Message-ID: <5718B57D.4000504@oracle.com>
Date: Thu, 21 Apr 2016 07:11:57 -0400
From: Sasha Levin <sasha.levin@...cle.com>
To: Jiri Slaby <jslaby@...e.cz>, LKML <linux-kernel@...r.kernel.org>,
stable <stable@...r.kernel.org>
Cc: lwn@....net
Subject: Re: stable-security kernel updates
On 04/21/2016 02:43 AM, Jiri Slaby wrote:
> On 04/20/2016, 09:50 PM, Sasha Levin wrote:
>> Updates for stable-security kernels have been released:
>>
>> - v3.12.58-security
>
> I suggest nobody uses that kernel.
>
> That tree does not make much sense to me. For example, what's the
> purpose of "kernel: Provide READ_ONCE and ASSIGN_ONCE" (commit
> 230fa253df6352af12ad0a16128760b5cb3f92df upstream) without actually
> using the added macros (this commit was only a prerequisite)?
Looking at this, I believe that my scripts failed to merge the
follow-up commit, and I missed that. I'll improve this so it won't
happen in the future. Thank you for this report.
> Ok, not that bad, it is only unused code, but why are *not* these in the
> security tree?
> ipr: Fix out-of-bounds null overwrite
Is there a particular way to exploit this that I'm missing?
> Input: powermate - fix oops with malicious USB descriptors
This requires physical access to the machine.
> rapidio/rionet: fix deadlock on SMP
Seemed a bit borderline I suppose. There's nothing specific the
user can do to actually trigger this?
Another thing to note here is that the security patch selection database
is shared between versions, so if a given commit gets marked as security
later on (someone figured out it's a CVE or something similar), it'll
get added to the stable-security tree even if it was initially skipped.
So I've also ended up auditing the 3.12 tree for missing CVE fixes, and these
ones ended up being at the top of the list. Could you explain why they
are not in the 3.12 stable tree (and as a result can't get to users of
the corresponding stable-security tree)?
(CVE-2015-7513) 0185604 KVM: x86: Reload pit counters for all channels when restoring state
(CVE-2015-8539) 096fe9e KEYS: Fix handling of stored error in a negatively instantiated user key
(CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
So while the stable-security tree might be missing commits that might
or might not have security impact, it seems the 3.12 tree itself is
missing fixes for privilege escalation CVEs from last year. Should I
be recommending that no one uses 3.12?
Thanks,
Sasha