Re: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

From: Sasha Levin
Date: Thu Feb 29 2024 - 12:38:14 EST


On Thu, Feb 29, 2024 at 06:11:40PM +0100, Jiri Kosina wrote:
>On Thu, 29 Feb 2024, Sasha Levin wrote:

>> It's pretty trivial to get root on most of the "enterprise" kernels
>
>Wow, that's a very strong statement you are making here, and I'd now
>really like to ask you to back that up with some real data.

>> Is something like https://www.suse.com/security/cve/CVE-2023-52447.html
>> a good example?

>- this fix is on our list/queue to be integrated into one of our kernel
>branches, and was even before it just got CVE assigned, as it references
>a commit in Fixes: that we have present in one of our branches, but
>hasn't been processed yet, mainly because we don't allow unprivileged
>BPF

This comment touches on two points raised in this thread:

Greg's point that instead of taking all the fixes, they end up in queues
waiting to be processed, which means that the trees end up being
vulnerable during that time.

Kees's point that exploitation is rarely a single issue coming into
play, but is usually a long chain of different exploits coming together
to achieve a goal.

>- you pointed to a fix for UAF in BPF, which definitely is a good fix to
>have, I don't even dispute that CVE is justified in this particular
>case. What I haven't yet seen though is how this connects to in my view
>rather serious 'trivial to get root' statement

Yes, the patch reads like a fix for a UAF.

--
Thanks,
Sasha