AMD crash bug

Kurt Seifried-2
So a Linux/Windows kernel crash triggered by a normal user would get a CVE. Why doesn't this get a CVE? Especially as it's fixable with a microcode update...


I think we need to cover hardware cases where it bricks/crashes the system/hardware at a minimum. 

Also I always thought AMD was a CNA, but they're not?

--
Kurt Seifried
[hidden email]

Re: AMD crash bug

Landfield, Kent B
I agree. This seems to be in need of a CVE. Is AMD aware of it?

Kent Landfield
+1.817.637.8026 

On Mar 23, 2017, at 7:34 PM, Kurt Seifried <[hidden email]> wrote:

> So a Linux/Windows kernel crash triggered by a normal user would get a CVE. Why doesn't this get a CVE? Especially as it's fixable with a microcode update...
>
> I think we need to cover hardware cases where it bricks/crashes the system/hardware at a minimum.
>
> Also I always thought AMD was a CNA, but they're not?
>
> --
> Kurt Seifried
> [hidden email]

Re: AMD crash bug

Pascal Meunier
IMO giving an ID to vulnerable microcode fits the goals of the CVE, both
originally and now.  Lovely catch, Kurt.  

Pascal

On Fri, 2017-03-24 at 00:43 +0000, Landfield, Kent B wrote:

> I agree. This seems to be in need of a CVE. Is AMD aware of it?
>
> Kent Landfield
> +1.817.637.8026
>
> On Mar 23, 2017, at 7:34 PM, Kurt Seifried <[hidden email]> wrote:
>
> So a Linux/Windows kernel crash triggered by a normal user would get a CVE. Why doesn't this get a CVE? Especially as it's fixable with a microcode update...
>
> http://forum.hwbot.org/showthread.php?t=167605
> http://forum.hwbot.org/showpost.php?p=480524
> https://news.ycombinator.com/item?id=13924192
>
> I think we need to cover hardware cases where it bricks/crashes the system/hardware at a minimum.
>
> Also I always thought AMD was a CNA, but they're not?
>
> --
> Kurt Seifried
> [hidden email]

Re: AMD crash bug

Kurt Seifried
I'm not sure that the microcode is vulnerable per se, simply that they fixed it via a microcode update (which again blurs the line between hardware/software rather a lot if this is a "hardware" bug =).

On Thu, Mar 23, 2017 at 7:13 PM, Pascal Meunier <[hidden email]> wrote:
IMO giving an ID to vulnerable microcode fits the goals of the CVE, both
originally and now.  Lovely catch, Kurt.

Pascal

On Fri, 2017-03-24 at 00:43 +0000, Landfield, Kent B wrote:
> I agree. This seems to be in need of a CVE. Is AMD aware of it?
>
> Kent Landfield
> +1.817.637.8026
>
> On Mar 23, 2017, at 7:34 PM, Kurt Seifried <[hidden email]> wrote:
>
> So a Linux/Windows kernel crash triggered by a normal user would get a CVE. Why doesn't this get a CVE? Especially as it's fixable with a microcode update...
>
> http://forum.hwbot.org/showthread.php?t=167605
> http://forum.hwbot.org/showpost.php?p=480524
> https://news.ycombinator.com/item?id=13924192
>
> I think we need to cover hardware cases where it bricks/crashes the system/hardware at a minimum.
>
> Also I always thought AMD was a CNA, but they're not?
>
> --
> Kurt Seifried
> [hidden email]



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: AMD crash bug

Adinolfi, Daniel R

Folks,

To follow up on this issue, it has been given a CVE ID: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7262>

Please let us know if there are any questions.

Thanks.

-Dan

From: <[hidden email]> on behalf of Kurt Seifried <[hidden email]>
Date: Friday, March 24, 2017 at 16:25
To: Pascal Meunier <[hidden email]>
Cc: "Landfield, Kent B" <[hidden email]>, Kurt Seifried <[hidden email]>, cve-editorial-board-list <[hidden email]>
Subject: Re: AMD crash bug

 

I'm not sure that the microcode is vulnerable per se, simply that they fixed it via a microcode update (which again blurs the line between hardware/software rather a lot if this is a "hardware" bug =).

 

On Thu, Mar 23, 2017 at 7:13 PM, Pascal Meunier <[hidden email]> wrote:

IMO giving an ID to vulnerable microcode fits the goals of the CVE, both
originally and now.  Lovely catch, Kurt.

Pascal

On Fri, 2017-03-24 at 00:43 +0000, Landfield, Kent B wrote:
> I agree. This seems to be in need of a CVE. Is AMD aware of it?
>
> Kent Landfield
> +1.817.637.8026
>
> On Mar 23, 2017, at 7:34 PM, Kurt Seifried <[hidden email]> wrote:
>
> So a Linux/Windows kernel crash triggered by a normal user would get a CVE. Why doesn't this get a CVE? Especially as it's fixable with a microcode update...
>
> http://forum.hwbot.org/showthread.php?t=167605
> http://forum.hwbot.org/showpost.php?p=480524
> https://news.ycombinator.com/item?id=13924192
>
> I think we need to cover hardware cases where it bricks/crashes the system/hardware at a minimum.
>
> Also I always thought AMD was a CNA, but they're not?
>
> --
> Kurt Seifried
> [hidden email]



 

--


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]