On Tue, 25 Apr 2023 at 16:47, Greg KH gregkh@linuxfoundation.org wrote:
On Tue, Apr 25, 2023 at 04:08:30PM +0200, Kristof Havasi wrote:
Hi there,
I was evaluating CVE-2022-3567 and CVE-2022-3566 which both revolt around load tearing and reference an ancient Kernel commit:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
I am not sure whether they are applicable to the v5.4.y branch as well.
I do not know, what specific commits are you referring to? CVEs mean nothing, they are not valid identifiers, sorry.
And have you tried applying them to the older kernels and testing to see if they solve any specific issue?
Or better yet, why use the older kernels, why not stick to the most recent one? What is preventing you from switching?
Thank you for the quick response!
I meant the following commits: f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 and 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
The v5.4 kernel is used in an embedded device where due to certification processes a quick upgrade of the Kernel isn't realistic until at least another year.
The patches are quite small, I could cherry-pick them on the latest v5.4 tag, and the kernel builds... only for f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 USER_SOCKPTR isn't available in 5.4, so I sticked to `char __user *`.
I will get a device tomorrow and try whether I can netcat between them via IPv4 and v6. Any other tests, which would be needed?
Best Regards, Kristof