Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

To: Greg KH <gregkh@linuxfoundation.org>
Cc: debian-kernel@lists.debian.org, carnil@debian.org, ben@decadent.org.uk, Steven Rostedt <rostedt@goodmis.org>, stable@vger.kernel.org, ameyt@codeaurora.org, amit.pundir@linaro.org
Subject: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
From: Loic <hackurx@opensec.fr>
Date: Tue, 18 Dec 2018 18:45:29 +0100
Message-id: <[🔎] d99c13d33ae7d6d1894ac9a8745187b9@opensec.fr>
In-reply-to: <[🔎] 20181217210558.GB2758@kroah.com>
References: <20181215182537.e0f95a3bb791e4f68f23eac8@opensec.fr> <20181216085233.GC29097@kroah.com> <20181216142702.09ed540b@vmware.local.home> <44d50224c2b4fbe8b814da24a53f67c0@opensec.fr> <20181217081940.GA16452@kroah.com> <[🔎] 6af2b12206e8a640a0a30f78d4414b56@opensec.fr> <[🔎] 20181217210558.GB2758@kroah.com>

Le 2018-12-17 22:05, Greg KH a écrit :

On Mon, Dec 17, 2018 at 08:42:38PM +0100, Loic wrote:

Le 2018-12-17 09:19, Greg KH a écrit :
> On Sun, Dec 16, 2018 at 09:08:20PM +0100, Loic wrote:
> > Le 2018-12-16 20:27, Steven Rostedt a écrit :
> > > On Sun, 16 Dec 2018 09:52:33 +0100
> > > Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > > On Sat, Dec 15, 2018 at 06:25:37PM +0100, Loic wrote:
> > > > > Hello,
> > > > >
> > > > > Please picked up this patch for linux 4.4 and 4.9.
> > > > > This fixes CVE-2017-0605 (Rejected?). Tested in Debian ;)
> > > >
> > > > It was rejected as a CVE for a good reason, and that reason is also
> > > > why
> > > > I refused to add it to the stable kernel releases.  In short, this is
> > > > not an issue or bug at all, there is nothing wrong with the existing
> > > > code.
> > > >
> > >
> > > I'm starting to regret that I ever accepted the original patch :-(
> > >
> > > -- Steve
> >
> > Okay, I hadn't looked at the previous conversations because this
> > change is
> > in the upstream and in debian...
>
> Upstream is fine, it's a valid change so that people don't keep sending
> the crazy patch over and over.
>
> Debian is just cargo-culting the thing and should probably drop it as it
> keeps coming back to me every 3 months or so, and I have to reject it
> again :(
>
> thanks,
>
> greg k-h

Why didn't you follow the upstream or add a comment "no change forfake

CVE-2017-0605" to break the debian patch ?


How can I change upstream?  The commit can not be changed once it is
merged.

greg k-h


Sorry for my English.

No, I wanted to say a comment in stable to prevent this patch from beingeasily applied without reading the "fake CVE" comment.

This avoids some upstream commit arriving on stable.

Sorry for the waste of time. Thank you.

I was always sceptical about this CVE and commented to that effect in
<https://salsa.debian.org/kernel-team/kernel-sec/raw/master/retired/CVE-2017-0605>.
But the upstream "fix" also looked safe to apply just in case there was
something I was missing...

As it's causing confusion I can drop the patch from Debian now.

Ben.


Thank you very much.

--
Best regards,

Loic

Reply to:

References:
- Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
  - From: Loic <hackurx@opensec.fr>
- Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
  - From: Greg KH <gregkh@linuxfoundation.org>

Prev by Date: Processed: limit source to linux, tagging 916774
Next by Date: Bug#916797: linux-image-4.19.0-1-amd64-unsigned: 4.19 + amdgpu + 144 hz = screen corruption / flickering
Previous by thread: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
Next by thread: Re: [PATCH] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
Index(es):
- Date
- Thread