From: Michal Hocko <mhocko@suse.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
Date: Mon, 26 Feb 2024 16:25:09 +0100 [thread overview]
Message-ID: <ZdytVTOgfvKBBvtn@tiehlicka> (raw)
In-Reply-To: <2024022639-wronged-grafted-6777@gregkh>
On Mon 26-02-24 16:06:51, Greg KH wrote:
> On Mon, Feb 26, 2024 at 03:52:11PM +0100, Michal Hocko wrote:
> > On Thu 22-02-24 17:21:58, Greg KH wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > powerpc/pseries/memhp: Fix access beyond end of drmem array
> > >
> > > dlpar_memory_remove_by_index() may access beyond the bounds of the
> > > drmem lmb array when the LMB lookup fails to match an entry with the
> > > given DRC index. When the search fails, the cursor is left pointing to
> > > &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
> > > last valid entry in the array. The debug message at the end of the
> > > function then dereferences this pointer:
> > >
> > > pr_debug("Failed to hot-remove memory at %llx\n",
> > > lmb->base_addr);
> >
> > While this is a reasonable fix and the stable material it is really
> > unclear to me why it has gained a CVE. Memory hotplug is a privileged
> > operation. Could you clarify please?
>
> As you know, history has shown us that accessing out of your allocated
> memory can cause problems, and we can not assume use-cases, as we don't
> know how everyone uses our codebase, so marking places where we fix
> out-of-bound memory accesses is resolving a weakness in the codebase,
> hence a CVE assignment.
Does that mean that any potentially incorrect input provided by an admin is
considered CVE now? I guess we would need to ban interfaces like
/dev/mem and many others.
> If your systems are not vulnerable to this specific issue, wonderful, no
> need to take it, but why wouldn't you want to take a fix that resolves a
> known weakness?
I have explicitly said, the fix is reasonable. I just do not see a point
to mark it as CVE. I fail to see any thread model where this would
matter as it would require untrusted privileged actor to trigger it
AFAICS. I am happy to be proven wrong here.
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2024-02-26 15:25 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-22 16:21 CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array Greg Kroah-Hartman
2024-02-26 14:52 ` Michal Hocko
2024-02-26 15:06 ` Greg Kroah-Hartman
2024-02-26 15:25 ` Michal Hocko [this message]
2024-02-26 16:12 ` Greg Kroah-Hartman
2024-02-26 16:36 ` Michal Hocko
2024-02-27 5:14 ` Greg Kroah-Hartman
2024-02-27 8:51 ` Michal Hocko
2024-03-03 12:02 ` Michael Ellerman
2024-03-03 12:02 ` Michael Ellerman
2024-02-27 9:53 ` Jiri Kosina
2024-02-27 18:35 ` Kees Cook
2024-02-28 12:04 ` Michal Hocko
2024-02-28 17:12 ` Kees Cook
2024-02-29 8:22 ` Michal Hocko
2024-02-29 8:35 ` Greg Kroah-Hartman
2024-02-29 9:41 ` Michal Hocko
2024-02-29 14:18 ` Greg Kroah-Hartman
2024-02-29 15:08 ` Kees Cook
2024-02-29 17:36 ` Michal Hocko
2024-02-29 15:09 ` Jiri Kosina
2024-02-29 16:09 ` Sasha Levin
2024-02-29 17:11 ` Jiri Kosina
2024-02-29 17:36 ` Jiri Kosina
2024-02-29 18:32 ` Greg Kroah-Hartman
2024-02-29 17:38 ` Sasha Levin
2024-02-29 10:03 ` Pavel Machek
2024-02-29 10:00 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZdytVTOgfvKBBvtn@tiehlicka \
--to=mhocko@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.