From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA607C678D4 for ; Tue, 7 Mar 2023 11:42:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 34AFB6B0071; Tue, 7 Mar 2023 06:42:08 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 2FB026B0072; Tue, 7 Mar 2023 06:42:08 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 19D25280001; Tue, 7 Mar 2023 06:42:08 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 0C1E16B0071 for ; Tue, 7 Mar 2023 06:42:08 -0500 (EST) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id E0371A0C13 for ; Tue, 7 Mar 2023 11:42:07 +0000 (UTC) X-FDA: 80541913494.11.216050D Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29]) by imf16.hostedemail.com (Postfix) with ESMTP id D02FF18001D for ; Tue, 7 Mar 2023 11:42:05 +0000 (UTC) Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=jxnOzSkk; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b="ZsSdeVP/"; spf=pass (imf16.hostedemail.com: domain of vbabka@suse.cz designates 195.135.220.29 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1678189326; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=PfCj1neJmCfrUUT47ZTKFAGgBx7IRsC7B39zh/pZjJY=; b=6NzXva6Ia66AvfPTxXENLkLq2iDCZR3h6cs4gvfDNmKJEQv6+z+IukhPZeKPHjgJ2bTKVa UDDQbPYv9K61nlVMtnu9Q15baaeSdyPBY6LeJdAUEaOli29CuqhXbiRpNYUu7hhkn/YxFl 2Sf4KL0nn9DIh3I/SoO1cx8eje9+5rQ= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=jxnOzSkk; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b="ZsSdeVP/"; spf=pass (imf16.hostedemail.com: domain of vbabka@suse.cz designates 195.135.220.29 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1678189326; a=rsa-sha256; cv=none; b=g1qrH1lfe/tcQKi+RVSo7eV8tNXMYbnGcS9hz77fgvMisPTEqY2E3siF8FvGiodkDQdUOp Op+52zq1iWcc4Au/d66Z0IgZAkdx4C7CUFLwxaR8hJ3FfhhU9CfWPYzgPDf4GPjktOAVng Fye53KxzD/gjUiwwgoN30uy8hgH1MfU= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 2776A1FE1A; Tue, 7 Mar 2023 11:42:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1678189324; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PfCj1neJmCfrUUT47ZTKFAGgBx7IRsC7B39zh/pZjJY=; b=jxnOzSkkr5lkAr9qQ5rP6QSJxhoITzp3JhsC5Ul3YRJoDOKIG7W3hfXM1dA/htQNqqp5vp 3KyKQcUtPkSTmnSMdfG4eikDYQT9Dp2wY0VNy9qVGykhugTBuczRxARXzDFgF8/FMYRHWA MsZ7rcFab88U9sENderRWcdjhWY/SRw= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1678189324; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PfCj1neJmCfrUUT47ZTKFAGgBx7IRsC7B39zh/pZjJY=; b=ZsSdeVP/rqguQhmuE0vDQX9SWmwCIFY4m6IHGs0t9wlZvK/HXfMOvkmNFXe8CcrZmXhte0 sHbpXFiLf1M/5/Dg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 0513D13440; Tue, 7 Mar 2023 11:42:03 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id iMo+OwsjB2TqEgAAMHmgww (envelope-from ); Tue, 07 Mar 2023 11:42:03 +0000 Message-ID: Date: Tue, 7 Mar 2023 12:42:03 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: Who is looking at CVEs to prevent them? To: Hillf Danton , Dan Carpenter Cc: Masami Ichikawa , cip-dev , linux-mm@kvack.org, linux-kernel@vger.kernel.org, lwn@lwn.net, smatch@ver.kernel.org References: <20230307110029.1947-1-hdanton@sina.com> Content-Language: en-US From: Vlastimil Babka In-Reply-To: <20230307110029.1947-1-hdanton@sina.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Stat-Signature: 9i5gp9ab3nekq4it1g9b5754e4qtifi7 X-Rspam-User: X-Rspamd-Queue-Id: D02FF18001D X-Rspamd-Server: rspam06 X-HE-Tag: 1678189325-117511 X-HE-Meta: U2FsdGVkX19WWR3XGF+zrFd0syH/qjG9NbNyQpkChUoY8nssx4OSGLgNvPg/6AfA1K1GGhKHrbPLxMfge2UmHm9/LTJ5O5ko2MmyVbTYSWYTSu3PEhHLxrjDb+QsDnVU8oaWPJkIhJ9QoCO6kJUdwllQl1bAgYHJQ3FheE7oiX6vEs/mhATKhoFWCLRmNTo0Nwohe/mEpz9VOlGnu3jLnfvFrblfEhLXbW/4/j3NcrlG1JsnyqFbuqyrOjyN2czfgkLVNwidJGZeOPuLaQmz0OgERQQ4zVelm9jN6zvxuxBDimlYeCdos/0rWdgUfrD31Rtj+6H3DwsCEyN79Ry51QQQAM8XMiOMrExQaG+3Hzf17PE2LoqKsFWjrcbn6MP2X9Spj31vVdF3uuGMOCH7go9UL4/OovBr8TsgC5Qzr0ZHWC5AiDBnwp4flgB9Y7g/I/eXBIZKclo7f6WlJG4y+4XCZ0cuL4ANu6diZtAIcWcwgTMtdu+Ew+zRluqcGiDL8NNFyKazkHGDFEN2rQjPQmVHVF5GmLtfi5EMmM/XKFKTeuvoIH7yB+kihWUhz14h8k7PVG+HVuSULCeR7xSCYwe+nH1s9Kqe29Zphow6UA/SqbVfGuoJU8N1OeZ1NwjE2xKV1UO5jRHlbNeonrRGOgeQqOdhhZo4G2748/1kYbPr21bZedAxCyxTpHyMf201g3uGF6nxzBCAnI0l4MBgskEi5yKJ200Tvi1ZjNzB5GevHYl3c4psRTqCX8n2HKD2UOEZDj1hKkKH6a1WjJBJlOF8x3WiViyFoVUU0Tzimzb9s2jwoXZWPvtSApx+sGopHukemdWzyN7YCJq0esJW4CWsFsamLZaC4AKF9S1xjgSn2O4VMuwW+opeS8ziM85DPtBmVxrGCTPSQNfCl7OhAGfudeP/Zwn2KUs5sNxV21wSCBUXmDgOgHrnxN/tBBu8/OHJRo439mA+kO8+7k6 ZqLBwoPg Tpj0nseVGSmY1aoOyLeAsJfvQRBqKrNddY0jSHe4qz/x1nFyNDmK+k+StfpacUvy0k8ULekzC19PXcbEEyYwH/E1FCSBTJxotTIJv34CS+ufBs7U7BezKlOlZEFqEYKZ26SJFAxgl2NH2ROiO7yA9pvervuG7FnPppgdrI1jK5BtBH1RtZtVHYtw0emQMgfaiiH67zqb2ITFXZppNTX5OgnYVriLYUoy7n9vW6Y+tuMfXeBUAAtbEwmXcQqtIcmkpajOLz44+FkYN9BhJkO5z9djvdj0wshjNox3CsfKfSghPIuNMgquGD4dp/RIjc3L0ogNAKvI7anBFuxeQ9RpntyF35Ej2YdqxUCzhGlJCjUdtx+q4rbkHv6z90nDyrdi+uI81NUGyiGsWQcasR+3GJ7C+9g== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 3/7/23 12:00, Hillf Danton wrote: > On 7 Mar 2023 12:51:14 +0300 Dan Carpenter >> On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote: >> > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in >> > ksmbd_decode_ntlmssp_auth_blob >> > >> > 5.15, 6.0, and 6.1 were fixed. >> > >> > Fixed status >> > mainline: [797805d81baa814f76cf7bdab35f86408a79d707] >> > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92] >> > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807] >> > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86] >> >> Sorry, I have kind of hijacked the cip-dev email list... I use these >> lists to figure out where we are failing. >> >> I created a static checker warning for this bug. I also wrote a blog >> stepping through the process: >> https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/ >> >> If anyone wants to review the warnings, just email me and I can send >> them to you. I Cc'd LWN because I was going to post the warnings but I >> chickened out because that didn't feel like responsible disclosure. The > > Given the syzbot reports only in the past three years for instance, the > chickenout sounds a bit over reaction. > >> instructions for how to find these yourself are kind of right there in >> the blog so it's not too hard to generate these results yourself... I >> don't really have enough time to review static checker warnings anymore >> but I don't know who wants to do that job now. > > If no more than three warnings you will post a week after filtering, feel > free to add me to your Cc list, better with the leading [triage smatch > warning] on the subject line the same way as the syzbot report. > > Thanks > Hillf Why do you keep adding linux-mm to the Cc list of random threads that are not about MM?