* [cip-dev] Bluetooth CVEs deciphered?
@ 2020-10-15 18:06 Pavel Machek
2020-10-15 18:09 ` [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4 Pavel Machek
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Pavel Machek @ 2020-10-15 18:06 UTC (permalink / raw)
To: cip-dev, wens
[-- Attachment #1.1: Type: text/plain, Size: 9451 bytes --]
Hi!
I believe Google has good information which CVE corresponds to which
patch, and I used that to improve cip-kernel-sec. Result is here. Can
you take a look before I start fighting yml?
Best regards,
Pavel
diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..b7f519b 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,9 @@
-description: INTEL-SA-00435
+description: |
+ A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+ GHSA-h637-c88j-47wq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..372e3ce 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,13 @@
-description: INTEL-SA-00435
+description: |
+ BadChoice: Stack-Based Information Leak (BleedingTooth)
+ A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+ GHSA-7mh3-gq28-gfrq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+ 8e2a0d92c56ec6955526a8b60838c9b00f70540d
+fixed-by:
\ No newline at end of file
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+ BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+ A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.
+advisory: |
+
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+ https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+ GHSA-ccx2-w2r4-x649
comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ Pavel Machek:
+ This actually looks like most severe from the recent bluetooth stuff.
+
+ Fix is not one-liner but also not scary. Adds checking at expected places.
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ c215e9397b00b3045a668120ed7dbd89f2866e74
+ b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+ mainline:
+ a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+ 4.19:
+ 5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+ -- needs to be backported to 4.4?
+
\ No newline at end of file
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5584): https://lists.cip-project.org/g/cip-dev/message/5584
Mute This Topic: https://lists.cip-project.org/mt/77534365/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4.
2020-10-15 18:06 [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
@ 2020-10-15 18:09 ` Pavel Machek
2020-10-15 18:13 ` [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve] Pavel Machek
2020-10-15 20:30 ` [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
2 siblings, 0 replies; 4+ messages in thread
From: Pavel Machek @ 2020-10-15 18:09 UTC (permalink / raw)
To: cip-dev, wens
[-- Attachment #1.1: Type: text/plain, Size: 3499 bytes --]
CVE-2020-24490: backporting a2ec905d to 4.4.
Yes, "ext_adv" is always false here, so code could be simplified, but
I believe this is good enough for -stable.
Best regards,
Pavel
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 03319ab8a7c6..3794616cd87b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1133,6 +1133,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
{
struct discovery_state *d = &hdev->discovery;
+ if (len > HCI_MAX_AD_LENGTH)
+ return;
+
bacpy(&d->last_adv_addr, bdaddr);
d->last_adv_addr_type = bdaddr_type;
d->last_adv_rssi = rssi;
@@ -4743,7 +4746,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
u8 bdaddr_type, bdaddr_t *direct_addr,
- u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
+ u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
+ bool ext_adv)
{
struct discovery_state *d = &hdev->discovery;
struct smp_irk *irk;
@@ -4752,6 +4756,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
u32 flags;
u8 *ptr, real_len;
+ if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
+ BT_ERR_RATELIMITED("legacy adv larger than 31 bytes");
+ return;
+ }
+
/* Find the end of the data in case the report contains padded zero
* bytes at the end causing an invalid length value.
*
@@ -4812,7 +4821,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
*/
conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
direct_addr);
- if (conn && type == LE_ADV_IND) {
+ if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
/* Store report for later inclusion by
* mgmt_device_connected
*/
@@ -4866,7 +4875,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
* event or send an immediate device found event if the data
* should not be stored for later.
*/
- if (!has_pending_adv_report(hdev)) {
+ if (!ext_adv && !has_pending_adv_report(hdev)) {
/* If the report will trigger a SCAN_REQ store it for
* later merging.
*/
@@ -4901,7 +4910,8 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
/* If the new report will trigger a SCAN_REQ store it for
* later merging.
*/
- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
+ if (!ext_adv && (type == LE_ADV_IND ||
+ type == LE_ADV_SCAN_IND)) {
store_pending_adv_report(hdev, bdaddr, bdaddr_type,
rssi, flags, data, len);
return;
@@ -4940,7 +4950,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
rssi = ev->data[ev->length];
process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
ev->bdaddr_type, NULL, 0, rssi,
- ev->data, ev->length);
+ ev->data, ev->length, false);
ptr += sizeof(*ev) + ev->length + 1;
}
@@ -5137,7 +5147,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
ev->bdaddr_type, &ev->direct_addr,
- ev->direct_addr_type, ev->rssi, NULL, 0);
+ ev->direct_addr_type, ev->rssi, NULL, 0,
+ false);
ptr += sizeof(*ev);
}
--
http://www.livejournal.com/~pavelmachek
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5585): https://lists.cip-project.org/g/cip-dev/message/5585
Mute This Topic: https://lists.cip-project.org/mt/77534428/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve]
2020-10-15 18:06 [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
2020-10-15 18:09 ` [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4 Pavel Machek
@ 2020-10-15 18:13 ` Pavel Machek
2020-10-15 20:30 ` [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
2 siblings, 0 replies; 4+ messages in thread
From: Pavel Machek @ 2020-10-15 18:13 UTC (permalink / raw)
To: cip-dev, wens
[-- Attachment #1.1: Type: text/plain, Size: 4053 bytes --]
Backport c797110d for CVE-2020-25645.
This ... builds. I would not mind getting some testing here.
Best regards,
Pavel
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index ec13e2ae6d16..840ad2e29dbb 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -711,7 +711,8 @@ free_dst:
static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
struct net_device *dev,
struct flowi4 *fl4,
- struct ip_tunnel_info *info)
+ struct ip_tunnel_info *info,
+ __be16 dport, __be16 sport)
{
struct geneve_dev *geneve = netdev_priv(dev);
struct rtable *rt = NULL;
@@ -720,6 +721,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
memset(fl4, 0, sizeof(*fl4));
fl4->flowi4_mark = skb->mark;
fl4->flowi4_proto = IPPROTO_UDP;
+ fl4->fl4_dport = dport;
+ fl4->fl4_sport = sport;
if (info) {
fl4->daddr = info->key.u.ipv4.dst;
@@ -754,7 +757,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
struct net_device *dev,
struct flowi6 *fl6,
- struct ip_tunnel_info *info)
+ struct ip_tunnel_info *info,
+ __be16 dport, __be16 sport)
{
struct geneve_dev *geneve = netdev_priv(dev);
struct geneve_sock *gs6 = geneve->sock6;
@@ -764,6 +768,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
memset(fl6, 0, sizeof(*fl6));
fl6->flowi6_mark = skb->mark;
fl6->flowi6_proto = IPPROTO_UDP;
+ fl6->fl6_dport = dport;
+ fl6->fl6_sport = sport;
if (info) {
fl6->daddr = info->key.u.ipv6.dst;
@@ -834,13 +840,14 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
goto tx_error;
}
- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+ info->key.tp_dst, sport);
if (IS_ERR(rt)) {
err = PTR_ERR(rt);
goto tx_error;
}
- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);
if (info) {
@@ -916,13 +923,14 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
}
}
- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+ info->key.tp_dst, sport);
if (IS_ERR(dst)) {
err = PTR_ERR(dst);
goto tx_error;
}
- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);
if (info) {
@@ -1011,9 +1019,14 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
struct dst_entry *dst;
struct flowi6 fl6;
#endif
+ __be16 sport;
if (ip_tunnel_info_af(info) == AF_INET) {
- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+ sport = udp_flow_src_port(geneve->net, skb,
+ 1, USHRT_MAX, true);
+
+ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+ info->key.tp_dst, sport);
if (IS_ERR(rt))
return PTR_ERR(rt);
@@ -1021,7 +1034,11 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
info->key.u.ipv4.src = fl4.saddr;
#if IS_ENABLED(CONFIG_IPV6)
} else if (ip_tunnel_info_af(info) == AF_INET6) {
- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+ sport = udp_flow_src_port(geneve->net, skb,
+ 1, USHRT_MAX, true);
+
+ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+ info->key.tp_dst, sport);
if (IS_ERR(dst))
return PTR_ERR(dst);
@@ -1032,8 +1049,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
return -EINVAL;
}
- info->key.tp_src = udp_flow_src_port(geneve->net, skb,
- 1, USHRT_MAX, true);
+ info->key.tp_src = sport;
info->key.tp_dst = geneve->dst_port;
return 0;
}
--
http://www.livejournal.com/~pavelmachek
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5586): https://lists.cip-project.org/g/cip-dev/message/5586
Mute This Topic: https://lists.cip-project.org/mt/77534528/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [cip-dev] Bluetooth CVEs deciphered?
2020-10-15 18:06 [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
2020-10-15 18:09 ` [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4 Pavel Machek
2020-10-15 18:13 ` [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve] Pavel Machek
@ 2020-10-15 20:30 ` Pavel Machek
2 siblings, 0 replies; 4+ messages in thread
From: Pavel Machek @ 2020-10-15 20:30 UTC (permalink / raw)
To: cip-dev, wens
[-- Attachment #1.1: Type: text/plain, Size: 9766 bytes --]
Hi!
> I believe Google has good information which CVE corresponds to which
> patch, and I used that to improve cip-kernel-sec. Result is here. Can
> you take a look before I start fighting yml?
I believe I indentified the other 2 fixes, too. Here's updated diff.
Best regards,
Pavel
diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..a28487e 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,14 @@
-description: INTEL-SA-00435
+description: |
+ A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+ GHSA-h637-c88j-47wq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
+
+ (no Fixed: tag matching dbb50887c8 in -next).
+
+Probably this fixes it?
+ f19425641cb2572a33cb074d5e30283720bd4d22 .. yep.
\ No newline at end of file
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..64b731d 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,19 @@
-description: INTEL-SA-00435
+description: |
+ BadChoice: Stack-Based Information Leak (BleedingTooth)
+ A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+ GHSA-7mh3-gq28-gfrq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+ 8e2a0d92c56ec6955526a8b60838c9b00f70540d ?
+fixed-by:
+ probably this: eddb7732119d53400f48a02536a84c509692faa8
+
+Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu Aug 6 11:17:11 2020 -0700
+
+
\ No newline at end of file
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+ BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+ A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.
+advisory: |
+
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+ https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+ GHSA-ccx2-w2r4-x649
comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ Pavel Machek:
+ This actually looks like most severe from the recent bluetooth stuff.
+
+ Fix is not one-liner but also not scary. Adds checking at expected places.
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ c215e9397b00b3045a668120ed7dbd89f2866e74
+ b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+ mainline:
+ a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+ 4.19:
+ 5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+ -- needs to be backported to 4.4?
+
\ No newline at end of file
--
http://www.livejournal.com/~pavelmachek
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5587): https://lists.cip-project.org/g/cip-dev/message/5587
Mute This Topic: https://lists.cip-project.org/mt/77534365/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-10-15 20:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-15 18:06 [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
2020-10-15 18:09 ` [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4 Pavel Machek
2020-10-15 18:13 ` [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve] Pavel Machek
2020-10-15 20:30 ` [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).