Who is looking at CVEs to prevent them?
Dan Carpenter <error27@...>
On Tue, Mar 07, 2023 at 07:00:29PM +0800, Hillf Danton wrote:
> On 7 Mar 2023 12:51:14 +0300 Dan Carpenter <error27@...>
> > On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> > > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
> > > ksmbd_decode_ntlmssp_auth_blob
> > >
> > > 5.15, 6.0, and 6.1 were fixed.
> > >
> > > Fixed status
> > > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
> > > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
> > > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
> > > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
> >
> > Sorry, I have kind of hijacked the cip-dev email list... I use these
> > lists to figure out where we are failing.
> >
> > I created a static checker warning for this bug. I also wrote a blog
> > stepping through the process:
> >
> > https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
> >
> > If anyone wants to review the warnings, just email me and I can send
> > them to you. I Cc'd LWN because I was going to post the warnings but I
> > chickened out because that didn't feel like responsible disclosure. The
>
> Given the syzbot reports only in the past three years for instance, the
> chickenout sounds a bit over reaction.

Yeah. Really just posting the code and the results seems like the best
way forward to me too. That's how syzbot does it and it's the only
realistic way forward.

The good thing is that static checker warnings are much easier to
analyse than syzbot warnings.

I've sent you the complete list just so you can see what there is.

> > instructions for how to find these yourself are kind of right there in
> > the blog so it's not too hard to generate these results yourself... I
> > don't really have enough time to review static checker warnings anymore
> > but I don't know who wants to do that job now.
>
> If no more than three warnings you will post a week after filtering, feel
> free to add me to your Cc list, better with the leading [triage smatch
> warning] on the subject line the same way as the syzbot report.

I want to get out of the filtering business as much as possible. I want
more people involved at all stages really. Writing checks. Reviewing
warnings.

regards,
dan carpenter