From: Kees Cook <keescook@chromium.org>
To: Michal Hocko <mhocko@suse.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
Date: Wed, 28 Feb 2024 09:12:15 -0800 [thread overview]
Message-ID: <202402280906.D6D5590DB@keescook> (raw)
In-Reply-To: <Zd8hPpP_6q_o8uQW@tiehlicka>
On Wed, Feb 28, 2024 at 01:04:14PM +0100, Michal Hocko wrote:
> On Tue 27-02-24 10:35:40, Kees Cook wrote:
> > On Mon, Feb 26, 2024 at 04:25:09PM +0100, Michal Hocko wrote:
> [...]
> > > Does that mean that any potentially incorrect input provided by an admin is
> > > considered CVE now?
> >
> > Yes. Have you seen what USER_NS does? There isn't a way to know how
> > deployments are using Linux, and this is clearly a "weakness" as defined
> > by CVE. It is better to be over zealous than miss things.
>
> If we are over zealous to the point when almost any fix is marked CVE
> then the special marking simply stops making any sense IMHO.
Perhaps, but the volume of fixes is high, and I think it's better to
over estimate than under estimate -- the work needed to actually
evaluate all these changes is huge: it's better to take everything from
-stable. This has been a long standing problem with communicating this
to engineering management in many organizations. They have pointed to
the relatively small number of CVEs and said, "just backport those
fixes", and trying to explain that it's is totally insufficient falls on
deaf ears.
> Are you confusing hardening with security relevant fixes here? It makes
> a lot of sense to reduce the attack space by sacrificing functionality
> for some usecases but in general a large part of the kernel is built
> around a "root can do anything" philosophy. Whether we like it or not.
> And that means that we do not even pretend to protect dubious
> configurations by root/CAP_SYSADMIN which could effectivelly DoS the
> system (just consider hotplug/hotremove as an example - try to run your
> workload when most CPUs or memory is offlined). Some operations are
> simply not suited for untrusted entity.
Sure, I understand, but it's not possible to prove the negative. Perhaps
this particular fix will never be used in an attack, but I don't think
it's good to underestimate the creativity of attackers chaining
unexpected states together.
> [...]
>
> > There's no harm in marking fixes for weaknesses as CVEs, so why the
> > push back?
>
> Because assigning CVEs nilly willy was the main downside of the prior
> process and I was hoping that the new one, in hands of kernel people,
> could be better and we could be getting more relevant CVEs.
The old assignment pattern was both radically below actual fixes
landing, and also regularly not applicable at all (CVEs for out-of-tree
downstream patches against Linux). On both counts, I think the new
process is better, even if it will produce some "very low" severity
CVEs. :)
-Kees
--
Kees Cook
next prev parent reply other threads:[~2024-02-28 17:12 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024022257-CVE-2023-52451-7bdb@gregkh>
2024-02-26 14:52 ` CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array Michal Hocko
2024-02-26 15:06 ` Greg Kroah-Hartman
2024-02-26 15:25 ` Michal Hocko
2024-02-26 16:12 ` Greg Kroah-Hartman
2024-02-26 16:36 ` Michal Hocko
2024-02-27 5:14 ` Greg Kroah-Hartman
2024-02-27 8:51 ` Michal Hocko
2024-03-03 12:02 ` Michael Ellerman
2024-02-27 9:53 ` Jiri Kosina
2024-02-27 18:35 ` Kees Cook
2024-02-28 12:04 ` Michal Hocko
2024-02-28 17:12 ` Kees Cook [this message]
2024-02-29 8:22 ` Michal Hocko
2024-02-29 8:35 ` Greg Kroah-Hartman
2024-02-29 9:41 ` Michal Hocko
2024-02-29 14:18 ` Greg Kroah-Hartman
2024-02-29 15:08 ` Kees Cook
2024-02-29 17:36 ` Michal Hocko
2024-02-29 15:09 ` Jiri Kosina
2024-02-29 16:09 ` Sasha Levin
2024-02-29 17:11 ` Jiri Kosina
2024-02-29 17:36 ` Jiri Kosina
2024-02-29 18:32 ` Greg Kroah-Hartman
2024-02-29 17:38 ` Sasha Levin
2024-02-29 10:03 ` Pavel Machek
2024-02-29 10:00 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202402280906.D6D5590DB@keescook \
--to=keescook@chromium.org \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox