Linux-NFS Archive on lore.kernel.org
From: Alexander Grund <alex@grundis.de>
To: gregkh@linuxfoundation.org
Cc: a.shelat@northeastern.edu, anna.schumaker@netapp.com,
	bfields@fieldses.org, chuck.lever@oracle.com,
	davem@davemloft.net, dwysocha@redhat.com, kuba@kernel.org,
	leon@kernel.org, linux-kernel@vger.kernel.org,
	linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
	pakki001@umn.edu, sudipm.mukherjee@gmail.com,
	trondmy@hammerspace.com
Subject: Re: [PATCH] SUNRPC: Add a check for gss_release_msg
Date: Wed, 21 Apr 2021 20:50:33 +0200
Message-ID: <821177ec-dba0-e411-3818-546225511a00@grundis.de>
In-Reply-To: <YIAtwtOpy/emQWr2@kroah.com>

 > Below is the list that didn't do a simple "revert" that I need to look
 > at. I was going to have my interns look into this, there's no need to
 > bother busy maintainers with it unless you really want to, as I can't
 > tell anyone what to work on :)

I'm not involved or affiliated with the group or the kernel, but I'd like to make a suggestion:
Do not revert umn.edu patches unconditionally.
See below:

According to the paper:
 > We submit the three patches using a random Gmail account to the Linux community and seek their feedback

So while their behaviour regarding this practice may have been bad, I'd give them the benefit of the doubt that they didn't want to actually introduce a bug.
I.e. what they wrote:

 > we immediately notify the maintainers of the introduced UAF and request them to not go ahead to apply the patch.
 > At the same time, we point out the correct fixing of the bug and provide our correct patch.
 > [...] All the UAF-introducing patches stayed only in the email exchanges, without even becoming a Git commit in Linux branches

TLDR:
- The faulty patches were NOT from umn.edu accounts but from a gmail account
- Only the corrected patches should have made it to the branches

So while I would at least double-check that the last point is actually true, I believe reverting all umn.edu patches is wrong and actually (re-)introduces vulnerabilities or bugs which have been legitimately fixed (at least in good faith).
And especially if the reverts do not apply cleanly on the current HEADs I think you might be wasting a lot of work/time, too.

And yes, this aftermath makes it even worse what they did and excluding them from future contributions may make sense.
But maybe reverting EVERYTHING is a bit too much here, especially if that doesn't even include the faulty stuff (assuming they are not plain lying in their paper, which I really doubt they would).

Alex



