On Thu, May 05, 2022 at 05:46:45AM +0000, bugzilla-daemon@xxxxxxxxxx wrote: > https://bugzilla.kernel.org/show_bug.cgi?id=215927 > > --- Comment #3 from Artem S. Tashkinov (aros@xxxxxxx) --- > XFS maintainers? This looks like a serious issue. A fix has already been written and pushed into the upstream tree. It's not a real world problem - exposing this issue requires significant malicious tampering with multiple filesystem structures. We can't (and have never tried to) defend against such a threat model - our verification mechanisms are intended to defend against known storage corruption vectors and software bugs, not malicious actors. If anyone wants credit for discovering fuzzer induced bugs like this, then they need to be responsible in how they report them and perform some initial triage work to determine the scope of the issue they have discovered before they report it. Making potentially malicious reproducer scripts public without any warning does not win any friends or gain influence. We're tired of having to immediately jump to investigate issues found by format verification attack tools that have been dumped in public with zero analysis, zero warning and, apparently, no clue of how serious the problem discovered might be. The right process for reporting issues found by format verification attacks is called "responsible disclosure". This is the process that reporting any issue that has potential system security impacts should use. -Dave. -- Dave Chinner david@xxxxxxxxxxxxx
