From: Hillf Danton <hdanton@sina.com>
To: Dan Carpenter <error27@gmail.com>
Cc: Masami Ichikawa <masami.ichikawa@miraclelinux.com>,
cip-dev <cip-dev@lists.cip-project.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org, lwn@lwn.net,
smatch@ver.kernel.org
Subject: Re: Who is looking at CVEs to prevent them?
Date: Tue, 7 Mar 2023 19:00:29 +0800 [thread overview]
Message-ID: <20230307110029.1947-1-hdanton@sina.com> (raw)
In-Reply-To: <59f7f076-a9d5-4bfb-a6da-bbe0a7567688@kili.mountain>
On 7 Mar 2023 12:51:14 +0300 Dan Carpenter <error27@gmail.com>
> On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
> > ksmbd_decode_ntlmssp_auth_blob
> >
> > 5.15, 6.0, and 6.1 were fixed.
> >
> > Fixed status
> > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
> > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
> > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
> > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
>
> Sorry, I have kind of hijacked the cip-dev email list... I use these
> lists to figure out where we are failing.
>
> I created a static checker warning for this bug. I also wrote a blog
> stepping through the process:
> https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
>
> If anyone wants to review the warnings, just email me and I can send
> them to you. I Cc'd LWN because I was going to post the warnings but I
> chickened out because that didn't feel like responsible disclosure. The
Given the syzbot reports only in the past three years for instance, the
chickenout sounds a bit over reaction.
> instructions for how to find these yourself are kind of right there in
> the blog so it's not too hard to generate these results yourself... I
> don't really have enough time to review static checker warnings anymore
> but I don't know who wants to do that job now.
If no more than three warnings you will post a week after filtering, feel
free to add me to your Cc list, better with the leading [triage smatch
warning] on the subject line the same way as the syzbot report.
Thanks
Hillf
next parent reply other threads:[~2023-03-07 11:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAODzB9qjdhQkZ+tALHpDLHoK7GAf8Uybfzp8mxXt=Dwnn_0RjA@mail.gmail.com>
[not found] ` <59f7f076-a9d5-4bfb-a6da-bbe0a7567688@kili.mountain>
2023-03-07 11:00 ` Hillf Danton [this message]
2023-03-07 11:32 ` Dan Carpenter
2023-03-07 11:42 ` Vlastimil Babka
2023-03-07 11:53 ` Dan Carpenter
2023-03-08 7:52 ` Vlastimil Babka
2023-03-07 12:47 ` Hillf Danton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230307110029.1947-1-hdanton@sina.com \
--to=hdanton@sina.com \
--cc=cip-dev@lists.cip-project.org \
--cc=error27@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lwn@lwn.net \
--cc=masami.ichikawa@miraclelinux.com \
--cc=smatch@ver.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox