Re: [PATCH v2 bpf-next] bpf: Fix latent unsoundness in and/or/xor value tracking

[Harishankar Vishwanathan]

> On Apr 10, 2024, at 7:43 AM, Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx> wrote:
>
> On Tue, Apr 09, 2024 at 06:17:05PM +0100, Edward Cree wrote:
>> I don't feel too strongly about it, and if you or Shung-Hsi still
>> think, on reflection, that backporting is desirable, then go ahead
>> and keep the Fixes: tag.
>> But maybe tweak the description so someone doesn't see "latent
>> unsoundness" and think they need to CVE and rush this patch out as
>> a security thing; it's more like hardening.  *shrug*
>
> Unfortunately with Linux Kernel's current approach as a CVE Numbering
> Authority I don't think this can be avoided. Patches with fixes tag will
> almost certainly get a CVE number assigned (e.g. CVE-2024-26624[1][2]),
> and we can only dispute[3] after such assignment happend for the CVE to
> be rejected.

It seems the best option is to CC the patch to stable@xxxxxxxxxxxxxxx (so
that it will be backported), and not add the fixes tag (so that no CVE will
be assigned). Does this seem reasonable? If yes, I’ll proceed with v3.
I'll also mention that this is a hardening in the commit message.

Hari

>
> Shung-Hsi
>
> 1: https://lore.kernel.org/linux-cve-announce/2024030648-CVE-2024-26624-3032@gregkh/
> 2: https://lore.kernel.org/linux-cve-announce/2024032747-REJECTED-f2cf@gregkh/
> 3: https://docs.kernel.org/process/cve.html#disputes-of-assigned-cves