From: Josh Poimboeuf <jpoimboe@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: corbet@lwn.net, workflows@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org, linux@leemhuis.info,
Kees Cook <keescook@chromium.org>,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
Krzysztof Kozlowski <krzk@kernel.org>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Sasha Levin <sashal@kernel.org>, Lee Jones <lee@kernel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process
Date: Fri, 16 Feb 2024 11:26:25 -0800 [thread overview]
Message-ID: <20240216192625.o3q6m7cjgkwyfe4y@treble> (raw)
In-Reply-To: <2024021500-laziness-grimace-ed80@gregkh>
On Thu, Feb 15, 2024 at 01:10:55PM +0100, Greg Kroah-Hartman wrote:
> +Note, due to the layer at which the Linux kernel is in a system, almost
> +any bug might be exploitable to compromise the security of the kernel,
> +but the possibility of exploitation is often not evident when the bug is
> +fixed.
By this paranoid black-and-white logic, any mainline commit could have a
yet-to-be-discovered regression resulting in a catastrophic
vulnerability.
Should we stay one step ahead and just open a CVE for every mainline
commit?
Problem solved, all "vulnerabilities" have been identified! False
positives be damned!
For that matter, why don't we do as Thomas has suggested and hardcode
NR_CPUS to zero!
> Because of this, the CVE assignment team is overly cautious and
> +assign CVE numbers to any bugfix that they identify. This
> +explains the seemingly large number of CVEs that are issued by the Linux
> +kernel team.
How does this match up with the definition of a vulnerabilty?
An instance of one or more weaknesses in a Product that can be
exploited, causing a negative impact to confidentiality, integrity, or
availability; a set of conditions or behaviors that allows the
violation of an explicit or implicit security policy.
Bug != vulnerability. Otherwise the definition of a vulnerability would
be much simpler, i.e., "any software defect".
If a CVE is created without any analysis and doesn't describe how the
bug can be exploited then it's completely useless.
Who is this process helping?
- Not users of -stable since they already know they need to be on the
latest version.
- Not distros or their users as it's just flooding them with low quality
CVEs which have no analysis or scoring.
And enterprise distros will never be able to rebase onto -stable,
especially for older streams for which they have to be very selective,
in order to avoid destabilizing them. As you say, "a bug is a bug".
If the problem is low CVE quality then of course it makes a lot of sense
for kernel.org to become a CNA in order to take a leadership role in
helping define and improve the process for its users. But it makes no
sense to "fix" it by making CVE quality *vastly* lower by flooding
people with useless CVEs.
--
Josh
next prev parent reply other threads:[~2024-02-16 19:26 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-15 12:10 Greg Kroah-Hartman
2024-02-15 15:03 ` Jürgen Groß
2024-02-15 17:49 ` Greg Kroah-Hartman
2024-02-16 8:04 ` Jürgen Groß
2024-02-15 17:38 ` Jiri Kosina
2024-02-15 18:24 ` Greg Kroah-Hartman
2024-02-16 19:26 ` Josh Poimboeuf [this message]
2024-02-16 20:27 ` Jiri Kosina
2024-02-16 21:45 ` Theodore Ts'o
2024-02-16 21:51 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240216192625.o3q6m7cjgkwyfe4y@treble \
--to=jpoimboe@kernel.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=konstantin@linuxfoundation.org \
--cc=krzk@kernel.org \
--cc=lee@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@leemhuis.info \
--cc=lukas.bulwahn@gmail.com \
--cc=sashal@kernel.org \
--cc=security@kernel.org \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox