Message-ID: <2024051947-hermit-yeast-3e15@gregkh>
Date: Sun, 19 May 2024 10:53:11 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Michal Koutný <mkoutny@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2024-27406: lib/Kconfig.debug: TEST_IOV_ITER depends on MMU

On Fri, May 17, 2024 at 07:42:14PM +0200, Michal Koutný wrote:
> On Fri, May 17, 2024 at 01:40:41PM GMT, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> > BUG: failure at mm/nommu.c:318/vmap()!
> > Kernel panic - not syncing: BUG!
> > 
> > The test calls vmap() directly, but vmap() is not supported on nommu
> > systems, causing the crash.  TEST_IOV_ITER therefore needs to depend on
> > MMU.
> 
> This is fixing a missing assumption of a testing module.
> The BUG is deserved AFAIU. The CVE should be reverted IMO.

Many people/distros run the built-in unit tests at boot time, and having
crashes is not a good idea.  So if you don't enable this option, great,
this CVE isn't relevant, but if you do, it's an in-kernel crash which is
not good, and this is the fix for that.

So I don't think this CVE should be rejected, sorry.

thanks,

greg k-h
