* 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
@ 2019-06-03 23:02 Zubin Mithra
2019-06-04 7:53 ` Greg KH
2019-06-06 18:58 ` Ben Hutchings
0 siblings, 2 replies; 7+ messages in thread
From: Zubin Mithra @ 2019-06-03 23:02 UTC (permalink / raw)
To: stable
Cc: gregkh, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji, kaber
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
* 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
* Chrome OS tryjobs
Thanks,
- Zubin
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra
@ 2019-06-04 7:53 ` Greg KH
2019-06-06 18:58 ` Ben Hutchings
1 sibling, 0 replies; 7+ messages in thread
From: Greg KH @ 2019-06-04 7:53 UTC (permalink / raw)
To: Zubin Mithra
Cc: stable, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji, kaber
On Mon, Jun 03, 2019 at 04:02:40PM -0700, Zubin Mithra wrote:
> Hello,
>
> CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
>
> Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Same comments here as on the ipv6 bug.
Should I just go create CVEs for every single stable kernel patches?
Actually, it's been often suggested that I should, just to drive the
point home...
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra
2019-06-04 7:53 ` Greg KH
@ 2019-06-06 18:58 ` Ben Hutchings
2019-06-07 1:59 ` Gen Zhang
2019-06-07 2:41 ` Gen Zhang
1 sibling, 2 replies; 7+ messages in thread
From: Ben Hutchings @ 2019-06-06 18:58 UTC (permalink / raw)
To: Zubin Mithra, stable
Cc: gregkh, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji, kaber
[-- Attachment #1: Type: text/plain, Size: 741 bytes --]
On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> Hello,
>
> CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
>
> Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
>
> Tests run:
> * Chrome OS tryjobs
This doesn't fix a security vulnerability. There already was a check
for allocation failure before dereferencing the returned pointer; it
just wasn't in the most obvious place.
I've requested rejection of this CVE, and several other invalid reports
from the same person.
Ben.
--
Ben Hutchings
Experience is what causes a person to make new mistakes
instead of old ones.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-06 18:58 ` Ben Hutchings
@ 2019-06-07 1:59 ` Gen Zhang
2019-06-07 2:41 ` Gen Zhang
1 sibling, 0 replies; 7+ messages in thread
From: Gen Zhang @ 2019-06-07 1:59 UTC (permalink / raw)
To: Ben Hutchings
Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris,
yoshfuji, kaber
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > Hello,
> >
> > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> >
> > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
> >
> > Tests run:
> > * Chrome OS tryjobs
>
> This doesn't fix a security vulnerability. There already was a check
> for allocation failure before dereferencing the returned pointer; it
> just wasn't in the most obvious place.
I've discussing this with others these days. You mean the check
if (!new_ra)? I don't think this check is for allocation failure.
Because 'new_ra' is NULL when 'on' is zero. The check should be
if (on && !new_ra) if it is for memory allocation failure.
>
> I've requested rejection of this CVE, and several other invalid reports
> from the same person.
I think I should be in the CC list. Should I?
Thanks
Gen
>
> Ben.
>
> --
> Ben Hutchings
> Experience is what causes a person to make new mistakes
> instead of old ones.
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-06 18:58 ` Ben Hutchings
2019-06-07 1:59 ` Gen Zhang
@ 2019-06-07 2:41 ` Gen Zhang
2019-06-07 13:02 ` Ben Hutchings
1 sibling, 1 reply; 7+ messages in thread
From: Gen Zhang @ 2019-06-07 2:41 UTC (permalink / raw)
To: Ben Hutchings
Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris,
yoshfuji, kaber
On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > Hello,
> >
> > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> >
> > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
> >
> > Tests run:
> > * Chrome OS tryjobs
>
> This doesn't fix a security vulnerability. There already was a check
> for allocation failure before dereferencing the returned pointer; it
> just wasn't in the most obvious place.
>
> I've requested rejection of this CVE, and several other invalid reports
> from the same person.
And where did this 'invalid' come from? Did any maintainers claimed the
patch 'invalid' or something? I am confused...
Thanks
Gen
>
> Ben.
>
> --
> Ben Hutchings
> Experience is what causes a person to make new mistakes
> instead of old ones.
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-07 2:41 ` Gen Zhang
@ 2019-06-07 13:02 ` Ben Hutchings
2019-06-08 15:49 ` Gen Zhang
0 siblings, 1 reply; 7+ messages in thread
From: Ben Hutchings @ 2019-06-07 13:02 UTC (permalink / raw)
To: Gen Zhang
Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris,
yoshfuji, kaber
[-- Attachment #1: Type: text/plain, Size: 1343 bytes --]
On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
> On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > > Hello,
> > >
> > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> > >
> > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
> > >
> > > Tests run:
> > > * Chrome OS tryjobs
> >
> > This doesn't fix a security vulnerability. There already was a check
> > for allocation failure before dereferencing the returned pointer; it
> > just wasn't in the most obvious place.
> >
> > I've requested rejection of this CVE, and several other invalid reports
> > from the same person.
> And where did this 'invalid' come from? Did any maintainers claimed the
> patch 'invalid' or something? I am confused...
I'm not saying the patch is invalid. It makes the code clearer and
seems to result in returning a more appropriate error code. So I don't
disagree with the patch, only the claim that it's fixing a security
issue.
My requests to reject the CVE assignments were made using MITRE's web
form.
Ben.
--
Ben Hutchings
Life would be so much easier if we could look at the source code.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
2019-06-07 13:02 ` Ben Hutchings
@ 2019-06-08 15:49 ` Gen Zhang
0 siblings, 0 replies; 7+ messages in thread
From: Gen Zhang @ 2019-06-08 15:49 UTC (permalink / raw)
To: Ben Hutchings
Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris,
yoshfuji, kaber
On Fri, Jun 07, 2019 at 02:02:09PM +0100, Ben Hutchings wrote:
> On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote:
> > On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote:
> > > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote:
> > > > Hello,
> > > >
> > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
> > > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
> > > >
> > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
> > > >
> > > > Tests run:
> > > > * Chrome OS tryjobs
> > >
> > > This doesn't fix a security vulnerability. There already was a check
> > > for allocation failure before dereferencing the returned pointer; it
> > > just wasn't in the most obvious place.
> > >
> > > I've requested rejection of this CVE, and several other invalid reports
> > > from the same person.
> > And where did this 'invalid' come from? Did any maintainers claimed the
> > patch 'invalid' or something? I am confused...
>
> I'm not saying the patch is invalid. It makes the code clearer and
> seems to result in returning a more appropriate error code. So I don't
> disagree with the patch, only the claim that it's fixing a security
> issue.
>
> My requests to reject the CVE assignments were made using MITRE's web
> form.
Well, I see. Thanks for your comments.
Thanks
Gen
>
> Ben.
>
> --
> Ben Hutchings
> Life would be so much easier if we could look at the source code.
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-06-08 15:49 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra
2019-06-04 7:53 ` Greg KH
2019-06-06 18:58 ` Ben Hutchings
2019-06-07 1:59 ` Gen Zhang
2019-06-07 2:41 ` Gen Zhang
2019-06-07 13:02 ` Ben Hutchings
2019-06-08 15:49 ` Gen Zhang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.