From: Gabriel Krisman Bertazi
To: Eduardo Vela
Cc: Greg Kroah-Hartman, Jens Axboe, linux-cve-announce@vger.kernel.org, cve@kernel.org, linux-kernel@vger.kernel.org, Tamás Koczka
Subject: Re: CVE-2023-52656: io_uring: drop any code related to SCM_RIGHTS
In-Reply-To: (Eduardo' Vela's message of "Sat, 25 May 2024 17:09:45 +0200")
Organization: SUSE
References: <2024051338-CVE-2023-52656-6545@gregkh> <871q5rqhuc.fsf@mailhost.krisman.be> <2024052542-diner-snare-a618@gregkh>
Date: Sat, 25 May 2024 14:15:19 -0400
Message-ID: <87fru5pxl4.fsf@mailhost.krisman.be>
"Eduardo' Vela\"" writes:

> So, either I'm completely lost or CVE-2023-52656 shouldn't have been
> rejected. Forgive me for muddying the problem even more.
>
> I think we need to unreject this CVE (CVE-2023-52656) or CVE-2023-52654
> should be amended to include the dead code removal commit. That said,
> that'll be weirder than just unrejecting this commit.
>
> The reason is that the commit "io_uring/af_unix: disable sending io_uring
> over sockets" is not enough to fix the vulnerability in stable branches,
> because e.g. bcedd497b3b4a0be56f3adf7c7542720eced0792 on 5.15 only fixes
> one path (io_sqe_file_register) to reach unix_inflight(), but it is still
> reachable via another path (io_sqe_fileS_register) which is only removed by
> d909d381c3152393421403be4b6435f17a2378b4 ("io_uring: drop any code related
> to SCM_RIGHTS").

Hm, right. This is real for some really old stable tree. Thanks for the
clarification.

But let's agree, the above write-up is literally the *only* relevant,
public information on the issue (that I could find). And it only appeared
because we almost wrongfully rejected it. The CVE description, the list
of affected trees and everything else in the CVE report are absolute
nonsense. Still, the CVE report is all downstream developers have to
work on the issue. Of course, the original commit message could not have
tracked the new information, but the analysis MUST be appended to the
CVE description.

FWIW,

  Fixed in 6.1.83 with commit a3812a47a320
  Fixed in 6.7.11 with commit 88c49d9c8961
  Fixed in 6.8 with commit 6e5e6d274956

is nonsense, then. We check for io_is_uring_fops(file) right before it.

Greg, I understand we have multiple streams for security issues,
including some that might be automated through the Fixes tag. But for
cases like this, where a discussion apparently happened and a human did
the excellent work of properly analyzing it, can we get a real CVE
description beyond the original commit message? Even publishing the
archives of the original report (minus, whatever, the exploit) alongside
the CVE would improve the situation. The old CVE process was notoriously
bad with descriptions, but this is somehow worse.

> Although that patch claims "it is dead code", this claim was only true on
> upstream, but not on stable branches (or at least on 5.15 where the
> vulnerability was proven to be reachable).

Yet, there is no information about this "small" detail anywhere I can find.

> My colleague poprdi@google.com sent this analysis to the CNA list, so maybe
> we can continue the discussion there

No. This *really* needs to be discussed on an *open* list. The CVE is
out already.

-- 
Gabriel Krisman Bertazi