Re: [Qemu-devel] [PATCH 0/4] migration: fix CVE-2014-7840

[Amit Shah]

On (Mon) 17 Nov 2014 [14:36:45], Michael S. Tsirkin wrote:
> On Mon, Nov 17, 2014 at 05:50:34PM +0530, Amit Shah wrote:
> > On (Mon) 17 Nov 2014 [13:48:58], Michael S. Tsirkin wrote:
> > > On Mon, Nov 17, 2014 at 04:37:50PM +0530, Amit Shah wrote:
> > > > On (Mon) 17 Nov 2014 [12:52:59], Michael S. Tsirkin wrote:
> > > > > On Mon, Nov 17, 2014 at 04:08:58PM +0530, Amit Shah wrote:
> > > > > > On (Mon) 17 Nov 2014 [12:32:57], Michael S. Tsirkin wrote:
> > > > > > > On Mon, Nov 17, 2014 at 12:06:38PM +0530, Amit Shah wrote:
> > > > > > > > On (Wed) 12 Nov 2014 [11:44:35], Michael S. Tsirkin wrote:
> > > > > > > > > This patchset fixes CVE-2014-7840: invalid
> > > > > > > > > migration stream can cause arbitrary qemu memory
> > > > > > > > > overwrite.
> > > > > > > > > First patch includes the minimal fix for the issue.
> > > > > > > > > Follow-up patches on top add extra checking to reduce the
> > > > > > > > > chance this kind of bug recurs.
> > > > > > > > > 
> > > > > > > > > Note: these are already (tentatively-pending review)
> > > > > > > > > queued in my tree, so only review/ack
> > > > > > > > > is necessary.
> > > > > > > > 
> > > > > > > > Why not let this go in via the migration tree?
> > > > > > > 
> > > > > > > Well I Cc'd Juan and David, so if they had a problem with this, I 
> > > > > > > expect
> > > > > > > they'd complain.  David acked so I assume it's ok.  Since I 
> > > > > > > wasted time
> > > > > > > testing this and have it on my tree already, might as well just 
> > > > > > > merge.
> > > > > > 
> > > > > > IMO asking as a courtesy would've been better than just stating it.
> > > > > 
> > > > > Right, thanks for reminding me.
> > > > > 
> > > > > BTW, there is actually a good reason to special-case it: it's a CVE 
> > > > > fix,
> > > > > which I handle.  So they stay on my private queue and are passed
> > > > > to vendors so vendors can fix downstreams, until making fix public is
> > > > > cleared with all reporters and vendors.
> > > > > After reporting is cleared, I try to collect acks but don't normally 
> > > > > route
> > > > > patches through separate queues - that would make it harder to
> > > > > track the status which we need for CVEs.
> > > > 
> > > > Patch is public, so all of this doesn't really matter.
> > > > 
> > > > But: involving maintainers in their areas, even if the patch is
> > > > embargoed, should be a pre-requisite.  I'm not sure if we're doing
> > > > that, but please do that so patches get a proper review from the
> > > > maintainers.
> > > 
> > > Involving more people means more back and forth with reporters which
> > > must approve any disclosure.  If the issue isn't clear, I do involve
> > > maintainers.  I send patches on list and try to merge them only after
> > > they get ack from relevant people. I'm sorry, but this is as far as I
> > > have the time to go.
> > 
> > The other aspect of the thing is sub-optimal, or patches with bugs,
> > get pushed in, because the maintainers didn't get involved.  
> 
> Patches don't get merged before they are on list for a while.
> I typically ping people if I don't get acks.

BTW I was talking about embargoed bugs / patches.  That's not relevant
for this discussion.  I'll create a new thread to discuss qemu's
security policy for embargoed bugs.


                Amit