lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 29 Feb 2024 11:03:28 +0100
From: Pavel Machek <pavel@....cz>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Michal Hocko <mhocko@...e.com>, Kees Cook <keescook@...omium.org>,
	cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of
 drmem array

On Thu 2024-02-29 09:35:28, Greg Kroah-Hartman wrote:
> On Thu, Feb 29, 2024 at 09:22:51AM +0100, Michal Hocko wrote:
> > On Wed 28-02-24 09:12:15, Kees Cook wrote:
> > > On Wed, Feb 28, 2024 at 01:04:14PM +0100, Michal Hocko wrote:
> > > > On Tue 27-02-24 10:35:40, Kees Cook wrote:
> > > > > On Mon, Feb 26, 2024 at 04:25:09PM +0100, Michal Hocko wrote:
> > > > [...]
> > > > > > Does that mean that any potentially incorrect input provided by an admin is
> > > > > > considered CVE now?
> > > > > 
> > > > > Yes. Have you seen what USER_NS does? There isn't a way to know how
> > > > > deployments are using Linux, and this is clearly a "weakness" as defined
> > > > > by CVE. It is better to be over zealous than miss things.
> > > > 
> > > > If we are over zealous to the point when almost any fix is marked CVE
> > > > then the special marking simply stops making any sense IMHO.
> > > 
> > > Perhaps, but the volume of fixes is high, and I think it's better to
> > > over estimate than under estimate -- the work needed to actually
> > > evaluate all these changes is huge: it's better to take everything from
> > > -stable.
> > 
> > This is simply not feasible for many downstream kernels and reasons have
> > been discussed many times.
> 
> How does taking 10 patches differ from taking 200 patches?  Your
> testing/infrastructure issues should be the same, right?

It is more work to review 200 patches than to review 10. As you would
know if you actually reviewed -stable patches or at least AUTOSEL
ones.

								Pavel
-- 
People of Russia, stop Putin before his war on Ukraine escalates.

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ