* Re: CVE-2024-26908: x86/xen: Add some null pointer checking to smp.c [not found] <2024041747-CVE-2024-26908-4690@gregkh> @ 2024-04-29 11:53 ` Juergen Gross 2024-04-30 8:11 ` Greg KH 2024-05-27 10:58 ` CVE-2021-47377: kernel: xen/balloon: use a kernel thread instead a workqueue Juergen Gross 1 sibling, 1 reply; 4+ messages in thread From: Juergen Gross @ 2024-04-29 11:53 UTC (permalink / raw) To: gregkh Cc: cve, linux-cve-announce, linux-kernel, xen-devel@lists.xenproject.org, Xen.org security team [-- Attachment #1.1.1: Type: text/plain, Size: 438 bytes --] Hi, I'd like to dispute CVE-2024-26908: the issue fixed by upstream commit 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 can in no way be triggered by an unprivileged user or by a remote attack of the system, as it requires hotplug of (virtual) cpus to the running system. This can be done only by either a host admin or by an admin of the guest which might suffer the out-of-memory situation. Please revoke this CVE. Juergen [-- Attachment #1.1.2: OpenPGP public key --] [-- Type: application/pgp-keys, Size: 3743 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2024-26908: x86/xen: Add some null pointer checking to smp.c 2024-04-29 11:53 ` CVE-2024-26908: x86/xen: Add some null pointer checking to smp.c Juergen Gross @ 2024-04-30 8:11 ` Greg KH 0 siblings, 0 replies; 4+ messages in thread From: Greg KH @ 2024-04-30 8:11 UTC (permalink / raw) To: Juergen Gross Cc: cve, linux-cve-announce, linux-kernel, xen-devel@lists.xenproject.org, Xen.org security team On Mon, Apr 29, 2024 at 01:53:44PM +0200, Juergen Gross wrote: > Hi, > > I'd like to dispute CVE-2024-26908: the issue fixed by upstream commit > 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 can in no way be triggered by > an unprivileged user or by a remote attack of the system, as it requires > hotplug of (virtual) cpus to the running system. This can be done only by > either a host admin or by an admin of the guest which might suffer the > out-of-memory situation. > > Please revoke this CVE. Sorry for the delay, thanks for looking into this and letting us know. It's now rejected. greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2021-47377: kernel: xen/balloon: use a kernel thread instead a workqueue [not found] <2024041747-CVE-2024-26908-4690@gregkh> 2024-04-29 11:53 ` CVE-2024-26908: x86/xen: Add some null pointer checking to smp.c Juergen Gross @ 2024-05-27 10:58 ` Juergen Gross 2024-05-28 19:03 ` Greg KH 1 sibling, 1 reply; 4+ messages in thread From: Juergen Gross @ 2024-05-27 10:58 UTC (permalink / raw) To: gregkh Cc: cve, linux-cve-announce, linux-kernel, xen-devel@lists.xenproject.org, Xen.org security team [-- Attachment #1.1.1: Type: text/plain, Size: 455 bytes --] Hi, I'd like to dispute CVE-2021-47377: the issue fixed by upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 can in no way be triggered by an unprivileged user or by a remote attack of the system, as it requires initiation of memory ballooning of the running system. This can be done only by either a host admin or by an admin of the guest which might suffer the detection of the hanging workqueue. Please revoke this CVE. Juergen [-- Attachment #1.1.2: OpenPGP public key --] [-- Type: application/pgp-keys, Size: 3745 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 495 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2021-47377: kernel: xen/balloon: use a kernel thread instead a workqueue 2024-05-27 10:58 ` CVE-2021-47377: kernel: xen/balloon: use a kernel thread instead a workqueue Juergen Gross @ 2024-05-28 19:03 ` Greg KH 0 siblings, 0 replies; 4+ messages in thread From: Greg KH @ 2024-05-28 19:03 UTC (permalink / raw) To: Juergen Gross Cc: cve, linux-cve-announce, linux-kernel, xen-devel@lists.xenproject.org, Xen.org security team On Mon, May 27, 2024 at 12:58:16PM +0200, Juergen Gross wrote: > Hi, > > I'd like to dispute CVE-2021-47377: the issue fixed by upstream commit > 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 can in no way be triggered by > an unprivileged user or by a remote attack of the system, as it requires > initiation of memory ballooning of the running system. This can be done > only by either a host admin or by an admin of the guest which might > suffer the detection of the hanging workqueue. > > Please revoke this CVE. Ah, good catch, this came in as part of the GSD import, and I missed that this required that type of permissions. Now revoked, thanks for the review! greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-05-28 19:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <2024041747-CVE-2024-26908-4690@gregkh>
2024-04-29 11:53 ` CVE-2024-26908: x86/xen: Add some null pointer checking to smp.c Juergen Gross
2024-04-30 8:11 ` Greg KH
2024-05-27 10:58 ` CVE-2021-47377: kernel: xen/balloon: use a kernel thread instead a workqueue Juergen Gross
2024-05-28 19:03 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox