lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024071553-yippee-broadways-8035@gregkh>
Date: Mon, 15 Jul 2024 13:16:38 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org,
	Günther Noack <gnoack@...gle.com>,
	linux-security-module@...r.kernel.org
Subject: Re: CVE-2024-40938: landlock: Fix d_parent walk

On Mon, Jul 15, 2024 at 12:37:53PM +0200, Mickaël Salaün wrote:
> Hello,
> 
> AFAIK, commit 88da52ccd66e ("landlock: Fix d_parent walk") doesn't fix a
> security issue but an unexpected case.  The triggered WARN_ON_ONCE() is
> just a canary, and this case was correctly handled with defensive
> programming and didn't allow to bypass the security policy nor to harm
> the kernel.  However, this fix should indeed be backported.

If a WARN_ON() is hit, a machine with panic_on_warn enabled will reboot,
hence if there is any way that userspace can hit this, it needs to be
issued a CVE, sorry.

> Could you please Cc me for future CVE related to my changes or to
> Landlock?  For kernel CVEs, I think it would be good to Cc at least
> maintainers, reviewers, authors, and committers for the related commits.

I suggest setting up lei to watch the linux-cve-announce mailing list if
you wish to do this (just filter for landlock stuff).  Automatically
mailing cve stuff to maintainers has been deemed too "noisy" which is
why we do not do this by default.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ