Message-ID: <ZeDBAW16ZbjNJWkn@sashalap>
Date: Thu, 29 Feb 2024 12:38:09 -0500
From: Sasha Levin <sashal@...nel.org>
To: Jiri Kosina <jikos@...nel.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Michal Hocko <mhocko@...e.com>, Kees Cook <keescook@...omium.org>,
	cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

On Thu, Feb 29, 2024 at 06:11:40PM +0100, Jiri Kosina wrote:
>On Thu, 29 Feb 2024, Sasha Levin wrote:
>
>> >> It's pretty trivial to get root on most of the "enterprise" kernels
>> >
>> >Wow, that's a very strong statement you are making here, and I'd now
>> >really like to ask you to back that up with some real data.
>>
>> Is something like https://www.suse.com/security/cve/CVE-2023-52447.html
>> a good example?
>
>- this fix is on our list/queue to be integrated into one of our kernel
>  branches, and was even before it just got CVE assigned, as it references
>  a commit in Fixes: that we have present in one of our branches, but
>  hasn't been processed yet, mainly because we don't allow unprivileged
>  BPF

This comment touches on two points raised in this thread:

Greg's point that instead of taking all the fixes, they end up in queues
waiting to be processed, which means that the trees end up being
vulnerable during that time.

Kees's point that exploitation is rarely a single issue coming into
play, but is usually a long chain of different exploits coming together
to achieve a goal.

>- you pointed to a fix for UAF in BPF, which definitely is a good fix to
>  have, I don't even dispute that CVE is justified in this particular
>  case. What I haven't yet seen though is how this connects to the, in my
>  view, rather serious 'trivial to get root' statement

Yes, the patch reads like a fix for a UAF.

-- 
Thanks,
Sasha
