From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
Darren Kenny <darren.kenny@oracle.com>
Subject: Re: CVE-2023-52471: ice: Fix some null pointer dereference issues in ice_ptp.c
Date: Mon, 26 Feb 2024 06:39:16 +0100 [thread overview]
Message-ID: <2024022654-designer-rack-c644@gregkh> (raw)
In-Reply-To: <ad071ad2-693f-4689-a324-37e80495635a@oracle.com>
On Mon, Feb 26, 2024 at 12:21:40AM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 25/02/24 13:46, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > ice: Fix some null pointer dereference issues in ice_ptp.c
> >
> > devm_kasprintf() returns a pointer to dynamically allocated memory
> > which can be NULL upon failure.
> >
>
> I have a question about this and couple of other CVEs:
>
> CVE-2023-52465: -- devm_kzalloc() and devm_kasprintf() failures
> CVE-2023-52467: -- kasprintf() failure
> CVE-2023-52471: -- devm_kasprintf() failure
> CVE-2023-52472: -- allocation failure
>
> As it's widely believed that small kmallocs cannot fail, is it worth having
> CVEs for the above bug fixes ?
If you believe that, then sure, don't worry about these individual
commits. But if you don't believe it (after all, why would we add
checks if the code could never fail?), then perhaps you should take
them.
In other words, why would you NOT take a known fix for a weakess in the
codebase?
thanks,
greg k-h
prev parent reply other threads:[~2024-02-26 5:39 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-25 8:16 CVE-2023-52471: ice: Fix some null pointer dereference issues in ice_ptp.c Greg Kroah-Hartman
2024-02-25 18:51 ` Harshit Mogalapalli
2024-02-26 5:39 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024022654-designer-rack-c644@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=cve@kernel.org \
--cc=darren.kenny@oracle.com \
--cc=harshit.m.mogalapalli@oracle.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.