Message-ID: <CALf2hKtQH9KFp=KDQo6jmq4jpNzqoJnJRAFKWHf=Tk62U6RaVw@mail.gmail.com>
Date: Tue, 26 Nov 2024 20:08:32 +0800
From: Zhang Zhiyu <zhiyuzhang999@...il.com>
To: rpeterso@...hat.com, agruenba@...hat.com, gfs2@...ts.linux.dev, 
	linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: Follow-up on Linux Kernel Vulnerability [v5.15] KASAN-stack-out-of-bounds-Read
 in gfs2_file_buffered_write

Dear Linux Kernel Developers and Maintainers,

I hope this message finds you well. I am following up on a previous
email I sent on March 3rd, 2024, regarding a stack out-of-bounds read
vulnerability in the Linux Kernel 5.15, specifically in the
gfs2_file_buffered_write function. Here is the link to the original
message I sent to the Linux kernel mailing list (but forgot to cc
the syzkaller group):
https://lore.kernel.org/lkml/CALf2hKupR6mV4vUW8tWEJY_1CqaLLrqx5q2667XGEzEGnAtuQw@mail.gmail.com/T/

In that email, I attached a detailed analysis of the vulnerability,
demonstrating its validity and potential impact. I have noticed that
the issue is still being triggered on the latest 5.15.y branch, as
reported by Syzbot
(https://syzkaller.appspot.com/bug?extid=43147f1cd55d15dfbf7d), and I
would greatly appreciate your insights on whether this vulnerability
has been fully addressed in subsequent kernel releases.

Additionally, I would like to ask whether a CVE has been assigned for
this vulnerability or if there are any updates regarding its
resolution. I also want to discuss the CVSS score for this type of
vulnerability, which seems similar to other stack out-of-bounds read
issues in the Linux kernel (e.g., CVE-2023-6606, CVE-2024-39487,
CVE-2024-46743, CVE-2024-50227, CVE-2024-50301), all of which were
assigned the CVSS vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

Thank you very much for your time and assistance. I look forward to
your response.

Best regards,
Zhiyu Zhang
