Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

[Michal Hocko <mhocko@suse.com>]

On Wed 28-02-24 09:12:15, Kees Cook wrote:
> On Wed, Feb 28, 2024 at 01:04:14PM +0100, Michal Hocko wrote:
> > On Tue 27-02-24 10:35:40, Kees Cook wrote:
> > > On Mon, Feb 26, 2024 at 04:25:09PM +0100, Michal Hocko wrote:
> > [...]
> > > > Does that mean that any potentially incorrect input provided by an admin is
> > > > considered CVE now?
> > > 
> > > Yes. Have you seen what USER_NS does? There isn't a way to know how
> > > deployments are using Linux, and this is clearly a "weakness" as defined
> > > by CVE. It is better to be over zealous than miss things.
> > 
> > If we are over zealous to the point when almost any fix is marked CVE
> > then the special marking simply stops making any sense IMHO.
> 
> Perhaps, but the volume of fixes is high, and I think it's better to
> over estimate than under estimate -- the work needed to actually
> evaluate all these changes is huge: it's better to take everything from
> -stable.

This is simply not feasible for many downstream kernels and reasons have
been discussed many times.

> This has been a long standing problem with communicating this
> to engineering management in many organizations. They have pointed to
> the relatively small number of CVEs and said, "just backport those
> fixes", and trying to explain that it's is totally insufficient falls on
> deaf ears.

I think it is fair to say/expect that every downstream is responsibile
for the kernel they are distributing and that applies to vulnerabilities
affecting those kernels. Forcing fixes by slapping CVE over them sounds
just very dubious to me.

-- 
Michal Hocko
SUSE Labs