Arthur Besse
link
fedilink
03Y

This is a great writeup, but I’m not thrilled with the disclosure timeline.

Why did the author notify Google prior to submitting the patch to LKML, but then wait another whole week after that before notifying any other Linux distributors? (The LKML post doesn’t say that the bug it fixed is an exploitable vulnerability, but after the fix was public there was a much higher chance that attackers could realize that it is.)

Also, did any distros ship updates on March 7 when the vulnerability became fully public? Given that they were notified on February 28, it seems like they should have, but none of the ones I’ve checked did. (And while some have now, many still haven’t!)

disclosure timeline

  • 2021-04-29: first support ticket about file corruption
  • 2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability
  • 2022-02-20: bug report, exploit and patch sent to the Linux kernel security team
  • 2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team
  • 2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro
  • 2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)
  • 2022-02-24: Google merges my bug fix into the Android kernel
  • 2022-02-28: notified the linux-distros mailing list
  • 2022-03-07: public disclosure

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

  • 0 users online
  • 5 users / day
  • 20 users / week
  • 27 users / month
  • 16 users / 6 months
  • 20 subscribers
  • 684 Posts
  • 1.7K Comments
  • Modlog