From: Vlastimil Babka <vbabka@suse.cz>
To: Hillf Danton <hdanton@sina.com>, Dan Carpenter <error27@gmail.com>
Cc: Masami Ichikawa <masami.ichikawa@miraclelinux.com>,
cip-dev <cip-dev@lists.cip-project.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org, lwn@lwn.net,
smatch@kernel.org
Subject: Re: Who is looking at CVEs to prevent them?
Date: Tue, 7 Mar 2023 12:42:03 +0100 [thread overview]
Message-ID: <b27c7950-873a-f0e9-d7b4-322bb941a11f@suse.cz> (raw)
In-Reply-To: <20230307110029.1947-1-hdanton@sina.com>
On 3/7/23 12:00, Hillf Danton wrote:
> On 7 Mar 2023 12:51:14 +0300 Dan Carpenter <error27@gmail.com>
>> On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
>> > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
>> > ksmbd_decode_ntlmssp_auth_blob
>> >
>> > 5.15, 6.0, and 6.1 were fixed.
>> >
>> > Fixed status
>> > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
>> > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
>> > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
>> > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
>>
>> Sorry, I have kind of hijacked the cip-dev email list... I use these
>> lists to figure out where we are failing.
>>
>> I created a static checker warning for this bug. I also wrote a blog
>> stepping through the process:
>> https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
>>
>> If anyone wants to review the warnings, just email me and I can send
>> them to you. I Cc'd LWN because I was going to post the warnings but I
>> chickened out because that didn't feel like responsible disclosure. The
>
> Given the syzbot reports only in the past three years for instance, the
> chickenout sounds a bit over reaction.
>
>> instructions for how to find these yourself are kind of right there in
>> the blog so it's not too hard to generate these results yourself... I
>> don't really have enough time to review static checker warnings anymore
>> but I don't know who wants to do that job now.
>
> If no more than three warnings you will post a week after filtering, feel
> free to add me to your Cc list, better with the leading [triage smatch
> warning] on the subject line the same way as the syzbot report.
>
> Thanks
> Hillf
Why do you keep adding linux-mm to the Cc list of random threads that are
not about MM?
next prev parent reply other threads:[~2023-03-07 12:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-19 0:14 New CVE entries this week Masami Ichikawa
2023-03-03 14:08 ` Dan Carpenter
2023-03-07 9:51 ` Who is looking at CVEs to prevent them? Dan Carpenter
[not found] ` <20230307110029.1947-1-hdanton@sina.com>
2023-03-07 11:32 ` Dan Carpenter
2023-03-07 11:42 ` Vlastimil Babka [this message]
2023-03-07 11:53 ` Dan Carpenter
2023-03-08 7:52 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b27c7950-873a-f0e9-d7b4-322bb941a11f@suse.cz \
--to=vbabka@suse.cz \
--cc=cip-dev@lists.cip-project.org \
--cc=error27@gmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lwn@lwn.net \
--cc=masami.ichikawa@miraclelinux.com \
--cc=smatch@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).