lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ab557ae6-7550-189a-81dd-6e3346d84620@leemhuis.info>
Date:   Wed, 26 Jul 2023 10:47:46 +0200
From:   Thorsten Leemhuis <linux@...mhuis.info>
To:     Ricardo Ribalda <ribalda@...omium.org>
Cc:     Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        Sergey Senozhatsky <senozhatsky@...omium.org>,
        stable@...nel.org, Zubin Mithra <zsm@...omium.org>,
        Kai Wasserbäch <kai@....carbon-project.org>
Subject: Re: [PATCH v2] media: uvcvideo: Fix OOB read

On 26.07.23 10:38, Ricardo Ribalda wrote:
> On Wed, 26 Jul 2023 at 10:33, Thorsten Leemhuis <linux@...mhuis.info> wrote:
>> On 26.07.23 10:07, Laurent Pinchart wrote:
>>> (CC'ing Kai and Thorsten who have added the check to checkpatch)
>>>
>>> On Wed, Jul 26, 2023 at 08:24:50AM +0200, Ricardo Ribalda wrote:
>>>> On Tue, 25 Jul 2023 at 23:34, Laurent Pinchart wrote:
>>>>> On Thu, Jul 20, 2023 at 05:46:54PM +0000, Ricardo Ribalda wrote:
>>>>>> If the index provided by the user is bigger than the mask size, we might do an
>>>>>> out of bound read.
>>>>>>
>>>>>> CC: stable@...nel.org
>>>>>> Fixes: 40140eda661e ("media: uvcvideo: Implement mask for V4L2_CTRL_TYPE_MENU")
>>>>>> Reported-by: Zubin Mithra <zsm@...omium.org>
>>>>>
>>>>> checkpatch now requests a Reported-by tag to be immediately followed by
>>>>> a Closes
>>
>> Not that it matters, the changes I performed only required a Link: tag,
>> which is how things should have been done for many years already. It
>> later became Closes: due to patches from Matthieu. But whatever. :-D
> 
> I prefer to leave the Reported-by and remove the Closes, that way we
> credit the reporter (assuming they approved to be referred).
> 
> But if that is not possible, just remove the reported-by. A private
> link is pretty much noise on the tree.

Yeah, of course that's the right strategy (Linus made it pretty clear
that he doesn't want any private links) in case the reporter okay with
the Reported-by. Sorry, forgot to cover that case in my reply.

Ciao, Thorsten

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ