Date: Thu, 27 Jun 2024 16:08:45 -0400
From: Sasha Levin <sashal@...nel.org>
To: Damien Le Moal <dlemoal@...nel.org>
Cc: Mikhail Ukhin <mish.uxin2012@...dex.ru>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jens Axboe <axboe@...nel.dk>, Niklas Cassel <cassel@...nel.org>,
	stable@...r.kernel.org, linux-ide@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Pavel Koshutin <koshutin.pavel@...dex.ru>,
	lvc-project@...uxtesting.org
Subject: Re: [PATCH v4 5.10/5.15] ata: libata-scsi: check cdb length for
 VARIABLE_LENGTH_CMD commands

On Thu, Jun 27, 2024 at 11:02:23AM +0900, Damien Le Moal wrote:
>On 6/27/24 06:13, Mikhail Ukhin wrote:
>> Fuzzing of 5.10 stable branch reports a slab-out-of-bounds error in
>> ata_scsi_pass_thru.
>>
>> The error is fixed in 5.18 by commit ce70fd9a551a ("scsi: core: Remove the
>> cmd field from struct scsi_request") upstream.
>> Backporting this commit would require significant changes to the code so
>> it is better to use a simple fix for that particular error.
>
>This sentence is not needed in the commit message. That is a discussion to have
>when applying (or not) the patch.

It's good to have this reasoning in the commit message too, so that later
when we look at the patch and try to understand why we needed something
custom for the backport, the justification will be right there.

-- 
Thanks,
Sasha
