From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Kees Cook <kees@kernel.org>
Cc: "Michal Koutný" <mkoutny@suse.com>,
cve@kernel.org, linux-kernel@vger.kernel.org,
linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion
Date: Tue, 30 Jul 2024 06:56:42 +0200 [thread overview]
Message-ID: <2024073029-clerk-trophy-b84c@gregkh> (raw)
In-Reply-To: <202407291715.017E39A4C@keescook>
On Mon, Jul 29, 2024 at 05:15:52PM -0700, Kees Cook wrote:
> On Mon, Jul 29, 2024 at 04:35:52PM +0200, Michal Koutný wrote:
> > On Sat, Jul 27, 2024 at 09:34:18AM GMT, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > > We assigned a CVE to 9c573cd313433 as it was implied by many that this
> > > was "fixing a weakness" in the security feature in 39218ff4c625d. If
> > > this is not the case, then we can revoke this CVE.
> >
> > If 9c573cd313433 (fixup) is fixing a weakness of too few bits in stack offset
> > randomization, then 39218ff4c625d (feature) is fixing such a weakness too.
> >
> > Or equivalently, if 39218ff4c625d is not fixing a weakness of too few
> > bits in stack offset randomization, then 9c573cd313433 is not fixing it
> > neither.
> >
> > By this reasoning I'd be for stripping this CVE. Both patches would thus
> > be equal. (As suggested by Kees.)
> > (Also to avoid going into the rabbit hole of how many bits of
> > randomization are enough.)
>
> Yeah, I think it's best to have neither be a CVE.
The CVE has now been rejected, thanks for the review!
greg k-h
next prev parent reply other threads:[~2024-07-30 4:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-19 10:11 CVE-2024-35918: randomize_kstack: Improve entropy diffusion Greg Kroah-Hartman
2024-07-26 9:45 ` Michal Koutný
2024-07-26 9:54 ` Greg Kroah-Hartman
2024-07-26 14:12 ` Kees Cook
2024-07-27 7:34 ` Greg Kroah-Hartman
2024-07-29 14:35 ` Michal Koutný
2024-07-30 0:15 ` Kees Cook
2024-07-30 4:56 ` Greg Kroah-Hartman [this message]
2024-07-30 9:16 ` Michal Koutný
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024073029-clerk-trophy-b84c@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=kees@kernel.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkoutny@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.