lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 26 Feb 2024 06:39:16 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	Darren Kenny <darren.kenny@...cle.com>
Subject: Re: CVE-2023-52471: ice: Fix some null pointer dereference issues in
 ice_ptp.c

On Mon, Feb 26, 2024 at 12:21:40AM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
> 
> On 25/02/24 13:46, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > ice: Fix some null pointer dereference issues in ice_ptp.c
> > 
> > devm_kasprintf() returns a pointer to dynamically allocated memory
> > which can be NULL upon failure.
> > 
> 
> I have a question about this and couple of other CVEs:
> 
> CVE-2023-52465: -- devm_kzalloc() and devm_kasprintf() failures
> CVE-2023-52467: -- kasprintf() failure
> CVE-2023-52471: -- devm_kasprintf() failure
> CVE-2023-52472: -- allocation failure
> 
> As it's widely believed that small kmallocs cannot fail, is it worth having
> CVEs for the above bug fixes ?

If you believe that, then sure, don't worry about these individual
commits.  But if you don't believe it (after all, why would we add
checks if the code could never fail?), then perhaps you should take
them.

In other words, why would you NOT take a known fix for a weakess in the
codebase?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ