From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from bombadil.infradead.org ([198.137.202.133]:56310 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751878AbeDSCoA (ORCPT ); Wed, 18 Apr 2018 22:44:00 -0400
Date: Wed, 18 Apr 2018 19:43:58 -0700
From: Matthew Wilcox
To: Eric Biggers
Cc: Sergej Schumilo , linux-fsdevel@vger.kernel.org, gregkh@linuxfoundation.org, jlayton@redhat.com, akpm@linux-foundation.org, Linus Torvalds , Cornelius Aschermann
Subject: Re: Null-Pointer Deference in hfs.ko (Linux 4.15.0-15.16 Ubuntu)
Message-ID: <20180419024358.GA5215@bombadil.infradead.org>
References: <6A96C62E-1D01-44AD-B2C5-7A2258BADC0D@schumilo.de> <20180418173028.GA30953@bombadil.infradead.org> <20180418175421.GA128146@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180418175421.GA128146@gmail.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Wed, Apr 18, 2018 at 10:54:21AM -0700, Eric Biggers wrote:
> Also Sergej, I know that you want to consider this a "security bug" and report
> it to "security" teams, and maybe even file a CVE number. But the reality is
> that NULL pointer dereferences rarely have much security impact, and many
> "security" teams seem to be wasting so much time with such bugs that they are
> ignoring bugs with actual security impact, like the 34 use-after-free bugs that
> are currently open in the syzbot dashboard. So IMO, going through the full
> security circus on NULL pointer dereferences is actually detrimental to security.
> (Though, they still need to be fixed of course!)

I don't think this really needs to be fixed. I think the security bug
is that Ubuntu have configured their system in such a way that it will
attempt to automount an HFS filesystem on a USB key. By going through
FUSE or some other userspace filesystem, the security risk would be
eliminated.

Is it time to start moving unmaintained obsolescent filesystems with few
remaining users into staging? ... Hey, that sounds like a good topic for
next week!