Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Michal Hocko <mhocko@suse.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
Date: Mon, 26 Feb 2024 16:25:09 +0100	[thread overview]
Message-ID: <ZdytVTOgfvKBBvtn@tiehlicka> (raw)
In-Reply-To: <2024022639-wronged-grafted-6777@gregkh>

On Mon 26-02-24 16:06:51, Greg KH wrote:
> On Mon, Feb 26, 2024 at 03:52:11PM +0100, Michal Hocko wrote:
> > On Thu 22-02-24 17:21:58, Greg KH wrote:
> > > Description
> > > ===========
> > > 
> > > In the Linux kernel, the following vulnerability has been resolved:
> > > 
> > > powerpc/pseries/memhp: Fix access beyond end of drmem array
> > > 
> > > dlpar_memory_remove_by_index() may access beyond the bounds of the
> > > drmem lmb array when the LMB lookup fails to match an entry with the
> > > given DRC index. When the search fails, the cursor is left pointing to
> > > &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
> > > last valid entry in the array. The debug message at the end of the
> > > function then dereferences this pointer:
> > > 
> > >         pr_debug("Failed to hot-remove memory at %llx\n",
> > >                  lmb->base_addr);
> > 
> > While this is a reasonable fix and the stable material it is really
> > unclear to me why it has gained a CVE. Memory hotplug is a privileged
> > operation. Could you clarify please?
> 
> As you know, history has shown us that accessing out of your allocated
> memory can cause problems, and we can not assume use-cases, as we don't
> know how everyone uses our codebase, so marking places where we fix
> out-of-bound memory accesses is resolving a weakness in the codebase,
> hence a CVE assignment.

Does that mean that any potentially incorrect input provided by an admin is
considered CVE now? I guess we would need to ban interfaces like
/dev/mem and many others.
 
> If your systems are not vulnerable to this specific issue, wonderful, no
> need to take it, but why wouldn't you want to take a fix that resolves a
> known weakness?

I have explicitly said, the fix is reasonable. I just do not see a point
to mark it as CVE. I fail to see any thread model where this would
matter as it would require untrusted privileged actor to trigger it
AFAICS. I am happy to be proven wrong here.

-- 
Michal Hocko
SUSE Labs

next prev parent reply	other threads:[~2024-02-26 15:25 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <2024022257-CVE-2023-52451-7bdb@gregkh>
2024-02-26 14:52 ` CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array Michal Hocko
2024-02-26 15:06   ` Greg Kroah-Hartman
2024-02-26 15:25     ` Michal Hocko [this message]
2024-02-26 16:12       ` Greg Kroah-Hartman
2024-02-26 16:36         ` Michal Hocko
2024-02-27  5:14           ` Greg Kroah-Hartman
2024-02-27  8:51             ` Michal Hocko
2024-03-03 12:02               ` Michael Ellerman
2024-02-27  9:53             ` Jiri Kosina
2024-02-27 18:35       ` Kees Cook
2024-02-28 12:04         ` Michal Hocko
2024-02-28 17:12           ` Kees Cook
2024-02-29  8:22             ` Michal Hocko
2024-02-29  8:35               ` Greg Kroah-Hartman
2024-02-29  9:41                 ` Michal Hocko
2024-02-29 14:18                   ` Greg Kroah-Hartman
2024-02-29 15:08                     ` Kees Cook
2024-02-29 17:36                       ` Michal Hocko
2024-02-29 15:09                     ` Jiri Kosina
2024-02-29 16:09                       ` Sasha Levin
2024-02-29 17:11                         ` Jiri Kosina
2024-02-29 17:36                           ` Jiri Kosina
2024-02-29 18:32                             ` Greg Kroah-Hartman
2024-02-29 17:38                           ` Sasha Levin
2024-02-29 10:03                 ` Pavel Machek
2024-02-29 10:00         ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZdytVTOgfvKBBvtn@tiehlicka \
    --to=mhocko@suse.com \
    --cc=cve@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox