Displaying 14 results from an estimated 14 matches for "jannh".
2023 Sep 19
4
[Bug 1706] New: Nft is slow when loading ruleset with lots of add element calls of different interval maps
...erent interval maps
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jannh at selfnet.de
Attached there is an "example.conf" file containing a simple set of very
repetitive rules with 4 interval maps and add element calls to fill these maps
with ~16000 entries.
On our Debian bookworm (nftables 1.0.6) and ArchLinux (1.0.8) hosts, the
resulting rules take very l...
2023 Oct 01
2
[Bug 1710] New: When called from nft -f, list counters outputs all zeros
...zeros
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jannh at selfnet.de
Created attachment 722
--> https://bugzilla.netfilter.org/attachment.cgi?id=722&action=edit
Example file
When adding a counter to a ruleset, the statement "nft list counters" (or "nft
reset counters") can be used to output the counter values. The list co...
2018 Jul 20
0
[PATCH 3/3] [RFC V3] KVM: X86: Adding skeleton for Memory ROE
On 20 July 2018 at 03:28, Jann Horn <jannh at google.com> wrote:
> On Fri, Jul 20, 2018 at 2:26 AM Ahmed Soliman
> <ahmedsoliman0x666 at gmail.com> wrote:
>>
>> On 20 July 2018 at 00:59, Jann Horn <jannh at google.com> wrote:
>> > On Thu, Jul 19, 2018 at 11:40 PM Ahmed Abd El Mawgood
>>
>>...
2017 May 04
3
Bug#861660: Xen package security updates for jessie 4.4, XSA-213, XSA-214
Moritz Muehlenhoff writes ("Re: Xen package security updates for jessie 4.4, XSA-213, XSA-214"):
> On Thu, May 04, 2017 at 05:06:07PM +0100, Ian Jackson wrote:
> > I have fixed these in stretch but the jessie package remains unfixed.
> > I think I may be able to find some backports somewhere. Would that be
> > useful ? Is anyone else working on this ?
>
>
2018 Jul 20
0
[PATCH 3/3] [RFC V3] KVM: X86: Adding skeleton for Memory ROE
On 20 July 2018 at 00:59, Jann Horn <jannh at google.com> wrote:
> On Thu, Jul 19, 2018 at 11:40 PM Ahmed Abd El Mawgood
> Why are you implementing this in the kernel, instead of doing it in
> host userspace?
I thought about implementing it completely in QEMU but it won't be
possible for a few reasons:
- After talking to QE...
2017 May 04
4
Xen package security updates for jessie 4.4, XSA-213, XSA-214
...the multicall
+sequence to be aborted, as hypercalls are permitted from kernel mode
+only. While likely not very useful in a multicall, also properly handle
+the return value in the HYPERVISOR_iret case (which should be the guest
+specified value).
+
+This is XSA-213.
+
+Reported-by: Jann Horn <jannh at google.com>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Acked-by: Julien Grall <julien.grall at arm.com>
+
+Backported to Xen 4.4 for Centos
+From: Kevin Stange <kevin at steadfast.net>
+
+Dropped ARM...
2018 Jul 19
8
Memory Read Only Enforcement: VMM assisted kernel rootkit mitigation for KVM
Hi,
This is my first set of patches that works as I would expect, and the
third revision I sent to mailing lists.
Following up with my previous discussions about kernel rootkit mitigation
via placing R/O protection on critical data structure, static data,
privileged registers with static content. These patches present the
first part where it is only possible to place these protections on
memory
2019 Mar 30
1
[PATCH 2/5] x86: Convert some slow-path static_cpu_has() callers to boot_cpu_has()
...etkov <bp at suse.de>
Cc: Aubrey Li <aubrey.li at intel.com>
Cc: Dave Hansen <dave.hansen at intel.com>
Cc: Dominik Brodowski <linux at dominikbrodowski.net>
Cc: "H. Peter Anvin" <hpa at zytor.com>
Cc: Ingo Molnar <mingo at redhat.com>
Cc: Jann Horn <jannh at google.com>
Cc: Joerg Roedel <jroedel at suse.de>
Cc: Juergen Gross <jgross at suse.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov at linux.intel.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
Cc: Thomas Lendacky <Thomas.Lendacky at amd.com>...
2020 Jul 03
0
[RFC]: mm,power: introduce MADV_WIPEONSUSPEND
On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
> On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > This patch adds logic to the kernel power code to zero out contents of
> > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > known
2020 Jul 03
0
[RFC]: mm,power: introduce MADV_WIPEONSUSPEND
On Sat, Jul 4, 2020 at 12:44 AM Pavel Machek <pavel at ucw.cz> wrote:
> > Cryptographic libraries carry pseudo random number generators to
> > quickly provide randomness when needed. If such a random pool gets
> > cloned, secrets may get revealed, as the same random number may get
> > used multiple times. For fork, this was fixed using the WIPEONFORK
> > madvise
2020 Jul 06
0
[RFC]: mm,power: introduce MADV_WIPEONSUSPEND
On Mon, Jul 6, 2020 at 2:27 PM Alexander Graf <graf at amazon.com> wrote:
> Unless we create a vsyscall that returns both the PID as well as the
> epoch and thus handles fork *and* suspend. I need to think about this a
> bit more :).
You can't reliably detect forking by checking the PID if it is
possible for multiple forks to be chained before the reuse check runs:
- pid 1000
2020 Jul 03
0
[RFC]: mm,power: introduce MADV_WIPEONSUSPEND
On Fri, Jul 3, 2020 at 12:34 PM Catangiu, Adrian Costin
<acatan at amazon.com> wrote:
> Cryptographic libraries carry pseudo random number generators to
> quickly provide randomness when needed. If such a random pool gets
> cloned, secrets may get revealed, as the same random number may get
> used multiple times. For fork, this was fixed using the WIPEONFORK
> madvise flag
2020 Jan 07
0
locking warnings in drm/virtio code
Hi!
My development VM (KVM guest, virtio graphics) is throwing warnings
when I start up X while running a build from Linus' tree with lockdep
turned on. I tried to bisect it, and it looks like at least the
"suspicious RCU usage" one started triggering in commit
889165ad6190556ffe4a8fa6b0e486f1c25589d8 ("drm/virtio: pass gem
reservation object to ttm init").
Slightly