lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240311140043.GR86322@google.com>
Date: Mon, 11 Mar 2024 14:00:43 +0000
From: Lee Jones <lee@...nel.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Ben Hutchings <ben@...adent.org.uk>, netdev <netdev@...r.kernel.org>,
	cve@...nel.org, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Re: Is CVE-2024-26624 a valid issue?

On Mon, 11 Mar 2024, Eric Dumazet wrote:

> Hi Ben
> 
> Yes, my understanding of the issue is that it is a false positive.
> 
> Some kernels might crash whenever LOCKDEP triggers, as for any WARNing.

Exactly.  So is it possible to trip this, false positive or otherwise?
Being able to crash the kernel, even under false pretences, is
definitely something we usually provide CVE allocations for.

> > I noted that CVE-2024-26624 was assigned by the kernel CVE authority to
> > the issue fixed by commit 4d322dce82a1 "af_unix: fix lockdep positive
> > in sk_diag_dump_icons()".  By my understanding, this does not fix any
> > locking bug, but only a false positive report from lockdep.  Do you
> > consider this a security issue?
> >
> > Ben.
> >
> > --
> > Ben Hutchings
> > Time is nature's way of making sure that
> > everything doesn't happen at once.
> >
> 

-- 
Lee Jones [李琼斯]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ