lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 6 Jun 2021 07:16:00 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     SyzScope <syzscope@...il.com>
Cc:     davem@...emloft.net, johan.hedberg@...il.com, kuba@...nel.org,
        linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
        marcel@...tmann.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in hci_chan_del

On Sat, Jun 05, 2021 at 11:12:49AM -0700, SyzScope wrote:
> Hi Greg,
> 
> > I do not recall that, sorry, when was that?
> We sent an email to security@...nel.org from xzou017@....edu account on May
> 20, the title is "KASAN: use-after-free Read in hci_chan_del has dangerous
> security impact".

So you used a different email address and we were supposed to know how
to correlate between the two?  How?

> > Is that really the reason why syzbot-reported problems are not being
> > fixed?  Just because we don't know which ones are more "important"?
> > 
> > As someone who has been managing many interns for a year or so working
> > on these, I do not think that is the problem, but hey, what do I know...
> 
> Perhaps we misunderstood the problem of syzbot-generated bugs. Our
> understanding is that if a syzbot-generated bug is exploited in the wild
> and/or the exploit code is made publicly available somehow, then the bug
> will be fixed in a prioritized fashion. If our understanding is correct,
> wouldn't it be nice if we, as good guys, can figure out which bugs are
> security-critical and patch them before the bad guys exploit them.

The "problem" is that no one seems willing to provide the resources to
fix the issues being found as quickly as they are being found.  It
usually takes an exponentially longer amount of time for a fix than to
find the problem.  Try it yourself and see!  Fix these issues that your
tool is somehow categorizing as "more important" and let us know how it
goes.

Or is just fixing found bugs somehow not as much fun as writing new
tools?

good luck!

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ