On Tue, Jun 03, 2025 at 12:38:11PM +0200, Attila Szasz wrote:
> Hi,
> 
> I believe I’ve already shared my main thoughts on this topic on LKML. The
> discussion between Vyukov and Ts’o is particularly insightful. As I
> mentioned earlier, it's worth remembering that unprivileged mounting via
> user namespaces was seriously considered for even block filesystems before,
> but it was ultimately deemed too difficult—largely due to economic
> constraints rather than purely technical ones.
> 
> That said, there are four points I still feel are worth adding:
> 
> 1) Maintainers may have missed this, but regardless of the rejected CVE,
> their CVE automation tooling seems to have picked up the fix as a regular
> patch. It included an ASAN report with the "out-of-bounds" keyword, so
> there is now (again) a CVE for my finding:
> 
> https://lore.kernel.org/linux-cve-announce/2025050117-CVE-2025-37782-7cc2@gregkh/
> 
> NVD may not yet realize it, but CVE-2025-37782 and CVE-2025-0927 refer
> to the same bug.

The kernel CNA did not realize it either, and so this CVE is now
rejected.  Next time you can let us know directly :)

thanks,

greg k-h
