* CVE-2024-49967: ext4: no need to continue when the number of entries is 1 @ 2024-10-21 18:02 Greg Kroah-Hartman 2024-12-09 12:30 ` Siddh Raman Pant 0 siblings, 1 reply; 8+ messages in thread From: Greg Kroah-Hartman @ 2024-10-21 18:02 UTC (permalink / raw) To: linux-cve-announce; +Cc: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1 The Linux kernel CVE team has assigned CVE-2024-49967 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 5.10.227 with commit 133ff0d78f1b Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 5.15.168 with commit aca593e6070e Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 6.1.113 with commit a02d7f5b2419 Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 6.6.55 with commit 2d64e7dada22 Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 6.10.14 with commit fe192515d293 Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 6.11.3 with commit 9d4b2e4c36bb Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 6.12-rc1 with commit 1a00a393d6a7 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-49967 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/ext4/namei.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/133ff0d78f1b160de011647bb65807195ca5d1ca https://git.kernel.org/stable/c/aca593e6070e21979430c344e9cb0b272a9e7e10 https://git.kernel.org/stable/c/a02d7f5b24193aed451ac67aad3453472e79dc78 https://git.kernel.org/stable/c/2d64e7dada22ab589d1ac216a3661074d027f25e https://git.kernel.org/stable/c/fe192515d2937b8ed2d21921b558a06dd2031d21 https://git.kernel.org/stable/c/9d4b2e4c36bb88d57018c1cbc8b6a0c4b44a7f42 https://git.kernel.org/stable/c/1a00a393d6a7fb1e745a41edd09019bd6a0ad64c ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2024-10-21 18:02 CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman @ 2024-12-09 12:30 ` Siddh Raman Pant 2024-12-09 13:08 ` gregkh 0 siblings, 1 reply; 8+ messages in thread From: Siddh Raman Pant @ 2024-12-09 12:30 UTC (permalink / raw) To: gregkh@linuxfoundation.org; +Cc: linux-kernel@vger.kernel.org [-- Attachment #1: Type: text/plain, Size: 403 bytes --] On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote: > In the Linux kernel, the following vulnerability has been resolved: > > ext4: no need to continue when the number of entries is 1 > > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue. This seems to fix nothing: https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/ Thanks, Siddh [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2024-12-09 12:30 ` Siddh Raman Pant @ 2024-12-09 13:08 ` gregkh 2024-12-09 16:26 ` Theodore Ts'o 0 siblings, 1 reply; 8+ messages in thread From: gregkh @ 2024-12-09 13:08 UTC (permalink / raw) To: Siddh Raman Pant; +Cc: linux-kernel@vger.kernel.org On Mon, Dec 09, 2024 at 12:30:08PM +0000, Siddh Raman Pant wrote: > On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote: > > In the Linux kernel, the following vulnerability has been resolved: > > > > ext4: no need to continue when the number of entries is 1 > > > > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue. > > This seems to fix nothing: > > https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/ Ok, so should it be revoked? thanks, greg k-h ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2024-12-09 13:08 ` gregkh @ 2024-12-09 16:26 ` Theodore Ts'o 2024-12-10 6:08 ` Siddh Raman Pant 0 siblings, 1 reply; 8+ messages in thread From: Theodore Ts'o @ 2024-12-09 16:26 UTC (permalink / raw) To: gregkh@linuxfoundation.org; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote: > On Mon, Dec 09, 2024 at 12:30:08PM +0000, Siddh Raman Pant wrote: > > On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote: > > > In the Linux kernel, the following vulnerability has been resolved: > > > > > > ext4: no need to continue when the number of entries is 1 > > > > > > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue. > > > > This seems to fix nothing: > > > > https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/ > > Ok, so should it be revoked? We're not aware of a way of triggering the OOB error, so in that sense the CVE is not valid. There might be a way that someone might be able to trigger it in the future; in that hypothetical future, there might be some other fix that would address the root cause, but this would be a belt and suspenders thing that might prevent that (hypothetical) future. So in that sense, it is highly commended that enterprise distros and people who are not following the LTS kernels take this patch. But is it actually fixing a known vulnerability today? Not that we know of. Cheers, - Ted P.S. If some security researcher wants to find such a way, to educate people on why using LTS kernels is superior, they should feel free to consider this a challenge. :-P ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2024-12-09 16:26 ` Theodore Ts'o @ 2024-12-10 6:08 ` Siddh Raman Pant 2025-01-06 18:09 ` Theodore Ts'o 0 siblings, 1 reply; 8+ messages in thread From: Siddh Raman Pant @ 2024-12-10 6:08 UTC (permalink / raw) To: gregkh@linuxfoundation.org, tytso@mit.edu; +Cc: linux-kernel@vger.kernel.org [-- Attachment #1: Type: text/plain, Size: 1088 bytes --] On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote: > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote: > > Ok, so should it be revoked? Yes, as this was an incorrect attempt at fixing CVE-2024-42305. > We're not aware of a way of triggering the OOB error, so in that sense > the CVE is not valid. There might be a way that someone might be able > to trigger it in the future; in that hypothetical future, there might > be some other fix that would address the root cause, but this would be > a belt and suspenders thing that might prevent that (hypothetical) > future. So in that sense, it is highly commended that enterprise > distros and people who are not following the LTS kernels take this > patch. But is it actually fixing a known vulnerability today? Not > that we know of. > > Cheers, > > - Ted > > P.S. If some security researcher wants to find such a way, to educate > people on why using LTS kernels is superior, they should feel free to > consider this a challenge. :-P I agree. Thanks, Siddh [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2024-12-10 6:08 ` Siddh Raman Pant @ 2025-01-06 18:09 ` Theodore Ts'o 2025-01-06 18:14 ` gregkh 0 siblings, 1 reply; 8+ messages in thread From: Theodore Ts'o @ 2025-01-06 18:09 UTC (permalink / raw) To: Siddh Raman Pant Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, cve It looks like this CVE hasn't been revoked yet, at least per nvd.nist.gov? Is that the best way to check kernel CVE's status? Thanks, - Ted On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote: > On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote: > > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote: > > > Ok, so should it be revoked? > > Yes, as this was an incorrect attempt at fixing CVE-2024-42305. > > > We're not aware of a way of triggering the OOB error, so in that sense > > the CVE is not valid. There might be a way that someone might be able > > to trigger it in the future; in that hypothetical future, there might > > be some other fix that would address the root cause, but this would be > > a belt and suspenders thing that might prevent that (hypothetical) > > future. So in that sense, it is highly commended that enterprise > > distros and people who are not following the LTS kernels take this > > patch. But is it actually fixing a known vulnerability today? Not > > that we know of. > > > > Cheers, > > > > - Ted > > > > P.S. If some security researcher wants to find such a way, to educate > > people on why using LTS kernels is superior, they should feel free to > > consider this a challenge. :-P > > I agree. > > Thanks, > Siddh ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2025-01-06 18:09 ` Theodore Ts'o @ 2025-01-06 18:14 ` gregkh 2025-01-07 8:47 ` gregkh 0 siblings, 1 reply; 8+ messages in thread From: gregkh @ 2025-01-06 18:14 UTC (permalink / raw) To: Theodore Ts'o; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org, cve On Mon, Jan 06, 2025 at 01:09:16PM -0500, Theodore Ts'o wrote: > It looks like this CVE hasn't been revoked yet, at least per > nvd.nist.gov? Is that the best way to check kernel CVE's status? Yes it is, but I don't recall a concrete "please revoke this CVE" request which is why it didn't happen. Do you really want it revoked? thanks, greg k-h ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 2025-01-06 18:14 ` gregkh @ 2025-01-07 8:47 ` gregkh 0 siblings, 0 replies; 8+ messages in thread From: gregkh @ 2025-01-07 8:47 UTC (permalink / raw) To: Theodore Ts'o; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org, cve On Mon, Jan 06, 2025 at 07:14:18PM +0100, gregkh@linuxfoundation.org wrote: > On Mon, Jan 06, 2025 at 01:09:16PM -0500, Theodore Ts'o wrote: > > It looks like this CVE hasn't been revoked yet, at least per > > nvd.nist.gov? Is that the best way to check kernel CVE's status? > > Yes it is, but I don't recall a concrete "please revoke this CVE" > request which is why it didn't happen. Do you really want it revoked? Ok, now revoked. thanks greg k-h ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-01-07 8:47 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-10-21 18:02 CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman 2024-12-09 12:30 ` Siddh Raman Pant 2024-12-09 13:08 ` gregkh 2024-12-09 16:26 ` Theodore Ts'o 2024-12-10 6:08 ` Siddh Raman Pant 2025-01-06 18:09 ` Theodore Ts'o 2025-01-06 18:14 ` gregkh 2025-01-07 8:47 ` gregkh
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.