2024-02-25 18:52:13

by Harshit Mogalapalli

Subject: Re: CVE-2023-52471: ice: Fix some null pointer dereference issues in ice_ptp.c

Hi Greg,

On 25/02/24 13:46, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> ice: Fix some null pointer dereference issues in ice_ptp.c
>
> devm_kasprintf() returns a pointer to dynamically allocated memory
> which can be NULL upon failure.
>

I have a question about this and a couple of other CVEs:

CVE-2023-52465: -- devm_kzalloc() and devm_kasprintf() failures
CVE-2023-52467: -- kasprintf() failure
CVE-2023-52471: -- devm_kasprintf() failure
CVE-2023-52472: -- allocation failure

As it's widely believed that small kmallocs cannot fail, is it worth
having CVEs for the above bug fixes?

Thanks,
Harshit

> The Linux kernel CVE team has assigned CVE-2023-52471 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> Issue introduced in 6.7 with commit d938a8cca88a and fixed in 6.7.2 with commit 3cd9b9bee33f
> Issue introduced in 6.7 with commit d938a8cca88a and fixed in 6.8-rc1 with commit 3027e7b15b02
>
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions. The official CVE entry at
> https://cve.org/CVERecord/?id=CVE-2023-52471
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> drivers/net/ethernet/intel/ice/ice_ptp.c
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes. Individual
> changes are never tested alone, but rather are part of a larger kernel
> release. Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all. If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> https://git.kernel.org/stable/c/3cd9b9bee33f39f6c6d52360fe381b89a7b12695
> https://git.kernel.org/stable/c/3027e7b15b02d2d37e3f82d6b8404f6d37e3b8cf
>



2024-02-26 05:39:26

by Greg Kroah-Hartman

Subject: Re: CVE-2023-52471: ice: Fix some null pointer dereference issues in ice_ptp.c

On Mon, Feb 26, 2024 at 12:21:40AM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 25/02/24 13:46, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > ice: Fix some null pointer dereference issues in ice_ptp.c
> >
> > devm_kasprintf() returns a pointer to dynamically allocated memory
> > which can be NULL upon failure.
> >
>
> I have a question about this and a couple of other CVEs:
>
> CVE-2023-52465: -- devm_kzalloc() and devm_kasprintf() failures
> CVE-2023-52467: -- kasprintf() failure
> CVE-2023-52471: -- devm_kasprintf() failure
> CVE-2023-52472: -- allocation failure
>
> As it's widely believed that small kmallocs cannot fail, is it worth having
> CVEs for the above bug fixes?

If you believe that, then sure, don't worry about these individual
commits. But if you don't believe it (after all, why would we add
checks if the code could never fail?), then perhaps you should take
them.

In other words, why would you NOT take a known fix for a weakness in the
codebase?

thanks,

greg k-h
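
Added example, not part of the thread and not code from the ice driver: a userspace model of the checked-allocation pattern the CVE description refers to, with an injected failure standing in for a kasprintf()-style call returning NULL. The names model_kasprintf, name_pins, fail_after and the "pin-%d" format are hypothetical.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for kasprintf(); all names here are hypothetical. */
static int fail_after = -1;  /* -1: never fail; n: fail after n successes */
static int live_allocs;      /* outstanding buffers, to detect leaks */

static char *model_kasprintf(const char *fmt, ...)
{
    va_list ap;
    char *buf;

    if (fail_after == 0 || !(buf = malloc(32)))
        return NULL;              /* injected or real allocation failure */
    if (fail_after > 0)
        fail_after--;
    va_start(ap, fmt);
    vsnprintf(buf, 32, fmt, ap);  /* fixed size keeps the model short */
    va_end(ap);
    live_allocs++;
    return buf;
}

/* Checked pattern: test each result before use, unwind on failure. */
static int name_pins(char **names, int n)
{
    for (int i = 0; i < n; i++) {
        names[i] = model_kasprintf("pin-%d", i);
        if (!names[i]) {
            while (i--) {         /* free only what was allocated so far */
                free(names[i]);
                live_allocs--;
            }
            return -ENOMEM;
        }
    }
    return 0;
}

int main(void)
{
    char *names[4];
    int ret;

    fail_after = 2;  /* constructed scenario: the third allocation fails */
    ret = name_pins(names, 4);
    printf("ret=%d leaked=%d\n", ret, live_allocs);
    return 0;
}
```

Without the NULL test in name_pins(), the first later use of names[i] as a string would dereference NULL on the failing path.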