Re: Backport fix for CVE-2023-2176 (8d037973 and 0e158630) to v6.1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 04, 2024 at 02:21:22PM +0530, Ajay Kaher wrote:
> On Mon, Mar 4, 2024 at 12:14 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Thu, Feb 29, 2024 at 02:05:39PM +0530, Ajay Kaher wrote:
> > > On Thu, Feb 29, 2024 at 12:13 AM Brennan Lamoreaux
> > > <brennan.lamoreaux@xxxxxxxxxxxx> wrote:
> > > >
> > > > > If you provide a working backport of that commit, we will be glad to
> > > > > apply it.  As-is, it does not apply at all, which is why it was never
> > > > > added to the 6.1.y tree.
> > > >
> > > > Oh, apologies for requesting if they don't apply. I'd be happy to submit
> > > > working backports for these patches, but I am not seeing any issues applying/building
> > > > the patches on my machine... Both patches in sequence applied directly and my
> > > > local build was successful.
> > > >
> > > > This is the workflow I tested:
> > > >
> > > > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> > > > git checkout FETCH_HEAD
> > > > git cherry-pick -x 8d037973d48c026224ab285e6a06985ccac6f7bf
> > > > git cherry-pick -x 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95
> > > > make allyesconfig
> > > > make
> > > >
> > > > Please let me know if I've made a mistake with the above commands, or if these patches aren't applicable
> > > > for some other reason.
> > > >
> > >
> > > I guess the reason is:
> > >
> > > 8d037973d48c026224ab285e6a06985ccac6f7bf doesn't have "Fixes:" and is
> > > not sent to stable@xxxxxxxxxxxxxxx.
> > > And 0e15863015d97c1ee2cc29d599abcc7fa2dc3e95 is to Fix
> > > 8d037973d48c026224ab285e6a06985ccac6f7bf,
> > > so no need of 0e158 if 8d03 not backported to that particular branch.
> >
> > Ok, so there's nothing to do here, great!  If there is, please let us
> > know.
> >
> 
> In my previous mail, I was guessing why 8d037973d48c commit was not
> backported to v6.1.
> 
> However Brennan's concern is:
> 
> As per CVE-2023-2176, because of improper cleanup local users can
> crash the system.
> And this crash was reported in v5.19, refer:
> https://lore.kernel.org/all/ec81a9d50462d9b9303966176b17b85f7dfbb96a.1670749660.git.leonro@xxxxxxxxxx/#t
> 
> However, fix i.e. 8d037973d48c applied to master from v6.3-rc1 and not
> backported to any stable or LTS.
> So v6.1 is still vulnarbile, so 8d037973d48c and 0e15863015d9 should
> be backported to v6.1.

Ah, thanks, sorry for the confusion.  Both now queued up.

greg k-h




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux