[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024071553-yippee-broadways-8035@gregkh>
Date: Mon, 15 Jul 2024 13:16:38 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org,
Günther Noack <gnoack@...gle.com>,
linux-security-module@...r.kernel.org
Subject: Re: CVE-2024-40938: landlock: Fix d_parent walk
On Mon, Jul 15, 2024 at 12:37:53PM +0200, Mickaël Salaün wrote:
> Hello,
>
> AFAIK, commit 88da52ccd66e ("landlock: Fix d_parent walk") doesn't fix a
> security issue but an unexpected case. The triggered WARN_ON_ONCE() is
> just a canary, and this case was correctly handled with defensive
> programming and didn't allow to bypass the security policy nor to harm
> the kernel. However, this fix should indeed be backported.
If a WARN_ON() is hit, a machine with panic_on_warn enabled will reboot,
hence if there is any way that userspace can hit this, it needs to be
issued a CVE, sorry.
> Could you please Cc me for future CVE related to my changes or to
> Landlock? For kernel CVEs, I think it would be good to Cc at least
> maintainers, reviewers, authors, and committers for the related commits.
I suggest setting up lei to watch the linux-cve-announce mailing list if
you wish to do this (just filter for landlock stuff). Automatically
mailing cve stuff to maintainers has been deemed too "noisy" which is
why we do not do this by default.
thanks,
greg k-h
Powered by blists - more mailing lists