Re: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: David Sterba <dsterba@suse.cz>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
	linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly
Date: Wed, 31 Jul 2024 16:34:42 +0200	[thread overview]
Message-ID: <20240731143441.GO17473@suse.cz> (raw)
In-Reply-To: <2024073030-vagabond-imprudent-8ea2@gregkh>

On Tue, Jul 30, 2024 at 06:53:40AM +0200, Greg Kroah-Hartman wrote:
> > > The Linux kernel CVE team has assigned CVE-2024-41067 to this issue.
> > 
> > Please drop the CVE. It's a fix for feature that's still in development
> > and is not enabled on production kernels (requires CONFIG_BTRFS_DEBUG).
> 
> We do not know people's use case, and can not "gate" CVE ids based on
> difference config options like this.

The use case are early adopters for a known unfinished feature where
instabilty could happen and there are known problems like lockups.  It's
behind the config option for that purpose so bugs are reported but don't
have to be treated as security.

> > There was even a recent on-disk format change (mkfs required), this is
> > not really for environments where security matters. Thanks.
> 
> It's a fix for a vulnerability, so I think it should stay assigned.  If
> your system does not enable that config option, then there is nothing to
> worry about, right?

It's not a vulnerability unless you define that very extensively. My
systems don't enable that, distro kernels don't enable that, so there's
nothing to worry about. Conclusiion is not to assign a CVE, right.
Otherwise it only increases paperwork.

next prev parent reply	other threads:[~2024-07-31 14:34 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <2024072907-CVE-2024-41067-bc18@gregkh>
2024-07-29 20:55 ` CVE-2024-41067: btrfs: scrub: handle RST lookup error correctly David Sterba
2024-07-30  4:53   ` Greg Kroah-Hartman
2024-07-31 14:34     ` David Sterba [this message]
2024-07-31 14:49       ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240731143441.GO17473@suse.cz \
    --to=dsterba@suse.cz \
    --cc=cve@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-cve-announce@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox