From: Pavel Machek <pavel@ucw.cz>
To: Lee Jones <lee@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Michal Hocko <mhocko@suse.com>,
cve@kernel.org, linux-kernel@vger.kernel.org,
Joel Granados <j.granados@samsung.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers
Date: Wed, 20 Mar 2024 19:59:34 +0100
Message-ID: <ZfsyFm46YM2cbqDR@duo.ucw.cz>
In-Reply-To: <20240313080132.GD1522089@google.com>
Hi!
> > I have tried to argue before that it's up to the core kernel code to Do
> > The Right Thing, even in the face of crappy out-of-tree code, so to me,
> > since this is a (very very very limited) weakness in the core kernel
> > code, give it a CVE.
> >
> > My attempt at a CVSS for it yields a 3.4 overall:
> > AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X
> > https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X&version=3.1
>
> Thank you Luis and Kees for your input. Your efforts are very much
> appreciated. I have read and digested everyone's points.
>
> Since no one (including myself) is willing to conclude that this
> represents _zero_ risk, the allocation will not be rescinded. In our
Well, if you insist this is a real risk (it is not), would you be so kind
as to at least fix the "vulnerability" description?
"Module can trigger BUG_ON in kernel" would be suitable, according to
the discussion. Current description is copy/paste nonsense :-(.
Best regards,
Pavel
https://nvd.nist.gov/vuln/detail/CVE-2023-52596
Description
In the Linux kernel, the following vulnerability has been resolved:
sysctl: Fix out of bounds access for empty sysctl registers When
registering tables to the sysctl subsystem there is a check to see if
header is a permanently empty directory (used for mounts). This check
evaluates the first element of the ctl_table. This results in an out
of bounds evaluation when registering empty directories. The function
register_sysctl_mount_point now passes a ctl_table of size 1 instead
of size 0. It now relies solely on the type to identify a permanently
empty register. Make sure that the ctl_table has at least one element
before testing for permanent emptiness.
--
People of Russia, stop Putin before his war on Ukraine escalates.
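As an added illustration (not the kernel's code and not part of this thread), the following user-space model reproduces the shape of the check the CVE description refers to: a register is a header carrying a pointer to an array of ctl_table entries plus an element count; the pre-fix logic inspects element 0 unconditionally, while the post-fix logic requires at least one element before testing for permanent emptiness. The struct layout, field names, function names and the sample registers are assumptions chosen to mirror the description, not the kernel's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, assumed layouts for this illustration; the kernel's
 * struct ctl_table and struct ctl_table_header carry many more fields. */
enum ctl_type {
	CTL_TYPE_DEFAULT = 0,
	CTL_TYPE_PERMANENTLY_EMPTY = 1,	/* directory used only as a mount point */
};

struct ctl_table {
	const char *procname;
	enum ctl_type type;
};

struct ctl_table_header {
	const struct ctl_table *ctl_table;
	size_t ctl_table_size;		/* number of entries actually registered */
};

static int entry_is_perm_empty(const struct ctl_table *t)
{
	return t->type == CTL_TYPE_PERMANENTLY_EMPTY;
}

/* Pre-fix shape of the check: inspects ctl_table[0] regardless of size.
 * With ctl_table_size == 0 that read lands one entry past the register. */
static int insert_header_unchecked(const struct ctl_table_header *h)
{
	if (entry_is_perm_empty(&h->ctl_table[0]))
		return -EROFS;	/* permanently empty: refuse further registration */
	return 0;
}

/* Post-fix shape: make sure there is at least one element before
 * looking at it, as the description says. */
static int insert_header_checked(const struct ctl_table_header *h)
{
	if (h->ctl_table_size > 0 && entry_is_perm_empty(&h->ctl_table[0]))
		return -EROFS;
	return 0;
}

/* Constructed sample registers.
 *
 * empty_register declares zero entries, but its pointer is deliberately
 * backed by one real entry so the demo stays inside valid memory: that
 * entry plays the role of whatever happens to sit just past an empty table. */
static const struct ctl_table stale_after_end[1] = {
	{ "stale", CTL_TYPE_PERMANENTLY_EMPTY },
};
static const struct ctl_table_header empty_register = { stale_after_end, 0 };

/* The size-1 mount-point table the description says replaces the size-0 one. */
static const struct ctl_table mount_point[1] = {
	{ "", CTL_TYPE_PERMANENTLY_EMPTY },
};
static const struct ctl_table_header mount_point_register = { mount_point, 1 };

/* An ordinary register with two entries (names are illustrative). */
static const struct ctl_table kernel_entries[2] = {
	{ "hostname", CTL_TYPE_DEFAULT },
	{ "domainname", CTL_TYPE_DEFAULT },
};
static const struct ctl_table_header kernel_register = { kernel_entries, 2 };

int main(void)
{
	printf("empty register:  unchecked=%d checked=%d\n",
	       insert_header_unchecked(&empty_register),
	       insert_header_checked(&empty_register));
	printf("mount point:     unchecked=%d checked=%d\n",
	       insert_header_unchecked(&mount_point_register),
	       insert_header_checked(&mount_point_register));
	printf("normal register: unchecked=%d checked=%d\n",
	       insert_header_unchecked(&kernel_register),
	       insert_header_checked(&kernel_register));
	return 0;
}
```

The point of the empty-register case is that the unchecked variant's decision is driven entirely by memory outside the declared table: here that memory is pinned to a valid entry so the program is deterministic, whereas in the kernel it is whatever follows the allocation, which is how an out-of-tree caller registering an empty table can end up with a bogus result or a fault. The size-1 mount-point table is handled identically by both variants, which is why the description can move register_sysctl_mount_point to size 1 and rely on the type alone.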
Thread overview: 12+ messages
[not found] <2024030645-CVE-2023-52596-b98e@gregkh>
2024-03-11 8:11 ` CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers Michal Hocko
2024-03-11 21:57 ` Luis Chamberlain
2024-03-12 9:17 ` Lee Jones
2024-03-12 9:45 ` Michal Hocko
2024-03-12 15:11 ` Luis Chamberlain
2024-03-12 15:49 ` Lee Jones
2024-03-12 18:04 ` Luis Chamberlain
2024-03-12 21:47 ` Kees Cook
2024-03-13 8:01 ` Lee Jones
2024-03-20 18:59 ` Pavel Machek [this message]
2024-03-20 15:30 ` Michal Hocko
2024-03-12 11:20 ` Joel Granados