Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp1311439rdb;
        Fri, 16 Feb 2024 11:26:55 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCXx3kQfY1sSAmqDrQfBbYAoPZ5xbzU221eE2DlT/zHZhFl3UocJxbg+vYoDwb1rbA6EoxHm7910bMmsFbE8L5DPLkv/SuFtthuh7y9qeA==
X-Google-Smtp-Source: AGHT+IFM1srOggCtdOLcLtZbor37wlIeQqTYrW939EQTmT4kRpDduxFEseXpuPH4chbOqgEpZ7BK
X-Received: by 2002:a17:906:2c56:b0:a3d:f102:aad with SMTP id f22-20020a1709062c5600b00a3df1020aadmr1447059ejh.41.1708111615320;
        Fri, 16 Feb 2024 11:26:55 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708111615; cv=pass;
        d=google.com; s=arc-20160816;
        b=K/273XgCRwGwqANppLAYxF1Rvpi/DzwOoZO1UMVtm6Rgbzp2tth1vFK0zMFR5d2Akb
         OWMbQRfL8vHt7bzydCdUHbURwAbcPW9PUJkfEbwYYAJ9ZgG2vn5Jb99srhEgT1y0oIf8
         S3zm8o1+xqt3u1Vpm5Syx3LajW/8pQWVe3qfO9z12LfsSt93lflOpgkmbjADkKhuVFej
         jIbAtMsGhKs6ThDQtbEbnI+AAbRoFsEYSryInZwwZNzXHQQ2aZbbNtP/0NKUD6U/He6w
         MVlPzrKIlT9JhVgHepwFtYRVi8oF+PzTy7UtChHpgsmWtQxhwEVKhPzjZ337iQi1sug6
         ON9A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=nDmfUzhsaFH0Jc2Zpmv1BnkkYtyZBG1NCcsQBkP6feQ=;
        fh=Hh0zJ1rB05heMcwOscsgSOw4tB1grt1FYVSjSDPZatQ=;
        b=0QV3ppylUPkUcDjiFOOeBeeFmZqdV5f7j+jxke/qgwm0HRAkNPW5rHZXp9rmOU+wKT
         KURh2nZZIb3Cojsm4z4SIKQ8L0RkuyGAr6byuU7oME/D2LXQT0huDG+jWv6nmYyfWd9/
         bEQpLrfEQTxvVh4ei4iVKN/2l1U3r9rBZAlIz4xdaviCsC0zee7Z/sTbrKI1AOP6emOP
         jCfK43XJAeBc3oFoCROncttf9VXEQniY0K9FvH1w70R655rpsR6gVkwxu+DUzorhLKEG
         CN3eiTVcN203kOVgEbEOuaID7xY6A7XKAX7kPMvo2WFCxfIT7op20oiRywtZ5RWZz3Xa
         ag6A==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QfHnCJNB;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id qw37-20020a1709066a2500b00a3d1e75f8a1si207868ejc.6.2024.02.16.11.26.55
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 16 Feb 2024 11:26:55 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QfHnCJNB;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 3F8C01F243EE
	for <linux.lists.archive@gmail.com>; Fri, 16 Feb 2024 19:26:39 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 5979B1369B4;
	Fri, 16 Feb 2024 19:26:29 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QfHnCJNB"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 68992135402;
	Fri, 16 Feb 2024 19:26:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708111588; cv=none; b=B8AKbiptePOe+UYEtcU+WNclScwEHIDD39vWLgPewEORvrDcX/Y5TFSTsJluqLL8/ecPrnK20f0nBElAhZyQAaPE42meV/MdS9vNPyHC/hWhoaq0fAtOhMHx3Ik7HOHm1TqYiutTm8Z/nI9PiacPbge4ZukzvdMlIkQNZp6R020=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708111588; c=relaxed/simple;
	bh=1mpjenY//1/lR2l1bgr2WJZpCyo7YC4v+ajLMTbKotE=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=T38HGIh+H9/vVEw+X91Q8/TqiPjDVxzfwvjOM3Ca0MfePRge/qBzCPGeoZeB/mGIYBzB63Tr7x18JKIVCjxhBtluyNysLQI+fb8PhFYK7p0dU0ZGt7gsHbC6dpH57k7WN8XmqQ+gjVSPqTP5r1YPjmbv2F5kENDYJA5+Hxv/Fts=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=QfHnCJNB; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B630C43390;
	Fri, 16 Feb 2024 19:26:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1708111588;
	bh=1mpjenY//1/lR2l1bgr2WJZpCyo7YC4v+ajLMTbKotE=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=QfHnCJNB3GHYywyG7spCptMCzNszHj5csHJWlnqyQGO1P3//zNoyIPXWUUGyRRaWo
	 73QBBp3w/vRwg2TbZyI0yIDgemjuQYxB0nAVsQfberERofvoWxzhGHYmXEvdZy8bbf
	 tbtL0tBeybawWyidQ2n7yZjAgQLYHM/xdYyB1s3a4jN/i/B7g75EF7IyiIIcbg4T70
	 C32Ms0XKzwBL0r/1ygx6V19VKJ5lCfZWlTvz80vLLjp6LPYGqRQGv2m6o8w+xML/21
	 DM16neeI1J00KV4W9D5VgwFrOSn9hGkWgYGHeXMA7eUzm2Y9vsBu7Wm8hgRzjrSeCQ
	 IGaAKWRKTbs9Q==
Date: Fri, 16 Feb 2024 11:26:25 -0800
From: Josh Poimboeuf <jpoimboe@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org, security@kernel.org,
	linux@leemhuis.info, Kees Cook <keescook@chromium.org>,
	Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
	Krzysztof Kozlowski <krzk@kernel.org>,
	Lukas Bulwahn <lukas.bulwahn@gmail.com>,
	Sasha Levin <sashal@kernel.org>, Lee Jones <lee@kernel.org>
Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process
Message-ID: <20240216192625.o3q6m7cjgkwyfe4y@treble>
References: <2024021500-laziness-grimace-ed80@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <2024021500-laziness-grimace-ed80@gregkh>

On Thu, Feb 15, 2024 at 01:10:55PM +0100, Greg Kroah-Hartman wrote:
> +Note, due to the layer at which the Linux kernel is in a system, almost
> +any bug might be exploitable to compromise the security of the kernel,
> +but the possibility of exploitation is often not evident when the bug is
> +fixed.

By this paranoid black-and-white logic, any mainline commit could have a
yet-to-be-discovered regression resulting in a catastrophic
vulnerability.

Should we stay one step ahead and just open a CVE for every mainline
commit?

Problem solved, all "vulnerabilities" have been identified!  False
positives be damned!

For that matter, why don't we do as Thomas has suggested and hardcode
NR_CPUS to zero!

> Because of this, the CVE assignment team is overly cautious and
> +assign CVE numbers to any bugfix that they identify.  This
> +explains the seemingly large number of CVEs that are issued by the Linux
> +kernel team.

How does this match up with the definition of a vulnerabilty?

  An instance of one or more weaknesses in a Product that can be
  exploited, causing a negative impact to confidentiality, integrity, or
  availability; a set of conditions or behaviors that allows the
  violation of an explicit or implicit security policy.

Bug != vulnerability.  Otherwise the definition of a vulnerability would
be much simpler, i.e., "any software defect".

If a CVE is created without any analysis and doesn't describe how the
bug can be exploited then it's completely useless.

Who is this process helping?

- Not users of -stable since they already know they need to be on the
  latest version.

- Not distros or their users as it's just flooding them with low quality
  CVEs which have no analysis or scoring.

And enterprise distros will never be able to rebase onto -stable,
especially for older streams for which they have to be very selective,
in order to avoid destabilizing them.  As you say, "a bug is a bug".

If the problem is low CVE quality then of course it makes a lot of sense
for kernel.org to become a CNA in order to take a leadership role in
helping define and improve the process for its users.  But it makes no
sense to "fix" it by making CVE quality *vastly* lower by flooding
people with useless CVEs.

-- 
Josh