Date: Thu, 29 Feb 2024 12:38:09 -0500
From: Sasha Levin
To: Jiri Kosina
Cc: Greg Kroah-Hartman, Michal Hocko, Kees Cook, cve@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array
References: <202402271029.FD67395@keescook> <202402280906.D6D5590DB@keescook>
<2024022915-dissuade-grandson-ebd4@gregkh> <2024022913-borrower-resource-ecc9@gregkh>

On Thu, Feb 29, 2024 at 06:11:40PM +0100, Jiri Kosina wrote:
>On Thu, 29 Feb 2024, Sasha Levin wrote:
>
>> >> It's pretty trivial to get root on most of the "enterprise" kernels
>> >
>> >Wow, that's a very strong statement you are making here, and I'd now
>> >really like to ask you to back that up with some real data.
>>
>> Is something like https://www.suse.com/security/cve/CVE-2023-52447.html
>> a good example?
>
>- this fix is on our list/queue to be integrated into one of our kernel
> branches, and was even before it just got CVE assigned, as it references
> a commit in Fixes: that we have present in one of our branches, but
> hasn't been processed yet, mainly because we don't allow unprivileged
> BPF

This comment touches on two points raised in this thread:

Greg's point that instead of taking all the fixes, they end up in queues
waiting to be processed, which means that the trees end up being
vulnerable during that time.

Kees's point that exploitation is rarely a single issue coming into play,
but is usually a long chain of different exploits coming together to
achieve a goal.

>- you pointed to a fix for UAF in BPF, which definitely is a good fix to
> have, I don't even dispute that CVE is justified in this particular
> case. What I haven't yet seen though is how this connects to, in my view,
> rather serious 'trivial to get root' statement

Yes, the patch reads like a fix for a UAF.

-- 
Thanks,
Sasha