From: Dave Chinner <david@fromorbit.com>
To: bugzilla-daemon@kernel.org
Cc: linux-xfs@vger.kernel.org
Subject: Re: [Bug 215927] kernel deadlock when mounting the image
Date: Thu, 5 May 2022 18:51:04 +1000 [thread overview]
Message-ID: <20220505085104.GH1098723@dread.disaster.area> (raw)
In-Reply-To: <bug-215927-201763-qVJPAGrN3y@https.bugzilla.kernel.org/>
On Thu, May 05, 2022 at 05:46:45AM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=215927
>
> --- Comment #3 from Artem S. Tashkinov (aros@gmx.com) ---
> XFS maintainers? This looks like a serious issue.
A fix has already been written and pushed into the upstream tree.
It's not a real world problem - exposing this issue requires
significant malicious tampering with multiple filesystem structures.
We can't (and have never tried to) defend against such a threat
model - our verification mechanisms are intended to defend against
known storage corruption vectors and software bugs, not malicious
actors.
If anyone wants credit for discovering fuzzer induced bugs like
this, then they need to be responsible in how they report them and
perform some initial triage work to determine the scope of the issue
they have discovered before they report it. Making potentially
malicious reproducer scripts public without any warning does not win
any friends or gain influence.
We're tired of having to immediately jump to investigate issues
found by format verification attack tools that have been dumped in
public with zero analysis, zero warning and, apparently, no clue
of how serious the problem discovered might be.
The right process for reporting issues found by format verification
attacks is called "responsible disclosure". This is the process that
reporting any issue that has potential system security impacts
should use.
-Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2022-05-05 8:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-01 5:51 [Bug 215927] New: kernel deadlock when mounting the image bugzilla-daemon
2022-05-01 7:09 ` [Bug 215927] " bugzilla-daemon
2022-05-01 7:11 ` bugzilla-daemon
2022-05-05 5:46 ` bugzilla-daemon
2022-05-05 6:21 ` Darrick J. Wong
2022-05-05 8:51 ` Dave Chinner [this message]
2022-05-05 6:21 ` bugzilla-daemon
2022-05-05 8:51 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220505085104.GH1098723@dread.disaster.area \
--to=david@fromorbit.com \
--cc=bugzilla-daemon@kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.