lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025070142-equation-unlighted-9720@gregkh>
Date: Tue, 1 Jul 2025 12:14:13 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Brendan Jackman <jackmanb@...gle.com>
Cc: stable@...r.kernel.org, Corey Minyard <minyard@....org>,
	Corey Minyard <cminyard@...sta.com>,
	openipmi-developer@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org,
	Dan Carpenter <dan.carpenter@...aro.org>,
	Corey Minyard <corey@...yard.net>
Subject: Re: [PATCH stable] ipmi:msghandler: Fix potential memory corruption
 in ipmi_create_user()

On Tue, Jul 01, 2025 at 09:52:55AM +0000, Brendan Jackman wrote:
> On Mon Jun 30, 2025 at 6:10 PM UTC, Greg KH wrote:
> > On Mon, Jun 30, 2025 at 05:09:02PM +0000, Brendan Jackman wrote:
> >> From: Dan Carpenter <dan.carpenter@...aro.org>
> >> 
> >> commit fa332f5dc6fc662ad7d3200048772c96b861cf6b upstream
> >> 
> >> The "intf" list iterator is an invalid pointer if the correct
> >> "intf->intf_num" is not found.  Calling atomic_dec(&intf->nr_users) on
> >> and invalid pointer will lead to memory corruption.
> >> 
> >> We don't really need to call atomic_dec() if we haven't called
> >> atomic_add_return() so update the if (intf->in_shutdown) path as well.
> >> 
> >> Fixes: 8e76741c3d8b ("ipmi: Add a limit on the number of users that may use IPMI")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> >> Message-ID: <aBjMZ8RYrOt6NOgi@...nley.mountain>
> >> Signed-off-by: Corey Minyard <corey@...yard.net>
> >> Signed-off-by: Brendan Jackman <jackmanb@...gle.com>
> >> ---
> >> I have tested this in 6.12 with Google's platform drivers added to
> >> reproduce the bug.  The bug causes the panic notifier chain to get
> >> corrupted leading to a crash. With the fix this goes away.
> >> 
> >> Applies to 6.6 too but I haven't tested it there.
> >
> > So what kernels are you wanting this to be applied to?
> 
> Right, sorry for the ambiguity.  I've just applied the patch to 6.6 and
> booted QEMU and it worked fine.
> 
> I have not reproduced a crash in 6.6 but it's pretty clearly a real bug
> (it decrements the target of an uninitialized pointer).
> 
> So if you're OK with that then please apply to 6.6 and 6.12. Otherwise
> just 6.12 is fine, I will send another PATCH if I ever hit the issue for
> real in 6.6.

But why would we skip 6.15.y?  You can't apply patches to only older
stable kernels, as that would cause users to have regressions when they
move to newer ones. :(

greg k-h

>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ