Re: [Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation

[Takashi Iwai <tiwai@suse.de>]

On Tue, 11 Sep 2018 16:21:34 +0200,
Greg KH wrote:
> 
> On Tue, Sep 11, 2018 at 02:00:58PM +0200, Takashi Iwai wrote:
> > On Tue, 11 Sep 2018 13:57:09 +0200,
> > Justin Forbes wrote:
> > > 
> > > On Mon, Sep 10, 2018 at 8:11 PM, Eduardo Valentin <edubezval@gmail.com> wrote:
> > > > Hello,
> > > >
> > > > I would like to open a discussion on improving the annotation
> > > > around CVE patches on the Linux kernel. Today, the kernel Documentation
> > > > mentions about CVE assignment and asks as a good practice to at least
> > > > mention the CVE  number in the patch [1]. But, is that enough?
> > > > Should the kernel have more info about what patches fixes a specific
> > > > CVE?
> > > >
> > > > Some of the challenges with current process:
> > > > - The info about of about what CVEs have been patched in a kernel is
> > > >   outside the kernel tree / git history.
> > > > - Today, some patches have the CVE info, and many others do not mention
> > > >   anything about CVE number.
> > > > - As mentioned in the kernel documentation [1], not always the CVE
> > > >   number is assigned when the patch(es) go into the kernel tree, so
> > > >   maybe this may require some post merge annotation?
> > > 
> > > This is also sometimes relevant when you can fix and embargoed CVE
> > > before embargo lifts because the actual fix doesn't make it obvious
> > > that there is a security issue. Obfuscation is a somewhat useful tool
> > > when fixing security bugs sometimes.  I would rather get the patches
> > > in sooner than have them be properly annotated for the security fixes
> > > they really are.
> > 
> > I hoped that git-notes could be used for such additional post-release
> > notes.  But it seems that it never flies well due to various
> > reasons...
> 
> I do remember a tree somewhere on github that had a tracking between
> cves and kernel commits.  It was a pain to keep up to date, but the
> author was doing a good job for a number of months.
> 
> Can't find it now...
> 
> Anyway, the main problem here is that almost all the time, CVEs are
> assigned _after_ the patch is in the kernel tree.  And we can't go back
> in time to change a changelog entry.

Actually, git-notes is exactly for that purpose: adding notes after
the commit.  Say, you have a shiny new CVE for the commit in 4.19-rc2,
and you can put the CVE number in each commit via git-notes.  Then
git-log will show that notes, and you can search over the notes in a
(sort of) namespace, too.

The same would work for the reverse-mapping of Fixes tag, too, BTW.

The pain point of git-notes is the way to share the notes.
Also it's not really scalable.  But for the amount of CVE numbering,
it should suffice, I guess.

> Also, what about huge series of patches all to fix one CVE?  What would
> you put down for the single Meltdown commit?
> 
> So this is up to those that wish to track these types of things, good
> luck!
> 
> And yes, this is my "CVEs are a joke" feelings coming through here,
> sorry if you are someone who has to treat them as something important...

Heh, I share your feeling :)


thanks,

Takashi