On Mon, Sep 09, 2024 at 11:31:44AM -0400, Theodore Ts'o wrote:
> I believe CVE-2024-43898 regarding "ext4: sanity check for NULL
> pointer after ext4_force_shutdown" (commit id: 83f4414b8f84) may have
> been issued in error.
>
> ext4_force_shutdown() is called from FS_IOC_SHUTDOWN, which requires
> root privileges.

"root privileges" are not something that "is this a vulnerability" normally takes into account given that there are zillions of ways of giving permissions to processes to do things that people do in crazy systems, as you know :)

That being said, the commit message does not document root privileges being needed. Also, it looks like the function is called on the "normal" shutdown callback for the superblock, which I don't think is required to have root permissions, does it?

But as a maintainer, it's up to you if you wish to reject a CVE for your subsystem/code, so if you really want it rejected, we'll be glad to do so.

thanks,

greg k-h