Subject: Re: stable-security kernel updates
From: Jiri Slaby
To: Sasha Levin, LKML, stable
Cc: lwn@lwn.net
Date: Thu, 21 Apr 2016 13:59:52 +0200
Message-ID: <5718C0B8.8010609@suse.cz>
In-Reply-To: <5718B57D.4000504@oracle.com>
References: <5717DD8A.4000707@oracle.com> <571876AB.2060106@suse.cz> <5718B57D.4000504@oracle.com>
List-ID: linux-kernel@vger.kernel.org

On 04/21/2016, 01:11 PM, Sasha Levin wrote:
>> Ok, not that bad, it is only unused code, but why are *not* these in the
>> security tree?
>> ipr: Fix out-of-bounds null overwrite
>
> Is there a particular way to exploit this that I'm missing?

Any (write > 100) to "/sys/.../fw_update" writes '0' out of bounds, I suppose.
But the point is different: I don't even need to care if there is one. And more, I don't even want to wait for one to appear.

>> Input: powermate - fix oops with malicious USB descriptors
>
> This requires physical access to the machine.

This is not a relevant argument. There are plenty of study rooms with computers and I don't want users to crash a machine by a buggy driver. OK, in this particular case, a broken cable, buggy bus or FW bug or whatever would be needed on top of that. But I am not a god to know the circumstances before they occur, so better be safe now as it's clearly a bugfix.

>> rapidio/rionet: fix deadlock on SMP
>
> Seemed a bit borderline I suppose. There's nothing specific the
> user can do to actually trigger this?

Given my experience with fuzzers and bug hunting, how is not just heavily loading the machine sufficient? Pardon my ignorance, how can you actually be sure?

> Another thing to note here is that security patch selection database
> is shared between versions, so if a given commit gets marked as security
> later on (someone figured out it's a CVE or something similar), it'll
> get added to the stable-security tree even if it was initially skipped.

But that's too late. You then have to force people to update immediately while you actually would not need to.

> So I've also ended up auditing the 3.12 for missing CVE fixes and these
> ones ended up being at the top of the list. Could you explain why they
> are not in the 3.12 stable tree (and as a result can't get to users of
> the corresponding stable-security tree)?

Sure. They didn't apply or were not marked as stable. In both cases it is the code maintainer's responsibility to take care of those. At least by pinging the stable list with SHAs.

On top of that, I monitor SLE12 changes and:

> (CVE-2015-7513) 0185604 KVM: x86: Reload pit counters for all channels when restoring state

This was not evaluated for SLE12 yet.
> (CVE-2015-8539) 096fe9e KEYS: Fix handling of stored error in a negatively instantiated user key

Backported now. Thanks for noting.

> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons

Does not exist in the CVE database/is not confirmed yet AFAICS.

> So while the stable-security tree might be missing commits that might
> or might not have security impact, it seems the 3.12 tree itself is
> missing fixes for privilege escalation CVEs from last year. Should I
> be recommending that no one uses 3.12?

First, I am not deliberately filtering commits on an invalid basis. Second, every fart can have a CVE number today. A CVE number should by no means be used as a decision. Third, whatever is missing and is applicable, I am putting in. Fourth, naturally, there are a lot of patches missing in the net flowing in the large sea of patches. But given your count of patches, you have ~2 times higher chance to miss something important.

thanks,
-- 
js
suse labs
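The ipr fix at the top of the thread is described only by its symptom ("any write > 100 to fw_update writes '0' out of bounds"). The following is an added example, not code from the thread or from the ipr driver: a sysfs-style store handler modelled on that bug class, where the index used for the terminating NUL is taken from snprintf()'s return value (the length the whole input would have needed, not the length actually stored), next to a hardened form that rejects oversized writes. The buffer size of 100, the function names and the constructed inputs are assumptions for illustration.

```c
/*
 * Added example, not code from the thread or the ipr driver: a sysfs-style
 * "store" handler copying a user string into a fixed buffer, modelled on the
 * bug class discussed in the thread (a write longer than the buffer puts the
 * NUL terminator out of bounds). The buffer size (100) and the names are
 * assumptions for illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define FW_NAME_LEN 100   /* assumed, matching the "> 100" in the thread */

/*
 * Unsafe shape:  len = snprintf(fname, 99, "%s", buf); fname[len - 1] = '\0';
 * snprintf() returns the length the whole input would have needed, not the
 * length it actually stored, so for input longer than the buffer len - 1
 * points past fname. This helper only computes that index and never writes
 * to it, so it is safe to run.
 */
static long unsafe_nul_index(const char *buf)
{
    char fname[FW_NAME_LEN];
    int len = snprintf(fname, FW_NAME_LEN - 1, "%s", buf);

    return len > 0 ? (long)len - 1 : -1;
}

/* 1 if the unsafe pattern would stay inside fname for this input, else 0. */
static int unsafe_index_in_bounds(const char *buf)
{
    long idx = unsafe_nul_index(buf);

    return idx >= 0 && idx < FW_NAME_LEN;
}

/*
 * Hardened handler: reject writes that do not fit (including the NUL), copy
 * exactly count bytes, terminate explicitly, then strip one trailing newline
 * since echo(1) appends one. Returns count on success, -EINVAL otherwise,
 * in the style of a kernel ->store() callback.
 */
static ssize_t fw_update_store(char *fname, size_t fname_len,
                               const char *buf, size_t count)
{
    if (count == 0 || count >= fname_len)
        return -EINVAL;

    memcpy(fname, buf, count);
    fname[count] = '\0';
    if (fname[count - 1] == '\n')
        fname[count - 1] = '\0';

    return (ssize_t)count;
}

/* Helpers: build a constructed input of n 'A' bytes and run both paths. */
static char g_fname[FW_NAME_LEN];

static int build_input(char *out, size_t out_len, size_t n)
{
    if (n >= out_len)
        return 0;
    memset(out, 'A', n);
    out[n] = '\0';
    return 1;
}

static int unsafe_index_in_bounds_for_len(size_t n)
{
    char buf[512];

    return build_input(buf, sizeof(buf), n) ? unsafe_index_in_bounds(buf) : -1;
}

static long store_result_for_len(size_t n)
{
    char buf[512];

    if (!build_input(buf, sizeof(buf), n))
        return -1;
    return (long)fw_update_store(g_fname, sizeof(g_fname), buf, n);
}

/* Store buf through the hardened handler; NULL if it was rejected. */
static const char *stored_name(const char *buf, size_t count)
{
    return fw_update_store(g_fname, sizeof(g_fname), buf, count) < 0
           ? NULL : g_fname;
}

int main(void)
{
    printf("10-byte write:  unsafe index in bounds = %d, hardened = %ld\n",
           unsafe_index_in_bounds_for_len(10), store_result_for_len(10));
    printf("150-byte write: unsafe index in bounds = %d, hardened = %ld\n",
           unsafe_index_in_bounds_for_len(150), store_result_for_len(150));
    return 0;
}
```

The point the example makes about the thread's argument: the unsafe pattern is reachable by anyone who can write to the sysfs attribute, and whether that write is "exploitable" depends on what sits after the buffer on the stack, which is exactly the kind of circumstance a stable maintainer cannot know in advance. The hardened handler makes that question moot by refusing input that does not fit.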