Re: KASAN: use-after-free Read in hci_chan_del

From: SyzScope
Date: Sat Jun 05 2021 - 14:13:09 EST


Hi Greg,

I do not recall that, sorry, when was that?
We sent an email to security@xxxxxxxxxx from xzou017@xxxxxxx account on May 20, the title is "KASAN: use-after-free Read in hci_chan_del has dangerous security impact".
Is that really the reason why syzbot-reported problems are not being
fixed? Just because we don't know which ones are more "important"?

As someone who has been managing many interns for a year or so working
on these, I do not think that is the problem, but hey, what do I know...

Perhaps we misunderstood the problem of syzbot-generated bugs. Our understanding is that if a syzbot-generated bug is exploited in the wild and/or the exploit code is made publicly available somehow, then the bug will be fixed in a prioritized fashion. If our understanding is correct, wouldn't it be nice if we, as good guys, can figure out which bugs are security-critical and patch them before the bad guys exploit them.

On 05/06/2021 00:43, Greg KH wrote:
On Fri, Jun 04, 2021 at 10:11:03AM -0700, SyzScope wrote:
Hi Greg,

Who is working on and doing this "reseach project"?
We are a group of researchers from University of California, Riverside (we
introduced ourselves in an earlier email to security@xxxxxxxxxx if you
recall).
I do not recall that, sorry, when was that?

 Please allow us to articulate the goal of our research. We'd be
happy to hear your feedback and suggestions.

And what is it
doing to actually fix the issues that syzbot finds? Seems like that
would be a better solution instead of just trying to send emails saying,
in short "why isn't this reported issue fixed yet?"
From our limited understanding, we know a key problem with syzbot bugs is
that there are too many of them - more than what can be handled by
developers and maintainers. Therefore, it seems some form of prioritization
on bug fixing would be helpful. The goal of the SyzScope project is to
*automatically* analyze the security impact of syzbot bugs, which helps with
prioritizing bug fixes. In other words, when a syzbot bug is reported, we
aim to attach a corresponding security impact "signal" to help developers
make an informed decision on which ones to fix first.
Is that really the reason why syzbot-reported problems are not being
fixed? Just because we don't know which ones are more "important"?

As someone who has been managing many interns for a year or so working
on these, I do not think that is the problem, but hey, what do I know...

Currently,  SyzScope is a standalone prototype system that we plan to open
source. We hope to keep developing it to make it more and more useful and
have it eventually integrated into syzbot (we are in talks with Dmitry).

We are happy to talk more offline (perhaps even in a zoom meeting if you
would like). Thanks in advance for any feedback and suggestions you may
have.
Meetings are not really how kernel development works, sorry.

At the moment, these emails really do not seem all that useful, trying
to tell other people what to do does not get you very far when dealing
with people who you have no "authority" over...

Technical solutions to human issues almost never work, however writing a
procmail filter to keep me from having to see these will work quite well :)

good luck!

greg k-h