On Tue, 26 May 2026 19:50:59 -0700 Michael Lazin <[email protected]> wrote:
> Hello everyone,
>
> I have been looking into some of our lower-level hardware interfaces,
> specifically auditing the AHCI driver (drivers/ata/ahci.c) through a
> zero-trust hardware lens. With the rise of malicious peripherals and
> PCIe-level attacks, I am concerned about the level of implicit trust
> placed in MMIO responses within this driver.

This sounds like something that should probably be sent to the upstream kernel developers, not to Debian...

This also feels AI-generated. There have been a lot of good AI-generated vulnerability reports recently, but there have been bad ones too. The burden rests on you to verify if the potential vulns you've found with the help of AI are real vulns, and to explain to the kernel developers how those vulns work, since the upstream developers are likely flooded with work dealing with legitimate vulnerability reports on top of their usual workload. If you don't have the skill to do that, it's probably best to leave vuln hunting to others; AI generally tells multiple researchers about the same vulns at the same time, so there's a good chance anything you may have found will be found by someone else too.

--
Aaron