| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Mar 2024 08:49:42 +0100 From: Michal Hocko <mhocko@...e.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: cve@...nel.org, linux-kernel@...r.kernel.org Subject: Re: CVE-2023-52560: mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() On Tue 05-03-24 22:25:11, Greg KH wrote: > On Tue, Mar 05, 2024 at 05:51:11PM +0100, Michal Hocko wrote: > > On Sat 02-03-24 22:59:54, Greg KH wrote: > > > Description > > > =========== > > > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > > > mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() > > > > > > When CONFIG_DAMON_VADDR_KUNIT_TEST=y and making CONFIG_DEBUG_KMEMLEAK=y > > > and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y, the below memory leak is detected. > > > > This is a kunit test case AFAICS. Is this really a CVE material? > > People run kunit tests on real systems (again, we do not dictate use > cases.) So yes, fixing a memory leak that can be triggered is resolving > a weakness and so should get a CVE I would think, right? This is stretching the meaning of CVE beyond my imagination. Up to you to decide but I yet have to see a real production system that casually runs unit test just for <looking for a reason .... but failed>. -- Michal Hocko SUSE Labs
Powered by blists - more mailing lists