lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6c507b78-35fb-fe23-51f0-e5bb754679d0@kernel.dk>
Date:   Thu, 23 Mar 2023 16:51:17 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     Michal Koutný <mkoutny@...e.com>,
        Josef Bacik <josef@...icpanda.com>
Cc:     linux-block@...r.kernel.org, nbd@...er.debian.org,
        linux-kernel@...r.kernel.org,
        Navid Emamdoost <navid.emamdoost@...il.com>,
        Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [PATCH RESEND v3] nbd_genl_status: null check for nla_nest_start

On 3/23/23 1:30 PM, Michal Koutný wrote:
> From: Navid Emamdoost <navid.emamdoost@...il.com>
> 
> nla_nest_start may fail and return NULL. The check is inserted, and
> errno is selected based on other call sites within the same source code.
> Update: removed extra new line.
> v3 Update: added release reply, thanks to Michal Kubecek for pointing
> out.

Josef? Looks straight forward to me, though it's not clear (to me) how
this can be triggered and hence how important it is.

> Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
> Reviewed-by: Michal Kubecek <mkubecek@...e.cz>
> Link: https://lore.kernel.org/r/20190911164013.27364-1-navid.emamdoost@gmail.com/
> ---
> 
> I'm resending the patch because there was apparent consensus of its
> inclusion and it seems it was only overlooked. Some people may care
> about this because of CVE-2019-16089.

Anyone can file a CVE, and in fact they are often filed as some kind
of silly trophy. Whether a CVE exists or not has ZERO bearing on
whether a bug is worth fixing.

So please don't mix CVEs into any of this, they don't matter one bit.
Never have, and never will. What's important is how the bug can be
triggered.

-- 
Jens Axboe


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ