From: "Theodore Ts'o" <tytso@mit.edu>
To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Cc: Siddh Raman Pant <siddh.raman.pant@oracle.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
Date: Mon, 9 Dec 2024 11:26:23 -0500 [thread overview]
Message-ID: <20241209162623.GA1667758@mit.edu> (raw)
In-Reply-To: <2024120952-decorator-lyricist-1e9a@gregkh>
On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> On Mon, Dec 09, 2024 at 12:30:08PM +0000, Siddh Raman Pant wrote:
> > On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote:
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > ext4: no need to continue when the number of entries is 1
> > >
> > > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue.
> >
> > This seems to fix nothing:
> >
> > https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/
>
> Ok, so should it be revoked?
We're not aware of a way of triggering the OOB error, so in that sense
the CVE is not valid. There might be a way that someone might be able
to trigger it in the future; in that hypothetical future, there might
be some other fix that would address the root cause, but this would be
a belt and suspenders thing that might prevent that (hypothetical)
future. So in that sense, it is highly commended that enterprise
distros and people who are not following the LTS kernels take this
patch. But is it actually fixing a known vulnerability today? Not
that we know of.
Cheers,
- Ted
P.S. If some security researcher wants to find such a way, to educate
people on why using LTS kernels is superior, they should feel free to
consider this a challenge. :-P
next prev parent reply other threads:[~2024-12-09 16:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024102133-CVE-2024-49967-a58a@gregkh>
2024-12-09 12:30 ` CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Siddh Raman Pant
2024-12-09 13:08 ` gregkh
2024-12-09 16:26 ` Theodore Ts'o [this message]
2024-12-10 6:08 ` Siddh Raman Pant
2025-01-06 18:09 ` Theodore Ts'o
2025-01-06 18:14 ` gregkh
2025-01-07 8:47 ` gregkh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241209162623.GA1667758@mit.edu \
--to=tytso@mit.edu \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=siddh.raman.pant@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox