Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp1225121rdb; Fri, 16 Feb 2024 08:51:38 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVwx5Ao2LK2GiMJ0sd4BLnC/FB0bjd66ZH+cJMWSc+IrgAJ7a4tSifcQtz9Azv+phYYTzZjmtPjq7x2RAuap5c3gQ0rE1BayovHl9ZldA== X-Google-Smtp-Source: AGHT+IHmuTTKFXmjDRMhpGnq2EasLgmE3jAODUyGjTqN8YD+dM6hMyMrwQaaGHjphZk0kJ4cFh3t X-Received: by 2002:a0c:e290:0:b0:68f:3dce:7b94 with SMTP id r16-20020a0ce290000000b0068f3dce7b94mr743829qvl.4.1708102298510; Fri, 16 Feb 2024 08:51:38 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708102298; cv=pass; d=google.com; s=arc-20160816; b=CisdX8vIVK53sRXBgZQW6VH2ffLp3gJc9Mrde1YKF93OIWSiLW0u6RR+Mmmv1NxUnX dThD39MWXz8Muima1qHjnrgzvgPpOj8NWXYIELgzyvg4ZByZ0KPMzlsZUESSpF+zh5OV aDtYR085/XW5RKs325sb0iBpdoz0/ix8kD8mus/mynb8ZKE3qhQYBkxGwNaIKeYCmNdu yc7xhtB0BzeKCaTXBOvVPjX5mcLcXtftle8hDQQ175V5KNwMnots2402V75rcr5OK9J6 4YMbZsB+l+1QgnV3yRa43X6VRkEOm5vvRSXNvT/4tpw8c4+PNHtsAiRMs7yTj/zJEsh4 qq1A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature; bh=F6kQvlK/L7iuReKt8M8eM35S1Vrh5nJKRZ/vQtmta6k=; fh=ddIvapyrxqAJBuJ+gsKofohD9arAtCaaa8hhI84M0KU=; b=geVqKfMhzQQbHNhk3fuMcVF6mxPJg5hrBiLmS14M3SsIYplpZUnGLJI1mgZSAC8X0+ PSUvWJcf6x3r2miMV2f5d4x16/ogWACbYgYbHDIXLmZSpSVonK7XjoUTN9RevffvP39S s5VL8LbiSz4q1zW+4kWnHx4j4WrwkAyNM9YBXOorf2xPrYdJNjEtwoilcdgAuHMD3EtP dBqUcJ/I8NqKSTTAzkNjtKVSwWQpTfAEaIhQ130Zd0psSEemjMVPiP/H0j0Q+xEOtvRg PseNhM4DXBGI2ySMvFM7x0zalg/YQhULRmpk8x4j7zQvYA7RjcuI3bCA0B18XdhTPwGp T+Gg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=u7vQAp4C; dkim=pass header.i=@suse.com header.s=susede1 header.b=u7vQAp4C; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=pass (google.com: domain of linux-kernel+bounces-68984-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-68984-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id a11-20020ad45c4b000000b0068f2d640381si121382qva.614.2024.02.16.08.51.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 08:51:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-68984-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=u7vQAp4C; dkim=pass header.i=@suse.com header.s=susede1 header.b=u7vQAp4C; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=pass (google.com: domain of linux-kernel+bounces-68984-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-68984-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 375A81C21BA3 for ; Fri, 16 Feb 2024 16:51:38 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E7FE9130E20; Fri, 16 Feb 2024 16:51:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="u7vQAp4C"; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="u7vQAp4C" Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5FE8C12F36A; Fri, 16 Feb 2024 16:51:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708102289; cv=none; b=li5XtKXvQ5o9T8nZ22qXOqW47GeVM+LTab37WNC6BQ3oUuZK4smS6cBqZGdID4o35AXD/bh6nq6+FaE4gPnjA2DOjYBIbZR97QrGIZGXBZvWuusUejB0xFaF094Ql1NbcnIcOrHDRVsBbdHWI6DFIKFZHh7QhRYpE4lkDFdcyyc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708102289; c=relaxed/simple; bh=GFdZ9x5VnyQk2XmemYZ+RhJwyg2qNpV8wiYTo3qSBFc=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=PeotcInXT4MWm0P9N2jhG0z//Bccr97v61zRR3PeXdDghq4ymZBLHEQRyyCyFGaPwOOi98NgDDOdUNy/9weC202xi0FYrm9FnGyaFOsZnlbiRudwS+wacFGYr/oOO6z20VmO+sVFakkLdTcWa4utONcOknliLcwa2h/WGo2PyNE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=u7vQAp4C; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=u7vQAp4C; arc=none smtp.client-ip=195.135.223.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 59E4C1FB76; Fri, 16 Feb 2024 16:51:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1708102283; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=F6kQvlK/L7iuReKt8M8eM35S1Vrh5nJKRZ/vQtmta6k=; b=u7vQAp4CkLoRxaZTYE7BDD3PqS4k9gTykTFSu4hXaUkUQKtXHba1yT8p8XZWQtAnYUtFHC vaboM5s/oSXVvBzx2RbAPT9AzHThsw1G0q3sE/On/nDZp9EI9D2gPnQ4MzvRGpQHN/Y00y Qks5UC4qaRtZHhafStqtbmthpldqme8= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1708102283; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=F6kQvlK/L7iuReKt8M8eM35S1Vrh5nJKRZ/vQtmta6k=; b=u7vQAp4CkLoRxaZTYE7BDD3PqS4k9gTykTFSu4hXaUkUQKtXHba1yT8p8XZWQtAnYUtFHC vaboM5s/oSXVvBzx2RbAPT9AzHThsw1G0q3sE/On/nDZp9EI9D2gPnQ4MzvRGpQHN/Y00y Qks5UC4qaRtZHhafStqtbmthpldqme8= Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 410BE1398D; Fri, 16 Feb 2024 16:51:23 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id R4gXDouSz2W5VAAAD6G6ig (envelope-from ); Fri, 16 Feb 2024 16:51:23 +0000 Date: Fri, 16 Feb 2024 17:51:22 +0100 From: Michal Hocko To: Greg Kroah-Hartman Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, Kees Cook , Sasha Levin , Lee Jones Subject: Re: [PATCH v3] Documentation: Document the Linux Kernel CVE process Message-ID: References: <2024021430-blanching-spotter-c7c8@gregkh> <2024021518-stature-frightful-e7fc@gregkh> <2024021646-procedure-faceted-ea87@gregkh> <2024021620-retrieval-lethargic-eeca@gregkh> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2024021620-retrieval-lethargic-eeca@gregkh> Authentication-Results: smtp-out2.suse.de; dkim=pass header.d=suse.com header.s=susede1 header.b=u7vQAp4C X-Spamd-Result: default: False [-2.81 / 50.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_ALLOW(-0.20)[suse.com:s=susede1]; SPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_THREE(0.00)[3]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; DKIM_TRACE(0.00)[suse.com:+]; MX_GOOD(-0.01)[]; RCPT_COUNT_SEVEN(0.00)[9]; FUZZY_BLOCKED(0.00)[rspamd.com]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MID_RHS_NOT_FQDN(0.50)[]; RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%] X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-Rspamd-Queue-Id: 59E4C1FB76 X-Spam-Level: X-Spam-Score: -2.81 X-Spam-Flag: NO On Fri 16-02-24 16:34:57, Greg KH wrote: > On Fri, Feb 16, 2024 at 02:20:04PM +0100, Michal Hocko wrote: > > > Right now > > > we are fixing lots and lots of things and no one notices as their > > > "traditional" path of only looking at CVEs for the kernel is totally > > > incorrect. > > > > Right, there are quite a lot of people who consider CVE fixes much more > > important than regular fixes. Their reasoning might be completely > > misleading but there might be very good reasons to stick to minimalistic > > approach, e.g. to reduce risk of regressions. > > > > I believe it is perfectly fair to say that whoever relies on stable > > kernels support needs to update to the latest stable kernel version to > > be covered by security and functional fixes. On the other hand I do not > > think it is an improvement to the process to swamp CVE database with any > > random fixes without a proper evaluation. If the kernel community > > doesn't believe in the CVE process then fair enough, just do not assign > > them unless you want to explicitly call out fixes with a high impact > > security implications. Having fewer good quality CVEs would definitely > > improve the process. > > As you know, it's almost impossible to determine if a fix is "high > impact" or not, given that we have no idea what anyone's use case is for > the kernel. We have documented proof of single-byte-buffer-overflows > resulting in complete system takeovers, and the same for very tiny > use-after-free issues, and the same for tiny "overflow a USB string > buffer" issues, and so on. Right, generally speaking this is not an easy task. It requires a lot of diligence actually. Sometimes there is no clear cut and that is _fine_. The CVE system cannot ever be bullet proof and mark every single security related fix (really you can be creating new security problems just by backporting upstream fixes into stable trees). But that is not really all that important, the main thing/question is whether it can be _useful_. If you simply assign CVE to any fix in stable you end up with thousands of CVEs and I really fail to see any practical benefit from that. Well, unless you want to DoS the system and its consumers. Who do you expect to be the user/consumer of those CVE numbers? You have already said that community supported stable kernels mandate the latest version to be used. Those users do not need to know there is $BIG_NUMBER of CVEs in them. If you want to mark a specific class of fixes with CVE because they are known to be used for exploits then fine! That is something actually useful. If you allow users to explicitly mark a fix as security relevant because of XYZ argument then really great! > So as always, we need to treat "a bug is a bug is a bug" and when > looking at the bug fix, if it resolves something that is known to be ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > a vulnerability (again, as defined by CVE themselves), then we need to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > mark it as such. I am completely with you on that! That is quite far away from what the documentation says AFAICS. > If you find that we are marking things as a CVE thatt you do not feel > should be marked as such, please let us know and we will be glad to > discuss it on a case-by-case basis. I've been through that exercise with the CVE process over years many times. It has always been a pain because you were not talking to domain experts who could evaluate the reasoning behind the dispute. I consider the new process of a clearly defined dispute process a big improvement! But if the real practice would be thousands of CVEs created for any stable backport then this will DoS many existing CVE consumers. All that being said. I do agree that taking control of CVEs and making that kernel community thing is a good thing! But I really fail to understand how increasing the number of CVEs by nominating all/most stable fixes is going to help anybody or improve the existing process. Thanks! -- Michal Hocko SUSE Labs