linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Red Hat Product Security <secalert@redhat.com>
To: b.zolnierkie@samsung.com, bob.liu@oracle.com,
	chuck.lever@oracle.com, davem@davemloft.net, emamd001@umn.edu,
	gregkh@linuxfoundation.org, kubakici@wp.pl, kvalo@codeaurora.org,
	navid.emamdoost@gmail.com, sam@ravnborg.org
Cc: airlied@linux.ie, alexandre.belloni@bootlin.com,
	alexandre.torgue@st.com, allison@lohutok.net,
	andriy.shevchenko@linux.intel.com, anna.schumaker@netapp.com,
	axboe@kernel.dk, bfields@fieldses.org, colin.king@canonical.com,
	daniel@ffwll.ch, devel@driverdev.osuosl.org,
	dri-devel@lists.freedesktop.org, joabreu@synopsys.com,
	johnfwhitmore@gmail.com, josef@toxicpanda.com, jslaby@suse.com,
	kjlu@umn.edu, kstewart@linuxfoundation.org,
	linux-arm-kernel@lists.infradead.org,
	linux-block@vger.kernel.org, linux-ide@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
	linux-nfs@vger.kernel.org, linux-serial@vger.kernel.org,
	linux-stm32@st-md-mailman.stormreply.com,
	linux-wireless@vger.kernel.org, matthias.bgg@gmail.com,
	matthias@redhat.com, mcoquelin.stm32@gmail.com,
	nbd@other.debian.org, netdev@vger.kernel.org,
	nishkadg.linux@gmail.com, peppe.cavallaro@st.com,
	smccaman@umn.edu, tglx@linutronix.de, thierry.reding@gmail.com,
	trond.myklebust@hammerspace.com, unglinuxdriver@microchip.com,
	vishal@chelsio.com, vkoul@kernel.org
Subject: [engineering.redhat.com #494100] Question on submitting patch for a security bug
Date: Mon, 5 Aug 2019 13:38:48 -0400	[thread overview]
Message-ID: <rt-4.0.13-23214-1565026728-1358.494100-5-0@engineering.redhat.com> (raw)
In-Reply-To: <CAJ7L_Gp2HJoFOVxTgakCJw3LMuiPY0+60-giOtw3OwRD6zyNTQ@mail.gmail.com>

Hello Navid,

On Thu, 18 Jul 2019 01:30:20 GMT, emamd001@umn.edu wrote:
> I've found a null dereference bug in the Linux kernel source code. I was
> wondering should I cc the patch to you as well (along with the
> maintainers)?

No. Please do not cc <secalert@redhat.com> on the upstream kernel patches.
It is meant for reporting security issues only.

Going through the patches here

1. Issues in ../staging/ drivers are not considered for CVE, they are not to be
used
in production environment.

2. Many of the patches listed fix NULL pointer dereference when memory
allocation
fails and returns NULL.

3. Do you happen to have reproducers for these issues? Could an unprivileged
user trigger them?

> Also, I was wondering what are the steps to get CVE for the bug (this is
> the first time I am reporting a bug)?

Generally CVE is assigned after confirming that a given issue really is a
security issue. And it may
have impact ranging from information leakage, DoS to privilege escalation or
maybe arbitrary code
execution. Every NULL pointer dereference is not security issue.


Hope it helps. Thank you.
---
Prasad J Pandit / Red Hat Product Security Team


           reply	other threads:[~2019-08-05 17:39 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <CAJ7L_Gp2HJoFOVxTgakCJw3LMuiPY0+60-giOtw3OwRD6zyNTQ@mail.gmail.com>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=rt-4.0.13-23214-1565026728-1358.494100-5-0@engineering.redhat.com \
    --to=secalert@redhat.com \
    --cc=airlied@linux.ie \
    --cc=alexandre.belloni@bootlin.com \
    --cc=alexandre.torgue@st.com \
    --cc=allison@lohutok.net \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=anna.schumaker@netapp.com \
    --cc=axboe@kernel.dk \
    --cc=b.zolnierkie@samsung.com \
    --cc=bfields@fieldses.org \
    --cc=bob.liu@oracle.com \
    --cc=chuck.lever@oracle.com \
    --cc=colin.king@canonical.com \
    --cc=daniel@ffwll.ch \
    --cc=davem@davemloft.net \
    --cc=devel@driverdev.osuosl.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=emamd001@umn.edu \
    --cc=gregkh@linuxfoundation.org \
    --cc=joabreu@synopsys.com \
    --cc=johnfwhitmore@gmail.com \
    --cc=josef@toxicpanda.com \
    --cc=jslaby@suse.com \
    --cc=kjlu@umn.edu \
    --cc=kstewart@linuxfoundation.org \
    --cc=kubakici@wp.pl \
    --cc=kvalo@codeaurora.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-ide@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=linux-serial@vger.kernel.org \
    --cc=linux-stm32@st-md-mailman.stormreply.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=matthias.bgg@gmail.com \
    --cc=matthias@redhat.com \
    --cc=mcoquelin.stm32@gmail.com \
    --cc=navid.emamdoost@gmail.com \
    --cc=nbd@other.debian.org \
    --cc=netdev@vger.kernel.org \
    --cc=nishkadg.linux@gmail.com \
    --cc=peppe.cavallaro@st.com \
    --cc=sam@ravnborg.org \
    --cc=smccaman@umn.edu \
    --cc=tglx@linutronix.de \
    --cc=thierry.reding@gmail.com \
    --cc=trond.myklebust@hammerspace.com \
    --cc=unglinuxdriver@microchip.com \
    --cc=vishal@chelsio.com \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).