| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <27297f052a89a5e171bad743dd59f39a339ce126.camel@HansenPartnership.com> Date: Tue, 16 Dec 2025 07:18:51 +0100 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Shipei Qu <qu@...knavy.com>, Adam Radford <aradford@...il.com>, "Martin K. Petersen" <martin.petersen@...cle.com> Cc: linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org, DARKNAVY <vr@...knavy.com> Subject: Re: [PATCH v2] scsi: 3w-sas: validate request_id reported by controller On Tue, 2025-12-16 at 14:01 +0800, Shipei Qu wrote: > This issue was first reported via security@...nel.org. The kernel > security team replied that, under the usual upstream threat model > (only trusted PCIe/Thunderbolt devices are allowed to bind to such > drivers), it should be treated as a normal robustness bug rather than > a security issue, and asked us to send fixes to the relevant > development lists. This email follows that guidance. Realistically the same rationale goes for us as well. Absent the observation in the field of a problem device, we usually trust the hardware, so unless you can find an actual device that exhibits the problem this isn't really a fix for anything. If the security@ list is happy that the existing trust model for Thunderbolt/PCIe would prevent the attachment of malicious devices, then I think we're also happy to take their word for it. Even if thunderbolt were a security problem, the fix would likely be in the trust model not in all possible drivers. Regards, James Bottomley
Powered by blists - more mailing lists