From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Wed, 11 Dec 2013 15:17:59 +1100 From: Dave Chinner To: Kees Cook Cc: Josh Boyer , Luis Henriques , Dwight Engen , LKML , Brian Foster , Dave Chinner , Gao feng , Ben Myers , Greg KH , xfs@oss.sgi.com, "stable@vger.kernel.org" , Dan Carpenter Subject: Re: XFS security fix never sent to -stable? Message-ID: <20131211041758.GI10988@dastard> References: <20131209121534.GE4278@hercules> <20131209235523.GW31386@dastard> <20131211010326.GF10988@dastard> <20131211020007.GH10988@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: On Tue, Dec 10, 2013 at 06:45:54PM -0800, Kees Cook wrote: > On Tue, Dec 10, 2013 at 6:00 PM, Dave Chinner wrote: > > On Tue, Dec 10, 2013 at 08:10:51PM -0500, Josh Boyer wrote: > >> On Tue, Dec 10, 2013 at 8:03 PM, Dave Chinner wrote: > >> > Security processes are not something that should be hidden away in > >> > it's own private corner - if there's a problem upstream needs to > >> > take action on, then direct contact with upstream is necessary. We > >> > need to know about security issues - even ones that are classified > >> > post-commit as security issues - so we are operating with full > >> > knowledge of the issues in our code and the impact of our fixes.... > >> > >> Agreed. I'm going to interpret your comments at being directed to the > >> general audience because otherwise you're just shooting the messenger > >> :). > > > > Right, they are not aimed at you - they are aimed at those on the > > security side of the fence. I'm tired of learning about CVEs in XFS > > code through chinese whispers and/or luck. > > Mostly I try to shield anyone not interested in CVEs from the boring > process, and try to focus on just getting things marked as needing to > go into stable. I don't think anyone needs to read the oss-security > list if they don't want to. Which is how is should be. ;) All I want is some kind of notification when a CVE raised for an XFS issue. It may be telling us something we already known, but if: a) it has not yet been pushed upstream; or b) it was not marked for stable kernels at commit time; or c) don't have a fix for it yet then it's an indication that we need to pay a little more attention to this class of problem when we review similar fixes. > In this case, the fix Dan sent was part of a larger collection of > security issues reported by Nico. I think the communication error here > was Dan accidentally forgetting to add the Cc: stable tag. But beyond > that, it was sent to the xfs list and Cc: to security, so I'm not sure > it's fair to say it was hidden away. :) Right - this falls into the above category a) because of that. There didn't appear to be any urgency because of the level of exposure of the problem (i.e. need CAP_SYS_ADMIN to trip over it) and the fact it's been like this for the past 10 years.... > Besides the missing Cc: stable tag, what should future patch senders > do to call attention to an issue being a security problem at the time > it is being reported? Well, it may not be known at the time it's considered a security issue, so I think that the best thing to do is make sure that when a CVE is actually raise a note is sent to the relevant list just to indicate 'CVE 1024-3267 has been raised for commit abcd1234 ("xfs: knabgraddle the frobnozzle")'. At least that way everyone - including XFS users - that there is an issue that they might want to look out for and plan to upgrade their stable kernels in the not-to-distant future... Cheers, Dave. -- Dave Chinner david@fromorbit.com