| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024052310-undermost-cramp-5d81@gregkh> Date: Thu, 23 May 2024 14:17:34 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Nikolay Borisov <nik.borisov@...e.com> Cc: cve@...nel.org, linux-kernel@...r.kernel.org Subject: Re: CVE-2024-35802: x86/sev: Fix position dependent variable references in startup code On Thu, May 23, 2024 at 03:01:56PM +0300, Nikolay Borisov wrote: > > > On 23.05.24 г. 14:21 ч., Greg Kroah-Hartman wrote: > > Isn't crashing SEV guests a problem with "availability"? That term > > comes from the CVE definition of what we need to mark as a CVE, which is > > why this one was picked. > > But availability has never been one of the tenets of CoCo, in fact in > sev-snp/tdx the VMM is explicitly considered outside of the TCB so > availability cannot be guaranteed. This has nothing to do with CoCo (but really, ability of the host to crash the guest seems like it should be as I would assume that CoCo guests would want to be able to be run...) Official CVE definition of vulnerability from cve.org: An instance of one or more weaknesses in a Product that can be exploited, causing a negative impact to confidentiality, integrity, or availability; a set of conditions or behaviors that allows the violation of an explicit or implicit security policy. I think "able to crash SEV guests" is a direct weakness that has to do with availability here which is why I marked it as such (as did other reviewers.) Now if CoCo wants to claim it as part of their security implicit or explicit security policy, all the better :) thanks, greg k-h
Powered by blists - more mailing lists