Message-ID: <2025032816-compress-balcony-e6f7@gregkh>
Date: Fri, 28 Mar 2025 07:53:43 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Gao Xiang <hsiangkao@...ux.alibaba.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2023-53027: erofs: fix kvcalloc() misuse with __GFP_NOFAIL

On Fri, Mar 28, 2025 at 02:43:04PM +0800, Gao Xiang wrote:
> Hi,
> 
> On 2025/3/28 00:44, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > erofs: fix kvcalloc() misuse with __GFP_NOFAIL
> > 
> > As reported by syzbot [1], kvcalloc() cannot work with  __GFP_NOFAIL.
> > Let's use kcalloc() instead.
> > 
> > [1] https://lore.kernel.org/r/0000000000007796bd05f1852ec2@google.com
> > 
> > The Linux kernel CVE team has assigned CVE-2023-53027 to this issue.
> 
> I think this CVE is invalid since it was then reverted by
> upstream commit 647dd2c3f0e1 ("erofs: Revert "erofs: fix kvcalloc()
> misuse with __GFP_NOFAIL"")
> 
> since it's not the correct way to fix this.

Ah, that commit was not in the "normal" revert style, which is why we
didn't notice that.

I've now rejected this CVE id, thanks for letting us know!

greg k-h
