Date: Tue, 27 Feb 2024 09:51:38 +0100
From: Michal Hocko
To: Greg Kroah-Hartman, Michael Ellerman
Cc: cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
References: <2024022257-CVE-2023-52451-7bdb@gregkh> <2024022639-wronged-grafted-6777@gregkh> <2024022652-defective-fretful-3d13@gregkh>
In-Reply-To: <2024022750-treble-wish-b009@gregkh>

[Let me add Michael as PPC maintainer - the thread starts with
http://lkml.kernel.org/r/2024022257-CVE-2023-52451-7bdb@gregkh]

On Tue 27-02-24 06:14:45, Greg KH wrote:
> On Mon, Feb 26, 2024 at 05:36:57PM +0100, Michal Hocko wrote:
[...]
> > All that being said I dispute the issue fixed here has any more security
> > relevance than allowing untrusted user to control memory hotplug which
> > could easily result in DoS of the system.
>
> Ok, I traced this call back, and here is the callpath, starting with a
> write to the 'dlpar' sysfs file (conveniently NOT documented in
> Documentation/ABI, and it looks like it violates the "one value per
> file" rule...)
>
>	dlpar_store()
>		handle_dlpar_errorlog()
>			dlpar_memory()
>				dlpar_memory_remove_by_index()
>
> Yes, the kernel by default sets 'dlpar' to 0644, BUT that means that
> root in a container can cause this use-after-free to happen, or if the
> permissions are changed by userspace, or if you are in "lockdown mode",
> or if you want to attempt the crazy "confidential computing" model, or
> if you have a system which root is possible for some things by normal
> users (there are lots of different security models out there...)

This is all nice but please do realize that if you allow access to
memory hotremove to any untrusted entity (be it a root in container or
by changing access permissions) then the machine is in a serious resource
management control trouble already and that is a security threat already.

> Yes, I will argue that making the sysfs file writable by userspace is
> out of our control, but what is in our control is the fact that there is
> an out-of-bounds write that is fixed here, and we don't want those to be
> able to be triggered by anyone as that is a weakness in our codebase.

Yes, and that is why the fix is good and nobody disputes that. What I am
actually trying to drill down to is whether this is an actual security
threat worth assigning a CVE or it is just yet-another-pointless-CVE we
were so used to with the old process.

> That is what has caused the CVE to be created here, not the fact that
> root can remove memory as that's the normal expected operation to have
> happen here.
>
> However if the maintainer of the code here disputes this, we are more
> than willing to mark this invalid and reject the CVE.

Michael, do you see any real security risk being addressed by
bd68ffce69f6 ("powerpc/pseries/memhp: Fix access beyond end of drmem
array").

Thanks!
-- 
Michal Hocko
SUSE Labs
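The class of defect the subject line names (a lookup over a fixed-size block table that ends up touching the slot past the end of the array), as an added illustrative example in C. This is not the kernel's code and not the bd68ffce69f6 fix itself; `struct lmb`, `lmbs`, `LMB_COUNT` and all three functions are constructed stand-ins for a drmem-style table. It shows the cursor-reuse pattern that produces the out-of-bounds access when a lookup key (such as a DRC index arriving through a sysfs write) matches no entry, next to the hardened form that tracks the match separately and reports the key instead of dereferencing the cursor. The buggy variant deliberately never dereferences the past-the-end pointer; it only reports which slot the cursor ends on so the effect is visible without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a drmem-style table of logical memory blocks.
 * Illustrative only; this is not the kernel's struct drmem_lmb. */
struct lmb {
	uint64_t base_addr;
	uint32_t drc_index;
};

#define LMB_COUNT 4
static struct lmb lmbs[LMB_COUNT] = {
	{ 0x00000000, 0x80000000 },
	{ 0x10000000, 0x80000001 },
	{ 0x20000000, 0x80000002 },
	{ 0x30000000, 0x80000003 },
};

/* Bug pattern: a pointer cursor walks the table and is reused after the
 * loop. If no entry matches, the loop exits with lmb == &lmbs[LMB_COUNT],
 * one element past the end. Reading lmb->base_addr there (say, for a
 * "failed to remove" debug message) is an out-of-bounds read.
 *
 * To keep this example well-defined we never dereference the cursor; we
 * return the slot index it ends on, which is LMB_COUNT on a miss. */
static size_t cursor_slot_after_lookup(uint32_t drc_index)
{
	struct lmb *lmb;

	for (lmb = lmbs; lmb < &lmbs[LMB_COUNT]; lmb++) {
		if (lmb->drc_index == drc_index)
			break;
	}
	return (size_t)(lmb - lmbs);	/* == LMB_COUNT when nothing matched */
}

/* Hardened pattern: keep the match in its own variable, handle the miss
 * explicitly, and log the lookup key rather than anything reached through
 * the cursor. Returns 0 and fills *base on a hit, -1 on a miss. */
static int lookup_lmb_base(uint32_t drc_index, uint64_t *base)
{
	const struct lmb *lmb, *found = NULL;

	for (lmb = lmbs; lmb < &lmbs[LMB_COUNT]; lmb++) {
		if (lmb->drc_index == drc_index) {
			found = lmb;
			break;
		}
	}
	if (!found) {
		fprintf(stderr, "no LMB with DRC index 0x%x\n", drc_index);
		return -1;
	}
	*base = found->base_addr;
	return 0;
}

/* Convenience wrapper: base address on a hit, -1 on a miss. The base
 * addresses in the constructed table are small enough to fit in a long. */
static long lmb_base_or_minus_one(uint32_t drc_index)
{
	uint64_t base;

	if (lookup_lmb_base(drc_index, &base) != 0)
		return -1;
	return (long)base;
}

int main(void)
{
	printf("hit  0x80000002 -> cursor slot %zu\n",
	       cursor_slot_after_lookup(0x80000002));
	printf("miss 0xdeadbeef -> cursor slot %zu (LMB_COUNT=%d, out of bounds)\n",
	       cursor_slot_after_lookup(0xdeadbeef), LMB_COUNT);
	printf("hardened miss   -> %ld\n", lmb_base_or_minus_one(0xdeadbeef));
	return 0;
}
```

The point for review and detection: any code that reuses a range-for cursor after the loop needs a separate "found" variable or an explicit miss branch, and a past-the-end read on the error path is exactly the kind of access that KASAN-style bounds checking reports when the miss case is exercised in testing.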