Date: Tue, 27 Feb 2024 10:53:43 +0100 (CET)
From: Jiri Kosina
To: Greg Kroah-Hartman
cc: Michal Hocko, cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
In-Reply-To: <2024022750-treble-wish-b009@gregkh>
References: <2024022257-CVE-2023-52451-7bdb@gregkh> <2024022639-wronged-grafted-6777@gregkh> <2024022652-defective-fretful-3d13@gregkh> <2024022750-treble-wish-b009@gregkh>
User-Agent: Alpine 2.21 (LSU 202 2017-01-01)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 27 Feb 2024, Greg Kroah-Hartman wrote:

> Ok, I traced this call back, and here is the call path, starting with a
> write to the 'dlpar' sysfs file (conveniently NOT documented in
> Documentation/ABI, and it looks like it violates the "one value per
> file" rule...)
>
> dlpar_store()
>   handle_dlpar_errorlog()
>     dlpar_memory()
>       dlpar_memory_remove_by_index()
>
> Yes, the kernel by default sets 'dlpar' to 0644, BUT that means that
> root in a container can cause this use-after-free to happen, or if the
> permissions are changed by userspace, or if you are in "lockdown mode",
> or if you want to attempt the crazy "confidential computing" model, or
> if you have a system in which root is possible for some things by normal
> users (there are lots of different security models out there...)

Whatever the security threat model, whoever can offline memory by writing
to this file can kill the machine already. So there is no *additional*
security issue fixed by this that'd justify a CVE.

-- 
Jiri Kosina
SUSE Labs