cip-dev@lists.cip-project.org | Who is looking at CVEs to prevent them?

Home Messages Hashtags Subgroups

Date Date 1 - 3 of 3

Who is looking at CVEs to prevent them?

Vlastimil Babka <vbabka@...> #10947 On 3/7/23 12:00, Hillf Danton wrote: On 7 Mar 2023 12:51:14 +0300 Dan Carpenter <error27@...> On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote: CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in ksmbd_decode_ntlmssp_auth_blob 5.15, 6.0, and 6.1 were fixed. Fixed status mainline: [797805d81baa814f76cf7bdab35f86408a79d707] stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92] stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807] stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86] Sorry, I have kind of hijacked the cip-dev email list... I use these lists to figure out where we are failing. I created a static checker warning for this bug. I also wrote a blog stepping through the process: https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/ If anyone wants to review the warnings, just email me and I can send them to you. I Cc'd LWN because I was going to post the warnings but I chickened out because that didn't feel like responsible disclosure. The Given the syzbot reports only in the past three years for instance, the chickenout sounds a bit over reaction. instructions for how to find these yourself are kind of right there in the blog so it's not too hard to generate these results yourself... I don't really have enough time to review static checker warnings anymore but I don't know who wants to do that job now. If no more than three warnings you will post a week after filtering, feel free to add me to your Cc list, better with the leading [triage smatch warning] on the subject line the same way as the syzbot report. Thanks Hillf Why do you keep adding linux-mm to the Cc list of random threads that are not about MM?
More
Dan Carpenter <error27@...> #10948 On Tue, Mar 07, 2023 at 12:42:03PM +0100, Vlastimil Babka wrote: Why do you keep adding linux-mm to the Cc list of random threads that are not about MM? That's kbuild-bot stuff. The kbuild-bot generates those emails and I just look them over and hit send. I don't why the kbuild bot CCs linux-mm either... Let me ask the devs about that. A lot of the -mm warning are correct but just the CC list is weird. The kbuild-bot stuff is really nice for me. The kbuild-bot doesn't use the cross function DB so everything is local to the function and easy to review. regards, dan carpenter
More
Vlastimil Babka <vbabka@...> #10951 On 3/7/23 12:53, Dan Carpenter wrote: On Tue, Mar 07, 2023 at 12:42:03PM +0100, Vlastimil Babka wrote: Why do you keep adding linux-mm to the Cc list of random threads that are not about MM? That's kbuild-bot stuff. The kbuild-bot generates those emails and I just look them over and hit send. Sorry, wasn't clear that I was asking Hillf who did the Cc on this thread and other threads (not only kbuild bot threads). I don't why the kbuild bot CCs linux-mm either... Let me ask the devs about that. A lot of the -mm warning are correct but just the CC list is weird. Sure, it's fine if a bug is suspected to be mm related that linux-mm is Cc'd, even if it turns out a wrong guess in the end. The kbuild-bot stuff is really nice for me. The kbuild-bot doesn't use the cross function DB so everything is local to the function and easy to review. regards, dan carpenter
More

1 - 3 of 3

1

Previous Topic Next Topic

Home Hashtags Subgroups Terms