Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp199164lqt;
        Thu, 6 Jun 2024 00:24:21 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXv3qyyoPNmurY4kwTPVHaBLWiVTEdx0sHtt/yOS8LZDnQAOgH2Vq2bIK69iyCaoVF37em4lF4KD8e1MbNbvGQ7XTt9OhzSVtqM4vnGHg==
X-Google-Smtp-Source: AGHT+IHL5LMbZ/WCHnToB7LNcRoZjvH2FV0K+xtTxk1RcTc5VFB1Qcr6QCvt6QhQ0DhWN/qZ3798
X-Received: by 2002:a05:6214:590f:b0:6ad:6d06:ea9e with SMTP id 6a1803df08f44-6b02bfa0e17mr49188146d6.37.1717658660999;
        Thu, 06 Jun 2024 00:24:20 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1717658660; cv=pass;
        d=google.com; s=arc-20160816;
        b=DgSRwostB80/DQKUNeTFy9ERvja1g9d4v0hvck1vgXs8OPhePOvWaMdrSCzXGm665y
         GZC/2revF1xXcVq3NLK1BQEw5W5pjA6AoLSTdaQWqvLZAQ3hB9vDb7SdgF4AGNZSOKjF
         y33cGqzksJFHvujPk/rvxrQ4VGOlYujR4miYW2b7Y3BwSS/RQCYlMjFFL/uXKMmb9hDN
         4/yKkwOMqUWLB6Ismbz/NjT4fJ5bwihnosks3ou5BIPTB6zNU19X5VmEEVGnggh0/anA
         2rSqoWNdYq6I2A3V7qUNnYqP+BLlGbdoI17ee5zaXSwuVZT68cPDUJEoIB3FApmhcMMw
         YPwA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature:dkim-signature;
        bh=dV+8uG3NWP7Z2WVw8rJlpezXlpJJAU6quHjqjCAuUvg=;
        fh=h3dLwMmz1AIIVawup8KVzHIO6xbX4PfTrbBptcZwlyc=;
        b=DwwKsqyAo1xzxko8gTzhvLfK7VGz5gzebFKnX9+Q26s8MpQ4SjRZg9B/Nr8qi/8ktr
         6O8fSMMn4o7EQHgnt5v1/hOKyQMnW7POOBfWvQipEyJKW474e/7Ya9m6wVmVv7n6jl0y
         z7Ut89iHNxjCZ3mJI5VeIrPaQCceKhBoFe2TLW8BKNVoQTvhr2VXy4/78kr04J4MHNiV
         RYI8FhC8CQTD2L8MHxTYc4GmhkC69mHJ7cu9clGmm8gUuhY/4MNWtxAhv3vXMfoToBth
         ghxJtlkr8WDa0VbxZ+MbfB7fS1Ztm9y7Y5fddvpk4Q/AAlu6xjekBXmnKpJ1YrRBHOqJ
         tASg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=I6RLl4RT;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=YWBU5sB8;
       arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com);
       spf=pass (google.com: domain of linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Return-Path: <linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id d75a77b69052e-44038a6edf9si9775501cf.33.2024.06.06.00.24.20
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 06 Jun 2024 00:24:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=I6RLl4RT;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=YWBU5sB8;
       arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com);
       spf=pass (google.com: domain of linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-203726-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id B19A71C245D5
	for <linux.lists.archive@gmail.com>; Thu,  6 Jun 2024 07:24:20 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id D8B9413B5B9;
	Thu,  6 Jun 2024 07:24:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="I6RLl4RT";
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="YWBU5sB8"
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E7AE1BDEF;
	Thu,  6 Jun 2024 07:24:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.130
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1717658654; cv=none; b=Z5aBAz70GMVbC7xu1d8JCB3dyp8MNbkbvxBuhTBykHAC79F62pB+58RD6VraMAm3dVFi8xXN/20AKef8yVF4FIKF6cyGi9rmHYCpFovmy4oVe4DPptY+FenCcnJYm//SpHJayUU1uwIiwZeeyXJP9oiehMPwCJQPJqAuacQl9MY=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1717658654; c=relaxed/simple;
	bh=jXYEynwSQ/kS6Y2DZCqgLn0Xi95jhH4Mfjku3tq6uV8=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=InfsNNijnyvkqpVAZGRV7fFGQltTUP0xt7dyXqqf3Y9hJ7G38on3VPt+UN93wCW+nWoUE6jTBTdiRM70WNoT7+JyqBzdLBuuvbggLm6YG6xfu4epnichYT/PRUW9fhWBpKbevwoKFaaOq1ImRMq4pTzFNOzBfPFtM14Q3AX6hig=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=I6RLl4RT; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=YWBU5sB8; arc=none smtp.client-ip=195.135.223.130
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com
Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp-out1.suse.de (Postfix) with ESMTPS id DEB0521A84;
	Thu,  6 Jun 2024 07:24:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1717658650; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=dV+8uG3NWP7Z2WVw8rJlpezXlpJJAU6quHjqjCAuUvg=;
	b=I6RLl4RTFv4iNm7RZk3oBzz1X4U9wTNmf++6TiYnwSjlgBzTnp/ljntV/374TuQ6sb1U0P
	w78+ysogjl1D35qof9jCd54F1SLwGyi604q2F0UQmdUrsbd0U7o2WKoK2kxnZPNOHtLndx
	j+4gpxqNtyWYaqwMc+09upJmlQUC/K4=
Authentication-Results: smtp-out1.suse.de;
	dkim=pass header.d=suse.com header.s=susede1 header.b=YWBU5sB8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1717658649; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=dV+8uG3NWP7Z2WVw8rJlpezXlpJJAU6quHjqjCAuUvg=;
	b=YWBU5sB8RlKNt2fwTCRD3FIIKW2t72h7Ml+CqY9t0gBQC3Kq+xjuwBIBk3ByKnMyzjFdfs
	UBnR1OJ4dJET6uT5HsViBzkUz+tbSd6ScKOJrtNglepjY85ZlsO2l7lXptvRy5TPdg0SQe
	tX1gGABBxJBt3T2PC3Cag5d/FWVjZvc=
Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id C631513A79;
	Thu,  6 Jun 2024 07:24:09 +0000 (UTC)
Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])
	by imap1.dmz-prg2.suse.org with ESMTPSA
	id /GBaLRlkYWbETgAAD6G6ig
	(envelope-from <mhocko@suse.com>); Thu, 06 Jun 2024 07:24:09 +0000
Date: Thu, 6 Jun 2024 09:24:09 +0200
From: Michal Hocko <mhocko@suse.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
	linux-cve-announce@vger.kernel.org,
	Kees Cook <keescook@chromium.org>
Subject: Re: CVE-2023-52734: net: sched: sch: Bounds check priority
Message-ID: <ZmFkGWitjXvyOtbK@tiehlicka>
References: <2024052100-CVE-2023-52734-c8c2@gregkh>
 <ZlWNaIMC3NCkIFxv@tiehlicka>
 <2024052824-justice-lair-14e6@gregkh>
 <ZlbIZ8bdBK4tZcBa@tiehlicka>
 <2024052930-dealt-class-f845@gregkh>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2024052930-dealt-class-f845@gregkh>
X-Spam-Level: 
X-Spamd-Result: default: False [-4.01 / 50.00];
	BAYES_HAM(-3.00)[100.00%];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	MID_RHS_NOT_FQDN(0.50)[];
	R_DKIM_ALLOW(-0.20)[suse.com:s=susede1];
	NEURAL_HAM_SHORT(-0.20)[-1.000];
	MIME_GOOD(-0.10)[text/plain];
	MX_GOOD(-0.01)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	RCVD_TLS_ALL(0.00)[];
	ARC_NA(0.00)[];
	MIME_TRACE(0.00)[0:+];
	MISSING_XM_UA(0.00)[];
	TO_DN_SOME(0.00)[];
	FUZZY_BLOCKED(0.00)[rspamd.com];
	DNSWL_BLOCKED(0.00)[2a07:de40:b281:104:10:150:64:97:from,2a07:de40:b281:106:10:150:64:167:received];
	DKIM_SIGNED(0.00)[suse.com:s=susede1];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCPT_COUNT_FIVE(0.00)[5];
	RCVD_COUNT_TWO(0.00)[2];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:dkim];
	DKIM_TRACE(0.00)[suse.com:+]
X-Rspamd-Action: no action
X-Rspamd-Queue-Id: DEB0521A84
X-Rspamd-Server: rspamd1.dmz-prg2.suse.org
X-Spam-Flag: NO
X-Spam-Score: -4.01

On Wed 29-05-24 11:51:10, Greg KH wrote:
> On Wed, May 29, 2024 at 09:30:08AM +0200, Michal Hocko wrote:
[...]
> > I am questioning the decision to make it a CVE. Because if that was a
> > real deal then WARN_ON is something kernel CNA is considering a CVE worth
> > problem! So a CVE has been filed with a fix that is CVE itself.
> > Seriously how could this pass through the CVE review process?
> 
> "How" is "this was part of the entries in the GSD records that MITRE
> asked us to back-fill as CVE entries".  Those entries already went
> through two different rounds of review last year for the GSD record, and
> I did another one as well now before the CVE creation happened.  

I am sorry but I have no idea how that is supposed to justify assigning
a CVE to a non-issue with a fix that is clearly considered a CVE on its
own. An overlook, sure. That is understandable but the above doesn't
make any sense to me.

> It was in a batch where I reviewed 124 entries at once,

OK, this makes much more sense and I do not mean to blame you for
overlooking a particular things. But ...

> and if I only got one
> wrong, hey, that's a very good % overall, don't you think?  Especially
> as it has been a publicily listed "vulnerability fix" for well over a
> year now in the GSD system, and no one objected to it there.

... it is unavoidable to overlook completely bogus or even harmfull CVE
fixes if they are generated in the current volumes. It is much worse
that it is easier to overlook those which really are important.
Especially during CVSS assessment. This simply cannot scale!

[...]

> I welcome others to help out with this work, including yourself, if you
> so desire.  That would help out a lot.

I am sorry but I fundamentally disagree with the way how CVEs are
processed _now_ and therefore I will not put my name under that. I am
still hopeful that this is just the new process finding its own way and
it will settle on something much more reasonable and _useful_.

-- 
Michal Hocko
SUSE Labs