Date: Tue, 12 Mar 2024 15:49:10 +0000
From: Lee Jones
To: Luis Chamberlain
Cc: Michal Hocko, cve@kernel.org, linux-kernel@vger.kernel.org, Joel Granados, Greg Kroah-Hartman
Subject: Re: CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers
Message-ID: <20240312154910.GC1522089@google.com>
References: <2024030645-CVE-2023-52596-b98e@gregkh> <20240312091730.GU86322@google.com>

On Tue, 12 Mar 2024, Luis Chamberlain wrote:

> On Tue, Mar 12, 2024 at 10:45:28AM +0100, Michal Hocko wrote:
> > On Tue 12-03-24 09:17:30, Lee Jones wrote:
> > [...]
> > > > Backporting this is fine, but wouldn't fix an issue unless an external
> > > > module had empty sysctls. And exploiting this is not possible unless
> > > > you purposely build an external module which could end up with empty
> > > > sysctls.
> > > > Thanks for the clarification Luis!
> >
> > > Thanks for the amazing explanation Luis.
> > >
> > > If I'm reading this correctly, an issue does exist, but an attacker
> > > would have to lay some foundations before it could be triggered. Sounds
> > > like loading of a malicious or naive module would be enough.
> >
> > If the bar is set as high as a kernel module to create an empty sysctl
> > directory then I think it is safe to say that the security aspect is
> > mostly moot. There are much simpler ways to attack the system if you are
> > able to load a kernel module.
>
> Indeed, a simple BUG_ON(1) on external modules cannot possibly be a
> source of a CVE. And so this becomes BUG_ON(when_sysctl_empty()) where

Issues that are capable of crashing the kernel in any way, including with
WARN() or BUG(), are being considered weaknesses and presently get CVEs.

> when_sysctl_empty() is hypothetical and I think the source of this
> question for CVE. Today that's not at boot time or dynamically with
> any linux kernel sources released, and so it's only possible if:
>
> a) As Joel indicated if you backported an empty sysctl array (which
> would be unless you carried all the infrastructure to support it).
>
> b) an external module has an empty sysctl

So what we're discussing here is whether this situation is _possible_,
however unlikely.

You are the maintainer here, so the final decision is yours.

If you say this situation is impossible and the CVE should be revoked,
I'll go ahead and do just that.

-- 
Lee Jones [李琼斯]
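As an added illustration of the bug class the Subject names (not code from this thread or from the kernel tree), the userspace model below shows why a zero-length sysctl table is the precondition everyone is debating: a registration path that inspects entry 0 before consulting the table size reads whatever sits next in memory, while a size-first check never touches entry memory. The kernel's real code path is not on this page, so the pre-fix logic, the struct layout and all names here are assumptions.

```c
/* Added example (not the kernel's code): model of an out-of-bounds read on an
 * empty sysctl registration, and the size-first check that prevents it.
 * All names are hypothetical; the backing storage is constructed for the demo. */
#include <stddef.h>
#include <stdio.h>

struct model_ctl_table {
    const char *procname;   /* NULL marked a sentinel in the old convention */
    void *data;
};

/* A zero-length table has no storage of its own, so its address coincides
 * with whatever the linker placed after it. We model that neighbour with a
 * real, non-empty entry so the stray read is observable without UB. */
static struct model_ctl_table neighbour[] = {
    { "neighbour_entry", NULL },
};
static const struct model_ctl_table *empty_table = neighbour;  /* size 0 */

static struct model_ctl_table one_entry[] = {
    { "some_knob", NULL },
};

/* Assumed pre-fix pattern: "is this a permanently empty directory?" decided
 * by dereferencing entry 0 regardless of size. With size 0 the access is
 * out of bounds; here it lands on the neighbour and returns the wrong answer. */
int register_unchecked(const struct model_ctl_table *table, size_t size)
{
    (void)size;                          /* size ignored: the defect */
    return table[0].procname == NULL;    /* 1 = empty directory */
}

/* Hardened pattern: consult the registered size first; an empty
 * registration is answered without reading any entry. */
int register_checked(const struct model_ctl_table *table, size_t size)
{
    if (size == 0)
        return 1;
    return table[0].procname == NULL;
}

int main(void)
{
    printf("unchecked, size 0: empty=%d (wrong: read the neighbour)\n",
           register_unchecked(empty_table, 0));
    printf("checked,   size 0: empty=%d\n", register_checked(empty_table, 0));
    printf("checked,   size 1: empty=%d\n", register_checked(one_entry, 1));
    return 0;
}
```

Under a real kernel the stray read has no friendly neighbour to land on, which is why the thread treats the empty-table case as a crash (BUG_ON-equivalent) rather than a wrong answer.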