* 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
@ 2019-06-03 23:02 Zubin Mithra
2019-06-04 7:53 ` Greg KH
2019-06-06 18:58 ` Ben Hutchings
0 siblings, 2 replies; 7+ messages in thread
From: Zubin Mithra @ 2019-06-03 23:02 UTC (permalink / raw)
To: stable
Cc: gregkh, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji,
kaber
Hello,
CVE-2019-12381 was fixed in the upstream linux kernel with the commit :-
* 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()")
Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ?
Tests run:
* Chrome OS tryjobs
Thanks,
- Zubin
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra @ 2019-06-04 7:53 ` Greg KH 2019-06-06 18:58 ` Ben Hutchings 1 sibling, 0 replies; 7+ messages in thread From: Greg KH @ 2019-06-04 7:53 UTC (permalink / raw) To: Zubin Mithra Cc: stable, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji, kaber On Mon, Jun 03, 2019 at 04:02:40PM -0700, Zubin Mithra wrote: > Hello, > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? Same comments here as on the ipv6 bug. Should I just go create CVEs for every single stable kernel patches? Actually, it's been often suggested that I should, just to drive the point home... thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra 2019-06-04 7:53 ` Greg KH @ 2019-06-06 18:58 ` Ben Hutchings 2019-06-07 1:59 ` Gen Zhang 2019-06-07 2:41 ` Gen Zhang 1 sibling, 2 replies; 7+ messages in thread From: Ben Hutchings @ 2019-06-06 18:58 UTC (permalink / raw) To: Zubin Mithra, stable Cc: gregkh, groeck, blackgod016574, davem, kuznet, jmorris, yoshfuji, kaber [-- Attachment #1: Type: text/plain, Size: 741 bytes --] On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > Hello, > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > Tests run: > * Chrome OS tryjobs This doesn't fix a security vulnerability. There already was a check for allocation failure before dereferencing the returned pointer; it just wasn't in the most obvious place. I've requested rejection of this CVE, and several other invalid reports from the same person. Ben. -- Ben Hutchings Experience is what causes a person to make new mistakes instead of old ones. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-06 18:58 ` Ben Hutchings @ 2019-06-07 1:59 ` Gen Zhang 2019-06-07 2:41 ` Gen Zhang 1 sibling, 0 replies; 7+ messages in thread From: Gen Zhang @ 2019-06-07 1:59 UTC (permalink / raw) To: Ben Hutchings Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris, yoshfuji, kaber On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote: > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > > Hello, > > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > > > Tests run: > > * Chrome OS tryjobs > > This doesn't fix a security vulnerability. There already was a check > for allocation failure before dereferencing the returned pointer; it > just wasn't in the most obvious place. I've discussing this with others these days. You mean the check if (!new_ra)? I don't think this check is for allocation failure. Because 'new_ra' is NULL when 'on' is zero. The check should be if (on && !new_ra) if it is for memory allocation failure. > > I've requested rejection of this CVE, and several other invalid reports > from the same person. I think I should be in the CC list. Should I? Thanks Gen > > Ben. > > -- > Ben Hutchings > Experience is what causes a person to make new mistakes > instead of old ones. > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-06 18:58 ` Ben Hutchings 2019-06-07 1:59 ` Gen Zhang @ 2019-06-07 2:41 ` Gen Zhang 2019-06-07 13:02 ` Ben Hutchings 1 sibling, 1 reply; 7+ messages in thread From: Gen Zhang @ 2019-06-07 2:41 UTC (permalink / raw) To: Ben Hutchings Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris, yoshfuji, kaber On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote: > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > > Hello, > > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > > > Tests run: > > * Chrome OS tryjobs > > This doesn't fix a security vulnerability. There already was a check > for allocation failure before dereferencing the returned pointer; it > just wasn't in the most obvious place. > > I've requested rejection of this CVE, and several other invalid reports > from the same person. And where did this 'invalid' come from? Did any maintainers claimed the patch 'invalid' or something? I am confused... Thanks Gen > > Ben. > > -- > Ben Hutchings > Experience is what causes a person to make new mistakes > instead of old ones. > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-07 2:41 ` Gen Zhang @ 2019-06-07 13:02 ` Ben Hutchings 2019-06-08 15:49 ` Gen Zhang 0 siblings, 1 reply; 7+ messages in thread From: Ben Hutchings @ 2019-06-07 13:02 UTC (permalink / raw) To: Gen Zhang Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris, yoshfuji, kaber [-- Attachment #1: Type: text/plain, Size: 1343 bytes --] On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote: > On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote: > > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > > > Hello, > > > > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > > > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > > > > > Tests run: > > > * Chrome OS tryjobs > > > > This doesn't fix a security vulnerability. There already was a check > > for allocation failure before dereferencing the returned pointer; it > > just wasn't in the most obvious place. > > > > I've requested rejection of this CVE, and several other invalid reports > > from the same person. > And where did this 'invalid' come from? Did any maintainers claimed the > patch 'invalid' or something? I am confused... I'm not saying the patch is invalid. It makes the code clearer and seems to result in returning a more appropriate error code. So I don't disagree with the patch, only the claim that it's fixing a security issue. My requests to reject the CVE assignments were made using MITRE's web form. Ben. -- Ben Hutchings Life would be so much easier if we could look at the source code. [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") 2019-06-07 13:02 ` Ben Hutchings @ 2019-06-08 15:49 ` Gen Zhang 0 siblings, 0 replies; 7+ messages in thread From: Gen Zhang @ 2019-06-08 15:49 UTC (permalink / raw) To: Ben Hutchings Cc: Zubin Mithra, stable, gregkh, groeck, davem, kuznet, jmorris, yoshfuji, kaber On Fri, Jun 07, 2019 at 02:02:09PM +0100, Ben Hutchings wrote: > On Fri, 2019-06-07 at 10:41 +0800, Gen Zhang wrote: > > On Thu, Jun 06, 2019 at 07:58:35PM +0100, Ben Hutchings wrote: > > > On Mon, 2019-06-03 at 16:02 -0700, Zubin Mithra wrote: > > > > Hello, > > > > > > > > CVE-2019-12381 was fixed in the upstream linux kernel with the commit :- > > > > * 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") > > > > > > > > Could the patch be applied in order to v4.19.y, v4.14.y, v4.9.y and v4.4.y ? > > > > > > > > Tests run: > > > > * Chrome OS tryjobs > > > > > > This doesn't fix a security vulnerability. There already was a check > > > for allocation failure before dereferencing the returned pointer; it > > > just wasn't in the most obvious place. > > > > > > I've requested rejection of this CVE, and several other invalid reports > > > from the same person. > > And where did this 'invalid' come from? Did any maintainers claimed the > > patch 'invalid' or something? I am confused... > > I'm not saying the patch is invalid. It makes the code clearer and > seems to result in returning a more appropriate error code. So I don't > disagree with the patch, only the claim that it's fixing a security > issue. > > My requests to reject the CVE assignments were made using MITRE's web > form. Well, I see. Thanks for your comments. Thanks Gen > > Ben. > > -- > Ben Hutchings > Life would be so much easier if we could look at the source code. > > ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-06-08 15:49 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-03 23:02 425aa0e1d015 ("ip_sockglue: Fix missing-check bug in ip_ra_control()") Zubin Mithra
2019-06-04 7:53 ` Greg KH
2019-06-06 18:58 ` Ben Hutchings
2019-06-07 1:59 ` Gen Zhang
2019-06-07 2:41 ` Gen Zhang
2019-06-07 13:02 ` Ben Hutchings
2019-06-08 15:49 ` Gen Zhang
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.