From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 68E5313665B for ; Mon, 6 Jan 2025 18:09:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=18.9.28.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736186969; cv=none; b=aJnIuPMu7q8Dig1nH4S6MeVGN+48uNxuVh780LTTW0KaSaY+eJl1LrE2AxnyCGnWE6vH4AJWB+Go570ipO90RlCCvsZE3aRslLtF4q5vQCgDTlQrlDb41niqKKxj4nfbqQxjHw+rPK6M71kxs+TkpwzTEsNWV4jfyc132aYlJIk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736186969; c=relaxed/simple; bh=sXh0Qg70+Gie5Lnj/ZwEjhK+Kz46CSWTZPM8uBy6qvQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Hhd+x9flgL+E/h0CMP1EdzgHDo8MDJoNMdsq9KBhkI9WWWwLEU3HayxMaesRD3sOyuZlyP8C59ArsdXA2POh2AFN7TSYhSlFn2/ug5H9J/XDc4nmNn6CZYIvjQ5WKMhX6peurufyZP0BKZ5UCPG9mXnYcahPR4CTyOo9Xoi5rfg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu; spf=pass smtp.mailfrom=mit.edu; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b=eTfi/3cL; arc=none smtp.client-ip=18.9.28.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mit.edu Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b="eTfi/3cL" Received: from cwcc.thunk.org (pool-173-48-117-149.bstnma.fios.verizon.net [173.48.117.149]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 506I9GtQ009597 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 6 Jan 2025 13:09:17 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1736186958; bh=yl9N8t5TQORc5wT2ozTUWlNhIPvOkP6lbMiKb08OSYQ=; h=Date:From:Subject:Message-ID:MIME-Version:Content-Type; b=eTfi/3cLlhmM5T5OAEGzNquTYP+whxPWjKqb4j+azJ4XMxv7OMIcEd9x/5sIAZ/Iy XdquU9i/Ckhp0HlrtqxeABrOfYzwvfH/hlfqOlHqOy5PkZng8h08KVoMlS9W2oeV+q W1M38S9ZXj0iGdgzqB0QZoRgUYBwttkrtoEh14C7nzExQS+Q+XpAlXqhualpVM93ea C74M0ORxzXqM5NaWt2MD9rdE0uzKpnPgA1jjFRYi1lPGQdU3RbZMyFLIInNmupAJYu EVioX7CmqkRB7p265IpFZDfPntqwVKymN0jPZhdFCDdjAh/c42p/17kCgFQZQJrLHb 7Y6LDkW0OB7xQ== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 07F6815C0164; Mon, 06 Jan 2025 13:09:16 -0500 (EST) Date: Mon, 6 Jan 2025 13:09:16 -0500 From: "Theodore Ts'o" To: Siddh Raman Pant Cc: "gregkh@linuxfoundation.org" , "linux-kernel@vger.kernel.org" , cve@kernel.org Subject: Re: CVE-2024-49967: ext4: no need to continue when the number of entries is 1 Message-ID: <20250106180916.GI1284777@mit.edu> References: <2024102133-CVE-2024-49967-a58a@gregkh> <2024120952-decorator-lyricist-1e9a@gregkh> <20241209162623.GA1667758@mit.edu> <87a034f185ff5e865bc5d0db8121c39086c4f5c9.camel@oracle.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87a034f185ff5e865bc5d0db8121c39086c4f5c9.camel@oracle.com> It looks like this CVE hasn't been revoked yet, at least per nvd.nist.gov? Is that the best way to check kernel CVE's status? Thanks, - Ted On Tue, Dec 10, 2024 at 06:08:46AM +0000, Siddh Raman Pant wrote: > On Mon, Dec 09 2024 at 21:56:23 +0530, Theodore Ts'o wrote: > > On Mon, Dec 09, 2024 at 02:08:02PM +0100, gregkh@linuxfoundation.org wrote: > > > Ok, so should it be revoked? > > Yes, as this was an incorrect attempt at fixing CVE-2024-42305. > > > We're not aware of a way of triggering the OOB error, so in that sense > > the CVE is not valid. There might be a way that someone might be able > > to trigger it in the future; in that hypothetical future, there might > > be some other fix that would address the root cause, but this would be > > a belt and suspenders thing that might prevent that (hypothetical) > > future. So in that sense, it is highly commended that enterprise > > distros and people who are not following the LTS kernels take this > > patch. But is it actually fixing a known vulnerability today? Not > > that we know of. > > > > Cheers, > > > > - Ted > > > > P.S. If some security researcher wants to find such a way, to educate > > people on why using LTS kernels is superior, they should feel free to > > consider this a challenge. :-P > > I agree. > > Thanks, > Siddh