Date: Tue, 7 Mar 2023 14:32:48 +0300
From: Dan Carpenter
To: Hillf Danton
Cc: Masami Ichikawa, cip-dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, lwn@lwn.net, smatch@kernel.org
Subject: Re: Who is looking at CVEs to prevent them?
Message-ID: <4f8e6d29-a60a-47e2-bd7b-8c66bb9ee0dc@kili.mountain>
In-Reply-To: <20230307110029.1947-1-hdanton@sina.com>
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/10946

On Tue, Mar 07, 2023 at 07:00:29PM +0800, Hillf Danton wrote:
> On 7 Mar 2023 12:51:14 +0300 Dan Carpenter
> > On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> > > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
> > > ksmbd_decode_ntlmssp_auth_blob
> > >
> > > 5.15, 6.0, and 6.1 were fixed.
> > >
> > > Fixed status
> > > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
> > > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
> > > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
> > > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
> >
> > Sorry, I have kind of hijacked the cip-dev email list... I use these
> > lists to figure out where we are failing.
> >
> > I created a static checker warning for this bug. I also wrote a blog
> > stepping through the process:
> > https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
> >
> > If anyone wants to review the warnings, just email me and I can send
> > them to you. I Cc'd LWN because I was going to post the warnings but I
> > chickened out because that didn't feel like responsible disclosure. The
>
> Given the syzbot reports only in the past three years for instance, the
> chickenout sounds a bit over reaction.

Yeah. Really just posting the code and the results seems like the best
way forward to me too. That's how syzbot does it and it's the only
realistic way forward. The good thing is that static checker warnings
are much easier to analyse than syzbot warnings.

>
> > instructions for how to find these yourself are kind of right there in
> > the blog so it's not too hard to generate these results yourself... I
> > don't really have enough time to review static checker warnings anymore
> > but I don't know who wants to do that job now.
>
> If no more than three warnings you will post a week after filtering, feel
> free to add me to your Cc list, better with the leading [triage smatch
> warning] on the subject line the same way as the syzbot report.

I've sent you the complete list just so you can see what there is. I
want to get out of the filtering business as much as possible. I want
more people involved at all stages really. Writing checks. Reviewing
warnings.

regards,
dan carpenter