Received: by 2002:ab2:3b09:0:b0:1ed:14ea:9113 with SMTP id b9csp36405lqc;
        Thu, 29 Feb 2024 09:37:02 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUxqkvw/ZvGcZnTc1Xiqv2BcPnEJsMXW4hZXmupq3j4aL9xoeAwnBlOrBuG3s3g2c/NlcCEhKNXmIx/XKpONENXQKW7ZSGJ3/GCnp9htQ==
X-Google-Smtp-Source: AGHT+IHD9rVUEHGhoZ/WukrZypxtYuOV9QjWRRqNQ853Fj0dOBgbE/0zlujEKT5pcYSPW2pcdZnS
X-Received: by 2002:ac8:5811:0:b0:42e:c629:a6f4 with SMTP id g17-20020ac85811000000b0042ec629a6f4mr33296qtg.52.1709228222079;
        Thu, 29 Feb 2024 09:37:02 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709228222; cv=pass;
        d=google.com; s=arc-20160816;
        b=xGPh8OlZ7pyPaYfJeeMuv8QbrNo85aDB4RHZB7HeAd6e7cGIXXpRDtzVdn82egOmnj
         dr9MQ1/0QxN+tiCPPUPnB3HS4zuTgSHKWy6Y9//LURxoExpo5+GcYt33gUnpqJqLVyYw
         2dQ1lXigOkhWrzjxHaAmeirrj9bH+/HDAkyNwrPJXw7KTYOIGWj9YMwjwnf/6p1yJi3N
         GeLenDKUcUWWJyx4fYVduyQDv68voh9gDsKZJ4JfbPH30I9zFdXzpEMxSE9hpHJL/Sw/
         xsGgJajL6cHiKaXPiHwlJ5n/WlZl15kabH1nikLn8YhJFmohS4JKDekX0wyd63z5LfKe
         /6dw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature:dkim-signature;
        bh=vpBFV488mGbzEhc4yj49r8uR7a9BeE38z4pBORJHIdw=;
        fh=ofswc3RM3+b00AgCYMxopUpS/iCmvL2JLL8iZPAgRss=;
        b=qCXZxV+nbtxrrKVtl1ZuhnOa/DHyjUWbKsM75l/xNuZQa6dQ1bCI/rlVwcDDozvLWy
         /f2aeI244j9Z5n58S++eaWKj0Kswki36Y5xkBRIF+l8z8plcynG357UzTvN+YNmytfdU
         3uwPDPY7LuxnLctaou61NURbLVcbqBY4mSNm81fLCqxDWvWYrxOIF2oPYkJL/fAhkzbA
         v5B6HjWyDTWEHttBtusaQ6Lq0w5B4PYfku+C/7X3TyTOI3GfPz79uQY6BhSejX+ZfYFX
         wFAxLkMHR+Vmosy2oYwjoUUGZwtBrR6QuH4xaWJLWP/jOm6Q5ZJ1NCjni3hej0DVRRQW
         0R+w==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=gRsoWfqL;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=gRsoWfqL;
       arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com);
       spf=pass (google.com: domain of linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Return-Path: <linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id r17-20020ac85c91000000b0042c4a131193si1993022qta.362.2024.02.29.09.37.01
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 29 Feb 2024 09:37:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=gRsoWfqL;
       dkim=pass header.i=@suse.com header.s=susede1 header.b=gRsoWfqL;
       arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com);
       spf=pass (google.com: domain of linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-87184-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id BEE581C2179B
	for <linux.lists.archive@gmail.com>; Thu, 29 Feb 2024 17:37:01 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 6932670AED;
	Thu, 29 Feb 2024 17:36:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="gRsoWfqL";
	dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b="gRsoWfqL"
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B175570AE6
	for <linux-kernel@vger.kernel.org>; Thu, 29 Feb 2024 17:36:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=195.135.223.131
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709228186; cv=none; b=Caz99SxyJ6FTHmFhBhCS01kt3EWzl+YV9luNgqGGNV4HdHnOmSeD1RcoyABJSKeobAFkri8aTgsMHAA/p+sLfbu5r0YMCo7OajPhrOA2Idgifx63JXNhD0yGpJ+6UbrQo4Bx0+jx2sUe0VEdRwmQp8DkiqKL4dNT/+r4vhbfCpg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709228186; c=relaxed/simple;
	bh=iR3owAjar1QBrZxphTgj8xGOl+9mw9uymkrVoayhBog=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=orBv7fqBAVdWR0LhemCiUEKH8QczYCnOVg6By7A1e4hQ4UTD0QUuJh6razWYlLf4FDFWvsIj04/v2dZvlMdRpQ2IO3gOOCuOTLzwbE+abb0bhfF4jOswUWsDAIlB19e1fz5ClaeedyxhhXEhyJr5dm1uqCv8UlDmor7jdXPwGa8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=gRsoWfqL; dkim=pass (1024-bit key) header.d=suse.com header.i=@suse.com header.b=gRsoWfqL; arc=none smtp.client-ip=195.135.223.131
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com
Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [10.150.64.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp-out2.suse.de (Postfix) with ESMTPS id A57431FBEF;
	Thu, 29 Feb 2024 17:36:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1709228182; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=vpBFV488mGbzEhc4yj49r8uR7a9BeE38z4pBORJHIdw=;
	b=gRsoWfqL83bYLtZZX2oTiMMF/nqN/gVAL98f+vQWPSR91OeGKOx6EbHpF//e7/n+3TRBR5
	y4LBHgIU7LzJRunqAhL7pzgEebwj4gcPJbW32kdp8Tp+dnF6nlIA0OClrVwu7ih9rc2Fj1
	biET31QXeqPYr5BKuhnEd1lh2Bm7HH4=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1;
	t=1709228182; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=vpBFV488mGbzEhc4yj49r8uR7a9BeE38z4pBORJHIdw=;
	b=gRsoWfqL83bYLtZZX2oTiMMF/nqN/gVAL98f+vQWPSR91OeGKOx6EbHpF//e7/n+3TRBR5
	y4LBHgIU7LzJRunqAhL7pzgEebwj4gcPJbW32kdp8Tp+dnF6nlIA0OClrVwu7ih9rc2Fj1
	biET31QXeqPYr5BKuhnEd1lh2Bm7HH4=
Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 8B8AE13503;
	Thu, 29 Feb 2024 17:36:22 +0000 (UTC)
Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])
	by imap1.dmz-prg2.suse.org with ESMTPSA
	id 4LcaH5bA4GU3TwAAD6G6ig
	(envelope-from <mhocko@suse.com>); Thu, 29 Feb 2024 17:36:22 +0000
Date: Thu, 29 Feb 2024 18:36:21 +0100
From: Michal Hocko <mhocko@suse.com>
To: Kees Cook <kees@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kees Cook <keescook@chromium.org>, cve@kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of
 drmem array
Message-ID: <ZeDAlRyp9L4L7f37@tiehlicka>
References: <2024022639-wronged-grafted-6777@gregkh>
 <ZdytVTOgfvKBBvtn@tiehlicka>
 <202402271029.FD67395@keescook>
 <Zd8hPpP_6q_o8uQW@tiehlicka>
 <202402280906.D6D5590DB@keescook>
 <ZeA-281OudkWBhd_@tiehlicka>
 <2024022915-dissuade-grandson-ebd4@gregkh>
 <ZeBRZqJd5HAKaOfC@tiehlicka>
 <2024022913-borrower-resource-ecc9@gregkh>
 <D06F40E5-0DBC-4FF2-BAF5-2373BDF3815C@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <D06F40E5-0DBC-4FF2-BAF5-2373BDF3815C@kernel.org>
Authentication-Results: smtp-out2.suse.de;
	none
X-Spam-Level: 
X-Spam-Score: -0.81
X-Spamd-Result: default: False [-0.81 / 50.00];
	 ARC_NA(0.00)[];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 TO_DN_SOME(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 RCPT_COUNT_FIVE(0.00)[5];
	 RCVD_COUNT_THREE(0.00)[3];
	 DKIM_SIGNED(0.00)[suse.com:s=susede1];
	 NEURAL_HAM_SHORT(-0.20)[-1.000];
	 DBL_BLOCKED_OPENRESOLVER(0.00)[linuxfoundation.org:email];
	 FUZZY_BLOCKED(0.00)[rspamd.com];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 MID_RHS_NOT_FQDN(0.50)[];
	 RCVD_TLS_ALL(0.00)[];
	 BAYES_HAM(-0.01)[46.37%]
X-Spam-Flag: NO

On Thu 29-02-24 07:08:06, Kees Cook wrote:
> 
> 
> On February 29, 2024 6:18:36 AM PST, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> >As part of the requirement to be a CNA, we have to announce everything
> >that we think is a potential vulnerability, severity not be judged at
> > [...]
> >Again, none of this has anything to do with "severity", it only is an
> >identifier that says "this fixes a vulnerability".
> 
> The language here can perhaps be improved for better understanding by
> folks since "CVE" and "vulnerability" can mean different things to
> different people. I would say "this fixes a weakness".
> 
> CVEs are for anything deemed a "weakness"[1]. It doesn't need to rise
> to the level of what many people would consider a "vulnerability".
> (Modern attacks traditionally chain many weaknesses together to form
> an exploit, some of which look harmless when examined in isolation.)
> 
> I find it helps to keep in mind the "CIA" acronym of what makes up a
> security weakness: "negative impact to Confidentiality, Integrity, or
> Availability". (Not to be confused with the US Gov intelligence org
> with the name acronym, ironically.)

Yes, this makes a lot of sense to me and I believe we are on the same
page here. We have gone in several tangents here but let me just remind
that I was objecting/wondering how much sense does it make to assign CVE
to configurations which are inherently insecure. From a user POV, does
it make me safer to have that addressed when the fundamental
configuration hole (to allow untrusted user to access said resources)
still in place. See my point or do I still fail to explain myself? It is
not about assuming usecases and whatnot.
 
> -Kees
> 
> [1] https://nvd.nist.gov/vuln

-- 
Michal Hocko
SUSE Labs