Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

To: Loic <hackurx@opensec.fr>, Greg KH <gregkh@linuxfoundation.org>, debian-kernel@lists.debian.org, carnil@debian.org
Cc: Steven Rostedt <rostedt@goodmis.org>, stable@vger.kernel.org, ameyt@codeaurora.org, amit.pundir@linaro.org
Subject: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 18 Dec 2018 03:00:58 +0000
Message-id: <[🔎] 51abcc14912900c6bd7a8349984c4536726a8df3.camel@decadent.org.uk>
In-reply-to: <[🔎] 6af2b12206e8a640a0a30f78d4414b56@opensec.fr>
References: <20181215182537.e0f95a3bb791e4f68f23eac8@opensec.fr> <20181216085233.GC29097@kroah.com> <20181216142702.09ed540b@vmware.local.home> <44d50224c2b4fbe8b814da24a53f67c0@opensec.fr> <20181217081940.GA16452@kroah.com> <[🔎] 6af2b12206e8a640a0a30f78d4414b56@opensec.fr>

On Mon, 2018-12-17 at 20:42 +0100, Loic wrote:
> Le 2018-12-17 09:19, Greg KH a écrit :
> > On Sun, Dec 16, 2018 at 09:08:20PM +0100, Loic wrote:
> > > Le 2018-12-16 20:27, Steven Rostedt a écrit :
> > > > On Sun, 16 Dec 2018 09:52:33 +0100
> > > > Greg KH <gregkh@linuxfoundation.org> wrote:
> > > > 
> > > > > On Sat, Dec 15, 2018 at 06:25:37PM +0100, Loic wrote:
> > > > > > Hello,
> > > > > > 
> > > > > > Please picked up this patch for linux 4.4 and 4.9.
> > > > > > This fixes CVE-2017-0605 (Rejected?). Tested in Debian ;)
> > > > > 
> > > > > It was rejected as a CVE for a good reason, and that reason is also
> > > > > why
> > > > > I refused to add it to the stable kernel releases.  In short, this is
> > > > > not an issue or bug at all, there is nothing wrong with the existing
> > > > > code.
> > > > > 
> > > > 
> > > > I'm starting to regret that I ever accepted the original patch :-(
> > > > 
> > > > -- Steve
> > > 
> > > Okay, I hadn't looked at the previous conversations because this 
> > > change is
> > > in the upstream and in debian...
> > 
> > Upstream is fine, it's a valid change so that people don't keep sending
> > the crazy patch over and over.
> > 
> > Debian is just cargo-culting the thing and should probably drop it as 
> > it
> > keeps coming back to me every 3 months or so, and I have to reject it
> > again :(
> > 
> > thanks,
> > 
> > greg k-h
> 
> Why didn't you follow the upstream or add a comment "no change for fake 
> CVE-2017-0605" to break the debian patch ?
>
> In short, I accuse the Debian kernel team in my defense, it's up to them 
> to buy you a beer :)

I was always sceptical about this CVE and commented to that effect in
<https://salsa.debian.org/kernel-team/kernel-sec/raw/master/retired/CVE-2017-0605>.
But the upstream "fix" also looked safe to apply just in case there was
something I was missing...

As it's causing confusion I can drop the patch from Debian now.

Ben.

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
  - From: Loic <hackurx@opensec.fr>

Prev by Date: linux-signed-arm64_4.19.9+1_source.changes is NEW
Next by Date: Processing of linux-latest_101_allonly.changes
Previous by thread: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
Next by thread: Bug#916718: linux-image-4.18.0-3-amd64: Booting on Thinkpad X300 leave screen black (NULL pointer dereference in i915 drm driver)
Index(es):
- Date
- Thread