Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/linux: updated reporting security bugs guide #5461

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

novitoll
Copy link
Contributor

@novitoll novitoll commented Nov 4, 2024

Updated the documentation with:

Removed minor, major security bug classifications as now, CVE is assigned to the issue even it triggers WARN_ON with panic_on_warn enabled and reboots the system.

Since there are 4 different parties with own interests:

  • [email protected] wants to release the fix ASAP, but can be postponed if the reporter asks an embargo period to let linux-distros update their kernels.

  • [email protected] is included in the mailing list, once the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interests.

  • [email protected] is notified once the fix is publicly merged to the stable tree

  • [email protected] is notified if the CVE should be assigned to the fix which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation:

  • Go to https://draw.io/
  • Click "Open the existing diagram" -> "Upload" tab
  • Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
  • Make necessary changes
  • Click "Export as" -> PNG -> disable "Include a copy of my diagram"
    as we've already included the draw.io scheme as the separate
    file
  • Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save ".drawio"
    format (draw.io scheme)

Fixes: #4714

CC: @xairy , @dvyukov , @ramosian-glider , @a-nogikh , @tarasmadan

@novitoll
Copy link
Contributor Author

novitoll commented Nov 4, 2024

This can be also sent for the confirmation to [email protected] and CC with [email protected] before PR merge

docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved

### Process

![reporting kernel bugs](./reporting_kernel_bugs.png)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love the graph, thanks a lot for making it!

A couple of nits:

  • can you please add an instruction for generating it to the commit message?
  • there are two arrows going from the reporter to [email protected] and oss-security, but it is not clear from the picture at which point the letter to oss-security should be sent. If the blue numbers 1-4 on the picture correspond to steps 1-4 below, maybe the second arrow should be marked with the number 2?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the comments! I've updated the .md with syntax/grammar corrections, updated .drawio scheme and .png graph with the addressed comments. PTAL

@novitoll novitoll force-pushed the docs-linux-kernel-sec-4714 branch 2 times, most recently from 33cf9d3 to 2e5cad9 Compare November 5, 2024 14:55
Copy link
Collaborator

@a-nogikh a-nogikh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating the docs!

docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
@novitoll novitoll force-pushed the docs-linux-kernel-sec-4714 branch from 2e5cad9 to 13a8d7b Compare November 6, 2024 12:51
@novitoll
Copy link
Contributor Author

novitoll commented Nov 6, 2024

PTAL. I'd like to have the confirmation that the updated instructions and diagram are accurate from @xairy , [email protected] and CC with [email protected] before PR merge. I can send the email referring to this PR after @ramosian-glider , @a-nogikh reviews (thanks again for the comments!)

docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.md Outdated Show resolved Hide resolved
<mxCell id="oGheDNism3NP_6yb4b1f-34" value="Bug is confirmed.&lt;div&gt;Fix is accepted.&lt;/div&gt;" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1">
<mxGeometry x="370" y="140" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="oGheDNism3NP_6yb4b1f-42" value="&lt;div&gt;&lt;span style=&quot;font-size: 10px;&quot;&gt;embargo period is up to 7 calendar days, with extension of 14 days.&lt;/span&gt;&lt;/div&gt;" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/embargo/Embargo (please capitalize the phrases in the white blocks)

It is also unclear who is requesting the extension, and what is the maximum possible embargo period (is it 14 or 7+14 days?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've clarified with the following:

Embargo period is up to 7 calendar days, with the maximum additional 7 calendar days extension (14 days in total) which should be requested by the reporter with [email protected] and
linux-distros coordination.

docs/linux/reporting_kernel_bugs.drawio Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.drawio Outdated Show resolved Hide resolved
docs/linux/reporting_kernel_bugs.drawio Outdated Show resolved Hide resolved
<mxCell id="oGheDNism3NP_6yb4b1f-93" value="&lt;div&gt;&lt;span style=&quot;font-size: 10px;&quot;&gt;once the fix is merged to the stable tree, do NOT include [email protected] in discussion&lt;/span&gt;&lt;/div&gt;" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
<mxGeometry x="550" y="586.25" width="130" height="70" as="geometry" />
</mxCell>
<mxCell id="oGheDNism3NP_6yb4b1f-95" value="&lt;div&gt;&lt;span style=&quot;font-size: 10px;&quot;&gt;CVEs are assigned&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style=&quot;font-size: 10px;&quot;&gt;after-the-fact of the fix is merged by CVE assignment team (see linux-cve-announce list). If the applicable CVE is missed, or reporter needs CVE assigned before an issue is resolved with a commit, notify [email protected]&lt;/span&gt;&lt;/div&gt;" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does the font change before "after-the-fact"?

Also, we can make it shorter:

CVEs are typically assigned after the fix is merged (see linux-cve-announce list). If a CVE is missing or needed before the fix reaches upstream, contact [email protected].

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the font size to 12 px for all the most right comment boxes. Changed the description for the proposed shorter version.

@novitoll novitoll force-pushed the docs-linux-kernel-sec-4714 branch 5 times, most recently from 0848902 to 8f37ba2 Compare November 11, 2024 13:12
@novitoll
Copy link
Contributor Author

novitoll commented Nov 11, 2024

@ramosian-glider , @a-nogikh I've resolved all reviews, thanks! PTAL. I will send this current version to Greg for the confirmation that the graph is logically correct. Will update this message with the posted lore link.

UPDT1: Posted here in lore.

UPDT2: Updated the diagram with the most recent version.

UPDT3: Received Greg's comments and recommendations not to contact linux-distros. Please let me know how to proceed further as I'm confused.

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and recent Greg K-H video from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to
the issue even it triggers WARN_ON with panic_on_warn enabled and
reboots the system.

Since there are 4 different parties with own interests:
- [email protected] wants to release the fix ASAP, but can be
  postponed if the reporter asks an embargo period to let linux-distros
  update their kernels.

- [email protected] is included in the mailing list, once
  the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, [email protected] should not be
mentioned in the conversation as they don't have any further interests.

- [email protected] is notified once the fix is publicly
  merged to the stable tree

- [email protected] is notified if the CVE should be assigned to the fix
  which is publicly merged to the stable tree.

reporting_kernel_bugs.png generation
====================================
- Go to https://draw.io
- Click "Open the existing diagram" -> "Upload" tab
- Browse to the repository's docs/linux/reporting_kernel_bugs.drawio
- Make necessary changes
- Click "Export as" -> PNG -> disable "Include a copy of my diagram"
	as we've already included the draw.io scheme as the separate
	file
- Press "Ctrl-Shift-S" or "Cmd-Shift-S" on macOS to save ".drawio"
  format (draw.io scheme)

Fixes: google#4714
@novitoll novitoll force-pushed the docs-linux-kernel-sec-4714 branch from 8f37ba2 to 35b45ef Compare November 11, 2024 13:39
@novitoll
Copy link
Contributor Author

novitoll commented Nov 11, 2024

UPDT3: Received Greg's comments and recommendations not to contact linux-distros. Please let me know how to proceed further as I'm confused.

I should've started with the conversation with Greg first as it seems, linux-distros shouldn't be contacted at all as it's not recommended by the Linux security team. Please check the lore thread in UPDT1:
https://lore.kernel.org/all/2024111153-percent-arbitrate-3c6a@gregkh/T/#t

So I think we should just remove all security guidelines so as not to confuse syzkaller users and just point them to kernel docs. Hence, the "nicely" drawn diagram is not needed here maybe(?), perhaps, we can leave only [email protected] as the only reporting party.

I'll wait for any comments related to this and send here the adjusted guideline version tomorrow, where Greg's recommendations are followed.

UPDT:
We need to choose either option:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

docs: information about reporting Linux kernel security bugs is outdated
3 participants