| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Feb 2024 06:39:16 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com> Cc: cve@...nel.org, linux-kernel@...r.kernel.org, Darren Kenny <darren.kenny@...cle.com> Subject: Re: CVE-2023-52471: ice: Fix some null pointer dereference issues in ice_ptp.c On Mon, Feb 26, 2024 at 12:21:40AM +0530, Harshit Mogalapalli wrote: > Hi Greg, > > On 25/02/24 13:46, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > ice: Fix some null pointer dereference issues in ice_ptp.c > > > > devm_kasprintf() returns a pointer to dynamically allocated memory > > which can be NULL upon failure. > > > > I have a question about this and couple of other CVEs: > > CVE-2023-52465: -- devm_kzalloc() and devm_kasprintf() failures > CVE-2023-52467: -- kasprintf() failure > CVE-2023-52471: -- devm_kasprintf() failure > CVE-2023-52472: -- allocation failure > > As it's widely believed that small kmallocs cannot fail, is it worth having > CVEs for the above bug fixes ? If you believe that, then sure, don't worry about these individual commits. But if you don't believe it (after all, why would we add checks if the code could never fail?), then perhaps you should take them. In other words, why would you NOT take a known fix for a weakess in the codebase? thanks, greg k-h
Powered by blists - more mailing lists