Date: Fri, 24 May 2024 12:15:47 +0200
From: Greg Kroah-Hartman
To: Jiri Bohac
Cc: cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org, Eric Biederman, kexec@lists.infradead.org
Subject: Re: CVE-2023-52823: kernel: kexec: copy user-array safely
Message-ID: <2024052420-clang-flatterer-366b@gregkh>
References: <2024052106-CVE-2023-52823-3d81@gregkh>

On Fri, May 24, 2024 at 12:02:10PM +0200, Jiri Bohac wrote:
> On Tue, May 21, 2024 at 05:31:59PM +0200, Greg Kroah-Hartman wrote:
> > kernel: kexec: copy user-array safely
> >
> > Currently, there is no overflow-check with memdup_user().
>
> This is false.
> Therefore, I'd like to dispute this CVE.
>
> The overflow check is in the kexec_load_check()
> function called shortly before the memdup_user() call:
>
>
> SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
> 		struct kexec_segment __user *, segments, unsigned long, flags)
> {
> 	result = kexec_load_check(nr_segments, flags);
> 	if (result)
> 		return result;
> 	...
> 	ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
> 	...
> }
>
> #define KEXEC_SEGMENT_MAX 16
> static inline int kexec_load_check(unsigned long nr_segments,
> 				   unsigned long flags)
> {
> 	...
> 	if (nr_segments > KEXEC_SEGMENT_MAX)
> 		return -EINVAL;
> }

Nice, but then why was this commit worded this way?  Now we check twice?
Double safe?  Should it be reverted?

I'll go revoke this, thanks for the review!

greg k-h
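The point under dispute is whether the bound in kexec_load_check() already makes the nr_segments * sizeof(ksegments[0]) product safe before memdup_user() sees it. The following userspace model is an added example, not code from the thread or from the kernel tree: it keeps the KEXEC_SEGMENT_MAX bound quoted above, puts an overflow-checked multiplication next to the unchecked product at the memdup_user() call site (the checked form is in the spirit of the kernel's memdup_array_user(), which uses check_mul_overflow()), and lets you verify that with the bound in place the largest accepted count cannot wrap. The struct kexec_segment layout here is a stand-in chosen for illustration, and the -EINVAL return mirrors the quoted check.

```c
/* Added example (not from the thread): userspace model of the two checks
 * discussed in the CVE dispute. struct layout is a stand-in. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define KEXEC_SEGMENT_MAX 16

/* Stand-in for the kernel's struct kexec_segment; real layout differs. */
struct kexec_segment {
    const void *buf;
    size_t bufsz;
    const void *mem;
    size_t memsz;
};

/* Mirrors the bound quoted from kexec_load_check(): any count above
 * KEXEC_SEGMENT_MAX is rejected before any size arithmetic happens. */
int kexec_load_check(unsigned long nr_segments)
{
    if (nr_segments > KEXEC_SEGMENT_MAX)
        return -EINVAL;
    return 0;
}

/* Overflow-checked byte count, in the spirit of memdup_array_user().
 * Returns false when n * size would wrap instead of silently truncating. */
bool array_size_checked(unsigned long n, size_t size, size_t *out)
{
    return !__builtin_mul_overflow(n, size, out);
}

/* The plain product as written at the memdup_user() call site. */
size_t array_size_unchecked(unsigned long n, size_t size)
{
    return n * size;
}

/* Does the bound alone make the product safe? True iff the largest
 * count kexec_load_check() accepts still multiplies without wrapping. */
bool bound_prevents_overflow(void)
{
    size_t bytes;
    return array_size_checked(KEXEC_SEGMENT_MAX,
                              sizeof(struct kexec_segment), &bytes);
}

/* What the checked form catches when no bound is applied first:
 * a maximal count times the element size must be reported as overflow. */
bool huge_count_is_caught(void)
{
    size_t bytes;
    return !array_size_checked(ULONG_MAX, sizeof(struct kexec_segment), &bytes);
}

int main(void)
{
    size_t bytes;

    printf("nr_segments=16 -> %d, nr_segments=17 -> %d\n",
           kexec_load_check(16), kexec_load_check(17));
    printf("bound prevents overflow: %s\n",
           bound_prevents_overflow() ? "yes" : "no");
    printf("unchecked ULONG_MAX * sizeof = %zu (wrapped)\n",
           array_size_unchecked(ULONG_MAX, sizeof(struct kexec_segment)));
    printf("checked ULONG_MAX * sizeof rejected: %s\n",
           array_size_checked(ULONG_MAX, sizeof(struct kexec_segment), &bytes)
               ? "no" : "yes");
    return 0;
}
```

Running it shows both routes to the same conclusion: with the count capped at 16 the product is tiny, so the bound already rules out the wrap, and an overflow-checked multiplication at the copy site is a second, independent guard rather than a fix for a missing one.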