Date: Tue, 28 May 2024 21:01:13 +0200
From: Greg Kroah-Hartman
To: Gabriel Krisman Bertazi
Cc: linux-cve-announce@vger.kernel.org, cve@kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org
Subject: Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()

On Mon, May 27, 2024 at 08:32:54PM -0400, Gabriel Krisman Bertazi wrote:
> Greg Kroah-Hartman writes:
>
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
> >
> > In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> > 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> > is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> > this value gets assigned to has (always 32-bit) *int* type. Even if that
> > value fits into *int* type, an overflow is still possible when calculating
> > the size_t typed ecc_total variable further below since there's no cast to
> > any 64-bit type before multiplication. Declaring the ecc_blocks variable
> > as *size_t* should fix this mess...
> >
> > Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> > analysis tool.
>
> Hi Greg,
>
> [Cc'ing Kees, who is listed as the pstore maintainer]
>
> I want to dispute this CVE. The overflow is in the module
> initialization path, and can only happen at boot time or if the module
> is loaded with specific parameters or due to specific acpi/device tree
> data. Either way, it would require root privileges to trigger.

Normally root privileges isn't the issue, as many containers allow root
to do things (including loading modules, crazy systems...)

Anyway, I'll defer to Kees as to if this should be revoked or not.

thanks,

greg k-h

>
> --
> Gabriel Krisman Bertazi
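
Added example, not part of this thread and not the kernel's own code: a user-space model of the arithmetic the quoted CVE description talks about, showing for which inputs an int ecc_blocks stops matching the size_t result. The parameter names block_size and ecc_size, the uint64_t stand-in for a 64-bit size_t, and all input values are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

enum ecc_status { ECC_OK = 0, ECC_BLOCKS_TRUNCATED, ECC_MUL_OVERFLOW };

/* Model of the pre-fix arithmetic: the 64-bit quotient is stored in a 32-bit
 * int and the product is formed in int before being widened to ecc_total.
 * Rather than executing the undefined signed overflow, report the point
 * where int arithmetic stops matching the mathematical result. */
static enum ecc_status ecc_total_int(uint64_t buffer_size, int block_size,
                                     int ecc_size, uint64_t *ecc_total)
{
    uint64_t q = DIV_ROUND_UP(buffer_size - (uint64_t)ecc_size,
                              (uint64_t)(block_size + ecc_size));
    int64_t prod;

    if (q > INT_MAX)
        return ECC_BLOCKS_TRUNCATED;    /* int ecc_blocks loses the high bits */
    prod = ((int64_t)q + 1) * ecc_size; /* true value of (ecc_blocks + 1) * ecc_size */
    if (prod > INT_MAX)
        return ECC_MUL_OVERFLOW;        /* the int multiplication would overflow */
    *ecc_total = (uint64_t)prod;
    return ECC_OK;
}

/* Model of the fix named in the description: ecc_blocks is size_t
 * (uint64_t here), so both quotient and product stay 64-bit. */
static uint64_t ecc_total_size_t(uint64_t buffer_size, int block_size,
                                 int ecc_size)
{
    uint64_t ecc_blocks = DIV_ROUND_UP(buffer_size - (uint64_t)ecc_size,
                                       (uint64_t)(block_size + ecc_size));
    return (ecc_blocks + 1) * (uint64_t)ecc_size;
}

int main(void)
{
    /* Constructed inputs: 1 MiB, 4 GiB and 128 GiB zones, 16-byte block and ECC. */
    const uint64_t sizes[] = { 1ULL << 20, 1ULL << 32, 1ULL << 37 };
    for (int i = 0; i < 3; i++) {
        uint64_t t = 0;
        enum ecc_status s = ecc_total_int(sizes[i], 16, 16, &t);
        printf("buffer_size=%llu int_status=%d size_t_total=%llu\n",
               (unsigned long long)sizes[i], (int)s,
               (unsigned long long)ecc_total_size_t(sizes[i], 16, 16));
    }
    return 0;
}
```

The 4 GiB case is the second half of the description: the block count fits in int, but the multiplication does not.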