Re: Who is looking at CVEs to prevent them?

From: Vlastimil Babka
Date: Tue Mar 07 2023 - 06:45:47 EST


On 3/7/23 12:00, Hillf Danton wrote:
> On 7 Mar 2023 12:51:14 +0300 Dan Carpenter <error27@xxxxxxxxx>
>> On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
>> > CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
>> > ksmbd_decode_ntlmssp_auth_blob
>> >
>> > 5.15, 6.0, and 6.1 were fixed.
>> >
>> > Fixed status
>> > mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
>> > stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
>> > stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
>> > stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]
>>
>> Sorry, I have kind of hijacked the cip-dev email list... I use these
>> lists to figure out where we are failing.
>>
>> I created a static checker warning for this bug. I also wrote a blog
>> stepping through the process:
>> https://staticthinking.wordpress.com/2023/03/07/triaging-security-bugs/
>>
>> If anyone wants to review the warnings, just email me and I can send
>> them to you. I Cc'd LWN because I was going to post the warnings but I
>> chickened out because that didn't feel like responsible disclosure. The
>
> Given the syzbot reports only in the past three years for instance, the
> chickenout sounds a bit over reaction.
>
>> instructions for how to find these yourself are kind of right there in
>> the blog so it's not too hard to generate these results yourself... I
>> don't really have enough time to review static checker warnings anymore
>> but I don't know who wants to do that job now.
>
> If no more than three warnings you will post a week after filtering, feel
> free to add me to your Cc list, better with the leading [triage smatch
> warning] on the subject line the same way as the syzbot report.
>
> Thanks
> Hillf

Why do you keep adding linux-mm to the Cc list of random threads that are
not about MM?