| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Mar 2023 16:51:17 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Michal Koutný <mkoutny@...e.com>,
Josef Bacik <josef@...icpanda.com>
Cc: linux-block@...r.kernel.org, nbd@...er.debian.org,
linux-kernel@...r.kernel.org,
Navid Emamdoost <navid.emamdoost@...il.com>,
Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [PATCH RESEND v3] nbd_genl_status: null check for nla_nest_start
On 3/23/23 1:30 PM, Michal Koutný wrote:
> From: Navid Emamdoost <navid.emamdoost@...il.com>
>
> nla_nest_start may fail and return NULL. The check is inserted, and
> errno is selected based on other call sites within the same source code.
> Update: removed extra new line.
> v3 Update: added release reply, thanks to Michal Kubecek for pointing
> out.
Josef? Looks straight forward to me, though it's not clear (to me) how
this can be triggered and hence how important it is.
> Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
> Reviewed-by: Michal Kubecek <mkubecek@...e.cz>
> Link: https://lore.kernel.org/r/20190911164013.27364-1-navid.emamdoost@gmail.com/
> ---
>
> I'm resending the patch because there was apparent consensus of its
> inclusion and it seems it was only overlooked. Some people may care
> about this because of CVE-2019-16089.
Anyone can file a CVE, and in fact they are often filed as some kind
of silly trophy. Whether a CVE exists or not has ZERO bearing on
whether a bug is worth fixing.
So please don't mix CVEs into any of this, they don't matter one bit.
Never have, and never will. What's important is how the bug can be
triggered.
--
Jens Axboe
Powered by blists - more mailing lists