23 Oct
2023
23 Oct
'23
5:44 a.m.
On Fri, Oct 20, 2023 at 08:25:49AM -0600, Keith Busch wrote:
Jens repeated what he told me offline on this thread here, and dropped the pull request that contained this patch:
https://lists.infradead.org/pipermail/linux-nvme/2023-October/042684.html
BTW, don't you still need someone with root access to change the permissions on the device handle in order for an unpriveledged user to reach this hole? It's not open access by default, you still have to opt-in.
Yes, you need someone with root access to change the device node persmissions. But we allowed that under the assumption it is safe to do so, which it turns out it is not.