Recent searches
Search options
The #Linux #kernel's #CVE team just published their thousandth CVE[1]. 
This happened 78 days after the effort was announced[2].
Note, 26 of the 1003 CVE entries published so far were later rejected. For details check https://git.kernel.org/pub/scm/linux/security/vulns.git/ or https://lore.kernel.org/linux-cve-announce/
[2] http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/ #LinuxKernel
Year Reserved Assigned Rejected Total
2019: 47 2 1 50
2020: 37 13 0 50
2021: 39 304 7 350
2022: 7 43 0 50
2023: 60 180 10 250
2024: 107 435 8 550
Total: 297 977 26 1300
Anything older than 2023 is us back-filling in from the GSD database, and we still have a long way to go for there. Some 2023 ones are in there too from GSD, but mostly not, all of 2024 is since we took over being a CNA.
Thx for the additional details (but FWIW, seems you missed that the toot already had mentioned that 26 were rejected 
whatever, easy to miss).
And thx for all your work, too!
@gregkh @kernellogger A 3% false positive rate seems entirely reasonable to me, especially given the volumes involved.
I still don't know what it'll do to my annually created CVE graphs, though. But I'm looking forward to having a whole year's worth of data to look back on. I think we're still at "early days" on this.
At least that's what is happening so far on all the rejects in 2023 and older, for 2024, those are actual "false positives" so our numbers look higher than I imagined. Maybe no one is paying attention, which could also be the case...
sima@gregkh @kees @kernellogger I just reviewed the last month or so of fixes for drivers/gpu and how many you assigned CVEs for. and I think you're still substantially undercounting issues
there's a bunch of things that very much look like they can be used for denial of service stuff, and a bunch of tlb invalidation fixes and other races like that which ... well we learned how to exploit that stuff on the cpu very well, it's not that much harder for gpu. and more
but it's definitely a start
@gregkh @kees @kernellogger I wonder whether a script that sprinkles and later updates CVE annotations over a kernel repo (for a given git rev-list query, otherwise it'll take forever) would be useful for reviewing this all in a year
with that I could just fire up gitk and see which commits are tagged as CVE and which aren't, instead of having to manually compare ...
then a few randomized samples over the relevant subsystem history, and we should have pretty solid data
Note that it's not just a 'tag' but for enterprise kernels often entails (potentially significant) work in addressing CVEs?
Perhaps a metadata tag would work better? Potentially-Exploitable or such? :)
Given the controversy around CVEs that might be a lighter touch than the gradual move towards treating more and more commits as if they were known security flaws.
@ljs @kees @kernellogger @gregkh eh at least for drivers/gpu my take is that the only thing that works is if you backport the entire subsystem. and even that is very tricky to integrate into an older kernel without issues. otherwise you have schrödinger security because all it takes is someone to get bored enough to type the exploit
and given that rhel does that too I think @airlied is concurring
if the CVE flood is forcing more people towards that model, then I think that's a good thing.
@ljs @kees @kernellogger @gregkh @airlied like imo these bugs aren't "potentially exploitable", they are "I don't have the time to type the exploit and debug it to prove to you that it's exploitable"
and sure people can guess wrong, but from my very quick look for drivers/gpu fixes they're still guessing wrong with a very substantial false negative rate
The issue comes with the reductio ad absurdum of 'if it fixes something then let's assume it's a reportable security flaw', which seems to be the current approach to kernel CVEs (and hence the controversy).
@ljs @airlied @kees @kernellogger @gregkh well my take, from a quick look at least, is that for drm the current approach still undercounts the patches that I think are clearly exploitable.
there is a wide set of patches where it's hard to make the call without in-depth analysis, especially in the rather complex modeset paths. but a few fixes on the gem side are obvious exploit material on a pure design analysis basis
@ljs @airlied @kees @kernellogger @gregkh plus the kernel has no internal isolation, so even if it's not a full exploit on its own, a lot of the patches without cves I looked at are very useful tools to exploit otherwise harmless bugs elsewhere
And at that point why are you tagging anything?
Forcing more people into what model?
@ljs @airlied @kees @kernellogger @gregkh a few stable kernels at most is the limit for backporting individual patches for drm. beyond that, it's just wishful thinking and yes, you're better off backprting the entire subsystem
imo for drm already lts kernels are an illusion
@gregkh @kees @kernellogger there's also the policy question of whether issues with handling external screens should be counted or not. kinda like hostile usb devices that you can plug in and exploit the kernel with, depending upon exact config
that would substantially blow up the CVE count for drm
@gregkh @kees @kernellogger display port has a substantial sidechannel protocol, and hdmi gained that too with 2.0, and desktops tend to autoconfigure new screens so there's a lot of code that just runs automatically
so it's way beyond "EDID parsing bugs" at this point
@gregkh @kees @kernellogger I was more thinking to gather some data, then maybe discuss that next lpc and figure out what we need to do to catch them automatically
because trying to triage this manually is more than a full time job for something like drivers/gpu
@gregkh @sima @kees @kernellogger The "C" in "CVE" is for "candy". 
@sima @gregkh @kees @kernellogger like the ioctl deadlock I was fixing in nouveau: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/gpu/drm/nouveau?h=v6.9-rc6&id=daf8739c3322a762ce84f240f50e0c39181a41ab