Date: Thu, 28 Jul 2022 09:25:10 +0200
From: Lukas Czerner
To: Dave Chinner
Cc: "Darrick J. Wong", bugzilla-daemon@kernel.org, linux-ext4@vger.kernel.org
Subject: Re: [Bug 216283] New: FUZZ: BUG() triggered in fs/ext4/extent.c:ext4_ext_insert_extent() when mount and operate on crafted image
Message-ID: <20220728072510.yunkzplfqx2vt4wb@fedora>
References: <20220727115307.qco6dn2tqqw52pl7@fedora> <20220727232224.GW3600936@dread.disaster.area>
In-Reply-To: <20220727232224.GW3600936@dread.disaster.area>

On Thu, Jul 28, 2022 at 09:22:24AM +1000, Dave Chinner wrote:
> On Wed, Jul 27, 2022 at 01:53:07PM +0200, Lukas Czerner wrote:
> > On Tue, Jul 26, 2022 at 01:10:24PM -0700, Darrick J. Wong wrote:
> > > If you are going to run some scripted tool to randomly
> > > corrupt the filesystem to find failures, then you have an
> > > ethical and moral responsibility to do some of the work to
> > > narrow down and identify the cause of the failure, not just
> > > throw them at someone to do all the work.
> > >
> > > --D
> >
> > While I understand the frustration with the fuzzer bug reports like this
> > I very much disagree with your statement about ethical and moral
> > responsibility.
> >
> > The bug is in the code, it would have been there even if Wenqing Liu
> > didn't run the tool.
>
> Yes, but it's not just a bug. It's a format parser exploit.

And what do you think this is exploiting? A bug in a "format parser"
perhaps? Are you trying to both downplay it to not-a-bug and elevate it
to 'security vulnerability' at the same time? ;)

>
> > We know there are bugs in the code we just don't
> > know where all of them are. Now, thanks to this report, we know a little
> > bit more about at least one of them. That's at least a little useful.
> > But you seem to argue that the reporter should put more work in, or not
> > bother at all.
> >
> > That's wrong. Really, Wenqing Liu has no more ethical and moral
> > responsibility than you finding and fixing the problem regardless of the
> > bug report.
>
> By this reasoning, the researchers that discovered RetBleed
> should have just published their findings without notifying any of the
> affected parties.
>
> i.e. your argument implies they have no responsibility and hence are
> entitled to say "We aren't responsible for helping anyone understand
> the problem or mitigating the impact of the flaw - we've got our
> publicity and secured tenure with discovery and publication!"
>
> That's not _responsible disclosure_.

Look, your entire argument hinges on the assumption that this is a
security vulnerability that could be exploited and the report makes the
situation worse. And that's very much debatable. I don't think it is and
Ted described it very well in his comment.

Asking for more information, or even asking the reporter to try to
narrow down the problem is of course fine. But making sweeping claims
about moral and ethical responsibilities is always a little suspicious
and completely bogus in this case IMO.

-Lukas