Open Source and information security mailing list archives
Date:   Mon, 25 May 2020 15:32:25 -0400
From:   Alan Stern <stern@...land.harvard.edu>
To:     Rick Mark <rickmark@...look.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Matthew Garrett <mjg59@...gle.com>,
        Kernel Development List <linux-kernel@...r.kernel.org>,
        USB mailing list <linux-usb@...r.kernel.org>
Subject: Re: USB Security in the Linux Kernel

On Mon, May 25, 2020 at 05:28:33AM +0000, Rick Mark wrote:
> Hey Alan
> 
> You and others previously rejected a patch I submitted 13 months ago

Nobody rejected your patch.  We pointed out problems with it, and we 
asked you to take a second look and provide more information.  You never 
replied.

> but have later integrated the changes under your name while missing a 
> few key security holes (I am working on another supplemental patch as 
> we speak).

That's not right.  Your changes were never merged into the kernel, in 
any form.

> Can you reconcile this mailing list email with commits made after it 
> in your name?
> 
> https://patchwork.kernel.org/patch/10941901/
> 
> Commit  a03ff54460817c76105f81f3aa8ef655759ccc9a

What is there to reconcile?  Your patch and my commit touched different 
code and addressed different (although similar) problems.  More 
specifically, your patch made changes to these routines:

	find_next_descriptor()
	usb_parse_ssp_isoc_endpoint_companion()
	usb_parse_ss_endpoint_companion()
	usb_parse_endpoint()
	usb_parse_interface()

whereas my commit changed:

	usb_get_bos_descriptor().

Furthermore, the changes you made appeared to be unnecessary (you added 
checks for things that either had already been checked or were checked a 
few lines later), whereas my commit fixed an actual bug, as demonstrated 
by syzbot.

> I find it highly improbable you managed to write that patch the same 
> day as my submission,

Indeed, I did _not_ write that patch the same day as your submission.  
If you check the datestamps on these emails in the archive, you'll see 
that my patch was posted on May 13 2019 and yours was posted on May 14, 
the next day:

	https://marc.info/?l=linux-usb&m=155776767725342&w=2
	https://marc.info/?l=linux-usb&m=155780009303416&w=2

> and the subsequent patches are also based on my 
> original work.

What subsequent patches?

Alan Stern
