[PATCH] UBUNTU: config: enable DEBUG_CREDENTIALS
Tim Gardner
tim.gardner at canonical.com
Thu Jul 26 12:34:31 UTC 2012

On 07/20/2012 02:57 PM, Kees Cook wrote:
> This adds a few bytes of overhead to each credential and adds a tiny
> amount of CPU overhead when changing credentials. It can catch some
> types of credential manipulation attacks, so turn it on.
>
> Signed-off-by: Kees Cook <kees at ubuntu.com>
> ---

Kees - I'm curious how a credential attack might be attempted? If a
successful credential attack is possible, then this option provides an
excellent DOS since AFAICT every credential check failure ultimately
ends up in a BUG() statement. I think DEBUG_CREDENTIALS was designed as
a coding aid to detect reference counting and RCU mistakes, not as a
protection method against attacks.
rtg
--
Tim Gardner tim.gardner at canonical.com