10.52.95.198 with SMTP id dm6mr3510206vdb.91.1333386787868; Mon, 02 Apr 2012 10:13:07 -0700 (PDT) Received: by 10.52.181.129 with HTTP; Mon, 2 Apr 2012 10:13:07 -0700 (PDT) In-Reply-To: <4F79D88B.3040102@cs.stonybrook.edu> References: <4F75E404.8000104@cs.stonybrook.edu> <4F75EF86.6090909@cs.stonybrook.edu> <20120330190713.GG2358@deviant.kiev.zoral.com.ua> <4F760C9E.6060405@cs.stonybrook.edu> <20120330194649.GH2358@deviant.kiev.zoral.com.ua> <4F761371.7020606@cs.stonybrook.edu> <20120330203605.GI2358@deviant.kiev.zoral.com.ua> <4F76350F.8000708@cs.stonybrook.edu> <20120330224631.GJ2358@deviant.kiev.zoral.com.ua> <4F7637F3.2060502@cs.stonybrook.edu> <4F766F29.2030803@cs.stonybrook.edu> <4F79D88B.3040102@cs.stonybrook.edu> Date: Mon, 2 Apr 2012 18:13:07 +0100 Message-ID: From: Tom Evans To: Richard Yao Content-Type: text/plain; charset=UTF-8 Cc: freebsd-stable@freebsd.org Subject: Re: Text relocations in kernel modules X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Apr 2012 17:13:09 -0000 On Mon, Apr 2, 2012 at 5:49 PM, Richard Yao wrote: > On 04/02/12 05:56, Tom Evans wrote: >> On Sat, Mar 31, 2012 at 3:42 AM, Richard Yao wrote: >>>> There are no security implications, no system resources to be wasted. >>>> >>>> And if you think there are security implications, then lets see a >>>> proof-of-concept. >>> >>> If I find time to write a proof-of-concept, I promise to publish it >>> publicly. Your security team will find out when everyone else does. >> >> Richard, I'm not sure what you are trying to accomplish here. You have >> had a clear explanation of why certain things are done in a certain >> way in the FreeBSD codebase, and a confirmation that they do not think >> it causes any security issues in FreeBSD. >> >> Your response is to threaten to write an exploit against FreeBSD, and >> distribute it publicly before disclosing to security@. > > Some people believe that projects that do not take proper > countermeasures against security vulnerabilities do not deserve to have > special notification of issues. I happen to be one of them. This is a straw man argument - FreeBSD does take proper countermeasures against security vulnerabilities - and so your conclusion that you can blithely fully disclose vulnerabilities with no moral concerns is a logical fallacy. You have posited that this is a vulnerability to FreeBSD (based upon checks put in place for a Linux project) whilst many FreeBSD committers have said that you are mistaken, and it does not do so. If you disagree with them, then show them by example or argument that they are wrong. If you think they are wrong and that it is a vulnerability to FreeBSD, you should be discussing this off list in detail with the sec team - security-officer@FreeBSD.org Threatening to jeopardise FreeBSD's security by public disclosure, with no discussion with the FreeBSD security team is a puerile way of acting, and does neither you, your university nor Gentoo any favours. > I suggest that you look at things from my perspective. I asked a simple > question on your mailing list. I then received several private emails > from various FreeBSD developers insulting my intelligence for the act of > asking a question. Who is the "ass" here? > I can't comment as to what people said to you off-list, I'm not party to that. What you said on-list: > If I find time to write a proof-of-concept, I promise to publish it > publicly. Your security team will find out when everyone else does. that is "ass" territory. Cheers Tom