On Tue, 12 Sep 2017 14:34:18 +0200, gregkh@linuxfoundation.org wrote:
> On Tue, Sep 12, 2017 at 09:17:38AM +0200, Takashi Iwai wrote:
> > On Fri, 08 Sep 2017 19:47:32 +0200, Grygorii Tertychnyi (gtertych) wrote:
> > > Hi Greg,
> > > Could you please apply it for 4.4-stable? This fixes https://nvd.nist.gov/vuln/detail/CVE-2017-9985
> >
> > This vulnerability is just a non-issue. You can't get it working practically; it requires modified hardware of the decade-old ISA sound card, and yet the system has to load / set up the module beforehand. We should withdraw it from CVE, IMO.
> >
> > > I think it is worth having it in 4.4, 4.9 and 4.12 also.
> >
> > ... even though the code has never been tested on the real hardware? That doesn't sound good for stable kernels at all. That's why I didn't put Cc to stable in the patch.
>
> Oh, I didn't know that, want me to drop the patch from the stable queues now?

Honestly, I don't mind. The patch should work, and even if it doesn't, it would be harmless as no one can see the breakage in practice :)
It's just ridiculous that people urge such a commit for stable kernels even though they never tested / care about the real cases but only look at the CVE entry.
thanks,
Takashi