2017-09-08 16:15:59

by grygorii tertychnyi

Subject: [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

Hi Greg,

Could you please apply it for 4.4-stable.
This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985

Takashi Iwai (1):
ALSA: msnd: Optimize / harden DSP and MIDI loops

sound/isa/msnd/msnd_midi.c | 30 +++++++++++++++---------------
sound/isa/msnd/msnd_pinnacle.c | 23 ++++++++++++-----------
2 files changed, 27 insertions(+), 26 deletions(-)

--
2.10.3.dirty


2017-09-08 16:28:11

by Greg Kroah-Hartman

Subject: Re: [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Fri, Sep 08, 2017 at 09:06:25AM -0700, grygorii tertychnyi wrote:
> Hi Greg,
>
> Could you please apply it for 4.4-stable.
> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985

Why just 4.4? What about 4.12, 4.9, and any others?

thanks,

greg k-h

2017-09-08 16:58:00

by Takashi Iwai

Subject: Re: [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Fri, 08 Sep 2017 18:06:25 +0200,
grygorii tertychnyi wrote:
>
> Hi Greg,
>
> Could you please apply it for 4.4-stable.
> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985

This vulnerability is just a non-issue. You can't get it working
practically; it requires modified hardware of the decade-old ISA
sound card, and yet the system has to load / set up the module
beforehand. We should withdraw it from CVE, IMO.


thanks,

Takashi

>
> Takashi Iwai (1):
> ALSA: msnd: Optimize / harden DSP and MIDI loops
>
> sound/isa/msnd/msnd_midi.c | 30 +++++++++++++++---------------
> sound/isa/msnd/msnd_pinnacle.c | 23 ++++++++++++-----------
> 2 files changed, 27 insertions(+), 26 deletions(-)
>
> --
> 2.10.3.dirty
>

2017-09-08 17:57:06

by grygorii tertychnyi

Subject: Re: [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops


>> Hi Greg,
>>
>> Could you please apply it for 4.4-stable.
>> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
>
> This vulnerability is just a non-issue. You can't get it working
> practically; it requires modified hardware of the decade-old ISA
> sound card, and yet the system has to load / set up the module
> beforehand. We should withdraw it from CVE, IMO.

I think it is worth having it in 4.4, 4.9 and 4.12 also.

>>
>> Takashi Iwai (1):
>> ALSA: msnd: Optimize / harden DSP and MIDI loops
>>
>> sound/isa/msnd/msnd_midi.c | 30 +++++++++++++++---------------
>> sound/isa/msnd/msnd_pinnacle.c | 23 ++++++++++++-----------
>> 2 files changed, 27 insertions(+), 26 deletions(-)
>>

2017-09-08 19:10:26

by Greg Kroah-Hartman

Subject: Re: [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Fri, Sep 08, 2017 at 06:57:57PM +0200, Takashi Iwai wrote:
> On Fri, 08 Sep 2017 18:06:25 +0200,
> grygorii tertychnyi wrote:
> >
> > Hi Greg,
> >
> > Could you please apply it for 4.4-stable.
> > This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
>
> This vulnerability is just a non-issue. You can't get it working
> practically; it requires modified hardware of the decade-old ISA
> sound card, and yet the system has to load / set up the module
> beforehand. We should withdraw it from CVE, IMO.

Hah, good luck trying to get a CVE withdrawn, people seem to love the
foolish things...

2017-09-12 07:17:41

by Takashi Iwai

Subject: Re: [alsa-devel] [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Fri, 08 Sep 2017 19:47:32 +0200,
Grygorii Tertychnyi (gtertych) wrote:
>
>
> >> Hi Greg,
> >>
> >> Could you please apply it for 4.4-stable.
> >> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
> >
> > This vulnerability is just a non-issue. You can't get it working
> > practically; it requires modified hardware of the decade-old ISA
> > sound card, and yet the system has to load / set up the module
> > beforehand. We should withdraw it from CVE, IMO.
>
> I think it is worth having it in 4.4, 4.9 and 4.12 also.

... even though the code has never been tested on the real hardware?
That doesn't sound good for stable kernels at all. That's why I
didn't put Cc to stable in the patch.


Takashi

2017-09-12 12:34:22

by Greg Kroah-Hartman

Subject: Re: [alsa-devel] [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Tue, Sep 12, 2017 at 09:17:38AM +0200, Takashi Iwai wrote:
> On Fri, 08 Sep 2017 19:47:32 +0200,
> Grygorii Tertychnyi (gtertych) wrote:
> >
> >
> > >> Hi Greg,
> > >>
> > >> Could you please apply it for 4.4-stable.
> > >> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
> > >
> > > This vulnerability is just a non-issue. You can't get it working
> > > practically; it requires modified hardware of the decade-old ISA
> > > sound card, and yet the system has to load / set up the module
> > > beforehand. We should withdraw it from CVE, IMO.
> >
> > I think it is worth having it in 4.4, 4.9 and 4.12 also.
>
> ... even though the code has never been tested on the real hardware?
> That doesn't sound good for stable kernels at all. That's why I
> didn't put Cc to stable in the patch.

Oh, I didn't know that, want me to drop the patch from the stable queues
now?

thanks,

greg k-h

2017-09-12 12:38:20

by Takashi Iwai

Subject: Re: [alsa-devel] [PATCH] ALSA: msnd: Optimize / harden DSP and MIDI loops

On Tue, 12 Sep 2017 14:34:18 +0200,
[email protected] wrote:
>
> On Tue, Sep 12, 2017 at 09:17:38AM +0200, Takashi Iwai wrote:
> > On Fri, 08 Sep 2017 19:47:32 +0200,
> > Grygorii Tertychnyi (gtertych) wrote:
> > >
> > >
> > > >> Hi Greg,
> > > >>
> > > >> Could you please apply it for 4.4-stable.
> > > >> This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
> > > >
> > > > This vulnerability is just a non-issue. You can't get it working
> > > > practically; it requires modified hardware of the decade-old ISA
> > > > sound card, and yet the system has to load / set up the module
> > > > beforehand. We should withdraw it from CVE, IMO.
> > >
> > > I think it is worth having it in 4.4, 4.9 and 4.12 also.
> >
> > ... even though the code has never been tested on the real hardware?
> > That doesn't sound good for stable kernels at all. That's why I
> > didn't put Cc to stable in the patch.
>
> Oh, I didn't know that, want me to drop the patch from the stable queues
> now?

Honestly, I don't mind. The patch should work, and even if it
doesn't, it would be harmless as no one can see the breakage in
practice :)

It's just ridiculous that people urge such a commit for stable kernels
even though they never tested / care about the real cases but only look at
the CVE entry.


thanks,

Takashi