From: Michal Hocko <mhocko@suse.com>
To: cve@kernel.org, linux-kernel@vger.kernel.org
Cc: linux-cve-announce@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
Date: Mon, 26 Feb 2024 15:52:11 +0100 [thread overview]
Message-ID: <Zdylmz28rZ-mCeiN@tiehlicka> (raw)
In-Reply-To: <2024022257-CVE-2023-52451-7bdb@gregkh>
On Thu 22-02-24 17:21:58, Greg KH wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> powerpc/pseries/memhp: Fix access beyond end of drmem array
>
> dlpar_memory_remove_by_index() may access beyond the bounds of the
> drmem lmb array when the LMB lookup fails to match an entry with the
> given DRC index. When the search fails, the cursor is left pointing to
> &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
> last valid entry in the array. The debug message at the end of the
> function then dereferences this pointer:
>
> pr_debug("Failed to hot-remove memory at %llx\n",
> lmb->base_addr);
While this is a reasonable fix and the stable material it is really
unclear to me why it has gained a CVE. Memory hotplug is a privileged
operation. Could you clarify please?
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2024-02-26 14:52 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-22 16:21 CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array Greg Kroah-Hartman
2024-02-26 14:52 ` Michal Hocko [this message]
2024-02-26 15:06 ` Greg Kroah-Hartman
2024-02-26 15:25 ` Michal Hocko
2024-02-26 16:12 ` Greg Kroah-Hartman
2024-02-26 16:36 ` Michal Hocko
2024-02-27 5:14 ` Greg Kroah-Hartman
2024-02-27 8:51 ` Michal Hocko
2024-03-03 12:02 ` Michael Ellerman
2024-03-03 12:02 ` Michael Ellerman
2024-02-27 9:53 ` Jiri Kosina
2024-02-27 18:35 ` Kees Cook
2024-02-28 12:04 ` Michal Hocko
2024-02-28 17:12 ` Kees Cook
2024-02-29 8:22 ` Michal Hocko
2024-02-29 8:35 ` Greg Kroah-Hartman
2024-02-29 9:41 ` Michal Hocko
2024-02-29 14:18 ` Greg Kroah-Hartman
2024-02-29 15:08 ` Kees Cook
2024-02-29 17:36 ` Michal Hocko
2024-02-29 15:09 ` Jiri Kosina
2024-02-29 16:09 ` Sasha Levin
2024-02-29 17:11 ` Jiri Kosina
2024-02-29 17:36 ` Jiri Kosina
2024-02-29 18:32 ` Greg Kroah-Hartman
2024-02-29 17:38 ` Sasha Levin
2024-02-29 10:03 ` Pavel Machek
2024-02-29 10:00 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Zdylmz28rZ-mCeiN@tiehlicka \
--to=mhocko@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.