| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Jun 2021 08:29:34 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: SyzScope <syzscope@...il.com>, davem@...emloft.net,
johan.hedberg@...il.com, kuba@...nel.org,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
marcel@...tmann.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in hci_chan_del
On Sun, Jun 06, 2021 at 07:16:00AM +0200, Greg KH wrote:
> On Sat, Jun 05, 2021 at 11:12:49AM -0700, SyzScope wrote:
> > Hi Greg,
<...>
> > Perhaps we misunderstood the problem of syzbot-generated bugs. Our
> > understanding is that if a syzbot-generated bug is exploited in the wild
> > and/or the exploit code is made publicly available somehow, then the bug
> > will be fixed in a prioritized fashion. If our understanding is correct,
> > wouldn't it be nice if we, as good guys, can figure out which bugs are
> > security-critical and patch them before the bad guys exploit them.
>
> The "problem" is that no one seems willing to provide the resources to
> fix the issues being found as quickly as they are being found. It
> usually takes an exponentially longer amount of time for a fix than to
> find the problem.
And this is even an easy case, the more complex and common situation
where repro is not available or it doesn't reproduce locally, because
it is race.
Thanks
Powered by blists - more mailing lists