From: Michal Hocko <mhocko@suse.com>
To: Lee Jones <lee@kernel.org>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
cve@kernel.org, linux-kernel@vger.kernel.org,
Joel Granados <j.granados@samsung.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers
Date: Tue, 12 Mar 2024 10:45:28 +0100 [thread overview]
Message-ID: <ZfAkOFAV15BDMU7F@tiehlicka> (raw)
In-Reply-To: <20240312091730.GU86322@google.com>
On Tue 12-03-24 09:17:30, Lee Jones wrote:
[...]
> > Backporting this is fine, but wouldn't fix an issue unless an external
> > module had empty sysctls. And exploiting this is not possible unless
> > you purposely build an external module which could end up with empty
> > sysctls.
Thanks for the clarification Luis!
> Thanks for the amazing explanation Luis.
>
> If I'm reading this correctly, an issue does exist, but an attacker
> would have to lay some foundations before it could be triggered. Sounds
> like loading of a malicious or naive module would be enough.
If the bar is set as high as a kernel module to create and empty sysctl
directory then I think it is safe to say that the security aspect is
mostly moot. There are much simpler ways to attack the system if you are
able to load a kernel module.
> We know from conducting postmortems on previous exploits that successful
> attacks often consist of leveraging a chain of smaller, seemingly
> implausible or innocuous looking bugs rather than in isolation.
>
> With that in mind, it is still my belief that this could be used by an
> attacker in such a chain. Unless I have this totally wrong or any of
> the maintainers have strong feelings to the contrary, I would like to
> keep the CVE number associated with this fix.
No, no real strong feelings but I have to say that I find a CVE more
than a stretch. Kernel modules could do much more harm than just abuse
this particular bug.
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2024-03-12 9:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024030645-CVE-2023-52596-b98e@gregkh>
2024-03-11 8:11 ` CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers Michal Hocko
2024-03-11 21:57 ` Luis Chamberlain
2024-03-12 9:17 ` Lee Jones
2024-03-12 9:45 ` Michal Hocko [this message]
2024-03-12 15:11 ` Luis Chamberlain
2024-03-12 15:49 ` Lee Jones
2024-03-12 18:04 ` Luis Chamberlain
2024-03-12 21:47 ` Kees Cook
2024-03-13 8:01 ` Lee Jones
2024-03-20 18:59 ` Pavel Machek
2024-03-20 15:30 ` Michal Hocko
2024-03-12 11:20 ` Joel Granados
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZfAkOFAV15BDMU7F@tiehlicka \
--to=mhocko@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=j.granados@samsung.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox