Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion

From: Kees Cook
Date: Mon Jul 29 2024 - 20:15:59 EST

Next message: Stephen Boyd: "Re: [PATCH v2 2/2] clk: clk-conf: support assigned-clock-rates-u64"
Previous message: Saravana Kannan: "Re: [PATCH] driver core: Don't log intentional skip of device link creation as error"
In reply to: Michal Koutný: "Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion"
Next in thread: Greg Kroah-Hartman: "Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 29, 2024 at 04:35:52PM +0200, Michal Koutný wrote:
> On Sat, Jul 27, 2024 at 09:34:18AM GMT, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > We assigned a CVE to 9c573cd313433 as it was implied by many that this
> > was "fixing a weakness" in the security feature in 39218ff4c625d. If
> > this is not the case, then we can revoke this CVE.
>
> If 9c573cd313433 (fixup) is fixing a weakness of too few bits in stack offset
> randomization, then 39218ff4c625d (feature) is fixing such a weakness too.
>
> Or equivalently, if 39218ff4c625d is not fixing a weakness of too few
> bits in stack offset randomization, then 9c573cd313433 is not fixing it
> neither.
>
> By this reasoning I'd be for stripping this CVE. Both patches would thus
> be equal. (As suggested by Kees.)
> (Also to avoid going into the rabbit hole of how many bits of
> randomization are enough.)

Yeah, I think it's best to have neither be a CVE.

--
Kees Cook

Next message: Stephen Boyd: "Re: [PATCH v2 2/2] clk: clk-conf: support assigned-clock-rates-u64"
Previous message: Saravana Kannan: "Re: [PATCH] driver core: Don't log intentional skip of device link creation as error"
In reply to: Michal Koutný: "Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion"
Next in thread: Greg Kroah-Hartman: "Re: CVE-2024-35918: randomize_kstack: Improve entropy diffusion"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]