On 05/15/2018 10:36 AM, Schmauss, Erik wrote:
But I'm going to push back on this. The kernel security team said something like "this is crazy, if you control ACPI tables you have bigger problems" when this bug was reported and told the developer to just submit this as a normal code cleanup.
Granting this a CVE was, in my opinion, a total mistake as well. This doesn't fix any "real" problem that anyone can hit in the wild from what I can tell. And again, if you can modify ACPI tables, there are much bigger problems you can cause on the hardware.
Agreed. Could we somehow close this CVE?
Please do, you can submit a request for it to be rejected on the main CVE site somewhere. I've done it once in the past.
Ok. I'll do this.
Thanks!
Please do the same for CVE-2017-13694 (not in Linus' tree) as well as this one CVE-2017-13695 (in Linus' tree) as they are both associated with crafted ACPI tables.
I am rescinding my request to have these in stable for security concerns.
If the AML is correct, it's fine. Almost all OEMs use ASL compilers like iASL to ensure correctness of ASL/AML.
That probably is enough to push back on stable, really an academic defence in depth measure.
This patch might be nice to have for when users wish to alter their ACPI tables by hand and those altered ACPI tables cause this memory leak. If you wish to account for memory leaks that result from these hand-crafted AML files, then you should add this patch. Otherwise, it's not necessary.
Linus' tree has this, should deal with those advanced developers/users that wish to alter their ACPI tables by hand? The leak is probably a smaller issue than what can happen if someone decides to adjust them by hand ;-}
-- Mark