Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ? When I try to backport this patch to 5.10.y, I met some KASAN[2] and KASLR[3] related issues. Although they were finally solved, there were still some detours in the process.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... [3]
Best Regards, Tong
.
My fault, the third patch link is missing:)
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
Best Regards, Tong
.
在 2023/2/21 15:19, Tong Tiangen 写道:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ? When I try to backport this patch to 5.10.y, I met some KASAN[2] and KASLR[3] related issues. Although they were finally solved, there were still some detours in the process.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
[3]
Best Regards, Tong
.
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
When I try to backport this patch to 5.10.y, I met some KASAN[2] and KASLR[3] related issues. Although they were finally solved, there were still some detours in the process.
Send your series of backports to the list for review please if they match the stable kernel rules.
But why can't you just use the 6.2 kernel instead of something obsolete like 4.19?
thanks,
greg k-h
在 2023/2/21 15:30, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
Hi Greg:
This patch fix CVE-2023-0597[1], this CVE report a flaw possibility of memory leak. And this is important for some products using this stable version.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2165926
When I try to backport this patch to 5.10.y, I met some KASAN[2] and KASLR[3] related issues. Although they were finally solved, there were still some detours in the process.
Send your series of backports to the list for review please if they match the stable kernel rules.
OK.
But why can't you just use the 6.2 kernel instead of something obsolete like 4.19?
thanks,
greg k-h .
Thanks. Tong .
On Tue, Feb 21, 2023 at 03:46:27PM +0800, Tong Tiangen wrote:
在 2023/2/21 15:30, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
Hi Greg:
This patch fix CVE-2023-0597[1],
The kernel developers do not care about CVEs as they are almost always invalid and do not mean anything, sorry. It is well known that companies like Red Hat use them to make up for broken internal engineering policies.
Are you sure this really is a valid problem that must be fixed in older kernels?
this CVE report a flaw possibility of memory leak. And this is important for some products using this stable version.
What exact memory leak are you referring to?
thanks,
greg k-h
在 2023/2/21 16:40, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:46:27PM +0800, Tong Tiangen wrote:
在 2023/2/21 15:30, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
Hi Greg:
This patch fix CVE-2023-0597[1],
The kernel developers do not care about CVEs as they are almost always invalid and do not mean anything,
Ok, thanks.
sorry. It is well known that, companies like Red Hat use them to make up for broken internal engineering policies.
Yeah, For company's internal engineering policies, the CVE with certain impact must be repaired.
Are you sure this really is a valid problem that must be fixed in older kernels?
this CVE report a flaw possibility of memory leak. And this is important for some products using this stable version.
What exact memory leak are you referring to?
Sorry for Inaccurate description, the memory leak means: a potential security risk of kernel memory information disclosure caused by no randomization of the exception stacks.
thanks,
greg k-h .
Thanks, Tong .
On Tue, Feb 21, 2023 at 05:19:42PM +0800, Tong Tiangen wrote:
在 2023/2/21 16:40, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:46:27PM +0800, Tong Tiangen wrote:
在 2023/2/21 15:30, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
Hi Greg:
This patch fix CVE-2023-0597[1],
The kernel developers do not care about CVEs as they are almost always invalid and do not mean anything,
Ok, thanks.
sorry. It is well known that, companies like Red Hat use them to make up for broken internal engineering policies.
Yeah, For company's internal engineering policies, the CVE with certain impact must be repaired.
So you are letting an opaque US government agency, and random third party companies, dictate your company's internal engineering policies and resource allocations? That feels very very odd and ripe for abuse.
Also note that MITRE refuses to allocate CVEs for many real kernel issues for unknown reasons, (i.e. they reject all of my requests), so you are getting only a small subset of real issues here.
Also, how do you handle revocation of CVEs that are obviously invalid and/or don't actually do anything (like this one?)
Are you sure this really is a valid problem that must be fixed in older kernels?
this CVE report a flaw possibility of memory leak. And this is important for some products using this stable version.
What exact memory leak are you referring to?
Sorry for Inaccurate description, the memory leak means: a potential security risk of kernel memory information disclosure caused by no randomization of the exception stacks.
And are you sure this can really happen? Have you proven this?
And why is this really an issue, KASR is a known-week-defense and almost useless against local attacks.
Anyway, please provide working patches if you think this really is an issue.
And please revisit your company's policies, they do not seem very sane :)
thanks,
greg k-h
在 2023/2/21 18:40, Greg KH 写道:
On Tue, Feb 21, 2023 at 05:19:42PM +0800, Tong Tiangen wrote:
在 2023/2/21 16:40, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:46:27PM +0800, Tong Tiangen wrote:
在 2023/2/21 15:30, Greg KH 写道:
On Tue, Feb 21, 2023 at 03:19:05PM +0800, Tong Tiangen wrote:
Hi peter:
Do you have any plans to backport this patch[1] to the stable branch of the lower version, such as 4.19.y ?
Why? That is a new feature for 6.2 why would it be needed to fix anything in really old kernels?
Hi Greg:
This patch fix CVE-2023-0597[1],
The kernel developers do not care about CVEs as they are almost always invalid and do not mean anything,
Ok, thanks.
sorry. It is well known that, companies like Red Hat use them to make up for broken internal engineering policies.
Yeah, For company's internal engineering policies, the CVE with certain impact must be repaired.
So you are letting an opaque US government agency, and random third party companies, dictate your company's internal engineering policies and resource allocations? That feels very very odd and ripe for abuse.
Also note that MITRE refuses to allocate CVEs for many real kernel issues for unknown reasons, (i.e. they reject all of my requests), so you are getting only a small subset of real issues here.
Also, how do you handle revocation of CVEs that are obviously invalid and/or don't actually do anything (like this one?)
Are you sure this really is a valid problem that must be fixed in older kernels?
this CVE report a flaw possibility of memory leak. And this is important for some products using this stable version.
What exact memory leak are you referring to?
Sorry for Inaccurate description, the memory leak means: a potential security risk of kernel memory information disclosure caused by no randomization of the exception stacks.
And are you sure this can really happen? Have you proven this?
And why is this really an issue, KASR is a known-week-defense and almost useless against local attacks.
Anyway, please provide working patches if you think this really is an issue.
And please revisit your company's policies, they do not seem very sane :)
Hi Greg:
Thanks for these very useful suggestions and we will revisit our policies :)
Thanks, Tong .
thanks,
greg k-h .
linux-stable-mirror@lists.linaro.org