From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Jens Axboe <axboe@kernel.dk>
Cc: "Gabriel Krisman Bertazi" <krisman@suse.de>,
linux-cve-announce@vger.kernel.org, cve@kernel.org,
linux-kernel@vger.kernel.org, "Tamás Koczka" <poprdi@google.com>
Subject: Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS
Date: Sat, 25 May 2024 17:37:22 +0200
Message-ID: <2024052515-usual-chewer-cbb4@gregkh>
In-Reply-To: <ededb63f-7abc-4cca-8bf7-c767e6026e48@kernel.dk>

On Sat, May 25, 2024 at 09:28:35AM -0600, Jens Axboe wrote:
> On 5/25/24 9:09 AM, Eduardo' Vela" <Nava> wrote:
> > On Sat, 25 May 2024, 09:15 Greg Kroah-Hartman, <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, May 24, 2024 at 10:57:07AM -0600, Jens Axboe wrote:
> > > On 5/24/24 10:45 AM, Gabriel Krisman Bertazi wrote:
> > > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> > > >
> > > >> Description
> > > >> ===========
> > > >>
> > > >> In the Linux kernel, the following vulnerability has been resolved:
> > > >>
> > > >> io_uring: drop any code related to SCM_RIGHTS
> > > >>
> > > >> This is dead code after we dropped support for passing io_uring fds
> > > >> over SCM_RIGHTS, get rid of it.
> > > >>
> > > >> The Linux kernel CVE team has assigned CVE-2023-52656 to this issue.
> > > >
> > > > Hello Greg,
> > > >
> > > > [+Jens in Cc]
> > > >
> > > > This is stable material, but doesn't deserve CVE status. There is
> > > > nothing exploitable that is fixed here. Instead, this commit is dropping
> > > > unreachable code after the removal of a feature, following another CVE
> > > > report. Doing the clean up in the original patch would have made the
> > > > real security fix harder to review.
> > > >
> > > > The real issue was reported as CVE-2023-52654 and handled by a different
> > > > commit.
> > >
> > > FWIW, the same is true for a number of other commits recently. They are
> > > nowhere near CVE material, it's just generic bug fixes.
> >
> > Ok, glad to revoke them if you do not think they are user triggerable
> > issues. I'll go reject this one right now, thanks.
> >
> >
> > Good day!
> >
> > So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> > rejected. Forgive me for muddying the problem even more.
> >
> > I think we need to unreject this CVE (CVE-2023-52656) or
> > CVE-2023-52654 should be amended to include the dead code removal
> > commit.. that said, that'll be weirder than just unrejecting this
> > commit.
> >
> > The reason is that the commit "io_uring/af_unix: disable sending
> > io_uring over sockets" is not enough to fix the vulnerability in
> > stable branches, because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792
> > on 5.15 only fixes one path (io_sqe_file_register) to reach
> > unix_inflight(), but it is still reachable via another path
> > (io_sqe_fileS_register) which is only removed by
> > d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code
> > related to SCM_RIGHTS").
> >
> > Although that patch claims "it is dead code", this claim was only true
> > on upstream, but not on stable branches (or at least on 5.15 where the
> > vulnerability was proven to be reachable).
> >
> > What a mess! ?
>
> Ah right, yeah it was a mess because of the stable backports, it was not
> for the upstream front. Agree Greg, let's just keep it because of the
> stable side.

Now republished, thanks!

greg k-h
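
An added example, not part of the thread or of any kernel tooling: a shell check that classifies a stable branch by which of the two commit subjects quoted above appear in its history, since the thread's point is that the first alone leaves the second registration path in place on stable. It assumes backports keep the upstream subject line; the function names and status words are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Subjects are the two quoted in the
# discussion; everything else here is an illustrative assumption.

FIX_SUBJECT='io_uring/af_unix: disable sending io_uring over sockets'
CLEANUP_SUBJECT='io_uring: drop any code related to SCM_RIGHTS'

# Reads one commit subject per line on stdin (e.g. git log --format=%s).
# Prints one of:
#   complete      both commits present
#   partial       only the "disable sending" commit: the state the thread
#                 describes for 5.15, where one path was still reachable
#   cleanup-only  only the removal commit
#   missing       neither commit present
scm_rights_fix_status() {
    have_fix=0
    have_cleanup=0
    while IFS= read -r subject; do
        # Quoted variables in case patterns match literally, not as globs.
        case "$subject" in
            "$FIX_SUBJECT")     have_fix=1 ;;
            "$CLEANUP_SUBJECT") have_cleanup=1 ;;
        esac
    done
    if [ "$have_fix" -eq 1 ] && [ "$have_cleanup" -eq 1 ]; then
        echo complete
    elif [ "$have_fix" -eq 1 ]; then
        echo partial
    elif [ "$have_cleanup" -eq 1 ]; then
        echo cleanup-only
    else
        echo missing
    fi
}

# Convenience wrapper: audit_tree <repo-dir> <revision-or-range>
audit_tree() {
    git -C "$1" log --format=%s "$2" | scm_rights_fix_status
}
```

A matching subject does not prove the backport is unmodified or was not later reverted, so a "complete" result still deserves a look at the code itself.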