[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2024051146-unengaged-halves-3681@gregkh>
Date: Sat, 11 May 2024 13:24:06 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Dominique Martinet <asmadeus@...ewreck.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2022-48655: firmware: arm_scmi: Harden accesses to the reset
domains
On Sat, May 11, 2024 at 12:59:23PM +0100, Greg Kroah-Hartman wrote:
> On Fri, May 10, 2024 at 11:23:30PM +0900, Dominique Martinet wrote:
> > Greg Kroah-Hartman wrote on Fri, May 10, 2024 at 09:55:15AM +0100:
> > > > I can submit an edit as a patch to vulns.git json, but this doesn't seem
> > > > overly important so for now a mail will probably do.
> > >
> > > the json and mbox files are generated by tools, so patches to them is
> > > not a good idea as they will be overwritten the next time the scripts
> > > are run.
> >
> > Just let me know what's the most convenient; if mail it is I won't
> > bother :)
> >
> > > > >From a quick look it would seem it fixes arm_scmi from the addition of
> > > > scmi_domain_reset() in 95a15d80aa0d ("firmware: arm_scmi: Add RESET
> > > > protocol in SCMI v2.0"), which first appeared in v5.4-rc1, and does not
> > > > appear to have been backported to older kernels, so v5.4+ can be added
> > > > as a requirement.
> > >
> > > We can add a "this is where the problem showed up" if you know it, so
> > > that would be 95a15d80aa0d ("firmware: arm_scmi: Add RESET protocol in
> > > SCMI v2.0"), correct?
> >
> > Yes; this commit adds the out of bound access.
>
> Great, I'll mark the cve as having that as the "vulnerable" commit id,
> and then re-run the scripts and update the .json file and push it to
> cve.org when I get back to a better network connection.
Now updated on the cve.org web site, thanks!
greg k-h
Powered by blists - more mailing lists