Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
       [not found] <2024102133-CVE-2024-49967-a58a@gregkh>
@ 2024-12-09 12:30 ` Siddh Raman Pant
  2024-12-09 13:08   ` gregkh
  0 siblings, 1 reply; 7+ messages in thread
From: Siddh Raman Pant @ 2024-12-09 12:30 UTC (permalink / raw)
  To: gregkh@linuxfoundation.org; +Cc: linux-kernel@vger.kernel.org

[-- Attachment #1: Type: text/plain, Size: 403 bytes --]

On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote:
> In the Linux kernel, the following vulnerability has been resolved:
> 
> ext4: no need to continue when the number of entries is 1
> 
> The Linux kernel CVE team has assigned CVE-2024-49967 to this issue.

This seems to fix nothing:

https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/

Thanks,
Siddh

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2024-12-09 12:30 ` CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Siddh Raman Pant
@ 2024-12-09 13:08   ` gregkh
  2024-12-09 16:26     ` Theodore Ts'o
  0 siblings, 1 reply; 7+ messages in thread
From: gregkh @ 2024-12-09 13:08 UTC (permalink / raw)
  To: Siddh Raman Pant; +Cc: linux-kernel@vger.kernel.org

On Mon, Dec 09, 2024 at 12:30:08PM +0000, Siddh Raman Pant wrote:
> On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote:
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > ext4: no need to continue when the number of entries is 1
> > 
> > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue.
> 
> This seems to fix nothing:
> 
> https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/

Ok, so should it be revoked?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2024-12-09 13:08   ` gregkh
@ 2024-12-09 16:26     ` Theodore Ts'o
  2024-12-10  6:08       ` Siddh Raman Pant
  0 siblings, 1 reply; 7+ messages in thread
From: Theodore Ts'o @ 2024-12-09 16:26 UTC (permalink / raw)
  To: gregkh@linuxfoundation.org; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org

On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> On Mon, Dec 09, 2024 at 12:30:08PM +0000, Siddh Raman Pant wrote:
> > On Mon, 21 Oct 2024 20:02:55 +0200, Greg Kroah-Hartman wrote:
> > > In the Linux kernel, the following vulnerability has been resolved:
> > > 
> > > ext4: no need to continue when the number of entries is 1
> > > 
> > > The Linux kernel CVE team has assigned CVE-2024-49967 to this issue.
> > 
> > This seems to fix nothing:
> > 
> > https://lore.kernel.org/all/6ba9afc8-fa95-478c-8ed2-a4ad10b3c520@huawei.com/
> 
> Ok, so should it be revoked?

We're not aware of a way of triggering the OOB error, so in that sense
the CVE is not valid.  There might be a way that someone might be able
to trigger it in the future; in that hypothetical future, there might
be some other fix that would address the root cause, but this would be
a belt and suspenders thing that might prevent that (hypothetical)
future.  So in that sense, it is highly commended that enterprise
distros and people who are not following the LTS kernels take this
patch.  But is it actually fixing a known vulnerability today?  Not
that we know of.

Cheers,

						- Ted

P.S.  If some security researcher wants to find such a way, to educate
people on why using LTS kernels is superior, they should feel free to
consider this a challenge.  :-P

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2024-12-09 16:26     ` Theodore Ts'o
@ 2024-12-10  6:08       ` Siddh Raman Pant
  2025-01-06 18:09         ` Theodore Ts'o
  0 siblings, 1 reply; 7+ messages in thread
From: Siddh Raman Pant @ 2024-12-10  6:08 UTC (permalink / raw)
  To: gregkh@linuxfoundation.org, tytso@mit.edu; +Cc: linux-kernel@vger.kernel.org

[-- Attachment #1: Type: text/plain, Size: 1088 bytes --]

On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> > Ok, so should it be revoked?

Yes, as this was an incorrect attempt at fixing CVE-2024-42305.

> We're not aware of a way of triggering the OOB error, so in that sense
> the CVE is not valid.  There might be a way that someone might be able
> to trigger it in the future; in that hypothetical future, there might
> be some other fix that would address the root cause, but this would be
> a belt and suspenders thing that might prevent that (hypothetical)
> future.  So in that sense, it is highly commended that enterprise
> distros and people who are not following the LTS kernels take this
> patch.  But is it actually fixing a known vulnerability today?  Not
> that we know of.
> 
> Cheers,
> 
> 						- Ted
> 
> P.S.  If some security researcher wants to find such a way, to educate
> people on why using LTS kernels is superior, they should feel free to
> consider this a challenge.  :-P

I agree.

Thanks,
Siddh

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2024-12-10  6:08       ` Siddh Raman Pant
@ 2025-01-06 18:09         ` Theodore Ts'o
  2025-01-06 18:14           ` gregkh
  0 siblings, 1 reply; 7+ messages in thread
From: Theodore Ts'o @ 2025-01-06 18:09 UTC (permalink / raw)
  To: Siddh Raman Pant
  Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, cve

It looks like this CVE hasn't been revoked yet, at least per
nvd.nist.gov?  Is that the best way to check kernel CVE's status?

Thanks,
					- Ted
					

On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote:
> On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote:
> > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote:
> > > Ok, so should it be revoked?
> 
> Yes, as this was an incorrect attempt at fixing CVE-2024-42305.
> 
> > We're not aware of a way of triggering the OOB error, so in that sense
> > the CVE is not valid.  There might be a way that someone might be able
> > to trigger it in the future; in that hypothetical future, there might
> > be some other fix that would address the root cause, but this would be
> > a belt and suspenders thing that might prevent that (hypothetical)
> > future.  So in that sense, it is highly commended that enterprise
> > distros and people who are not following the LTS kernels take this
> > patch.  But is it actually fixing a known vulnerability today?  Not
> > that we know of.
> > 
> > Cheers,
> > 
> > 						- Ted
> > 
> > P.S.  If some security researcher wants to find such a way, to educate
> > people on why using LTS kernels is superior, they should feel free to
> > consider this a challenge.  :-P
> 
> I agree.
> 
> Thanks,
> Siddh



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2025-01-06 18:09         ` Theodore Ts'o
@ 2025-01-06 18:14           ` gregkh
  2025-01-07  8:47             ` gregkh
  0 siblings, 1 reply; 7+ messages in thread
From: gregkh @ 2025-01-06 18:14 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org, cve

On Mon, Jan 06, 2025 at 01:09:16PM -0500, Theodore Ts'o wrote:
> It looks like this CVE hasn't been revoked yet, at least per
> nvd.nist.gov?  Is that the best way to check kernel CVE's status?

Yes it is, but I don't recall a concrete "please revoke this CVE"
request which is why it didn't happen.  Do you really want it revoked?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1
  2025-01-06 18:14           ` gregkh
@ 2025-01-07  8:47             ` gregkh
  0 siblings, 0 replies; 7+ messages in thread
From: gregkh @ 2025-01-07  8:47 UTC (permalink / raw)
  To: Theodore Ts'o; +Cc: Siddh Raman Pant, linux-kernel@vger.kernel.org, cve

On Mon, Jan 06, 2025 at 07:14:18PM +0100, gregkh@linuxfoundation.org wrote:
> On Mon, Jan 06, 2025 at 01:09:16PM -0500, Theodore Ts'o wrote:
> > It looks like this CVE hasn't been revoked yet, at least per
> > nvd.nist.gov?  Is that the best way to check kernel CVE's status?
> 
> Yes it is, but I don't recall a concrete "please revoke this CVE"
> request which is why it didn't happen.  Do you really want it revoked?

Ok, now revoked.

thanks

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2025-01-07  8:47 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <2024102133-CVE-2024-49967-a58a@gregkh>
2024-12-09 12:30 ` CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Siddh Raman Pant
2024-12-09 13:08   ` gregkh
2024-12-09 16:26     ` Theodore Ts'o
2024-12-10  6:08       ` Siddh Raman Pant
2025-01-06 18:09         ` Theodore Ts'o
2025-01-06 18:14           ` gregkh
2025-01-07  8:47             ` gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox