| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024030541-unhappily-staff-8662@gregkh> Date: Tue, 5 Mar 2024 22:20:17 +0000 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Michal Hocko <mhocko@...e.com> Cc: cve@...nel.org, linux-kernel@...r.kernel.org Subject: Re: CVE-2021-47090: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() On Tue, Mar 05, 2024 at 07:45:04PM +0100, Michal Hocko wrote: > On Mon 04-03-24 19:11:17, Greg KH wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() > > I would like to dispute this CVE. The interface is behind CAP_SYSADMIN > and allowing access to this to any untrusted party is risking serious > troubles. This is a testing only feature. This fixes a weakness in the kernel, one that is allowed to crash it, why isn't that a good thing to have a CVE entry for? Are we saying that all VM_BUG_ON_PAGE() instances should not be accounted for? That's not what the config option for CONFIG_DEBUG_VM says, it just says it will affect performance. Also /sys/devices/system/memory/soft_offline_page doesn't say "can crash the system", so it should work properly, even if an admin uses it, it shouldn't shut the box down. confused, greg k-h
Powered by blists - more mailing lists