Brainy: User-Triggerable Kernel Memory Leak in execve()

Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Christian Schulte
On 08/09/15 at 23:38, Theo de Raadt wrote:
>> Awful lot of noise wherein people tell someone else what they should
>> need to do with their time and their code.

Sorry. It wasn't meant that way. I was just trying to be helpful to
someone saying "I don't have time for that" and "this effort is too much
for my spare time". Not a developer. Ok. No more noise from me. Thank
you everyone for providing this OS the way you do.


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Alexey Suslikov
In reply to this post by Theo de Raadt
Theo de Raadt <deraadt <at> cvs.openbsd.org> writes:

> I would like to point out the noise is coming from *users* -- not from
> actual developers in the project.

http://www.imdb.com/title/tt1278449/

you'll get the idea.


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

sam
In reply to this post by Maxime Villard-2
I'm sorry, I misread you. I wasn't trying to make fun of you or
disregard your work.

Thanks for reporting this (among other bugs).

I am also of the opinion that if somebody/a method can discover bugs,
they should report them. And if they can't, that method should be
disclosed to allow others to continue their work.

On Fri, 7 Aug 2015 21:55:21 +0200
Maxime Villard <[hidden email]> wrote:

> Well, I guess I'll have to admit that I find your attitude extremely
> disrespectful. But I don't tend to feel particularly offended by this
> kind of thing, so it probably does not matter.
>
>
> On 21/07/2015 12:31, sam wrote:
> > On Tue, 21 Jul 2015 11:31:44 +0200
> > Maxime Villard <[hidden email]> wrote:
> >
> >> Found by The Brainy Code Scanner.
> >>
> >> It is not the last bug Brainy has found, but it is the last one I
> >> report. I don't have time for that.
> >>
> >
> > How about you release the Brainy Code Scanner then?
> >
> > "I have so many bugs; in fact, there are so many, I don't even have
> > the time to report them! My scanner is so good!"
> >
> > Or perhaps you should report 'just' the relatively important ones?
> >
>
> I think my work does (or used to) benefit a lot of users,
> developers and vendors here; a lot of people, including you.
>
> Nobody supports my work, and I've never asked for anything here about
> that. Even though I almost never receive a simple "thank you" for all
> the bugs and vulnerabilities I've so far reported, I still expect a
> "spiritual thank you" for my work.
>
> But I certainly do not expect that kind of emails you just sent,
> somehow trying to either make fun of me or disregard what I'm willing
> to spend my spare time on for you.
>
> Developing, improving and maintaining Brainy takes time and energy, as
> well as investigating and packaging the bugs and vulnerabilities it
> finds. I've so far sent some reports here just because I'm "friendly"
> enough, and because modifying a few things for Brainy to properly
> understand the OpenBSD code does not require a Herculean work.
>
> Now, I believe that this effort is too much for my spare time. If you
> want to say "thanks" to me for reporting this vulnerability, dear Sam,
> it's never too late.
>
> Maxime
>

sam

Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

sam
In reply to this post by shun.obsd.tech
On Fri, 7 Aug 2015 22:49:50 +0200
[hidden email] wrote:

> Hi Maxime,
> Hi Sam,
>
> I have been following this thread (and others) for some time.
>
> On Fri, Aug 07, 2015 at 09:55:21PM +0200, Maxime Villard wrote:
> > Well, I guess I'll have to admit that I find your attitude extremely
> > disrespectful.
> I have to agree that the emails are rather short and tend to lack the
> subtle cues of human face-to-face interaction. They can easily get
> out of hand.
>
I'd like to agree with the sentiment here and in the rest of the mail.
The lack of body language and tone can result in misunderstandings. I
wasn't trying to be disrespectful.

It's very easy to pile on a person's comment on the internet.

It feels wasteful to develop a seemingly comprehensive and modular code
scanner which will inherently find heaps of bugs, and then not release
it or allow others to work with it.

I am of course grateful that Maxime and others report bugs, but it
feels unusual to me that it's acceptable for somebody to consistently
be able to find them with a tool, and yet nobody thinks it'd be a good
idea to have that tool shared if Maxime is willing.

As many here have acknowledged, Maxime's reports are a contribution. So
why not seek to have those contributions continue? _That_ was my point,
though it was poorly conveyed, falsely appearing to be sarcasm.

>
> > On 21/07/2015 12:31, sam wrote:
> > >On Tue, 21 Jul 2015 11:31:44 +0200
> > >Maxime Villard <[hidden email]> wrote:
> > >
> > >>Found by The Brainy Code Scanner.
> > >>
> > >>It is not the last bug Brainy has found, but it is the last one I
> > >>report. I don't have time for that.
> > >>
> > >
> > >How about you release the Brainy Code Scanner then?
> Maxime, I have to agree with Sam here. I did check your website, but
> have not found any code there. It would be of great help if you would
> release it.
>
> > >"I have so many bugs; in fact, there are so many, I don't even
> > >have the time to report them! My scanner is so good!"
> > >
> > >Or perhaps you should report 'just' the relatively important ones?
> >
> > I think my work does (or used to) benefit a lot of users,
> > developers and vendors here; a lot of people, including you.
> Sam, I think Maxime has done good work so far. There is no reason to
> mock the work or the person. I thought the motto is "Shut Up and
> Hack!" and not "Ridicule and Hack!".
>
> > Nobody supports my work, and I've never asked for anything here
> > about that. Even though I almost never receive a simple "thank you"
> > for all the bugs and vulnerabilities I've so far reported, I still
> > expect a "spiritual thank you" for my work.
> Yes, this is a common problem. Hence: Thank you Maxime! Thank you for
> all the bugs you (and Brainy) have found so far.
>
>
> > Developing, improving and maintaining Brainy takes time and energy,
> > as well as investigating and packaging the bugs and vulnerabilities
> > it finds.
> You could share that burden. I am willing to give it a shot.
>
> shun
>

regards,
sam


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Stuart Henderson-6
In reply to this post by sam
On 2015/08/10 11:54, sam wrote:
> I am also of the opinion that if somebody/a method can discover bugs,
> they should report them. And if they can't, that method should be
> disclosed to allow others to continue their work.

So you think others "should" do work for you, right? Whether that work is in
discovering and reporting bugs, or in preparing their code for release so you
can use it (maybe tidying, writing docs, fielding bug reports, etc.etc.etc.)....?

Like other developers who replied to this thread, I'm grateful to Maxime for
the reports in the past (also I totally understand wanting to stop spending
time on this!).


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Theo de Raadt
In reply to this post by sam
> I am also of the opinion that if somebody/a method can discover bugs,
> they should report them. And if they can't, that method should be
> disclosed to allow others to continue their work.

And my opinion is that Sam should back his opinions with lots of
money.


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Theo de Raadt
In reply to this post by sam
> It feels wasteful to develop a seemingly comprehensive and modular code
> scanner which will inherently find heaps of bugs, and then not release
> it or allow others to work with it.

Sam, since you think throwing opinions out there is valuable

Let me give me yours.

I think you should talk privately to Maxime and find out how much money
he wants from you, to release his tool.

Maxime, I suggest you take Sam for all he is worth.

That's my opinion in this situation.  I came to this opinion because
Sam feels so incredibly entitled.


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Артур Истомин
In reply to this post by Theo de Raadt
On Sun, Aug 09, 2015 at 03:38:25PM -0600, Theo de Raadt wrote:

> > Awful lot of noise wherein people tell someone else what they should
> > need to do with their time and their code.
> >
> >
> > To the best of my knowledge, we've cited and/or thanked Maxime in the
> > commits fixing the issues he's found, and we're glad to continue to
> > receive his reports, whether or not they include patches.  My
> > apologies if we've failed to do so.
>
> Thanks for saying that Philip.
>
> I would like to point out the noise is coming from *users* -- not from
> actual developers in the project.

.so let's get rid of the users!

I don't understand the purpose of your observations.


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Артур Истомин
In reply to this post by Stuart Henderson-6
On Mon, Aug 10, 2015 at 12:23:44PM +0100, Stuart Henderson wrote:
> On 2015/08/10 11:54, sam wrote:
> > I am also of the opinion that if somebody/a method can discover bugs,
> > they should report them. And if they can't, that method should be
> > disclosed to allow others to continue their work.
>
> So you think others "should" do work for you, right? Whether that work is in
> discovering and reporting bugs, or in preparing their code for release so you
> can use it (maybe tidying, writing docs, fielding bug reports, etc.etc.etc.)....?

This is how the capitalist system has always worked. Exploiting the weakness, folly
or fanaticism. OpenBSD is the OS created mostly by a group of people with a strong
belief that capitalism and/or democracy is the right thing for society. What is surprising?


Re: Brainy: User-Triggerable Kernel Memory Leak in execve()

Stuart Henderson-6
On 2015/08/12 17:10, Артур Истомин wrote:

> On Mon, Aug 10, 2015 at 12:23:44PM +0100, Stuart Henderson wrote:
> > On 2015/08/10 11:54, sam wrote:
> > > I am also of the opinion that if somebody/a method can discover bugs,
> > > they should report them. And if they can't, that method should be
> > > disclosed to allow others to continue their work.
> >
> > So you think others "should" do work for you, right? Whether that work is in
> > discovering and reporting bugs, or in preparing their code for release so you
> > can use it (maybe tidying, writing docs, fielding bug reports, etc.etc.etc.)....?
>
> This is how the capitalist system has always worked. Exploiting the weakness, folly
> or fanaticism. OpenBSD is the OS created mostly by a group of people with a strong
> belief that capitalism and/or democracy is the right thing for society. What is surprising?

Gift economy doesn't seem like capitalism to me.

Anyway this is off-topic for tech@.  Please redirect any replies to
misc, or /dev/null.