Re: [PATCH 1/9] Known exploit detection
From: Ryan Mallon
Date: Fri Dec 13 2013 - 17:47:24 EST
On 13/12/13 20:20, Vegard Nossum wrote:
> On 12/13/2013 12:50 AM, Ryan Mallon wrote:
>> On 13/12/13 08:13, Kees Cook wrote:
>>> On Thu, Dec 12, 2013 at 11:06 AM, Theodore Ts'o <tytso@xxxxxxx> wrote:
>>>> On Thu, Dec 12, 2013 at 05:52:24PM +0100, vegard.nossum@xxxxxxxxxx wrote:
>>>>> The idea is simple -- since different kernel versions are vulnerable to
>>>>> different root exploits, hackers most likely try multiple exploits before
>>>>> they actually succeed.
>>
>> The _exploit() notifications could also be used to spam the syslogs.
>> Although they are individually ratelimited, if there are enough
>> _exploit() markers in the kernel then an annoying person can cycle
>> through them all to generate large amounts of useless syslog.
>
> They are rate limited collectively, not individually, so this should not be an issue.
Yes, sorry, I misread the code.
I wonder if the exploit() function name should be changed though. Having:
exploit("CVE-xxxx");
In the code looks like some sort of injection/testing framework. Maybe:
warn_known_exploit("CVE-xxxx");
would be clearer?
~Ryan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/