lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 25 Jul 2023 10:26:00 +0800
From: Zheng Hacker <hackerzheng666@...il.com>
To: Lee Jones <lee@...nel.org>
Cc: Sergey Shtylyov <s.shtylyov@....ru>, Jakub Kicinski <kuba@...nel.org>, Zheng Wang <zyytlz.wz@....com>, 
	davem@...emloft.net, linyunsheng@...wei.com, edumazet@...gle.com, 
	pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	1395428693sheep@...il.com, alex000young@...il.com
Subject: Re: [PATCH net v3] net: ravb: Fix possible UAF bug in ravb_remove

Lee Jones <lee@...nel.org> 于2023年7月24日周一 17:21写道:
>
> On Mon, 17 Jul 2023, Lee Jones wrote:
>
> > On Sun, 16 Jul 2023, Zheng Hacker wrote:
> > > Zheng Hacker <hackerzheng666@...il.com> 于2023年7月16日周日 10:11写道:
> > > >
> > > > Hello,
> > > >
> > > > This bug is found by static analysis. I'm sorry that my friends apply
> > > > for a CVE number before we really fix it. We made a list about the
> > > > bugs we have submitted and wouldn't disclose them before the fix. But
> > > > we had a inconsistent situation last month. And we applied it by
> > > > mistake foe we thought we had fixed it. And so sorry about my late
> > > > reply, I'll see the patch right now.
> > > >
> > > > Best regards,
> > > > Zheng Wang
> > > >
> > > > Sergey Shtylyov <s.shtylyov@....ru> 于2023年7月16日周日 04:48写道:
> > > > >
> > > > > On 7/15/23 7:07 PM, Zheng Hacker wrote:
> > > > >
> > > > > > Sorry for my late reply. I'll see what I can do later.
> > > > >
> > > > >    That's good to hear!
> > > > >    Because I'm now only able to look at it during weekends...
> > > > >
> > > > > > Lee Jones <lee@...nel.org> 于2023年7月12日周三 19:56写道:
> > > > > >>
> > > > > >> On Mon, 10 Jul 2023, Jakub Kicinski wrote:
> > > > > >>
> > > > > >>> On Mon, 10 Jul 2023 12:42:53 +0100 Lee Jones wrote:
> > > > > >>>> For better or worse, it looks like this issue was assigned a CVE.
> > > > > >>>
> > > > > >>> Ugh, what a joke.
> > > > > >>
> > > > > >> I think that's putting it politely. :)
> > >
> > > After reviewing the code, I think it's better to put the code in
> > > ravb_remove. For the ravb_remove is bound with the device and
> > > ravb_close is bound with the file. We may not call ravb_close if
> > > there's no file opened.
> >
> > When you do submit this, would you be kind enough to Cc me please?
>
> Could I trouble you for an update on this please?
>
> Have you submitted v4 yet?

Sorry, will do right now.

Best regards,
Zheng
>
> --
> Lee Jones [李琼斯]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ