Date: Tue, 7 Mar 2023 14:32:48 +0300
From: Dan Carpenter
To: Hillf Danton
Cc: Masami Ichikawa, cip-dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, lwn@lwn.net, smatch@ver.kernel.org
Subject: Re: Who is looking at CVEs to prevent them?
Message-ID: <4f8e6d29-a60a-47e2-bd7b-8c66bb9ee0dc@kili.mountain>
References: <20230307110029.1947-1-hdanton@sina.com>
In-Reply-To: <20230307110029.1947-1-hdanton@sina.com>

On Tue, Mar 07, 2023 at 07:00:29PM +0800, Hillf Danton wrote:
> On 7 Mar 2023 12:51:14 +0300 Dan Carpenter
> > On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> > > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
> > > ksmbd_decode_ntlmssp_auth_blob
> > >
> > > 5.15, 6.0, and 6.1 were fixed.
> > >
> > > Fixed status
> > > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
> > > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
> > > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
> > > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
> >
> > Sorry, I have kind of hijacked the cip-dev email list... I use these
> > lists to figure out where we are failing.
> >
> > I created a static checker warning for this bug. I also wrote a blog
> > stepping through the process:
> > https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
> >
> > If anyone wants to review the warnings, just email me and I can send
> > them to you. I Cc'd LWN because I was going to post the warnings but I
> > chickened out because that didn't feel like responsible disclosure. The
>
> Given the syzbot reports only in the past three years for instance, the
> chickenout sounds a bit over reaction.

Yeah. Really just posting the code and the results seems like the best
way forward to me too. That's how syzbot does it and it's the only
realistic way forward. The good thing is that static checker warnings
are much easier to analyse than syzbot warnings.

> > instructions for how to find these yourself are kind of right there in
> > the blog so it's not too hard to generate these results yourself... I
> > don't really have enough time to review static checker warnings anymore
> > but I don't know who wants to do that job now.
>
> If no more than three warnings you will post a week after filtering, feel
> free to add me to your Cc list, better with the leading [triage smatch
> warning] on the subject line the same way as the syzbot report.

I've sent you the complete list just so you can see what there is. I
want to get out of the filtering business as much as possible. I want
more people involved at all stages really. Writing checks. Reviewing
warnings.

regards,
dan carpenter