Displaying 20 results from an estimated 10000 matches similar to: "[PATCH v1 2/6] virtio console: Harden port adding"
2024 Mar 14
0
CentOS Virt SIG and packages' priority problems?
Hello,
some days ago I followed these instructions
https://sigs.centos.org/virt/tdx/host/
and after enabling the repo I installed the tdx necessary bits as
indicated, with the command
dnf install kernel-tdx qemu-kvm-tdx libvirt-tdx
This gave me:
libvirt 9.5.0-1.el9s
qemu-kvm 8.0.0-15.el9s
kernel 5.14.0-395.el9s
But now if I run a usual "dnf update" I'm proposed
2024 Aug 13
1
[PATCH] harden parent-child check in sshbuf.c
This simple additional check hardens sshbuf against linking an
sshbuf into itself as parent/child pair, which could lead to ref
counting issues.
Purely defensive measure. I am not aware that this could happen
somewhere in the code by now.
Okay?
Index: sshbuf.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshbuf.c,v
diff -u -p -u -p -r1.19
2020 Feb 11
0
[PATCH 39/62] x86/sev-es: Harden runtime #VC handler for exceptions from user-space
From: Joerg Roedel <jroedel at suse.de>
Send SIGBUS to the user-space process that caused the #VC exception
instead of killing the machine. Also ratelimit the error messages so
that user-space can't flood the kernel log.
Signed-off-by: Joerg Roedel <jroedel at suse.de>
---
arch/x86/kernel/sev-es.c | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9
2020 Feb 11
1
[PATCH 39/62] x86/sev-es: Harden runtime #VC handler for exceptions from user-space
On Tue, Feb 11, 2020 at 5:53 AM Joerg Roedel <joro at 8bytes.org> wrote:
>
> From: Joerg Roedel <jroedel at suse.de>
>
> Send SIGBUS to the user-space process that caused the #VC exception
> instead of killing the machine. Also ratelimit the error messages so
> that user-space can't flood the kernel log.
What would cause this? CPUID? Something else?
--Andy
2024 Jun 03
0
Harden NUT work with strings where dynamic formatting strings are used
Hello all,
During discussion for development of a new driver, an old thought came to
my attention that we have a potentially insecure approach with some parts
of the codebase working with string and "var arg list" manipulation, which
use dynamic `char *` variables instead of fixed strings (or macros that
expand to those).
There are typically good reasons in code to do so, such as
2012 May 24
0
[PATCH RFC 2/9] console: prepare for non-COMn port support
Widen SERHND_IDX (and use it where needed), introduce a flush low level
driver method, and remove unnecessary peeking of the common code at the
(driver specific) serial port identification string in the "console="
command line option value.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/smpboot.c
+++ b/xen/arch/x86/smpboot.c
@@ -1017,7 +1017,7 @@ void __init
2014 Apr 25
2
separating logs by port
Hi,
I wanted to ask if there's an easy way to log the port in dovecot.
The background is that, as everyone's probably aware, pop3/imap usually
listen on two ports (110/995 for pop3, 143/993 for imap). One port is
the "classic" port that allows unencrypted and STARTTLS connections,
the other is the legacy SSL port that allows TLS only connections.
The legacy SSL ports are
2016 May 31
0
[RFC] Using segmentation to harden SafeStack
Hi,
SafeStack currently relies on address randomization to protect the safe stack. If the location of a safe stack is somehow revealed and a corrupted pointer references it, then a safe stack can be corrupted. The creators of SafeStack envisioned the possibility of using X86 segmentation to further harden SafeStack against such corruption (see the comment near the top of
2023 Jul 13
1
[CfP] Confidential Computing Microconference @ LPC 2023
Hi,
We are pleased to announce the call for presentations for this year's
Confidential Computing MC at the Linux Plumbers Conference.
In this microconference we want to discuss ongoing developments around
Linux support for memory encryption and support for confidential
computing in general.
Topics of interest include:
* Support for unaccepted memory
* Attestation workflows
* Confidential
2017 Feb 18
2
[RFC] Using Intel MPX to harden SafeStack
On 2/7/2017 20:02, Kostya Serebryany wrote:
> ...
>
> My understanding is that BNDCU is the cheapest possible instruction,
> just like XOR or ADD,
> so the overhead should be relatively small.
> Still my guesstimate would be >= 5% since stores are very numerous.
> And such overhead will be on top of whatever overhead SafeStack has.
> Do you have any measurements to
2017 Dec 31
3
Legacy option for key length?
On 31/12/17 13:52, Peter Moody wrote:
>> By making it impossible for people to use SSH
> nb, it's not impossible to use openssh. it might not be possible to use
> a *modern* openssh client to connect to an old, unpatched unmaintained
> (by the vendor) sshd. i'd argue that's not the client's fault.
Of course it's the client's fault. The client worked, was
2019 Sep 16
2
Spectre V1 Mitigation - Internals?
Hi all,
I understand how the speculative information flow attack works. I'm trying
to get my head around the spectre v1 mitigation of LLVM.
In the design document here :
https://llvm.org/docs/SpeculativeLoadHardening.html#speculative-load-hardening.
Example:
void leak(int data);
void example(int* pointer1,
2019 Aug 30
2
RFC: Adding GCC C Torture Suite to External Test Suites
On Fri, 30 Aug 2019 at 17:34, Finkel, Hal J. via llvm-dev
<llvm-dev at lists.llvm.org> wrote:
>
>
> On 8/30/19 10:18 AM, Sam Elliott via llvm-dev wrote:
> > TL;DR: I am proposing to add the GCC C Torture suite [1], as an additional external source of tests for the “nightly” test suite. If you are willing to review the patch, it is here: https://reviews.llvm.org/D66887
>
2006 Mar 25
2
Copying SIP Subscriptions
I'm pretty sure I already know the answer to this, but...
Is there a way to copy/transfer/replicate sip subscriptions from one asterisk system to another, for the purposes of HA? You couldn't even write a script to do it I don't think. You can do an 'asterisk -rx sip show subscriptions' but there'd be no way to repopulate it on a second system. Yes/No?
Doug.
2017 Feb 08
4
[RFC] Using Intel MPX to harden SafeStack
Hi,
I previously posted about using 32-bit X86 segmentation to harden SafeStack: http://lists.llvm.org/pipermail/llvm-dev/2016-May/100346.html That involves lowering the limits of the DS and ES segments that are used for ordinary data accesses while leaving the limit for SS, the stack segment, set to its maximum value. The safe stacks were clustered above the limits of DS and ES. Thus, by
2006 Jan 16
1
making wakeup feature call phone number, not extension?
How would one go about setting up the wakeup feature of Asterisk to NOT
call an extension, but to call a phone number?
My setup works great for wakeup on local extensions, but I'd like to set
it up to call external phone numbers automatically and play a specific
sound file (to remind people of upcoming hair stylist appointments).
I suppose either there'd have to be a web interface to
2018 Aug 03
1
Why the new centos-release update?
Just curious about this after seeing the following output of a typical
"yum upgrade":
Resolving Dependencies
--> Running transaction check
---> Package centos-release.x86_64 0:7-5.1804.el7.centos.2 will be updated
---> Package centos-release.x86_64 0:7-5.1804.1.el7.centos will be an update
...etc...
After downloading the 2 centos-release RPMs, the content appears
identical.
2019 Apr 24
1
Renaming a domain computer
Well, this is interesting (to me, at least).
I joined a W10 machine to the domain (4.8/4.9.4 mix, I'm working on it),
then renamed it via "WMIC /node:<computer> computersystem where
name="<computer>" call rename name="<newname>".
Doing so changed the displayName, sAMAccountName, dNSHostName, and assorted
servicePrincipalNames, but did not change the
2004 Jun 25
1
ties in runif() output
I get ties in output from runif() when I generate as few as 10^5
variates and get quite a lot when I generate 10^6. Is this
expected? I haven't seen any duplication with rnorm(10^6), but
see varying amounts of duplication using rexp(), rbeta() and
rgamma(). I would have thought that there'd be enough precision
that one wouldn't get ties until generating samples larger than this..