20 Mar
2024
20 Mar
'24
1:44 p.m.
On Wed, Mar 20, 2024 at 09:26:29AM +0100, Neil Armstrong wrote:
On 20/03/2024 06:28, Dan Carpenter wrote:
On Tue, Mar 19, 2024 at 03:53:24PM +0100, Neil Armstrong wrote:
While meson_sm_read_efuse() doesn't overflow, the string is not zero terminated and env_set() will buffer overflow and add random characters to environment.
In the Linux kernel we would give this a CVE because it's information disclosure bug...
Yes probably
Yes, but this isn't the Linux kernel and we aren't a CNA. I don't object to someone getting a CVE if so inclined, but we don't have the resources to follow in the kernel's footsteps here either.
--
Tom