Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp1311439rdb; Fri, 16 Feb 2024 11:26:55 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXx3kQfY1sSAmqDrQfBbYAoPZ5xbzU221eE2DlT/zHZhFl3UocJxbg+vYoDwb1rbA6EoxHm7910bMmsFbE8L5DPLkv/SuFtthuh7y9qeA== X-Google-Smtp-Source: AGHT+IFM1srOggCtdOLcLtZbor37wlIeQqTYrW939EQTmT4kRpDduxFEseXpuPH4chbOqgEpZ7BK X-Received: by 2002:a17:906:2c56:b0:a3d:f102:aad with SMTP id f22-20020a1709062c5600b00a3df1020aadmr1447059ejh.41.1708111615320; Fri, 16 Feb 2024 11:26:55 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708111615; cv=pass; d=google.com; s=arc-20160816; b=K/273XgCRwGwqANppLAYxF1Rvpi/DzwOoZO1UMVtm6Rgbzp2tth1vFK0zMFR5d2Akb OWMbQRfL8vHt7bzydCdUHbURwAbcPW9PUJkfEbwYYAJ9ZgG2vn5Jb99srhEgT1y0oIf8 S3zm8o1+xqt3u1Vpm5Syx3LajW/8pQWVe3qfO9z12LfsSt93lflOpgkmbjADkKhuVFej jIbAtMsGhKs6ThDQtbEbnI+AAbRoFsEYSryInZwwZNzXHQQ2aZbbNtP/0NKUD6U/He6w MVlPzrKIlT9JhVgHepwFtYRVi8oF+PzTy7UtChHpgsmWtQxhwEVKhPzjZ337iQi1sug6 ON9A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=nDmfUzhsaFH0Jc2Zpmv1BnkkYtyZBG1NCcsQBkP6feQ=; fh=Hh0zJ1rB05heMcwOscsgSOw4tB1grt1FYVSjSDPZatQ=; b=0QV3ppylUPkUcDjiFOOeBeeFmZqdV5f7j+jxke/qgwm0HRAkNPW5rHZXp9rmOU+wKT KURh2nZZIb3Cojsm4z4SIKQ8L0RkuyGAr6byuU7oME/D2LXQT0huDG+jWv6nmYyfWd9/ bEQpLrfEQTxvVh4ei4iVKN/2l1U3r9rBZAlIz4xdaviCsC0zee7Z/sTbrKI1AOP6emOP jCfK43XJAeBc3oFoCROncttf9VXEQniY0K9FvH1w70R655rpsR6gVkwxu+DUzorhLKEG CN3eiTVcN203kOVgEbEOuaID7xY6A7XKAX7kPMvo2WFCxfIT7op20oiRywtZ5RWZz3Xa ag6A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QfHnCJNB; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id qw37-20020a1709066a2500b00a3d1e75f8a1si207868ejc.6.2024.02.16.11.26.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 11:26:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=QfHnCJNB; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69242-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 3F8C01F243EE for ; Fri, 16 Feb 2024 19:26:39 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5979B1369B4; Fri, 16 Feb 2024 19:26:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QfHnCJNB" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 68992135402; Fri, 16 Feb 2024 19:26:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708111588; cv=none; b=B8AKbiptePOe+UYEtcU+WNclScwEHIDD39vWLgPewEORvrDcX/Y5TFSTsJluqLL8/ecPrnK20f0nBElAhZyQAaPE42meV/MdS9vNPyHC/hWhoaq0fAtOhMHx3Ik7HOHm1TqYiutTm8Z/nI9PiacPbge4ZukzvdMlIkQNZp6R020= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708111588; c=relaxed/simple; bh=1mpjenY//1/lR2l1bgr2WJZpCyo7YC4v+ajLMTbKotE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=T38HGIh+H9/vVEw+X91Q8/TqiPjDVxzfwvjOM3Ca0MfePRge/qBzCPGeoZeB/mGIYBzB63Tr7x18JKIVCjxhBtluyNysLQI+fb8PhFYK7p0dU0ZGt7gsHbC6dpH57k7WN8XmqQ+gjVSPqTP5r1YPjmbv2F5kENDYJA5+Hxv/Fts= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=QfHnCJNB; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B630C43390; Fri, 16 Feb 2024 19:26:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1708111588; bh=1mpjenY//1/lR2l1bgr2WJZpCyo7YC4v+ajLMTbKotE=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=QfHnCJNB3GHYywyG7spCptMCzNszHj5csHJWlnqyQGO1P3//zNoyIPXWUUGyRRaWo 73QBBp3w/vRwg2TbZyI0yIDgemjuQYxB0nAVsQfberERofvoWxzhGHYmXEvdZy8bbf tbtL0tBeybawWyidQ2n7yZjAgQLYHM/xdYyB1s3a4jN/i/B7g75EF7IyiIIcbg4T70 C32Ms0XKzwBL0r/1ygx6V19VKJ5lCfZWlTvz80vLLjp6LPYGqRQGv2m6o8w+xML/21 DM16neeI1J00KV4W9D5VgwFrOSn9hGkWgYGHeXMA7eUzm2Y9vsBu7Wm8hgRzjrSeCQ IGaAKWRKTbs9Q== Date: Fri, 16 Feb 2024 11:26:25 -0800 From: Josh Poimboeuf To: Greg Kroah-Hartman Cc: corbet@lwn.net, workflows@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org, linux@leemhuis.info, Kees Cook , Konstantin Ryabitsev , Krzysztof Kozlowski , Lukas Bulwahn , Sasha Levin , Lee Jones Subject: Re: [PATCH v4] Documentation: Document the Linux Kernel CVE process Message-ID: <20240216192625.o3q6m7cjgkwyfe4y@treble> References: <2024021500-laziness-grimace-ed80@gregkh> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <2024021500-laziness-grimace-ed80@gregkh> On Thu, Feb 15, 2024 at 01:10:55PM +0100, Greg Kroah-Hartman wrote: > +Note, due to the layer at which the Linux kernel is in a system, almost > +any bug might be exploitable to compromise the security of the kernel, > +but the possibility of exploitation is often not evident when the bug is > +fixed. By this paranoid black-and-white logic, any mainline commit could have a yet-to-be-discovered regression resulting in a catastrophic vulnerability. Should we stay one step ahead and just open a CVE for every mainline commit? Problem solved, all "vulnerabilities" have been identified! False positives be damned! For that matter, why don't we do as Thomas has suggested and hardcode NR_CPUS to zero! > Because of this, the CVE assignment team is overly cautious and > +assign CVE numbers to any bugfix that they identify. This > +explains the seemingly large number of CVEs that are issued by the Linux > +kernel team. How does this match up with the definition of a vulnerabilty? An instance of one or more weaknesses in a Product that can be exploited, causing a negative impact to confidentiality, integrity, or availability; a set of conditions or behaviors that allows the violation of an explicit or implicit security policy. Bug != vulnerability. Otherwise the definition of a vulnerability would be much simpler, i.e., "any software defect". If a CVE is created without any analysis and doesn't describe how the bug can be exploited then it's completely useless. Who is this process helping? - Not users of -stable since they already know they need to be on the latest version. - Not distros or their users as it's just flooding them with low quality CVEs which have no analysis or scoring. And enterprise distros will never be able to rebase onto -stable, especially for older streams for which they have to be very selective, in order to avoid destabilizing them. As you say, "a bug is a bug". If the problem is low CVE quality then of course it makes a lot of sense for kernel.org to become a CNA in order to take a leadership role in helping define and improve the process for its users. But it makes no sense to "fix" it by making CVE quality *vastly* lower by flooding people with useless CVEs. -- Josh