Message-ID: <364518a3a279657815b631e85f3177880b42f4f7.camel@suse.de>
Date: Tue, 02 Jul 2024 19:05:19 +0200
From: Jean Delvare <jdelvare@...e.de>
To: cve@...nel.org, linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Hamish Martin
	 <Hamish.Martin@...iedtelesis.co.nz>, Mika Westerberg
	 <mika.westerberg@...ux.intel.com>, Andi Shyti <andi.shyti@...nel.org>, 
	Wolfram Sang <wsa+renesas@...g-engineering.com>
Subject: Re: CVE-2024-39362: i2c: acpi: Unbind mux adapters before delete

Hi all,

On Tue, 2024-06-25 at 16:22 +0200, Greg Kroah-Hartman wrote:
> In the Linux kernel, the following vulnerability has been resolved:
> 
> i2c: acpi: Unbind mux adapters before delete
> (...)
> 
> The Linux kernel CVE team has assigned CVE-2024-39362 to this issue.

I would like to dispute this CVE. I don't quite understand how this bug
qualifies as a security bug, considering that only root can load and
unload overlay SSDT tables. The bug can't be triggered on purpose by a
remote or local unprivileged user.

The bug causes a warning to be dumped to the kernel log, due to trying
to unbind a companion device which is already unbound, but as far as I
can see, that's all. acpi_unbind_one() is a best-effort function, it
returns 0 no matter what. kernfs_remove_by_name_ns() will gracefully
return an error code. I can't see any obvious use-after-free happening
so I see no way an attacker could exploit this bug.

So I would cancel this CVE.

For completeness and in case someone objects to the cancellation, I
would also point out that I don't think upstream commit 525e6fabeae2
("i2c / ACPI: add support for ACPI reconfigure notifications") is
sufficient to reproduce the bug. Support for ACPI-defined I2C
multiplexing was only added by commit 98b2b712bc85 ("i2c: i2c-mux-gpio:
Enable this driver in ACPI land") in kernel v5.12 and my understanding
is that this capability has to be used by the SSDT tables in order to
trigger the bug. So at the minimum, the CVE should be amended with this
piece of information.

Thanks,
-- 
Jean Delvare
SUSE L3 Support
