| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c3a815ab-7c52-40fa-a06a-f838c00f19bf@linux.alibaba.com>
Date: Fri, 28 Mar 2025 14:55:59 +0800
From: Gao Xiang <hsiangkao@...ux.alibaba.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2023-53027: erofs: fix kvcalloc() misuse with __GFP_NOFAIL
On 2025/3/28 14:53, Greg Kroah-Hartman wrote:
> On Fri, Mar 28, 2025 at 02:43:04PM +0800, Gao Xiang wrote:
>> Hi,
>>
>> On 2025/3/28 00:44, Greg Kroah-Hartman wrote:
>>> Description
>>> ===========
>>>
>>> In the Linux kernel, the following vulnerability has been resolved:
>>>
>>> erofs: fix kvcalloc() misuse with __GFP_NOFAIL
>>>
>>> As reported by syzbot [1], kvcalloc() cannot work with __GFP_NOFAIL.
>>> Let's use kcalloc() instead.
>>>
>>> [1] https://lore.kernel.org/r/0000000000007796bd05f1852ec2@google.com
>>>
>>> The Linux kernel CVE team has assigned CVE-2023-53027 to this issue.
>>
>> I think this CVE is invalid since it was then reverted by
>> upstream commit 647dd2c3f0e1 ("erofs: Revert "erofs: fix kvcalloc()
>> misuse with __GFP_NOFAIL"")
>>
>> since it's not the correct way to fix this.
>
> Ah, that commit was not in the "normal" revert style, which is why we
> didn't notice that.
Yeah, that is somewhat awkward.. Anyway, backport this incorrect
fix due to a CVE just makes it worse.
>
> I've now rejected this CVE id, thanks for letting us know!
Thanks!
Thanks,
Gao Xiang
>
> greg k-h
Powered by blists - more mailing lists