lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <593e3ae7-1f8c-218a-a5ce-3d90e3008999@linux.dev>
Date: Tue, 16 Jul 2024 09:04:08 +0800
From: Hao Ge <hao.ge@...ux.dev>
To: Jarkko Sakkinen <jarkko@...nel.org>, peterhuewe@....de, jgg@...pe.ca
Cc: linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
 Hao Ge <gehao@...inos.cn>
Subject: Re: [PATCH] tpm: Move dereference after NULL check in
 tpm_buf_check_hmac_response

Hi Jarkko

Have a nice day.

On 7/15/24 19:25, Jarkko Sakkinen wrote:
> On Tue Jul 9, 2024 at 5:33 AM EEST, Hao Ge wrote:
>> From: Hao Ge <gehao@...inos.cn>
>>
>> We shouldn't dereference "auth" until after we have checked that it is
>> non-NULL.
>>
>> Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()")
>> Signed-off-by: Hao Ge <gehao@...inos.cn>
> Also lacking:
>
> Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> Closes: https://lore.kernel.org/linux-integrity/3b1755a9-b12f-42fc-b26d-de2fe4e13ec2@stanley.mountain/T/#u

Regarding this version, I don't think I should add these.

I send this patch on July 9th, 2024.

The following email was sent on July 13th, 2024.

https://lore.kernel.org/linux-integrity/3b1755a9-b12f-42fc-b26d-de2fe4e13ec2@stanley.mountain/T/#u

I think these should be included in the subsequent versions (if any).

>
> What is happening here is that my commit exposed pre-existing bug to
> static analysis but it did not introduce a new regression. I missed
> from your patch how did you ended up to your conclusions.
>
> Please *do not* ignore the sources next time. Either explain how the bug
> was found or provide the reporting source. You are essentially taking
> credit and also blame from the work that you did not accomplish
> yourself, which is both wrong and dishonest.
>
> BR, Jarkko

OK,got it,I'll pay more attention to such details in the future.

I would like to clarify that I did not taking credit and dishonest.

As stated earlier, the timeline indicates that my patch preceded his email.

Before submitting my patch, I conducted a thorough search to ensure that 
there were no related submissions,

  in order to avoid any duplication of effort and wastage of everyone's 
time.

I didn't expect to have wasted everyone's time because of commit message 
, and I sincerely apologize for that.


Thanks

BR

Hao

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ