Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

From: Pavel Machek
Date: Thu Feb 29 2024 - 05:06:37 EST


On Thu 2024-02-29 09:35:28, Greg Kroah-Hartman wrote:
> On Thu, Feb 29, 2024 at 09:22:51AM +0100, Michal Hocko wrote:
> > On Wed 28-02-24 09:12:15, Kees Cook wrote:
> > > On Wed, Feb 28, 2024 at 01:04:14PM +0100, Michal Hocko wrote:
> > > > On Tue 27-02-24 10:35:40, Kees Cook wrote:
> > > > > On Mon, Feb 26, 2024 at 04:25:09PM +0100, Michal Hocko wrote:
> > > > [...]
> > > > > > Does that mean that any potentially incorrect input provided by an admin is
> > > > > > considered CVE now?
> > > > >
> > > > > Yes. Have you seen what USER_NS does? There isn't a way to know how
> > > > > deployments are using Linux, and this is clearly a "weakness" as defined
> > > > > by CVE. It is better to be overzealous than miss things.
> > > >
> > > > If we are overzealous to the point when almost any fix is marked CVE
> > > > then the special marking simply stops making any sense IMHO.
> > >
> > > Perhaps, but the volume of fixes is high, and I think it's better to
> > > overestimate than underestimate -- the work needed to actually
> > > evaluate all these changes is huge: it's better to take everything from
> > > -stable.
> >
> > This is simply not feasible for many downstream kernels and reasons have
> > been discussed many times.
>
> How does taking 10 patches differ from taking 200 patches? Your
> testing/infrastructure issues should be the same, right?

It is more work to review 200 patches than to review 10. As you would
know if you actually reviewed -stable patches or at least AUTOSEL
ones.

Pavel
--
People of Russia, stop Putin before his war on Ukraine escalates.
