# Reporting Linux kernel bugs

Before reporting a bug, make sure nobody else has already reported it. The easiest way to do this is to search through the [syzkaller mailing list](https://groups.google.com/forum/#!forum/syzkaller), [syzkaller-bugs mailing list](https://groups.google.com/forum/#!forum/syzkaller-bugs) and [syzbot dashboard](https://syzkaller.appspot.com/upstream) for key frames present in the kernel stack traces.

Please report found bugs to the Linux kernel maintainers.
To find out the list of maintainers responsible for a particular kernel subsystem, use the [get_maintainer.pl](https://github.com/torvalds/linux/blob/master/scripts/get_maintainer.pl) script: `./scripts/get_maintainer.pl -f guilty_file.c`. Please add `syzkaller@googlegroups.com` to the CC list.
Make sure to mention the exact kernel branch and revision where the bug occurred.
Many kernel mailing lists reject HTML formatted messages, so use the plain text mode when sending the report.

Think about what you report. Today, Linux maintainers are overwhelmed with bug reports, so increasing the incoming flow won't help to fix all the bugs.
The more actionable your report is, the higher the chance that it will be addressed.
Note that people are more likely to care about kernel crashes (e.g. use-after-frees or panics) than about `INFO:` messages and such, unless it is clearly visible from the report what exactly is wrong.
If there are stalls or hangs, only report them if they are frequent enough or have a reliable reproducer.

Overall, bugs without reproducers are way less likely to be triaged and fixed.
If the bug is reproducible, include the reproducer (C source if possible, otherwise a syzkaller program) and the `.config` you used for your kernel.
If the reproducer is available only in the form of a syzkaller program, please link [the instructions on how to execute them](/docs/executing_syzkaller_programs.md) in your report.
Check that the reproducer works if you run it manually.
Syzkaller tries to simplify the reproducer, but the result might not be ideal.
You can try to simplify or annotate the reproducer manually; that greatly helps kernel developers figure out why the bug occurs.

If you want to get extra credit, you can try to understand the bug and develop a fix yourself.
If you can't figure out the right fix, but have some understanding of the bug, please add your thoughts and conclusions to the report; that will save some time for kernel developers.

## Reporting security bugs

If you believe that a found bug poses a potential security threat, consider following the instructions below.
Note that these instructions are a work in progress and based on my current understanding of the disclosure process.
This instruction is now being discussed [here](http://seclists.org/oss-sec/2017/q3/242).

If you don't want to deal with this complex disclosure process you can either:

1. Report the bug privately to `security@kernel.org`. In this case it should be fixed in the upstream kernel, but there are no guarantees that the fix will be propagated to stable or distro kernels. The maximum embargo on this list is 7 days.
2. Report the bug privately to a vendor such as Red Hat (`secalert@redhat.com`) or SUSE (`security@suse.com`). They should fix the bug, assign a CVE, and notify other vendors. The maximum embargo on these lists is 5 weeks.
3. Report the bug publicly to `oss-security@lists.openwall.com`.

If you want to deal with the disclosure yourself, read below.

The three main mailing lists for reporting and disclosing Linux kernel security issues are `security@kernel.org`, `linux-distros@vs.openwall.org` and `oss-security@lists.openwall.com`.
The links for the guidelines for these lists are below; please read them carefully before sending anything to these lists.

1. `security@kernel.org` - https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
2. `linux-distros@vs.openwall.org` - http://oss-security.openwall.org/wiki/mailing-lists/distros
3. `oss-security@lists.openwall.com` - http://oss-security.openwall.org/wiki/mailing-lists/oss-security

### Reporting minor security bugs

To report minor security bugs (such as local DOS or local info leak):

1. Report the bug publicly to kernel developers as described above and wait until a fix is committed. Alternatively, you can develop and send a fix yourself.
2. Request a CVE from MITRE through [the web form](https://cveform.mitre.org/). Describe the bug details and add a link to the fix (from `patchwork.kernel.org`, `git.kernel.org` or `github.com`) in the request.
3. Once a CVE is assigned, send the bug details, the CVE number and a link to the fix to `oss-security@lists.openwall.com`.

### Reporting major security bugs

To report major security bugs (such as LPE, remote DOS, remote info leak or RCE):

1. Understand the bug and develop a patch with a fix if possible. Optionally develop a proof-of-concept exploit.
2. Notify `security@kernel.org`:
    * Describe vulnerability details, include the proposed patch and optionally the exploit.
    * Ask for 7 days of embargo.
    * Work on the patch together with the `security@kernel.org` members.
3. Notify `linux-distros@vs.openwall.org`:
    * Describe vulnerability details, include the proposed patch and optionally the exploit.
    * Ask them to assign a CVE number.
    * Ask for 7 days of embargo.
4. Wait 7 days for linux distros to apply the patch.
5. Ask `linux-distros@vs.openwall.org` to make the CVE description public and roll out the updated kernels.
6. Send the fix upstream:
    * Mention the CVE number in the commit message.
    * Mention syzkaller in the commit message.
7. Notify `oss-security@lists.openwall.com`:
    * Describe vulnerability details, include a link to the committed patch.
8. Wait 1-3 days for people to update their kernels.
9. Optionally publish the exploit on `oss-security@lists.openwall.com`.

A few notes:

* There should ideally be no delay between reports to `security@kernel.org` and `linux-distros@vs.openwall.org`.
* When working on the patch together with the `security@kernel.org` members and upstream maintainers, keep linux-distros aware of the progress.
* There should ideally be no delay between CVE description publication, distros' updates, upstream commit and notification to `oss-security@lists.openwall.com`. All of these should be on the same day, at worst.
* The moment the issue is made public (e.g. patch is submitted upstream, CVE description published, etc.) it must be reported to `oss-security@lists.openwall.com` right away.

A good example of an LPE announcement structure on `oss-security@lists.openwall.com` can be found [here](http://seclists.org/oss-sec/2016/q4/607); however, the timeline doesn't look right there: the public announcement should have occurred right after the patch was submitted to netdev.
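
For the duplicate check at the top of this page (searching the mailing lists and the syzbot dashboard for key frames), the following added example, which is not part of syzkaller, pulls a searchable title and the first non-generic frames out of a crash log. The sample log, the `example_*` function names and the skip list of generic frames are constructed for illustration.

```python
import re

TS = r"^\s*(?:\[\s*\d+\.\d+\]\s*)?"  # optional dmesg timestamp
TITLE = re.compile(TS + r"((?:BUG|WARNING|INFO): .*)$")
# Optional "? " marks an unreliable frame; then func+0xOFF/0xSIZE.
FRAME = re.compile(TS + r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
OFFSET = re.compile(r"\+0x[0-9a-f]+/0x[0-9a-f]+.*$")
SUFFIX = re.compile(r"(\.(constprop|isra|part|cold)(\.\d+)?)+$")
# Frames seen in nearly every report (assumed skip list, not syzkaller's own).
GENERIC = re.compile(r"^(dump_stack|show_stack|print_|kasan_|__kasan_|__asan_|"
                     r"panic|__warn|report_bug|do_syscall|entry_SYSCALL|ret_from_fork)")

# Constructed sample log; the example_* functions are hypothetical.
SAMPLE = """\
[   42.100001] BUG: KASAN: use-after-free in example_release+0x5c/0x90 net/example/sock.c:123
[   42.100003] Call Trace:
[   42.100004]  <TASK>
[   42.100005]  dump_stack_lvl+0x1b/0x30 lib/dump_stack.c:106
[   42.100006]  print_report+0xc4/0x620 mm/kasan/report.c:378
[   42.100007]  kasan_report+0xb9/0xf0 mm/kasan/report.c:601
[   42.100008]  example_release.constprop.0+0x5c/0x90 net/example/sock.c:123
[   42.100009]  ? example_lookup+0x10/0x10
[   42.100010]  example_close+0x2a/0x40 net/example/sock.c:210
[   42.100011]  __sock_release+0xcd/0x280 net/socket.c:659
"""


def key_frames(report, limit=3):
    """Return (title, frames) to use as search terms for a duplicate check."""
    title, frames, in_trace = None, [], False
    for line in report.splitlines():
        m = TITLE.match(line)
        if m and title is None:
            title = OFFSET.sub("", m.group(1))  # offsets differ between builds
        if "Call Trace:" in line:
            in_trace = True
        m = FRAME.match(line) if in_trace else None
        if not m or m.group(1):  # not a frame, or an unreliable "? " frame
            continue
        func = SUFFIX.sub("", m.group(2))  # drop compiler-generated suffixes
        if GENERIC.match(func) or func in frames:
            continue
        frames.append(func)
        if len(frames) == limit:
            break
    return title, frames


if __name__ == "__main__":
    print(key_frames(SAMPLE))
```

Searching for the returned function names rather than the raw trace lines avoids misses caused by offsets and compiler suffixes that change from one kernel build to the next.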