Date: Wed, 20 Mar 2024 19:59:34 +0100
From: Pavel Machek
To: Lee Jones
Cc: Kees Cook, Luis Chamberlain, Michal Hocko, cve@kernel.org, linux-kernel@vger.kernel.org, Joel Granados, Greg Kroah-Hartman
Subject: Re: CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers
References: <2024030645-CVE-2023-52596-b98e@gregkh> <20240312091730.GU86322@google.com> <20240312154910.GC1522089@google.com> <202403121431.55E67E201@keescook> <20240313080132.GD1522089@google.com>
In-Reply-To: <20240313080132.GD1522089@google.com>

Hi!

> > I have tried to argue before that it's up to the core kernel code to Do
> > The Right Thing, even in the face of crappy out-of-tree code, so to me,
> > since this is a (very very very limited) weakness in the core kernel
> > code, give it a CVE.
> >
> > My attempt at a CVSS for it yields a 3.4 overall:
> > AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X
> > https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X&version=3.1
>
> Thank you Luis and Kees for your input. Your efforts are very much
> appreciated. I have read and digested everyone's points.
>
> Since no one (including myself) is willing to conclude that this
> represents _zero_ risk, the allocation will not be rescinded. In our

Well, if you insist this is real risk (it is not) would you be so kind as to at least fix the "vulnerability" description? "Module can trigger BUG_ON in kernel" would be suitable, according to the discussion. Current description is copy/paste nonsense :-(.

Best regards,
Pavel

https://nvd.nist.gov/vuln/detail/CVE-2023-52596

Description

In the Linux kernel, the following vulnerability has been resolved:

sysctl: Fix out of bounds access for empty sysctl registers

When registering tables to the sysctl subsystem there is a check to see if header is a permanently empty directory (used for mounts). This check evaluates the first element of the ctl_table. This results in an out of bounds evaluation when registering empty directories.

The function register_sysctl_mount_point now passes a ctl_table of size 1 instead of size 0. It now relies solely on the type to identify a permanently empty register.

Make sure that the ctl_table has at least one element before testing for permanent emptiness.

--
People of Russia, stop Putin before his war on Ukraine escalates.