
7.5% of kernel “CVEs” rejected on further examination

Posted Jun 19, 2024 20:38 UTC (Wed) by ewen (subscriber, #4772)
Parent article: How kernel CVE numbers are assigned

Reading this article (which seems to be an insider “please understand what we’re doing” post so presumably using the most favourable numbers), I was struck by the contrast between these two quotes:

“since we started this endeavor back in February, it has only resulted in 863 allocations out of the 16,514 commits”

“If the team agrees with the evaluation, the CVE assignment will be promptly rejected. Since the start of this endeavor, 65 such instances have occurred.”

65 / 863 is 7.5%. So even just counting the period where third parties tried to stem the tide of noise “CVEs”, just asking “are you sure” in a convincing manner caused the kernel “CVE” team to concede 7.5% of their “CVEs” shouldn’t have been issued :-/ (Up thread some seem to have realised it’s a lot of work for little result to challenge these “CVEs” and stopped trying to do so.)

I get that analysing bugs for security risks is a lot of work. But the switch from “someone else should do this analysis on all bugs” (no kernel-originated CVEs) to “someone else should do this analysis on all bugs that could possibly be a security risk” (many kernel-originated “CVEs”) doesn’t seem all that different to me. It’s still passing most of the difficult work off to “someone else”. (It’s worth noting at least one of the kernel “CVE” team is paid by the Linux Foundation to work on the kernel for the broader community good. And is still choosing to insist “someone else” should do the work of analysing the real risk, while they just keep adding to the “to do” list.)

Ewen


7.5% of kernel “CVEs” rejected on further examination

Posted Jun 20, 2024 7:09 UTC (Thu) by vegard (subscriber, #52330) (3 responses)

Keep in mind that those 65 include duplicates, i.e. CVEs that were assigned by other CNAs before kernel.org became one. So it's not like they are all false positives/non-issues.

7.5% of kernel “CVEs” rejected on further examination

Posted Jun 20, 2024 8:27 UTC (Thu) by mstsxfx (subscriber, #41804) (2 responses)

Incorrect, those were rejected as really bogus.

7.5% of kernel “CVEs” rejected on further examination

Posted Jun 20, 2024 10:47 UTC (Thu) by vegard (subscriber, #52330) (1 response)

My reading of the penultimate paragraph is that those 65 included the duplicates reported by SUSE.

7.5% of kernel “CVEs” rejected on further examination

Posted Jun 20, 2024 11:01 UTC (Thu) by mstsxfx (subscriber, #41804)

Rejects do not contain reasoning for the rejections, so you will need to follow discussions on the ML for the CVE.

I do not know where the idea of duplicates came from. We have rejected CVEs filed by the kernel CNAs. They generally fall into several categories: fixes for userspace tools like perf, annotations like data_race which do not affect generated code, build fixes, incorrect fixes reverted later on, etc. They generally seemed to fall into the pattern matching pointed out elsewhere.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds