| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024052814-bubbly-ramp-2d8e@gregkh> Date: Tue, 28 May 2024 21:08:22 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Michal Hocko <mhocko@...e.com> Cc: Nikolay Borisov <nik.borisov@...e.com>, cve@...nel.org, linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org Subject: Re: CVE-2024-35802: x86/sev: Fix position dependent variable references in startup code On Tue, May 28, 2024 at 10:51:52AM +0200, Michal Hocko wrote: > On Thu 23-05-24 14:14:57, Nikolay Borisov wrote: > [...] > > I'd like to dispute this CVE since it doesn't constitute a security related > > bug. Sure, it might crash a SEV guest during boot but it doesn't constitute > > a security issue per-se. > > Let me add analysis by Joerg here: > : This is not a security issue. The patch works around clangs compiler behavior > : where it inserts absolute references to kernel addresses. This breaks kernel > : boot because at the time this code runs the kernel still runs direct-mapped and > : needs to rely on RIP-relative addressing only. > : > : Any breakage there would be detected at early boot of the kernel by a fatal > : crash, which can not be exploited. Also, our kernels are not compiled with > : clang, so from that perspective this is also not an issue for us either. > > So this is a functional fix for clang builds. Thanks for the review, now rejected. greg k-h
Powered by blists - more mailing lists