* New CVE entries in this week
@ 2022-01-12 23:39 Masami Ichikawa
  2022-01-13  8:07 ` [cip-dev] " Pavel Machek
  0 siblings, 1 reply; 25+ messages in thread
From: Masami Ichikawa @ 2022-01-12 23:39 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 7 new CVEs were reported.

* New CVEs

CVE-2021-39633: ip_gre: add validation for csum_start

CVSS v3 score is not provided

An information leak bug was found in gre_handle_offloads(), which is in
net/ipv4/ip_gre.c.
The fix uses skb_checksum_start() to check the data, but this function was
introduced in 4.6-rc1 by commit 08b64fc ("net: Store checksum result for
offloaded GSO checksums"), so applying this patch requires commit
08b64fc too.

Fixed status

mainline: [1d011c4803c72f3907eccfc1ec63caefb852fcbf]
stable/4.14: [99279223a37b46dc7716ec4e0ed4b3e03f1cfa4c]
stable/4.19: [c33471daf2763c5aee2b7926202c74b75c365119]
stable/4.9: [41d5dfa408130433cc5f037ad89bed854bf936f7]
stable/5.10: [fb45459d9ddb1edd4a8b087bafe875707753cb10]
stable/5.4: [53b480e68c1c2c778b620cc7f45a2ba5dff518ca]

CVE-2021-39634: epoll: do not insert into poll queues until all sanity
checks are done

CVSS v3 score is not provided

A local attacker could gain privileges by abusing this bug. All
stable kernels and the mainline kernel have already been fixed.

Fixed status

mainline: [f8d4f44df056c5b504b0d49683fb7279218fd207]
stable/4.14: [23fb662b13e4f75688123e1d16aa7116f602db32]
stable/4.19: [3e3bbc4d23eeb90bf282e98c7dfeca7702df3169]
stable/4.4: [ea984dfe0e7978cd294eb6a640ac27fa1834ac8d]
stable/4.9: [a16d314ccda2efa6173f2ae7d386f99c61d273a4]
stable/5.4: [8993da3d4d3a7ae721e9dafa140ba64c0e632a50]

CVE-2021-4155: xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP
just like fallocate

CVSS v3 score is not provided

An information leak bug was found in xfs when using the XFS_IOC_ALLOCSP
ioctl operation.
All stable kernels and the mainline kernel have been fixed.

Fixed status

mainline: [983d8e60f50806f90534cc5373d0ce867e5aaf79]
stable/4.14: [2af625c89bf4a41c8a0bc818d8cf30a291f216ca]
stable/4.19: [1c3564fca0e7b8c9e96245a2cb35e198b036ee9a]
stable/4.4: [56adcda55aa213e106224ff3d18ef4625e25f52b]
stable/4.9: [19e3d9a26f28f432ae89acec22ec47b2a72a502c]
stable/5.10: [16d8568378f9ee2d1e69216d39961aa72710209f]
stable/5.15: [b0e72ba9e520b95346e68800afff0db65e766ca8]
stable/5.4: [102af6edfd3a372db6e229177762a91f552e5f5e]

CVE-2021-4202: Race condition in nci_request() leads to use after free
while the device is getting removed

CVSS v3 score is not provided

A race condition bug in the NFC device code. A local attacker could
escalate privileges via this bug. However, no CIP member has
CONFIG_NFC_NCI enabled. All stable kernels and the mainline kernel have
been fixed.

Fixed status

mainline: [86cdf8e38792545161dbe3350a7eced558ba4d15,
48b71a9e66c2eab60564b1b1c85f4928ed04e406]
stable/4.14: [6e2944d8bbc58682691438b57620491b5a4b7cfb,
8937bfa226d4001875d8539ae811fce6d3df4c96]
stable/4.19: [62be2b1e7914b7340281f09412a7bbb62e6c8b67,
2350cffd71e74bf81dedc989fdec12aebe89a4a5]
stable/4.4: [6dc051117ba0e1dac9324593ff2c1c520f67ad21,
6f195c7691089c56cd1553a9ca3ca22790c0fe07]
stable/4.9: [4a59a3681158a182557c75bacd00d184f9b2a8f5,
57c076e64ab55adf556cc515914564d61979f7c2]
stable/5.10: [cb14b196d991c864ed2d1b6e79d68a7ce38e6538,
34e54703fb0fdbfc0a3cfc065d71e9a8353d3ac9]
stable/5.15: [96a209038a99a379444ea3ef9ae823e685ba60e7,
ed35e950d8e5658db5b45526be2c4e3778746909]
stable/5.4: [e418bb556ff801e11592851fd465415757a2ef68,
eff32973ecc3838d9a6dc5174bd24d76b120843c]

CVE-2021-4203: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses

CVSS v3 score is not provided

A local attacker can cause a system crash or internal kernel
information leak via this issue.
All stable kernels and the mainline kernel have been fixed.

Fixed status

mainline: [35306eb23814444bd4021f8a1c3047d3cb0c8b2b]
stable/4.14: [9d76f723256d68eea16f0c563fc80b3c14258634]
stable/4.19: [0512a9aede6e4417c4fa6e0042a7ca8bc7e06b86]
stable/4.4: [323f0968a81b082cf02ef15b447cd35e4328385e]
stable/4.9: [09818f629bafbe20e24bac919019853ea3ac5ca4]
stable/5.10: [3db53827a0e9130d9e2cbe3c3b5bca601caa4c74]
stable/5.4: [0fcfaa8ed9d1dcbe377b202a1b3cdfd4e566114c]

CVE-2021-4204: eBPF Improper Input Validation Vulnerability

CVSS v3 score is not provided

A local attacker can escalate privileges via this bug.
This bug affects kernels 5.8 and later. Commit 457f4436
("bpf: Implement BPF ring buffer and verifier support for it")
introduced this issue.

To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.

Fixed status

Not fixed yet.

CVE-2021-46283: netfilter: nf_tables: initialize set before expression setup

CVSS v3 score is not provided

A local attacker can cause a local DoS via this bug.
This issue was introduced by commit 65038428 ("netfilter: nf_tables:
allow to specify stateful expression in set definition"), which was
merged in 5.7-rc1. Kernels before 5.7 aren't affected by this issue.

Fixed status

mainline: [ad9f151e560b016b6ad3280b48e42fa11e1a5440]
stable/5.10: [36983fc2f87ea3b74a33bf460c9ee7329735b7b5]

* Updated CVEs

CVE-2021-45095: phonet: refcount leak in pep_sock_accep

Stable kernels have been updated, so the stable kernels and the mainline
kernel have all been fixed.

Fixed status

mainline: [bcd0f93353326954817a4f9fa55ec57fb38acbb0]
stable/4.14: [a025db5658d5c10019ffed0d59026da8172897b6]
stable/4.19: [4dece2760af408ad91d6e43afc485d20386c2885]
stable/4.4: [172b3f506c24a61805b3910b9acfe7159d980b9b]
stable/4.9: [3bae29ecb2909c46309671090311230239f1bdd7]
stable/5.10: [4f260ea5537db35d2eeec9bca78a74713078a544]
stable/5.15: [9ca97a693aa8b86e8424f0047198ea3ab997d50f]
stable/5.4: [2a6a811a45fde5acb805ead4d1e942be3875b302]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

No fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


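The "Fixed status" blocks above are the raw material for deciding what each stable tree still needs. The script below is an added example, written for this page; it is not part of the thread or of CIP's tooling. It reads a report in exactly the format used above and prints, per CVE, which tracked stable branches have no fix commit listed. The branch list is an assumption about what a reader tracks, not CIP's official list, and "missing" only means no backport is recorded: for CVE-2021-46283 the report itself says kernels before 5.7 are unaffected, so the gaps it prints there are expected. The script points at what to triage, it does not decide vulnerability.

```sh
#!/bin/sh
# Added example; this script is not part of the cip-dev thread or of CIP's
# tooling. It reads a weekly CVE report in the format used above (a
# "CVE-YYYY-NNNN: title" line, then "Fixed status" with "mainline: [sha]" and
# "stable/X.Y: [sha, ...]" lines, or "Not fixed yet.") and prints, per CVE,
# which tracked stable branches have no fix commit recorded. The branch list
# is an assumption about what a reader tracks, not CIP's official list.

TRACKED_BRANCHES="4.4 4.9 4.14 4.19 5.10"

# missing_fixes "BRANCHES" < report
# One line per CVE: "<CVE-ID> missing: <branch> ..." or "... missing: (none)";
# a block saying "Not fixed yet." or "No fix information" gives
# "... missing: (no fix upstream)". Branches are listed in TRACKED order.
missing_fixes() {
    awk -v branches="$1" '
    function flush(    i, k, out) {
        if (cve == "") return
        if (nofix) {
            print cve " missing: (no fix upstream)"
        } else {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(blist[i] in seen)) out = out " " blist[i]
            out = (out == "") ? " (none)" : out
            print cve " missing:" out
        }
        for (k in seen) delete seen[k]
        nofix = 0
    }
    BEGIN { n = split(branches, blist, " ") }
    /^CVE-[0-9]+-[0-9]+:/  { flush(); cve = $1; sub(/:$/, "", cve); next }
    /^Not fixed yet\./     { nofix = 1; next }
    /^(There is no|No) fix information/ { nofix = 1; next }
    /^stable\/[0-9.]+: \[/ { b = $1; sub(/^stable\//, "", b); sub(/:$/, "", b); seen[b] = 1; next }
    END { flush() }
    '
}

# Constructed excerpt: three entries copied from the report above, enough to
# show the three outcomes (one gap, no upstream fix, several gaps).
SAMPLE_REPORT=$(cat <<'EOF'
CVE-2021-39633: ip_gre: add validation for csum_start

Fixed status

mainline: [1d011c4803c72f3907eccfc1ec63caefb852fcbf]
stable/4.14: [99279223a37b46dc7716ec4e0ed4b3e03f1cfa4c]
stable/4.19: [c33471daf2763c5aee2b7926202c74b75c365119]
stable/4.9: [41d5dfa408130433cc5f037ad89bed854bf936f7]
stable/5.10: [fb45459d9ddb1edd4a8b087bafe875707753cb10]
stable/5.4: [53b480e68c1c2c778b620cc7f45a2ba5dff518ca]

CVE-2021-4204: eBPF Improper Input Validation Vulnerability

Fixed status

Not fixed yet.

CVE-2021-46283: netfilter: nf_tables: initialize set before expression setup

Fixed status

mainline: [ad9f151e560b016b6ad3280b48e42fa11e1a5440]
stable/5.10: [36983fc2f87ea3b74a33bf460c9ee7329735b7b5]
EOF
)

# Usage: sh missing_fixes.sh [report.txt]; without a file the excerpt is used.
if [ $# -gt 0 ]; then
    missing_fixes "$TRACKED_BRANCHES" < "$1"
else
    printf '%s\n' "$SAMPLE_REPORT" | missing_fixes "$TRACKED_BRANCHES"
fi
```

Run on the excerpt it prints "CVE-2021-39633 missing: 4.4", "CVE-2021-4204 missing: (no fix upstream)" and "CVE-2021-46283 missing: 4.4 4.9 4.14 4.19", which is the same gap list Pavel raises by hand further down the thread for the ip_gre fix. Saving a mail as text and passing it as the argument works on the whole weekly report.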

* Re: [cip-dev] New CVE entries in this week
  2022-01-12 23:39 New CVE entries in this week Masami Ichikawa
@ 2022-01-13  8:07 ` Pavel Machek
  2022-01-13 12:41   ` Masami Ichikawa
From: Pavel Machek @ 2022-01-13  8:07 UTC (permalink / raw)
  To: cip-dev

Hi!

> * New CVEs
> 
> CVE-2021-39633: ip_gre: add validation for csum_start
> 
> CVSS v3 score is not provided
> 
> An information leak bug was found in gre_handle_offloads() which is in
> net/ipv4/ip_gre.c.
> This fix uses skb_checksum_start() to check data but this function was
> introduced at 4.6-rc1 commit 08b64fc ("net: Store checksum result for
> offloaded GSO checksums") so applying this patch requires commit
> 08b64fc too.
> 
> Fixed status
> 
> mainline: [1d011c4803c72f3907eccfc1ec63caefb852fcbf]
> stable/4.9: [41d5dfa408130433cc5f037ad89bed854bf936f7]

So this needs more investigation and possibly a 4.4 port? 08b64fc looks
quite small/simple.

> CVE-2021-39634: epoll: do not insert into poll queues until all sanity
> checks are done
> 
> CVSS v3 score is not provided
> 
> A local attacker could gain his privilege by abusing this bug. All
> stable kernels and the mainline kernels have already been fixed.
> 
> Fixed status

...and 4.19 and older is fixed, and 5.10 already contains
f8d4f44df056c5b504b0d49683fb7279218fd207, so nothing to do here. Good.

> CVE-2021-4204: eBPF Improper Input Validation Vulnerability
> 
> CVSS v3 score is not provided
> 
> A local attacker can escalate privileges via this bug.
> This bug is affecting the 5.8 or later kernel. The commit 457f4436
> ("bpf: Implement BPF ring buffer and verifier support for it")
> introduced this issue.
> 
> To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.
> 
> Fixed status
> 
> Not fixed yet.

Apparently Ubuntu has a fix for this. But I guess we can wait till it
hits mainline.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries in this week
  2022-01-13  8:07 ` [cip-dev] " Pavel Machek
@ 2022-01-13 12:41   ` Masami Ichikawa
From: Masami Ichikawa @ 2022-01-13 12:41 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Jan 13, 2022 at 5:07 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > * New CVEs
> >
> > CVE-2021-39633: ip_gre: add validation for csum_start
> >
> > CVSS v3 score is not provided
> >
> > An information leak bug was found in gre_handle_offloads() which is in
> > net/ipv4/ip_gre.c.
> > This fix uses skb_checksum_start() to check data but this function was
> > introduced at 4.6-rc1 commit 08b64fc ("net: Store checksum result for
> > offloaded GSO checksums") so applying this patch requires commit
> > 08b64fc too.
> >
> > Fixed status
> >
> > mainline: [1d011c4803c72f3907eccfc1ec63caefb852fcbf]
> > stable/4.9: [41d5dfa408130433cc5f037ad89bed854bf936f7]
>
> So this needs more investigation and possibly 4.4 port? 08b64fc looks
> quite small/simple.
>

I checked it.
The following patches are required to apply commit 1d011c4 ("ip_gre: add
validation for csum_start"):

1. 7644345 ("net: Move GSO csum into SKB_GSO_CB")
2. 08b64fc ("net: Store checksum result for offloaded GSO checksums")

Commit 1d011c4 requires commit 08b64fc, and 08b64fc requires commit
7644345. Both 7644345 and 08b64fc apply to the stable/4.4.y tree
without any modification. Commit 1d011c4 needed an easy fix.

> > CVE-2021-39634: epoll: do not insert into poll queues until all sanity
> > checks are done
> >
> > CVSS v3 score is not provided
> >
> > A local attacker could gain his privilege by abusing this bug. All
> > stable kernels and the mainline kernels have already been fixed.
> >
> > Fixed status
>
> ...and 4.19 and older is fixed, and 5.10 already contains
> f8d4f44df056c5b504b0d49683fb7279218fd207, so nothing to do here. Good.
>
> > CVE-2021-4204: eBPF Improper Input Validation Vulnerability
> >
> > CVSS v3 score is not provided
> >
> > A local attacker can escalate privileges via this bug.
> > This bug is affecting the 5.8 or later kernel. The commit 457f4436
> > ("bpf: Implement BPF ring buffer and verifier support for it")
> > introduced this issue.
> >
> > To mitigate this issue, set kernel.unprivileged_bpf_disabled to 1.
> >
> > Fixed status
> >
> > Not fixed yet.
>
> Apparently Ubuntu has a fix for this. But I guess we can wait till it
> hits mainline.
>
> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


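The check Masami describes (which prerequisite commits a fix needs, whether the stable tree already carries them, and whether the chain applies without modification) is mechanical enough to script. What follows is an added example for this page, not the thread's or CIP's tooling. It assumes it runs inside a clone that has both the upstream history and the stable branch fetched, a git new enough for `git worktree remove` (2.17 or later), and that a stable backport records its origin in the message as "commit <sha> upstream." or "[ Upstream commit <sha> ]", which is how the stable trees mark backports. The `linux-4.4.y` branch name and the abbreviated SHAs in the usage text are the ones discussed in this thread.

```sh
#!/bin/sh
# Added example; this script is not part of the cip-dev thread or of CIP's
# tooling. It automates the check described above: given a stable branch and
# the upstream commits a fix depends on, in dependency order (for
# CVE-2021-39633 the thread found 7644345 -> 08b64fc -> 1d011c4), say for each
# one whether the branch already has it and, if not, whether it cherry-picks
# cleanly on top of whatever came before. Assumes it runs inside a clone that
# has both the upstream history and the stable branch; the SHAs in the usage
# text are the ones quoted in the thread.

# has_commit BRANCH SHA: 0 if SHA is an ancestor of BRANCH, or if a commit
# on BRANCH records it as its upstream source (stable backports carry
# "commit <sha> upstream." or "[ Upstream commit <sha> ]").
has_commit() {
    branch=$1; sha=$2
    git merge-base --is-ancestor "$sha" "$branch" 2>/dev/null && return 0
    full=$(git rev-parse --verify -q "${sha}^{commit}") || return 1
    [ -n "$(git rev-list -n1 -E --grep="^commit $full upstream|Upstream commit $full" "$branch")" ]
}

# check_backport BRANCH SHA...: prints one line per commit ("present",
# "clean" or "CONFLICT") and returns 1 if a commit conflicted. Missing
# commits are cherry-picked, in order, onto a throw-away detached worktree
# of BRANCH, so a later commit is tested on top of its prerequisites; the
# worktree is removed afterwards and BRANCH itself is never touched.
check_backport() {
    branch=$1; shift
    tmp=$(mktemp -d) || return 2
    wt=$tmp/wt
    git worktree add -q --detach "$wt" "$branch" || { rmdir "$tmp"; return 2; }
    rc=0
    for sha in "$@"; do
        subject=$(git log -1 --format=%s "$sha" 2>/dev/null) || subject='(unknown commit)'
        if has_commit "$branch" "$sha"; then
            printf 'present   %s  %s\n' "$sha" "$subject"
        elif git -C "$wt" -c user.name=backport-check -c user.email=backport-check@localhost \
                cherry-pick --keep-redundant-commits "$sha" >/dev/null 2>&1; then
            printf 'clean     %s  %s\n' "$sha" "$subject"
        else
            printf 'CONFLICT  %s  %s  (manual backport needed; later commits not tested)\n' \
                "$sha" "$subject"
            git -C "$wt" cherry-pick --abort >/dev/null 2>&1 || true
            rc=1
            break
        fi
    done
    git worktree remove --force "$wt" >/dev/null 2>&1 || true
    rmdir "$tmp" 2>/dev/null || true
    return $rc
}

if [ $# -lt 2 ]; then
    echo "usage: $0 <stable-branch> <upstream-sha>... (in dependency order)" >&2
    echo "  e.g. $0 linux-4.4.y 7644345 08b64fc 1d011c4   # CVE-2021-39633 chain" >&2
else
    check_backport "$@"
fi
```

A "clean" line means the commit cherry-picks without conflicts, which is what the thread means by "apply without any modification"; it says nothing about whether the result builds or is correct for that tree, so the usual stable-tree review and build test still follow. The "present" detection relies on the upstream SHA appearing in the backport's message; a backport that omitted it would show up as "clean" (git's redundant-commit handling) rather than "present".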

* Re: [cip-dev] New CVE entries in this week
  2022-01-29 21:03 ` Pavel Machek
@ 2022-01-31  0:00   ` Masami Ichikawa
From: Masami Ichikawa @ 2022-01-31  0:00 UTC (permalink / raw)
  To: cip-dev

Hi !

On Sun, Jan 30, 2022 at 6:03 AM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
> >
>
> > CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
> >
> > CVSS v3 score is not provided
> >
> > Vulnerability in the i915 driver. Without an active IOMMU, malicious
> > userspace can gain access (from the code executing on the GPU) to random
> > memory pages.
> >
> > Fixed status
> >
> > mainline: [7938d61591d33394a21bdd7797a245b65428f44c]
>
> Wow. This must have been important. It looks like 5.10.95 (+4.4 and
> 4.19) was released just to get this fixed. Fix is "interesting" but...
> it should be fixed.
>

Yes. Stable kernels were fixed :)

stable/4.14: [eed39c1918f1803948d736c444bfacba2a482ad0]
stable/4.19: [b188780649081782e341e52223db47c49f172712]
stable/4.4: [db6a2082d5a2ebc5ffa41f7213a544d55f73793a]
stable/4.9: [84f4ab5b47d955ad2bb30115d7841d3e8f0994f4]
stable/5.10: [6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88]
stable/5.15: [8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7]
stable/5.16: [ec1b6497a2bc0293c064337e981ea1f6cbe57930]
stable/5.4: [1b5553c79d52f17e735cd924ff2178a2409e6d0b]


> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
  2022-01-26 23:51 Masami Ichikawa
  2022-01-27  8:21 ` [cip-dev] " nobuhiro1.iwamatsu
@ 2022-01-29 21:03 ` Pavel Machek
  2022-01-31  0:00   ` Masami Ichikawa
From: Pavel Machek @ 2022-01-29 21:03 UTC (permalink / raw)
  To: cip-dev

Hi!
> 

> CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
> 
> CVSS v3 score is not provided
> 
> Vulnerability in the i915 driver. Without an active IOMMU, malicious
> userspace can gain access (from the code executing on the GPU) to random
> memory pages.
> 
> Fixed status
> 
> mainline: [7938d61591d33394a21bdd7797a245b65428f44c]

Wow. This must have been important. It looks like 5.10.95 (+4.4 and
4.19) was released just to get this fixed. Fix is "interesting" but...
it should be fixed.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries in this week
  2022-01-27  8:21 ` [cip-dev] " nobuhiro1.iwamatsu
@ 2022-01-28  6:18   ` Masami Ichikawa
From: Masami Ichikawa @ 2022-01-28  6:18 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Jan 27, 2022 at 5:21 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
> > Behalf Of Masami Ichikawa
> > Sent: Thursday, January 27, 2022 8:51 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entries in this week
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week reported 4 new CVEs.
> >
> > * New CVEs
> >
> > CVE-2022-0322: sctp: account stream padding length for reconf chunk
> >
> > CVSS v3 score is not provided
> >
> > This issue was introduced by commit cc16f00 ("sctp: add support for
> > generating stream reconf ssn reset request chunk") in 4.11-rc1, so 4.9 and 4.4
> > aren't affected by this issue. All kernels have been fixed.
> >
> > Fixed status
> >
> > mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
> > stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
> > stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
> > stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]
> > stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]
> >
> > CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch
> >
> > CVSS v3 score is not provided
> >
> > A local user who has certain privileges is able to gather kernel internal memory
> > addresses.
> > This issue was introduced by commit 38086bf ("bpf: Propagate stack bounds
> > to registers in atomics w/ BPF_FETCH"), which was merged in 5.12-rc1-dontuse,
> > and fixed in 5.17-rc1, so kernels before 5.12 aren't affected by this issue.
> >
> > Fixed status
> >
> > mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
> > stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]
> >
> > CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
> >
> > CVSS v3 score is not provided
> >
> > Vulnerability in the i915 driver. Without an active IOMMU malicious userspace
> > can gain access (from the code executing on the GPU) to random memory
> > pages.
> >
> > Fixed status
> >
> > mainline: [7938d61591d33394a21bdd7797a245b65428f44c]
> >
> > CVE-2021-22600: net/packet: rx_owner_map depends on pg_vec
> >
> > CVSS v3 score: NIST: not provided
> > CVSS v3 score: CNA: 6.6 medium
> >
> > A double free bug in packet_set_ring() in net/packet/af_packet.c can be
> > exploited by a local user through crafted syscalls to escalate privileges or deny
> > service.
> > This issue was introduced by commit 61fad68 ("net/packet: tpacket_rcv:
> > avoid a producer race condition"). This commit was merged in 5.6.
> > However, it was backported to 5.4, 4.19, and 4.14, so those kernels are also
> > affected, but it was not backported to 4.4 and 4.9.
>
> Commit 61fad68 was not backported to 4.4 and 4.9, but I think we need to
> make sure whether this is also needed for 4.4.
>

I did a quick check on applying 61fad68 ("net/packet: tpacket_rcv: avoid
a producer race condition"); it seems that we would at least need the
following patches.

- 58d19b1 ("packet: vnet_hdr support for tpacket_rcv")
- 55655e3 ("net/packet: fix memory leak in packet_set_ring()")

Commit 55655e3 added a goto label to fix a bug which was introduced by
commit 7f953ab ("af_packet: TX_RING support for TPACKET_V3"). Commit
7f953ab is not backported to 4.4.y. Backporting commit 7f953ab seems
like a heavy task.

> >
> > Fixed status
> >
> > mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
> > stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
> > stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
> > stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
> > stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
> > stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]
> >
>
> Best regards,
>   Nobuhiro
>
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* RE: [cip-dev] New CVE entries in this week
  2022-01-26 23:51 Masami Ichikawa
@ 2022-01-27  8:21 ` nobuhiro1.iwamatsu
  2022-01-28  6:18   ` Masami Ichikawa
  2022-01-29 21:03 ` Pavel Machek
From: nobuhiro1.iwamatsu @ 2022-01-27  8:21 UTC (permalink / raw)
  To: cip-dev

Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
> Behalf Of Masami Ichikawa
> Sent: Thursday, January 27, 2022 8:51 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entries in this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> This week reported 4 new CVEs.
> 
> * New CVEs
> 
> CVE-2022-0322: sctp: account stream padding length for reconf chunk
> 
> CVSS v3 score is not provided
> 
> This issue was introduced by commit cc16f00 ("sctp: add support for
> generating stream reconf ssn reset request chunk") in 4.11-rc1, so 4.9 and 4.4
> aren't affected by this issue. All kernels have been fixed.
> 
> Fixed status
> 
> mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
> stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
> stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
> stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]
> stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]
> 
> CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch
> 
> CVSS v3 score is not provided
> 
> A local user who has certain privileges is able to gather kernel internal memory
> addresses.
> This issue was introduced by commit 38086bf ("bpf: Propagate stack bounds
> to registers in atomics w/ BPF_FETCH"), which was merged in 5.12-rc1-dontuse,
> and fixed in 5.17-rc1, so kernels before 5.12 aren't affected by this issue.
> 
> Fixed status
> 
> mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
> stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]
> 
> CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store
> 
> CVSS v3 score is not provided
> 
> Vulnerability in the i915 driver. Without an active IOMMU malicious userspace
> can gain access (from the code executing on the GPU) to random memory
> pages.
> 
> Fixed status
> 
> mainline: [7938d61591d33394a21bdd7797a245b65428f44c]
> 
> CVE-2021-22600: net/packet: rx_owner_map depends on pg_vec
> 
> CVSS v3 score: NIST: not provided
> CVSS v3 score: CNA: 6.6 medium
> 
> A double free bug in packet_set_ring() in net/packet/af_packet.c can be
> exploited by a local user through crafted syscalls to escalate privileges or deny
> service.
> This issue was introduced by commit 61fad68 ("net/packet: tpacket_rcv:
> avoid a producer race condition"). This commit was merged in 5.6.
> However, it was backported to 5.4, 4.19, and 4.14, so those kernels are also
> affected, but it was not backported to 4.4 and 4.9.

Commit 61fad68 was not backported to 4.4 and 4.9, but I think we need to
make sure whether this is also needed for 4.4.

> 
> Fixed status
> 
> mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
> stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
> stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
> stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
> stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
> stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]
> 

Best regards,
  Nobuhiro



* Re: [cip-dev] New CVE entries in this week
  2021-12-30 10:20 ` [cip-dev] " Pavel Machek
@ 2021-12-30 23:05   ` Masami Ichikawa
From: Masami Ichikawa @ 2021-12-30 23:05 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Dec 30, 2021 at 7:20 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
> > __f2fs_setxattr()
> >
> > CVSS v3 score is not provided
> >
> > OOB access bug in __f2fs_setxattr().
> >
> > Although it is fixed in stable trees, the patch isn't merged in the
> > mainline yet as of 2021/12/30. The commit 5598b24 ("f2fs: fix to do
> > sanity check on last xattr entry in __f2fs_setxattr()") is in
> > https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
> > but not in the mainline.
> >
>
> Interesting. That's wrong and unusual for a stable tree.
>
> > CVE-2021-45480: rds: memory leak in __rds_conn_create()
> >
> > CVSS v3 score is not provided
> >
> > This bug was introduced by commit aced3ce57cd3 ("RDS tcp loopback
> > connection can hang"), which was merged in 5.13-rc4.
>
> It was also merged in 4.19-stable as 0a3158ac5999fe. That's why we see
> 4.19 tree needing the fix. 4.4 is not affected. Good.
>

Thank you for the information.

> > mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
> > stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]
>
> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,
-- 
/**
* Masami Ichikawa
* personal: masami256@gmail.com
* fedora project: masami@fedoraproject.org
*/



* Re: [cip-dev] New CVE entries in this week
  2021-12-29 23:29 Masami Ichikawa
@ 2021-12-30 10:20 ` Pavel Machek
  2021-12-30 23:05   ` Masami Ichikawa
From: Pavel Machek @ 2021-12-30 10:20 UTC (permalink / raw)
  To: cip-dev

Hi!

> CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
> __f2fs_setxattr()
> 
> CVSS v3 score is not provided
> 
> OOB access bug in __f2fs_setxattr().
>
> Although it is fixed in stable trees, the patch isn't merged in the
> mainline yet as of 2021/12/30. The commit 5598b24 ("f2fs: fix to do
> sanity check on last xattr entry in __f2fs_setxattr()") is in
> https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=dev&id=5598b24efaf4892741c798b425d543e4bed357a1
> but not in the mainline.
> 

Interesting. That's wrong and unusual for a stable tree.

> CVE-2021-45480: rds: memory leak in __rds_conn_create()
> 
> CVSS v3 score is not provided
> 
> This bug was introduced by commit aced3ce57cd3 ("RDS tcp loopback
> connection can hang"), which was merged in 5.13-rc4.

It was also merged in 4.19-stable as 0a3158ac5999fe. That's why we see
4.19 tree needing the fix. 4.4 is not affected. Good.

> mainline: [5f9562ebe710c307adc5f666bf1a2162ee7977c0]
> stable/4.19: [1ed173726c1a0082e9d77c7d5a85411e85bdd983]

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries in this week
  2021-12-23  0:48 Masami Ichikawa
@ 2021-12-23 17:11 ` Pavel Machek
From: Pavel Machek @ 2021-12-23 17:11 UTC (permalink / raw)
  To: cip-dev

Hi!

> CVE-2021-45095: phonet: refcount leak in pep_sock_accep
> 
> CVSS v3 score is not provided
> 
> This issue is a refcount leak in pep_sock_accep(). It's been fixed in
> the mainline.
> 
> Fixed status
> 
> mainline: [bcd0f93353326954817a4f9fa55ec57fb38acbb0]

This is Nokia modem stuff. It is enabled in several of our configs,
but I don't think anyone is really using it.

> CVE-2021-4149: Improper lock operation in btrfs
> 
> CVSS v3 score is not provided
> 
> There is a deadlock problem in fs/btrfs/extent-tree.c. This problem
> allows a local attacker to carry out a DoS attack on the system.
> The patch specifies that the vulnerable kernel version is 5.4 or later.
> In stable/4.4 and stable/4.9, the buf value is not locked in
> btrfs_init_new_buffer(). However, stable/4.19 takes a lock in
> btrfs_init_new_buffer()
> (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/btrfs/extent-tree.c?h=linux-4.19.y#n8145)
> so it seems 4.19 has the same issue.

> Fixed status
> 
> mainline: [19ea40dddf1833db868533958ca066f368862211]
> stable/5.10: [206868a5b6c14adc4098dd3210a2f7510d97a670]
> stable/5.4: [005a07c9acd6cf8a40555884f0650dfd4ec23fbe]

This may be worth looking into.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries in this week
  2021-12-15 23:49 Masami Ichikawa
  2021-12-16  5:26 ` [cip-dev] " nobuhiro1.iwamatsu
@ 2021-12-16  8:49 ` Pavel Machek
From: Pavel Machek @ 2021-12-16  8:49 UTC (permalink / raw)
  To: cip-dev

Hi!

> CVE-2021-3864: descendant's dumpable setting with certain SUID binaries
> 
> CVSS v3 score is not provided
> 
> This bug makes it possible to write a coredump file anywhere. However,
> abusing this bug for something like arbitrary code execution requires
> some program. The PoC: https://www.openwall.com/lists/oss-security/2021/10/20/2.
> Two mitigation techniques are suggested, so users are recommended to
> follow them.
> 
> Fixed status
> 
> Not fixed yet.

This one is actually quite interesting.

Untrusted users should not normally have shell access on embedded
systems, but it highlights the topic of coredumps. The default config of
coredumping is unsuitable for many embedded systems; coredumps should
probably be disabled.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


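Two runtime mitigations come up in this thread: the 2022-01-12 report recommends kernel.unprivileged_bpf_disabled=1 against CVE-2021-4204, and Pavel's remark above is that coredumps should be disabled on embedded systems. The audit below is an added example for this page, not the thread's or CIP's tooling. It checks a `sysctl -a` style snapshot against those two points; which values count as acceptable (BPF disabled for unprivileged users, fs.suid_dumpable 0, a core_pattern that discards dumps) is the editor's assumption about an embedded system, not CIP policy, and the two snapshots it ships with are constructed, not captured from a real board.

```sh
#!/bin/sh
# Added example; this script is not part of the cip-dev thread or of CIP's
# tooling. It checks a `sysctl -a` style snapshot ("key = value" lines) for
# the two mitigations raised in the thread: kernel.unprivileged_bpf_disabled=1
# against CVE-2021-4204, and coredumps disabled for embedded systems (the
# CVE-2021-3864 discussion). Which settings count as acceptable is the
# editor's assumption about an embedded system, not CIP policy.

# value SNAPSHOT KEY: prints KEY's value from the snapshot (empty if absent).
value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { sub(/^[^=]*= ?/, ""); print; exit }'
}

report() { printf '%-4s %s = %s%s\n' "$1" "$2" "$3" "${4:+  ($4)}"; }

# audit_snapshot SNAPSHOT: one OK/FAIL line per check; returns the FAIL count.
audit_snapshot() {
    snap=$1; fails=0

    v=$(value "$snap" kernel.unprivileged_bpf_disabled)
    case "$v" in
        1|2) report OK kernel.unprivileged_bpf_disabled "$v" ;;   # 2 (5.15+): disabled, root may re-enable
        *)   report FAIL kernel.unprivileged_bpf_disabled "${v:-unset}" \
                 "set to 1: unprivileged BPF is the CVE-2021-4204 attack surface"
             fails=$((fails + 1)) ;;
    esac

    v=$(value "$snap" fs.suid_dumpable)
    case "$v" in
        0) report OK fs.suid_dumpable "$v" ;;
        *) report FAIL fs.suid_dumpable "${v:-unset}" "set to 0: set-uid processes must not dump core"
           fails=$((fails + 1)) ;;
    esac

    v=$(value "$snap" kernel.core_pattern)
    case "$v" in
        '|/bin/false'*|'|/bin/true'*) report OK kernel.core_pattern "$v" ;;
        '|'*) report FAIL kernel.core_pattern "$v" "coredumps are piped to a handler; on embedded systems disable them"
              fails=$((fails + 1)) ;;
        *)    report FAIL kernel.core_pattern "${v:-unset}" "coredumps are written to files; set to |/bin/false or RLIMIT_CORE=0"
              fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Constructed snapshots (not taken from any real system): a typical desktop
# default set and the hardened set this script expects.
WEAK_SNAPSHOT='kernel.unprivileged_bpf_disabled = 0
fs.suid_dumpable = 2
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h'

HARDENED_SNAPSHOT='kernel.unprivileged_bpf_disabled = 1
fs.suid_dumpable = 0
kernel.core_pattern = |/bin/false'

# Usage: sh audit.sh --live   (reads the running kernel via sysctl -a)
#        sh audit.sh          (runs on the two constructed snapshots)
if [ "${1:-}" = "--live" ]; then
    audit_snapshot "$(sysctl -a 2>/dev/null)"
else
    echo "# weak snapshot";     audit_snapshot "$WEAK_SNAPSHOT" || true
    echo "# hardened snapshot"; audit_snapshot "$HARDENED_SNAPSHOT"
fi
```

The exit status is the number of failed checks, so the script drops into a CI job or a boot-time self-test as is. Note that kernel.core_pattern is only half of the coredump story: RLIMIT_CORE (ulimit -c) set to 0 by init also suppresses dumps and is not visible in sysctl output, so a system that passes on core_pattern alone may still want that limit set, and one that fails on core_pattern may already be covered by it.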

* Re: [cip-dev] New CVE entries in this week
  2021-12-16  5:26 ` [cip-dev] " nobuhiro1.iwamatsu
@ 2021-12-16  5:58   ` Masami Ichikawa
From: Masami Ichikawa @ 2021-12-16  5:58 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Dec 16, 2021 at 2:27 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
> >
> > CVSS v3 score is not provided
> >
> > The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> > kernel versions. However, it looks like 4.4 also has the same issue.
> >
> > Fixed status
> >
> > mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> > stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> > stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> > stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> > stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> > stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]
>
> I created a patch which revises this issue. I have attached it to this mail.
>

Thank you. LGTM !

> Best regards,
>   Nobuhiro
> ________________________________________
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
> Sent: December 16, 2021 8:49
> To: cip-dev
> Subject: [cip-dev] New CVE entries in this week
>
> Hi !
>
> It's this week's CVE report.
>
> This week, ten new CVEs were reported and two of them aren't fixed in the
> mainline yet.
>
> * New CVEs
>
> CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible
> way to read kernel memory due to uninitialized data
>
> CVSS v3 score is not provided
>
> This bug is fixed in the Android kernel. There are three commits to fix this bug.
>
> https://android.googlesource.com/kernel/common/+/e113eb454e92
> https://android.googlesource.com/kernel/common/+/60a4c35570d9
> https://android.googlesource.com/kernel/common/+/4b05a506bda0
>
> These commits modified net/netfilter/xt_quota2.c, which is an Android
> specific source. So this CVE is an Android-specific bug. The mainline and
> stable kernels aren't affected.
>
> Fixed status
>
> The mainline and stable kernels aren't affected.
>
> CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
>
> CVSS v3 score is not provided
>
> The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> kernel versions. However, it looks like 4.4 also has the same issue.
>
> Fixed status
>
> mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]
>
> CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file
>
> The commit that introduced the bug, b0841ee, was merged in 5.3-rc8. This
> commit isn't backported to 4.4, so 4.4 isn't affected.
>
> Fixed status
>
> mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
> stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
> stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
> stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
> stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
> stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]
>
> CVE-2021-39657: scsi: ufs: Correct the LUN used in
> eh_device_reset_handler() callback
>
> CVSS v3 score is not provided
>
> The bug was fixed in 5.11-rc4, so mainline and stable kernels are already fixed.
>
> Fixed status
>
> mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
> stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
> stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
> stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
> stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
> stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
> stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]
>
> CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in
> nfsd4_decode_bitmap function
>
> CVSS v3 score is not provided
>
> OOB write bug in nfsd. This bug was introduced by commit d1c263a
> ("NFSD: Replace READ* macros in nfsd4_decode_fattr()") since 5.11-rc1
> and fixed in 5.16-rc2. Kernels before 5.11 aren't affected by this issue.
>
> Fixed status
>
> mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
> stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]
>
> CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io
>
> CVSS v3 score is not provided
>
> OOB read/write bug in AMD SVM mode. This bug was introduced by commit
> 7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"),
> which was merged in 5.11-rc1. Kernels before 5.11 aren't affected by
> this issue.
>
> Fixed status
>
> mainline: [95e16b4792b0429f1933872f743410f00e590c55]
>
> CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get()
> in virt/kvm/dirty_ring.c
>
> CVSS v3 score is not provided
>
> This issue was introduced by commit 629b534 ("KVM: x86/xen: update
> wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before
> 5.12-rc1-dontuse aren't affected by this issue.
> The patch is being reviewed.
>
> Fixed status
>
> Not fixed yet.
>
> CVE-2021-3864: descendant's dumpable setting with certain SUID binaries
>
> CVSS v3 score is not provided
>
> This bug can write a coredump file anywhere. However, abusing this
> bug for something such as arbitrary code execution requires some
> program. The PoC: https://www.openwall.com/lists/oss-security/2021/10/20/2
> Two mitigation techniques are suggested, so users are recommended to
> follow these mitigation techniques.
>
> Fixed status
>
> Not fixed yet.
>
> CVE-2021-4083: fget: check that the fd still exists after getting a ref to it
>
> CVSS v3 score is not provided
>
> UAF bug in fs/file.c. It causes a system crash or privilege escalation.
> The mainline and all stable kernels are already fixed.
>
> Fixed status
>
> mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
> stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
> stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
> stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
> stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
> stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
> stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
> stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]
>
> CVE-2021-39685: Linux Kernel USB Gadget buffer overflow
>
> CVSS v3 score is not provided
>
> Buffer overflow bug in USB gadget devices. An attacker can read and/or
> write up to 65k of kernel memory.
> It is already fixed in mainline and all stable kernels.
>
> Fixed status
>
> mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038,
> 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
> stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24,
> d8cd524ae4ec788011a14be17503fc224f260fe3]
> stable/4.19: [13e45e7a262dd96e8161823314679543048709b9,
> 32de5efd483db68f12233fbf63743a2d92f20ae4]
> stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35,
> af21211c327c4703c7681fa7286c4d660682e413]
> stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419,
> e4de8ca013f06ad4a0bf40420a291c23990e4131]
> stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b,
> e4de8ca013f06ad4a0bf40420a291c23990e4131]
> stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d,
> 6eea4ace62fa6414432692ee44f0c0a3d541d97a]
> stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b,
> 9978777c5409d6c856cac1adf5930e3c84f057be]
>
> * Updated CVEs
>
> no updated CVEs.
>
> Currently tracking CVEs
>
> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> There is no fix information.
>
> CVE-2020-26555: BR/EDR pin code pairing broken
>
> No fix information.
>
> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> Provisioning Leads to MITM
>
> No fix information.
>
> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
>
> No fix information.
>
>
> Regards,
> --
> Masami Ichikawa
> Cybertrust Japan Co., Ltd.
>
> Email :masami.ichikawa@cybertrust.co.jp
>           :masami.ichikawa@miraclelinux.com
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7114): https://lists.cip-project.org/g/cip-dev/message/7114
> Mute This Topic: https://lists.cip-project.org/mt/87756776/4520416
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129101/4520416/1465703922/xyzzy [masami.ichikawa@miraclelinux.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
  2021-12-15 23:49 Masami Ichikawa
@ 2021-12-16  5:26 ` nobuhiro1.iwamatsu
  2021-12-16  5:58   ` Masami Ichikawa
  2021-12-16  8:49 ` Pavel Machek
  1 sibling, 1 reply; 25+ messages in thread
From: nobuhiro1.iwamatsu @ 2021-12-16  5:26 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 7960 bytes --]

Hi,

> CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
> 
> CVSS v3 score is not provided
> 
> The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> kernel versions. However, it looks like 4.4 also has the same issue.
> 
> Fixed status
> 
> mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

I created a patch which revises this issue. It is attached to this mail.

Best regards,
  Nobuhiro
________________________________________
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Sent: December 16, 2021 8:49
To: cip-dev
Subject: [cip-dev] New CVE entries in this week

Hi !

It's this week's CVE report.

This week, ten new CVEs were reported and two of them aren't fixed in the
mainline yet.

* New CVEs

CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible
way to read kernel memory due to uninitialized data

CVSS v3 score is not provided

This bug is fixed in the Android kernel. There are three commits to fix this bug.

https://android.googlesource.com/kernel/common/+/e113eb454e92
https://android.googlesource.com/kernel/common/+/60a4c35570d9
https://android.googlesource.com/kernel/common/+/4b05a506bda0

These commits modified net/netfilter/xt_quota2.c, which is an Android
specific source. So this CVE is an Android-specific bug. The mainline and
stable kernels aren't affected.

Fixed status

The mainline and stable kernels aren't affected.

CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name

CVSS v3 score is not provided

The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
kernel versions. However, it looks like 4.4 also has the same issue.

Fixed status

mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file

The commit that introduced the bug, b0841ee, was merged in 5.3-rc8. This
commit isn't backported to 4.4, so 4.4 isn't affected.

Fixed status

mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]

CVE-2021-39657: scsi: ufs: Correct the LUN used in
eh_device_reset_handler() callback

CVSS v3 score is not provided

The bug was fixed in 5.11-rc4, so mainline and stable kernels are already fixed.

Fixed status

mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]

CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in
nfsd4_decode_bitmap function

CVSS v3 score is not provided

OOB write bug in nfsd. This bug was introduced by commit d1c263a
("NFSD: Replace READ* macros in nfsd4_decode_fattr()") since 5.11-rc1
and fixed in 5.16-rc2. Kernels before 5.11 aren't affected by this issue.

Fixed status

mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]

CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io

CVSS v3 score is not provided

OOB read/write bug in AMD SVM mode. This bug was introduced by commit
7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"),
which was merged in 5.11-rc1. Kernels before 5.11 aren't affected by
this issue.

Fixed status

mainline: [95e16b4792b0429f1933872f743410f00e590c55]

CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c

CVSS v3 score is not provided

This issue was introduced by commit 629b534 ("KVM: x86/xen: update
wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before
5.12-rc1-dontuse aren't affected by this issue.
The patch is being reviewed.

Fixed status

Not fixed yet.

CVE-2021-3864: descendant's dumpable setting with certain SUID binaries

CVSS v3 score is not provided

This bug can write a coredump file anywhere. However, abusing this
bug for something such as arbitrary code execution requires some
program. The PoC: https://www.openwall.com/lists/oss-security/2021/10/20/2
Two mitigation techniques are suggested, so users are recommended to
follow these mitigation techniques.

Fixed status

Not fixed yet.

CVE-2021-4083: fget: check that the fd still exists after getting a ref to it

CVSS v3 score is not provided

UAF bug in fs/file.c. It causes a system crash or privilege escalation.
The mainline and all stable kernels are already fixed.

Fixed status

mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]

CVE-2021-39685: Linux Kernel USB Gadget buffer overflow

CVSS v3 score is not provided

Buffer overflow bug in USB gadget devices. An attacker can read and/or
write up to 65k of kernel memory.
It is already fixed in mainline and all stable kernels.

Fixed status

mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038,
86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24,
d8cd524ae4ec788011a14be17503fc224f260fe3]
stable/4.19: [13e45e7a262dd96e8161823314679543048709b9,
32de5efd483db68f12233fbf63743a2d92f20ae4]
stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35,
af21211c327c4703c7681fa7286c4d660682e413]
stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d,
6eea4ace62fa6414432692ee44f0c0a3d541d97a]
stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b,
9978777c5409d6c856cac1adf5930e3c84f057be]

* Updated CVEs

no updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch --]
[-- Type: application/octet-stream, Size: 2459 bytes --]

From 8d34956ed2c9247f1bbbf63fd1b0000afd1faaee Mon Sep 17 00:00:00 2001
From: Eddie Hung <eddie.hung@mediatek.com>
Date: Tue, 29 Dec 2020 18:53:35 +0800
Subject: [PATCH] usb: gadget: configfs: Fix use-after-free issue with udc_name

commit 64e6bbfff52db4bf6785fab9cffab850b2de6870 upstream.

There is a use-after-free issue if udc_name is accessed
in function gadget_dev_desc_UDC_store after another context
frees udc_name in function unregister_gadget.

Context 1:
gadget_dev_desc_UDC_store()->unregister_gadget()->
free udc_name->set udc_name to NULL

Context 2:
gadget_dev_desc_UDC_show()-> access udc_name

Call trace:
dump_backtrace+0x0/0x340
show_stack+0x14/0x1c
dump_stack+0xe4/0x134
print_address_description+0x78/0x478
__kasan_report+0x270/0x2ec
kasan_report+0x10/0x18
__asan_report_load1_noabort+0x18/0x20
string+0xf4/0x138
vsnprintf+0x428/0x14d0
sprintf+0xe4/0x12c
gadget_dev_desc_UDC_show+0x54/0x64
configfs_read_file+0x210/0x3a0
__vfs_read+0xf0/0x49c
vfs_read+0x130/0x2b4
SyS_read+0x114/0x208
el0_svc_naked+0x34/0x38

Add mutex_lock to protect this kind of scenario.

Signed-off-by: Eddie Hung <eddie.hung@mediatek.com>
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Reference: CVE-2021-39648]
[iwamatsu: struct usb_gadget_driver does not have udc_name variable.
           Change struct gadget_info's udc_name.]
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 drivers/usb/gadget/configfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 0ef3f4e452428c..6e1172450c7345 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -241,7 +241,16 @@ static ssize_t gadget_dev_desc_bcdUSB_store(struct config_item *item,
 
 static ssize_t gadget_dev_desc_UDC_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%s\n", to_gadget_info(item)->udc_name ?: "");
+	struct gadget_info *gi = to_gadget_info(item);
+	char *udc_name;
+	int ret;
+
+	mutex_lock(&gi->lock);
+	udc_name = gi->udc_name;
+	ret = sprintf(page, "%s\n", udc_name ?: "");
+	mutex_unlock(&gi->lock);
+
+	return ret;
 }
 
 static int unregister_gadget(struct gadget_info *gi)
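Review bot: the read side now takes gi->lock, but the free side is not in this hunk; confirm that in the 4.4 tree gadget_dev_desc_UDC_store() holds gi->lock across unregister_gadget() (which, per the commit message, frees udc_name and sets it to NULL), because the lock in gadget_dev_desc_UDC_show() alone does not close the race if the writer runs unlocked. The `char *udc_name` local is only ever dereferenced under the lock, so `ret = sprintf(page, "%s\n", gi->udc_name ?: "");` would be equivalent and makes the protected access easier to see.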
-- 
2.34.1



* Re: [cip-dev] New CVE entries in this week
  2021-12-09  9:20 ` [cip-dev] " Pavel Machek
@ 2021-12-09 14:12   ` Masami Ichikawa
  0 siblings, 0 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-12-09 14:12 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Dec 9, 2021 at 6:21 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > * New CVEs
> >
> > CVE-2021-39636: "no details"
> >
> > CVSS v3 score is not provided
> >
> > There are no vulnerability details yet. However, five patches
> > are addressed, so the bug is in the netfilter module.
> >
> > f32815d ("xtables: add xt_match, xt_target and data copy_to_user
> > functions"): merged in 4.11-rc1
> > f77bc5b ("iptables: use match, target and data copy_to_user helpers"):
> > merged in 4.11-rc1
> > e47ddb2 ("ip6tables: use match, target and data copy_to_user
> > helpers"): merged in 4.11-rc1
> > ec23189 ("xtables: extend matches and targets with .usersize"): merged
> > in 4.11-rc1
> > 1e98ffe ("netfilter: x_tables: fix pointer leaks to userspace"):
> > merged in 4.16-rc1. This fixes commit ec23189 ("xtables: extend
> > matches and targets with .usersize") that was merged in 4.11-rc1.
> >
> > Fixed status
> >
> > mainline: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> > f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
> >   e47ddb2c4691fd2bd8d25745ecb6848408899757,
> > ec23189049651b16dc2ffab35a4371dc1f491aca,
> >   1e98ffea5a8935ec040ab72299e349cb44b8defd]
> > stable/4.14: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> > f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
> >   e47ddb2c4691fd2bd8d25745ecb6848408899757,
> > ec23189049651b16dc2ffab35a4371dc1f491aca,
> >   ad10785a706e63ff155fc97860cdcc5e3bc5992d]
>
> Hmm. Fun. 1e98ffea5a8935ec040ab72299e349cb44b8defd may have a clue:
>
>     This leads to kernel pointer leaks if a match/target is set
>     and then read back to userspace.
>
> So that sounds like a KASLR workaround? iptables are normally limited to
> privileged users, and KASLR is just a technology to make exploitation
> hard. I don't think we care too much here.
>

I got it.

> > CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions
> >
> > CVSS v3 score is not provided
> >
> > Fixed status
> >
> > The BPF subsystem in the kernel through 4.17-rc7 has an overflow bug.
> >
> > mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
>
> Fun. JITs are hard to get right. I guess "avoid BPF" and "certainly
> don't allow unprivileged access to BPF" is good advice.
>

Yeah, I agree.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
  2021-12-08 23:44 Masami Ichikawa
@ 2021-12-09  9:20 ` Pavel Machek
  2021-12-09 14:12   ` Masami Ichikawa
  0 siblings, 1 reply; 25+ messages in thread
From: Pavel Machek @ 2021-12-09  9:20 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 2265 bytes --]

Hi!

> * New CVEs
> 
> CVE-2021-39636: "no details"
> 
> CVSS v3 score is not provided
> 
> There are no vulnerability details yet. However, five patches
> are addressed, so the bug is in the netfilter module.
> 
> f32815d ("xtables: add xt_match, xt_target and data copy_to_user
> functions"): merged in 4.11-rc1
> f77bc5b ("iptables: use match, target and data copy_to_user helpers"):
> merged in 4.11-rc1
> e47ddb2 ("ip6tables: use match, target and data copy_to_user
> helpers"): merged in 4.11-rc1
> ec23189 ("xtables: extend matches and targets with .usersize"): merged
> in 4.11-rc1
> 1e98ffe ("netfilter: x_tables: fix pointer leaks to userspace"):
> merged in 4.16-rc1. This fixes commit ec23189 ("xtables: extend
> matches and targets with .usersize") that was merged in 4.11-rc1.
> 
> Fixed status
> 
> mainline: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
>   e47ddb2c4691fd2bd8d25745ecb6848408899757,
> ec23189049651b16dc2ffab35a4371dc1f491aca,
>   1e98ffea5a8935ec040ab72299e349cb44b8defd]
> stable/4.14: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> f77bc5b23fb1af51fc0faa8a479dea8969eb5079,
>   e47ddb2c4691fd2bd8d25745ecb6848408899757,
> ec23189049651b16dc2ffab35a4371dc1f491aca,
>   ad10785a706e63ff155fc97860cdcc5e3bc5992d]

Hmm. Fun. 1e98ffea5a8935ec040ab72299e349cb44b8defd may have a clue:

    This leads to kernel pointer leaks if a match/target is set
    and then read back to userspace.

So that sounds like a KASLR workaround? iptables are normally limited to
privileged users, and KASLR is just a technology to make exploitation
hard. I don't think we care too much here.

> CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions
> 
> CVSS v3 score is not provided
> 
> Fixed status
> 
> The BPF subsystem in the kernel through 4.17-rc7 has an overflow bug.
> 
> mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]

Fun. JITs are hard to get right. I guess "avoid BPF" and "certainly
don't allow unprivileged access to BPF" is good advice.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

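Two remarks in this thread are configuration advice rather than CVE triage: the reply on CVE-2021-3864 earlier on this page says coredumps should probably be disabled on embedded systems, and the reply just above says not to allow unprivileged access to BPF. The following POSIX sh audit is an added example, not code from the thread or from the CIP project. It reads the real sysctl files under /proc and the shell's core limit; the check functions take the raw values as arguments so they can be exercised on constructed input, and the OK/WARN/INFO wording is my own. The note on pipe-style core_pattern comes from the comment in fs/coredump.c that "core limits are irrelevant to pipes".

```shell
#!/bin/sh
# Added example (not from the cip-dev thread): audit the coredump and
# unprivileged-BPF settings discussed on the list. Run "sh audit.sh --live"
# to check the running kernel; the check_* functions are pure so they can
# be tested on constructed values.

# kernel.core_pattern: a leading '|' makes the kernel spawn a user-space
# helper (as root) for every crash; an absolute path writes the file there;
# anything else is relative to the crashing process's working directory.
check_core_pattern() {
    case "$1" in
        "|"*) echo "WARN core_pattern pipes dumps to helper: ${1#"|"}" ;;
        /*)   echo "WARN core_pattern writes dumps to absolute path: $1" ;;
        *)    echo "INFO core_pattern writes dumps into the process cwd: $1" ;;
    esac
}

# fs.suid_dumpable: 0 (default) never dumps a process whose credentials
# changed (setuid binaries, dropped privileges); 1 dumps them like any
# other process; 2 dumps them only via a pipe or an absolute-path pattern.
check_suid_dumpable() {
    case "$1" in
        0) echo "OK   suid_dumpable=0: privilege-changed processes are not dumped" ;;
        1) echo "WARN suid_dumpable=1: setuid/privilege-changed processes are dumped" ;;
        2) echo "INFO suid_dumpable=2: privilege-changed processes dumped via pipe/absolute path only" ;;
        *) echo "WARN suid_dumpable has unexpected value: $1" ;;
    esac
}

# RLIMIT_CORE (ulimit -c). fs/coredump.c notes that "core limits are
# irrelevant to pipes": with a '|' pattern the kernel still spawns the
# helper when the limit is 0 and only passes the limit along (%c), so the
# limit alone is not a kill switch in that configuration.
check_core_limit() {
    cl_pattern=$1
    cl_limit=$2
    case "$cl_limit" in
        0)
            case "$cl_pattern" in
                "|"*) echo "WARN RLIMIT_CORE=0 but core_pattern is a pipe: kernel still spawns the helper" ;;
                *)    echo "OK   RLIMIT_CORE=0: no core file is written" ;;
            esac ;;
        unlimited) echo "WARN RLIMIT_CORE=unlimited" ;;
        *)         echo "WARN RLIMIT_CORE=$cl_limit: core files are written" ;;
    esac
}

# kernel.unprivileged_bpf_disabled: 0 allows unprivileged bpf(2);
# 1 disables it until reboot; 2 disables it but root can set it back to 0.
check_unprivileged_bpf() {
    case "$1" in
        0) echo "WARN unprivileged_bpf_disabled=0: unprivileged users can load BPF programs" ;;
        1) echo "OK   unprivileged_bpf_disabled=1: locked until reboot" ;;
        2) echo "OK   unprivileged_bpf_disabled=2: disabled, re-enablable by root" ;;
        *) echo "WARN unprivileged_bpf_disabled has unexpected value: $1" ;;
    esac
}

# audit_settings CORE_PATTERN SUID_DUMPABLE CORE_LIMIT UNPRIV_BPF
# prints one verdict line per check.
audit_settings() {
    check_core_pattern "$1"
    check_suid_dumpable "$2"
    check_core_limit "$1" "$3"
    check_unprivileged_bpf "$4"
}

# Count WARN lines in a report (grep -c prints 0 and exits 1 on no match).
count_warnings() {
    printf '%s\n' "$1" | grep -c '^WARN' || true
}

# Read the live values; a sysctl missing on this kernel becomes "missing".
run_live_audit() {
    la_pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo missing)
    la_dumpable=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo missing)
    la_bpf=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo missing)
    audit_settings "$la_pattern" "$la_dumpable" "$(ulimit -c)" "$la_bpf"
}

if [ "${1:-}" = "--live" ]; then
    run_live_audit
fi
```

The check on RLIMIT_CORE is deliberately conditional on core_pattern: on a system with a pipe helper, "ulimit -c 0" alone does not stop the kernel from invoking the helper, so an embedded image that wants coredumps off should either replace the pipe pattern or make sure the helper itself declines dumps.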


* Re: [cip-dev] New CVE entries in this week
  2021-11-25  9:09   ` Pavel Machek
@ 2021-11-25 12:01     ` Masami Ichikawa
  0 siblings, 0 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-11-25 12:01 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Nov 25, 2021 at 6:09 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > > Fixed status
> > >
> > > mainline: [353050be4c19e102178ccc05988101887c25ae53]
> >
> > I attached a patch for 5.10.
>
> Thank you.
>
> Looks good to me,
>
> Reviewed-by: Pavel Machek <pavel@denx.de>
>

Thank you for the review! I sent the patch to the stable list.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
  2021-11-25  8:00   ` nobuhiro1.iwamatsu
@ 2021-11-25 12:00     ` Masami Ichikawa
  0 siblings, 0 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-11-25 12:00 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Nov 25, 2021 at 5:00 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > > CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking
> > >
> > > CVSS v3 score is not provided.
> > >
> > > This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2. The patch for 5.15 is in the stable-rt tree. The patches for 5.4 (https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10 (https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?
> > >
> > > Fixed status
> > >
> > > mainline: [353050be4c19e102178ccc05988101887c25ae53]
> > >
> >
> > I attached a patch for 5.10.
>
> Thanks, LGTM.
> I think it would be better to add a comment about the conflict fixing.
> e.g. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=1ada86999dc84b852fcc32962f4002e939f4beb7
>

Thank you ! I added a comment and sent patch to the stable list.

> Best regards,
>   Nobuhiro
>
> ________________________________________
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
> Sent: November 25, 2021 14:16
> To: cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] New CVE entries in this week
>
> Hi !
>
> On Thu, Nov 25, 2021 at 11:42 AM Masami Ichikawa via
> lists.cip-project.org
> <masami.ichikawa=miraclelinux.com@lists.cip-project.org> wrote:
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week, two new CVEs were reported.
> >
> > * New CVEs
> >
> > CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.
> >
> > CVSS v3 score is 5.5 MEDIUM.
> >
> > Intel released a fixed version of the driver kit. Not sure whether this CVE affects the mainline's source code.
> >
> > Fixed status
> >
> > Intel released a fixed version of the driver kit.
> >
> > CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking
> >
> > CVSS v3 score is not provided.
> >
> > This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2. The patch for 5.15 is in the stable-rt tree. The patches for 5.4 (https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10 (https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?
> >
> > Fixed status
> >
> > mainline: [353050be4c19e102178ccc05988101887c25ae53]
> >
>
> I attached a patch for 5.10.
>
> > * Updated CVEs
> >
> > CVE-2021-3640: UAF in sco_send_frame function
> >
> > 5.10 and 5.15 were fixed this week.
> >
> > Fixed status
> >
> > mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
> > stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
> > stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
> > stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
> > stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]
> >
> > CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
> >
> > The mainline kernel was fixed in 5.16-rc2.
> >
> > Fixed status
> >
> > mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]
> >
> > Currently tracking CVEs
> >
> > CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> > Bluetooth Core Specifications 4.0 through 5.2
> >
> > There is no fix information.
> >
> > CVE-2020-26555: BR/EDR pin code pairing broken
> >
> > No fix information.
> >
> > CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
> >
> > No fix information.
> >
> > CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> > Provisioning Leads to MITM
> >
> > No fix information.
> >
> > CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
> >
> > No fix information.
> >
> > CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
> >
> > No fix information.
> >
> > Regards,
> >
> > --
> > Masami Ichikawa
> > Cybertrust Japan Co., Ltd.
> >
> > Email :masami.ichikawa@cybertrust.co.jp
> >           :masami.ichikawa@miraclelinux.com
> >
> >
> >
>
> Regards,
>
> --
> Masami Ichikawa
> Cybertrust Japan Co., Ltd.
>
> Email :masami.ichikawa@cybertrust.co.jp
>           :masami.ichikawa@miraclelinux.com
>
>
>


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries in this week
  2021-11-25  2:41 Masami Ichikawa
@ 2021-11-25  9:14 ` Pavel Machek
  0 siblings, 0 replies; 25+ messages in thread
From: Pavel Machek @ 2021-11-25  9:14 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1278 bytes --]

Hi!

> * Updated CVEs
> 
> CVE-2021-3640: UAF in sco_send_frame function
> 
> 5.10 and 5.15 were fixed this week.
> 
> Fixed status
> 
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
> stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
> stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
> stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
> stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

Interesting.

commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951
Author: Takashi Iwai <tiwai@suse.de>

Says:

    This should be the last piece for fixing CVE-2021-3640 after a few
    already queued fixes.

Which means more than 99c23da0eed is needed to fix this one;
unfortunately it does not give us a good way to identify which commits
are needed.

> CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
> 
> The mainline kernel was fixed in 5.16-rc2.
> 
> Fixed status
> 
> mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]

This is protection of kernel against malicious hardware. I believe we
can ignore this.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* Re: [cip-dev] New CVE entries in this week
  2021-11-25  5:16 ` Masami Ichikawa
  2021-11-25  8:00   ` nobuhiro1.iwamatsu
@ 2021-11-25  9:09   ` Pavel Machek
  2021-11-25 12:01     ` Masami Ichikawa
  1 sibling, 1 reply; 25+ messages in thread
From: Pavel Machek @ 2021-11-25  9:09 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

Hi!

> > Fixed status
> >
> > mainline: [353050be4c19e102178ccc05988101887c25ae53]
> 
> I attached a patch for 5.10.

Thank you.

Looks good to me,

Reviewed-by: Pavel Machek <pavel@denx.de>

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 25+ messages in thread

* Re: [cip-dev] New CVE entries in this week
  2021-11-25  5:16 ` Masami Ichikawa
@ 2021-11-25  8:00   ` nobuhiro1.iwamatsu
  2021-11-25 12:00     ` Masami Ichikawa
  2021-11-25  9:09   ` Pavel Machek
  1 sibling, 1 reply; 25+ messages in thread
From: nobuhiro1.iwamatsu @ 2021-11-25  8:00 UTC (permalink / raw)
  To: cip-dev

Hi,

> > CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking
> >
> > CVSS v3 score is not provided.
> >
> > This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2.  The patch for 5.15 is in the stable-rt tree. The patches for 5.4 (https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10 (https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?
> > Fixed status
> >
> > mainline: [353050be4c19e102178ccc05988101887c25ae53]
> >
>
> I attached a patch for 5.10.

Thanks, LGTM.
I think it would be better to add a comment about the conflict fix.
e.g. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=1ada86999dc84b852fcc32962f4002e939f4beb7

Best regards,
  Nobuhiro

________________________________________
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Sent: November 25, 2021 14:16
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] New CVE entries in this week

Hi !

On Thu, Nov 25, 2021 at 11:42 AM Masami Ichikawa via
lists.cip-project.org
<masami.ichikawa=miraclelinux.com@lists.cip-project.org> wrote:
>
> Hi !
>
> It's this week's CVE report.
>
> This week reported two new CVEs.
>
> * New CVEs
>
> CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.
>
> CVSS v3 score is 5.5 MEDIUM.
>
> Intel released a fixed version of the driver kit. Not sure whether this CVE affects the mainline source code.
>
> Fixed status
>
> Intel released a fixed version of the driver kit.
>
> CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking
>
> CVSS v3 score is not provided.
>
> This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2.  The patch for 5.15 is in the stable-rt tree. The patches for 5.4 (https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10 (https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?
> Fixed status
>
> mainline: [353050be4c19e102178ccc05988101887c25ae53]
>

I attached a patch for 5.10.

> * Updated CVEs
>
> CVE-2021-3640: UAF in sco_send_frame function
>
> 5.10 and 5.15 were fixed this week.
>
> Fixed status
>
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
> stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
> stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
> stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
> stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]
>
> CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
>
> The mainline kernel was fixed in 5.16-rc2.
>
> Fixed status
>
> mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]
>
> Currently tracking CVEs
>
> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> There is no fix information.
>
> CVE-2020-26555: BR/EDR pin code pairing broken
>
> No fix information
>
> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> Provisioning Leads to MITM
>
> No fix information.
>
> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
>
> No fix information.
>
> Regards,
>
> --
> Masami Ichikawa
> Cybertrust Japan Co., Ltd.
>
> Email :masami.ichikawa@cybertrust.co.jp
>           :masami.ichikawa@miraclelinux.com
>
>
>

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



^ permalink raw reply	[flat|nested] 25+ messages in thread

* Re: [cip-dev] New CVE entries in this week
       [not found] <16BAA9D56D09F20A.23256@lists.cip-project.org>
@ 2021-11-25  5:16 ` Masami Ichikawa
  2021-11-25  8:00   ` nobuhiro1.iwamatsu
  2021-11-25  9:09   ` Pavel Machek
  0 siblings, 2 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-11-25  5:16 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3335 bytes --]

Hi !

On Thu, Nov 25, 2021 at 11:42 AM Masami Ichikawa via
lists.cip-project.org
<masami.ichikawa=miraclelinux.com@lists.cip-project.org> wrote:
>
> Hi !
>
> It's this week's CVE report.
>
> This week reported two new CVEs.
>
> * New CVEs
>
> CVE-2021-33098: Improper input validation in the Intel(R) Ethernet ixgbe driver for Linux before version 3.17.3 may allow an authenticated user to potentially enable denial of service via local access.
>
> CVSS v3 score is 5.5 MEDIUM.
>
> Intel released a fixed version of the driver kit. Not sure whether this CVE affects the mainline source code.
>
> Fixed status
>
> Intel released a fixed version of the driver kit.
>
> CVE-2021-4001: bpf: Fix toctou on read-only map's constant scalar tracking
>
> CVSS v3 score is not provided.
>
> This bug was introduced in 5.5-rc1 and fixed in 5.16-rc2.  The patch for 5.15 is in the stable-rt tree. The patches for 5.4 (https://lore.kernel.org/stable/163757721744154@kroah.com/) and 5.10 (https://lore.kernel.org/stable/1637577215186161@kroah.com/) failed to apply. However, this bug was introduced in 5.5-rc1, so 5.4 can be ignored?
> Fixed status
>
> mainline: [353050be4c19e102178ccc05988101887c25ae53]
>

I attached a patch for 5.10.

> * Updated CVEs
>
> CVE-2021-3640: UAF in sco_send_frame function
>
> 5.10 and 5.15 were fixed this week.
>
> Fixed status
>
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
> stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
> stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
> stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
> stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]
>
> CVE-2021-43975: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
>
> The mainline kernel was fixed in 5.16-rc2.
>
> Fixed status
>
> mainline: [b922f622592af76b57cbc566eaeccda0b31a3496]
>
> Currently tracking CVEs
>
> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> There is no fix information.
>
> CVE-2020-26555: BR/EDR pin code pairing broken
>
> No fix information
>
> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> Provisioning Leads to MITM
>
> No fix information.
>
> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
>
> No fix information.
>
> Regards,
>
> --
> Masami Ichikawa
> Cybertrust Japan Co., Ltd.
>
> Email :masami.ichikawa@cybertrust.co.jp
>           :masami.ichikawa@miraclelinux.com
>
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-bpf-Fix-toctou-on-read-only-map-s-constant-scalar-tr.patch --]
[-- Type: text/x-patch, Size: 12638 bytes --]

From d435a217fcbef826f7c3b684d530e70bdaee9142 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Tue, 9 Nov 2021 18:48:08 +0000
Subject: [PATCH] bpf: Fix toctou on read-only map's constant scalar tracking

From: Daniel Borkmann <daniel@iogearbox.net>

commit 353050be4c19e102178ccc05988101887c25ae53 upstream

Commit a23740ec43ba ("bpf: Track contents of read-only maps as scalars") is
checking whether maps are read-only both from BPF program side and user space
side, and then, given their content is constant, reading out their data via
map->ops->map_direct_value_addr() which is then subsequently used as known
scalar value for the register, that is, it is marked as __mark_reg_known()
with the read value at verification time. Before a23740ec43ba, the register
content was marked as an unknown scalar so the verifier could not make any
assumptions about the map content.

The current implementation however is prone to a TOCTOU race, meaning, the
value read as known scalar for the register is not guaranteed to be exactly
the same at a later point when the program is executed, and as such, the
prior made assumptions of the verifier with regards to the program will be
invalid which can cause issues such as OOB access, etc.

While the BPF_F_RDONLY_PROG map flag is always fixed and required to be
specified at map creation time, the map->frozen property is initially set to
false for the map given the map value needs to be populated, e.g. for global
data sections. Once complete, the loader "freezes" the map from user space
such that no subsequent updates/deletes are possible anymore. For the rest
of the lifetime of the map, this freeze one-time trigger cannot be undone
anymore after a successful BPF_MAP_FREEZE cmd return. Meaning, any new BPF_*
cmd calls which would update/delete map entries will be rejected with -EPERM
since map_get_sys_perms() removes the FMODE_CAN_WRITE permission. This also
means that pending update/delete map entries must still complete before this
guarantee is given. This corner case is not an issue for loaders since they
create and prepare such program private map in successive steps.

However, a malicious user is able to trigger this TOCTOU race in two different
ways: i) via userfaultfd, and ii) via batched updates. For i) userfaultfd is
used to expand the competition interval, so that map_update_elem() can modify
the contents of the map after map_freeze() and bpf_prog_load() were executed.
This works, because userfaultfd halts the parallel thread which triggered a
map_update_elem() at the time where we copy key/value from the user buffer and
this already passed the FMODE_CAN_WRITE capability test given at that time the
map was not "frozen". Then, the main thread performs the map_freeze() and
bpf_prog_load(), and once that had completed successfully, the other thread
is woken up to complete the pending map_update_elem() which then changes the
map content. For ii) the idea of the batched update is similar, meaning, when
there are a large number of updates to be processed, it can increase the
competition interval between the two. It is therefore possible in practice to
modify the contents of the map after executing map_freeze() and bpf_prog_load().

One way to fix both i) and ii) at the same time is to expand the use of the
map's map->writecnt. The latter was introduced in fc9702273e2e ("bpf: Add mmap()
support for BPF_MAP_TYPE_ARRAY") and further refined in 1f6cb19be2e2 ("bpf:
Prevent re-mmap()'ing BPF map as writable for initially r/o mapping") with
the rationale to make a writable mmap()'ing of a map mutually exclusive with
read-only freezing. The counter indicates writable mmap() mappings and then
prevents/fails the freeze operation. Its semantics can be expanded beyond
just mmap() by generally indicating ongoing write phases. This would essentially
span any parallel regular and batched flavor of update/delete operation and
then also have map_freeze() fail with -EBUSY. For the check_mem_access() in
the verifier we expand upon the bpf_map_is_rdonly() check ensuring that all
last pending writes have completed via bpf_map_write_active() test. Once the
map->frozen is set and bpf_map_write_active() indicates a map->writecnt of 0
only then we are really guaranteed to use the map's data as known constants.
For map->frozen being set and pending writes in process of still being completed
we fall back to marking that register as unknown scalar so we don't end up
making assumptions about it. With this, both TOCTOU reproducers from i) and
ii) are fixed.

Note that the map->writecnt has been converted into a atomic64 in the fix in
order to avoid a double freeze_mutex mutex_{un,}lock() pair when updating
map->writecnt in the various map update/delete BPF_* cmd flavors. Spanning
the freeze_mutex over entire map update/delete operations in syscall side
would not be possible due to then causing everything to be serialized.
Similarly, something like synchronize_rcu() after setting map->frozen to wait
for update/deletes to complete is not possible either since it would also
have to span the user copy which can sleep. On the libbpf side, this won't
break d66562fba1ce ("libbpf: Add BPF object skeleton support") as the
anonymous mmap()-ed "map initialization image" is remapped as a BPF map-backed
mmap()-ed memory where for .rodata it's non-writable.

Fixes: a23740ec43ba ("bpf: Track contents of read-only maps as scalars")
Reported-by: w1tcher.bupt@gmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reference: CVE-2021-4001
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
 include/linux/bpf.h   |  3 ++-
 kernel/bpf/syscall.c  | 57 +++++++++++++++++++++++++++----------------
 kernel/bpf/verifier.c | 17 ++++++++++++-
 3 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 1f62a4eec283..474a0d852614 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -173,7 +173,7 @@ struct bpf_map {
 	atomic64_t usercnt;
 	struct work_struct work;
 	struct mutex freeze_mutex;
-	u64 writecnt; /* writable mmap cnt; protected by freeze_mutex */
+	atomic64_t writecnt;
 };
 
 static inline bool map_value_has_spin_lock(const struct bpf_map *map)
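Review bot: the replacement field in this hunk drops the old `/* writable mmap cnt; protected by freeze_mutex */` comment without saying what writecnt means now. After this patch it also counts in-flight update/delete syscalls, which are not taken under freeze_mutex, so a one-line comment such as `atomic64_t writecnt; /* writable mmap()s + in-flight syscall-side writes */` would keep the new accounting and locking rule next to the field.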
@@ -1252,6 +1252,7 @@ void bpf_map_charge_move(struct bpf_map_memory *dst,
 void *bpf_map_area_alloc(u64 size, int numa_node);
 void *bpf_map_area_mmapable_alloc(u64 size, int numa_node);
 void bpf_map_area_free(void *base);
+bool bpf_map_write_active(const struct bpf_map *map);
 void bpf_map_init_from_attr(struct bpf_map *map, union bpf_attr *attr);
 int  generic_map_lookup_batch(struct bpf_map *map,
 			      const union bpf_attr *attr,
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5b6da64da46d..bb9a9cb1f321 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -127,6 +127,21 @@ static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
 	return map;
 }
 
+static void bpf_map_write_active_inc(struct bpf_map *map)
+{
+	atomic64_inc(&map->writecnt);
+}
+
+static void bpf_map_write_active_dec(struct bpf_map *map)
+{
+	atomic64_dec(&map->writecnt);
+}
+
+bool bpf_map_write_active(const struct bpf_map *map)
+{
+	return atomic64_read(&map->writecnt) != 0;
+}
+
 static u32 bpf_map_value_size(struct bpf_map *map)
 {
 	if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
@@ -588,11 +603,8 @@ static void bpf_map_mmap_open(struct vm_area_struct *vma)
 {
 	struct bpf_map *map = vma->vm_file->private_data;
 
-	if (vma->vm_flags & VM_MAYWRITE) {
-		mutex_lock(&map->freeze_mutex);
-		map->writecnt++;
-		mutex_unlock(&map->freeze_mutex);
-	}
+	if (vma->vm_flags & VM_MAYWRITE)
+		bpf_map_write_active_inc(map);
 }
 
 /* called for all unmapped memory region (including initial) */
@@ -600,11 +612,8 @@ static void bpf_map_mmap_close(struct vm_area_struct *vma)
 {
 	struct bpf_map *map = vma->vm_file->private_data;
 
-	if (vma->vm_flags & VM_MAYWRITE) {
-		mutex_lock(&map->freeze_mutex);
-		map->writecnt--;
-		mutex_unlock(&map->freeze_mutex);
-	}
+	if (vma->vm_flags & VM_MAYWRITE)
+		bpf_map_write_active_dec(map);
 }
 
 static const struct vm_operations_struct bpf_map_default_vmops = {
@@ -654,7 +663,7 @@ static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
 		goto out;
 
 	if (vma->vm_flags & VM_MAYWRITE)
-		map->writecnt++;
+		bpf_map_write_active_inc(map);
 out:
 	mutex_unlock(&map->freeze_mutex);
 	return err;
@@ -1086,6 +1095,7 @@ static int map_update_elem(union bpf_attr *attr)
 	map = __bpf_map_get(f);
 	if (IS_ERR(map))
 		return PTR_ERR(map);
+	bpf_map_write_active_inc(map);
 	if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
 		err = -EPERM;
 		goto err_put;
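Review bot: bpf_map_write_active_inc() is placed before the FMODE_CAN_WRITE test on purpose, so that a writer that has already passed the permission check is always visible to map_freeze() and to the verifier; that ordering is the whole fix and deserves a comment here, since a later cleanup that moves the inc below the check would silently reopen the race. Please also confirm that every exit between this inc and the err_put label in the 5.10 version of map_update_elem() goes through err_put; a path that returns directly would leak a writecnt and make map_freeze() return -EBUSY for the rest of the map's lifetime.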
@@ -1127,6 +1137,7 @@ static int map_update_elem(union bpf_attr *attr)
 free_key:
 	kfree(key);
 err_put:
+	bpf_map_write_active_dec(map);
 	fdput(f);
 	return err;
 }
@@ -1149,6 +1160,7 @@ static int map_delete_elem(union bpf_attr *attr)
 	map = __bpf_map_get(f);
 	if (IS_ERR(map))
 		return PTR_ERR(map);
+	bpf_map_write_active_inc(map);
 	if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
 		err = -EPERM;
 		goto err_put;
@@ -1179,6 +1191,7 @@ static int map_delete_elem(union bpf_attr *attr)
 out:
 	kfree(key);
 err_put:
+	bpf_map_write_active_dec(map);
 	fdput(f);
 	return err;
 }
@@ -1483,6 +1496,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
 	map = __bpf_map_get(f);
 	if (IS_ERR(map))
 		return PTR_ERR(map);
+	bpf_map_write_active_inc(map);
 	if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ) ||
 	    !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
 		err = -EPERM;
@@ -1524,6 +1538,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
 free_key:
 	kfree(key);
 err_put:
+	bpf_map_write_active_dec(map);
 	fdput(f);
 	return err;
 }
@@ -1550,8 +1565,7 @@ static int map_freeze(const union bpf_attr *attr)
 	}
 
 	mutex_lock(&map->freeze_mutex);
-
-	if (map->writecnt) {
+	if (bpf_map_write_active(map)) {
 		err = -EBUSY;
 		goto err_put;
 	}
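Review bot: the verifier hunk later in this patch reads the flag with READ_ONCE(map->frozen), but the only change shown to map_freeze() is the writecnt test; if the store further down this function is still a plain `map->frozen = true`, it should become `WRITE_ONCE(map->frozen, true)` to pair with that READ_ONCE(). Worth checking whether a second map_freeze() hunk from the upstream commit was lost while resolving the 5.10 conflict.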
@@ -3976,6 +3990,9 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
 			    union bpf_attr __user *uattr,
 			    int cmd)
 {
+	bool has_read  = cmd == BPF_MAP_LOOKUP_BATCH ||
+			 cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH;
+	bool has_write = cmd != BPF_MAP_LOOKUP_BATCH;
 	struct bpf_map *map;
 	int err, ufd;
 	struct fd f;
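Review bot: `has_write = cmd != BPF_MAP_LOOKUP_BATCH` classifies every cmd other than LOOKUP_BATCH as a write, which is correct only because bpf_map_do_batch() is reached for the four *_BATCH commands; spelling it out as `cmd == BPF_MAP_UPDATE_BATCH || cmd == BPF_MAP_DELETE_BATCH || cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH`, or adding a short comment, would keep the intent visible if a new batch command is ever routed through here.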
@@ -3988,16 +4005,13 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
 	map = __bpf_map_get(f);
 	if (IS_ERR(map))
 		return PTR_ERR(map);
-
-	if ((cmd == BPF_MAP_LOOKUP_BATCH ||
-	     cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH) &&
-	    !(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
+	if (has_write)
+		bpf_map_write_active_inc(map);
+	if (has_read && !(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
 		err = -EPERM;
 		goto err_put;
 	}
-
-	if (cmd != BPF_MAP_LOOKUP_BATCH &&
-	    !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
+	if (has_write && !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
 		err = -EPERM;
 		goto err_put;
 	}
@@ -4010,8 +4024,9 @@ static int bpf_map_do_batch(const union bpf_attr *attr,
 		BPF_DO_BATCH(map->ops->map_update_batch);
 	else
 		BPF_DO_BATCH(map->ops->map_delete_batch);
-
 err_put:
+	if (has_write)
+		bpf_map_write_active_dec(map);
 	fdput(f);
 	return err;
 }
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a15826a9a644..5a2b28e6816e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3486,7 +3486,22 @@ static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
 
 static bool bpf_map_is_rdonly(const struct bpf_map *map)
 {
-	return (map->map_flags & BPF_F_RDONLY_PROG) && map->frozen;
+	/* A map is considered read-only if the following condition are true:
+	 *
+	 * 1) BPF program side cannot change any of the map content. The
+	 *    BPF_F_RDONLY_PROG flag is throughout the lifetime of a map
+	 *    and was set at map creation time.
+	 * 2) The map value(s) have been initialized from user space by a
+	 *    loader and then "frozen", such that no new map update/delete
+	 *    operations from syscall side are possible for the rest of
+	 *    the map's lifetime from that point onwards.
+	 * 3) Any parallel/pending map update/delete operations from syscall
+	 *    side have been completed. Only after that point, it's safe to
+	 *    assume that map value(s) are immutable.
+	 */
+	return (map->map_flags & BPF_F_RDONLY_PROG) &&
+	       READ_ONCE(map->frozen) &&
+	       !bpf_map_write_active(map);
 }
 
 static int bpf_map_direct_read(struct bpf_map *map, int off, int size, u64 *val)
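Review bot: the new comment reads "if the following condition are true"; it should be "conditions are true". The comment also lists the three tests in the order the expression evaluates them, so the write-active test only runs once frozen has been observed; a sentence saying that the last test is what covers writers that slipped past map_freeze()'s own writecnt check would help the next reader connect this hunk to the syscall.c changes.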
-- 
2.33.1


^ permalink raw reply related	[flat|nested] 25+ messages in thread
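The interleaving the commit message above describes, replayed as an added example. This is not code from the patch or the kernel but a single-threaded userspace model: the names model_map, update_begin, update_finish, freeze, is_rdonly, replay and verifier_trusts_racing_map are this example's own, the bit 0x80 stands in for BPF_F_RDONLY_PROG, and map_update_elem() is split at the point where the commit message says userfaultfd parks the writer. It shows the pre-patch bpf_map_is_rdonly() handing the verifier a "constant" that differs from what the map holds when the program runs, and the two things the patch adds: map_freeze() refusing with -EBUSY while a write is in flight, and the verifier refusing to trust a frozen map whose writecnt is non-zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for BPF_F_RDONLY_PROG; the bit value is this example's own. */
#define MODEL_F_RDONLY_PROG 0x80u

/* The three fields of struct bpf_map that bpf_map_is_rdonly() reasons about,
 * plus one map value standing in for the .rodata the verifier reads. */
struct model_map {
	unsigned int map_flags;
	bool frozen;        /* set by BPF_MAP_FREEZE */
	long writecnt;      /* atomic64_t in the kernel; single-threaded here */
	uint32_t value;
};

/* Verifier side: may the map content be folded in as a known scalar?
 * fixed=false is the pre-patch test, fixed=true adds !bpf_map_write_active(). */
static bool is_rdonly(const struct model_map *m, bool fixed)
{
	if (!(m->map_flags & MODEL_F_RDONLY_PROG) || !m->frozen)
		return false;
	return !fixed || m->writecnt == 0;
}

/* First half of map_update_elem(): the FMODE_CAN_WRITE test that
 * map_get_sys_perms() fails once the map is frozen.  With the fix the write
 * is accounted before that test.  Returns false where the kernel returns
 * -EPERM; true models the writer now parked in copy_from_user() by userfaultfd. */
static bool update_begin(struct model_map *m, bool fixed)
{
	if (fixed)
		m->writecnt++;          /* bpf_map_write_active_inc() */
	if (m->frozen) {
		if (fixed)
			m->writecnt--;  /* err_put: bpf_map_write_active_dec() */
		return false;
	}
	return true;
}

/* Second half: the stalled copy completes and the value lands in the map. */
static void update_finish(struct model_map *m, bool fixed, uint32_t v)
{
	m->value = v;
	if (fixed)
		m->writecnt--;          /* bpf_map_write_active_dec() */
}

/* map_freeze(): before the patch writecnt only counted writable mmap()s, so a
 * pending update_elem() was invisible here.  Returns false for -EBUSY. */
static bool freeze(struct model_map *m)
{
	if (m->writecnt != 0)
		return false;
	m->frozen = true;
	return true;
}

struct replay_result {
	long known;         /* value the verifier folded in, -1 if none */
	uint32_t runtime;   /* value in the map when the program would run */
};

/* Replay the userfaultfd interleaving from the commit message. */
static struct replay_result replay(bool fixed)
{
	struct model_map m = { .map_flags = MODEL_F_RDONLY_PROG, .value = 1 };
	struct replay_result r = { .known = -1 };

	bool pending = update_begin(&m, fixed); /* thread B: passes the check, stalls */
	if (freeze(&m) && is_rdonly(&m, fixed)) /* thread A: BPF_MAP_FREEZE, BPF_PROG_LOAD */
		r.known = m.value;
	if (pending)
		update_finish(&m, fixed, 0xdead);   /* thread B: woken, write completes */
	r.runtime = m.value;
	return r;
}

/* The narrower window the verifier-side check closes: a write that has been
 * accounted but that map_freeze() did not see.  Before the fix the verifier
 * trusts the value; after it the register stays an unknown scalar. */
static bool verifier_trusts_racing_map(bool fixed)
{
	struct model_map m = { .map_flags = MODEL_F_RDONLY_PROG, .frozen = true,
			       .writecnt = 1, .value = 1 };
	return is_rdonly(&m, fixed);
}

int main(void)
{
	struct replay_result r;

	r = replay(false);
	printf("before fix: verifier assumed %ld, map held 0x%x at run time\n",
	       r.known, (unsigned)r.runtime);
	r = replay(true);
	printf("after fix:  verifier assumed %ld (freeze returned -EBUSY), map held 0x%x\n",
	       r.known, (unsigned)r.runtime);
	printf("frozen map with a write in flight trusted: before=%d after=%d\n",
	       verifier_trusts_racing_map(false), verifier_trusts_racing_map(true));
	return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. The model deliberately ignores memory ordering (writecnt is a plain long here, atomic64_t in the kernel), so it demonstrates the logic of the two checks, not the barrier questions a real multi-threaded reproducer would raise.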

* Re: [cip-dev] New CVE entries in this week
  2021-11-11  9:21 ` [cip-dev] " Pavel Machek
@ 2021-11-11 12:47   ` Masami Ichikawa
  0 siblings, 0 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-11-11 12:47 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Nov 11, 2021 at 6:21 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()
> >
> > CVSS v3 score is not provided.
> >
> > ION is a memory manager which is used by Android. This CVE may affect
> > 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
> > member enabled ION. The ION driver has been removed since 5.11.
> >
> > Fixed status
> >
> > mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]
>
> Furthermore, CIP members should really not be using code from staging.
>
> > * Updated CVEs
> >
> > CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
> > avc_ca_pmt()
> >
> > 4.19 and 5.X kernels have been fixed this week. However, applying the
> > patch to 4.4 and 4.9 failed.
> > According to the cip-kernel-config repo, no CIP member uses firewire driver.
>
> This one looks rather easy to backport. It failed only because of the
> reformatting of the printk.
>

Thank you for the patch! The patch looks good to me.

> > CVE-2021-3640: UAF in sco_send_frame function
> >
> > Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
> > sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
> > for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
> > list on Nov 9. This fix can be applied to 4.4 by git-am without error.
> >
> > mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
>
> Would it make sense to ask why it was not applied?
>

Yes, I think so.

> Best regards,
>                                                                 Pavel
>
> diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
> index 280b5ffea592..3a373711f5ad 100644
> --- a/drivers/media/firewire/firedtv-avc.c
> +++ b/drivers/media/firewire/firedtv-avc.c
> @@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
>                 read_pos += program_info_length;
>                 write_pos += program_info_length;
>         }
> -       while (read_pos < length) {
> +       while (read_pos + 4 < length) {
> +               if (write_pos + 4 >= sizeof(c->operand) - 4) {
> +                       ret = -EINVAL;
> +                       goto out;
> +               }
>                 c->operand[write_pos++] = msg[read_pos++];
>                 c->operand[write_pos++] = msg[read_pos++];
>                 c->operand[write_pos++] = msg[read_pos++];
> @@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
>                 c->operand[write_pos++] = es_info_length >> 8;
>                 c->operand[write_pos++] = es_info_length & 0xff;
>                 if (es_info_length > 0) {
> +                       if (read_pos >= length) {
> +                               ret = -EINVAL;
> +                               goto out;
> +                       }
>                         pmt_cmd_id = msg[read_pos++];
>                         if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
>                                 dev_err(fdtv->device, "invalid pmt_cmd_id %d "
>                                         "at stream level\n", pmt_cmd_id);
>
> -                       if (es_info_length > sizeof(c->operand) - 4 -
> -                                            write_pos) {
> +                       if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
> +                           es_info_length > length - read_pos) {
>                                 ret = -EINVAL;
>                                 goto out;
>                         }
> diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
> index e63f582378bf..f07482fb8010 100644
> --- a/drivers/media/firewire/firedtv-ci.c
> +++ b/drivers/media/firewire/firedtv-ci.c
> @@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
>         } else {
>                 data_length = msg->msg[3];
>         }
> +       if (data_length > sizeof(msg->msg) - data_pos)
> +               return -EINVAL;
>
>         return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
>  }
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 25+ messages in thread

* Re: [cip-dev] New CVE entries in this week
  2021-11-10 23:52 Masami Ichikawa
@ 2021-11-11  9:21 ` Pavel Machek
  2021-11-11 12:47   ` Masami Ichikawa
  0 siblings, 1 reply; 25+ messages in thread
From: Pavel Machek @ 2021-11-11  9:21 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3404 bytes --]

Hi!

> CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()
> 
> CVSS v3 score is not provided.
> 
> ION is a memory manager which is used by Android. This CVE may affect
> 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
> member enabled ION. The ION driver has been removed since 5.11.
> 
> Fixed status
> 
> mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

Furthermore, CIP members should really not be using code from staging.

> * Updated CVEs
> 
> CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
> avc_ca_pmt()
> 
> 4.19 and 5.X kernels have been fixed this week. However, applying the
> patch to 4.4 and 4.9 failed.
> According to the cip-kernel-config repo, no CIP member uses firewire driver.

This one looks rather easy to backport. It failed only because of the
reformatting of the printk.

> CVE-2021-3640: UAF in sco_send_frame function
> 
> Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
> sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
> for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
> list on Nov 9. This fix can be applied to 4.4 by git-am without error.
> 
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Would it make sense to ask why it was not applied?

Best regards,
								Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
 		read_pos += program_info_length;
 		write_pos += program_info_length;
 	}
-	while (read_pos < length) {
+	while (read_pos + 4 < length) {
+		if (write_pos + 4 >= sizeof(c->operand) - 4) {
+			ret = -EINVAL;
+			goto out;
+		}
 		c->operand[write_pos++] = msg[read_pos++];
 		c->operand[write_pos++] = msg[read_pos++];
 		c->operand[write_pos++] = msg[read_pos++];
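Review bot: the two literal 4s in this hunk mean different things and deserve a comment or named constants: `read_pos + 4 < length` guarantees the bytes the loop body reads from msg per stream (the three copied here plus whatever the elided lines read for es_info_length), while `write_pos + 4 >= sizeof(c->operand) - 4` keeps four bytes of c->operand in reserve beyond the five bytes the body writes per iteration. Note also that `write_pos + 4` is converted to size_t for the comparison, which is only safe while write_pos stays non-negative.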
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
 		c->operand[write_pos++] = es_info_length >> 8;
 		c->operand[write_pos++] = es_info_length & 0xff;
 		if (es_info_length > 0) {
+			if (read_pos >= length) {
+				ret = -EINVAL;
+				goto out;
+			}
 			pmt_cmd_id = msg[read_pos++];
 			if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
 				dev_err(fdtv->device, "invalid pmt_cmd_id %d "
 					"at stream level\n", pmt_cmd_id);
 
-			if (es_info_length > sizeof(c->operand) - 4 -
-					     write_pos) {
+			if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+			    es_info_length > length - read_pos) {
 				ret = -EINVAL;
 				goto out;
 			}
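Review bot: the new `read_pos >= length` test before `pmt_cmd_id = msg[read_pos++]` is also what makes the later `es_info_length > length - read_pos` safe (after the increment read_pos is at most length, so the subtraction cannot go negative); a comment tying the two checks together would stop someone from "simplifying" one without the other. Separately, an invalid pmt_cmd_id is still only reported with dev_err() and parsing continues; that is pre-existing behaviour outside this CVE fix, but worth a follow-up.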
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
 	} else {
 		data_length = msg->msg[3];
 	}
+	if (data_length > sizeof(msg->msg) - data_pos)
+		return -EINVAL;
 
 	return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
 }
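Review bot: if data_length is a signed int, the comparison against `sizeof(msg->msg) - data_pos` is performed in size_t, so a negative data_length becomes a huge unsigned value and is rejected by accident rather than by design; an explicit `data_length < 0 ||` in the test, or an unsigned data_length, would make that intentional and survive a future type change.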

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* Re: [cip-dev] New CVE Entries in this week
  2021-11-04  9:57 ` [cip-dev] " Pavel Machek
@ 2021-11-04 13:04   ` Masami Ichikawa
  0 siblings, 0 replies; 25+ messages in thread
From: Masami Ichikawa @ 2021-11-04 13:04 UTC (permalink / raw)
  To: cip-dev

Hi!

On Thu, Nov 4, 2021 at 6:57 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
> > Vulnerability
> >
> > This CVE is fixed in 5.14-rc1.
> >
> > Fixed status
> >
> > mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
> > stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
> > stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
> > stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
> > stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]
>
> This seems to be fixed in stable/4.4, too, as
> 61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
> good.
>

Thanks. I accidentally removed stable/4.4 from the above list.
CVE-2021-34981.yml contains stable/4.4 too.

> > CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type
> >
> > This vulnerability was introduced in 5.1-rc1, so kernels before 5.10
> > aren't affected by this issue.
> > The mainline and stable kernels have been fixed.
>
> AFAICT the vulnerability was introduced by 1ef6f7c9390f in
> 5.9-rc3. But that does not change anything for us.
>
> > * Updated CVEs
> >
> > CVE-2021-3772: Invalid chunks may be used to remotely remove existing
> > associations
> >
> > This bug is in the SCTP stack; an attacker may be able to send a packet
> > with a spoofed IP address if the attacker knows the IP address and port
> > number being used.
>
> AFAICT it is more of "if attacker can send packets with spoofed IP
> addresses, he can...". Many of our configs use SCTP.
>

NVD hasn't given CVSS v3 scores yet. However, Red Hat and SUSE both
give it a score of 5.9. So it looks like it's not too serious an issue.
Of course, it'd be nice to have patches.

https://access.redhat.com/security/cve/CVE-2021-3772
https://www.suse.com/security/cve/CVE-2021-3772.html

> > CVE-2021-42327: drm/amdgpu: fix out of bounds write
> >
> > parse_write_buffer_into_params() was introduced in 5.9, so kernels
> > before 5.9 aren't affected by this vulnerability.
> >
> > This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
> > write"); however, the next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
> > out of bound writes from debugfs") says that amdgpu_dm_debugfs.c
> > contains the same issues, so it'd be nice to apply 3f4e54bd312d
> > ("drm/amdgpu: Fix even more out of bound writes from debugfs") too.
>
> > This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
> > it is not too serious in the first place.
>

I agree.

> > CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
> > needed packets replies
> >
> > Update stable/5.4 and stable/4.19 fixed revisions.
> > It seems like stable/4.4 and stable/4.9 need the following patches backported.
> > - 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
> > - a00df2caffed ("ipv6: make exception cache less predictible")
> > - 6457378fe796 ("ipv4: use siphash instead of Jenkins in
> > fnhe_hashfun()")
>
> It would not be bad to understand the problem in the first place. Yes,
> I guess different hashes have different qualities, but...
>
> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE Entries in this week
  2021-11-04  1:11 New CVE Entries " Masami Ichikawa
@ 2021-11-04  9:57 ` Pavel Machek
  2021-11-04 13:04   ` Masami Ichikawa
  0 siblings, 1 reply; 25+ messages in thread
From: Pavel Machek @ 2021-11-04  9:57 UTC (permalink / raw)
  To: cip-dev


Hi!

> CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
> Vulnerability
> 
> This CVE is fixed in 5.14-rc1.
> 
> Fixed status
> 
> mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
> stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
> stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
> stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
> stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

This seems to be fixed in stable/4.4, too, as
61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
good.

> CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type
> 
> This vulnerability was introduced in 5.1-rc1, so kernels before 5.10
> aren't affected by this issue.
> The mainline and stable kernels have been fixed.

AFAICT the vulnerability was introduced by 1ef6f7c9390f in
5.9-rc3. But that does not change anything for us.

> * Updated CVEs
> 
> CVE-2021-3772: Invalid chunks may be used to remotely remove existing
> associations
> 
> This bug is in the SCTP stack; an attacker may be able to send a packet
> with a spoofed IP address if the attacker knows the IP address and port
> number being used.

AFAICT it is more of "if attacker can send packets with spoofed IP
addresses, he can...". Many of our configs use SCTP.

> CVE-2021-42327: drm/amdgpu: fix out of bounds write
> 
> parse_write_buffer_into_params() was introduced in 5.9, so kernels
> before 5.9 aren't affected by this vulnerability.
> 
> This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
> write"); however, the next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
> out of bound writes from debugfs") says that amdgpu_dm_debugfs.c
> contains the same issues, so it'd be nice to apply 3f4e54bd312d
> ("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
it is not too serious in the first place.

> CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
> needed packets replies
> 
> Update stable/5.4 and stable/4.19 fixed revisions.
> It seems like stable/4.4 and stable/4.9 need the following patches backported.
> - 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
> - a00df2caffed ("ipv6: make exception cache less predictible")
> - 6457378fe796 ("ipv4: use siphash instead of Jenkins in
> fnhe_hashfun()")

It would not be bad to understand the problem in the first place. Yes,
I guess different hashes have different qualities, but...

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



Thread overview: 25+ messages
2022-01-12 23:39 New CVE entries in this week Masami Ichikawa
2022-01-13  8:07 ` [cip-dev] " Pavel Machek
2022-01-13 12:41   ` Masami Ichikawa
  -- strict thread matches above, loose matches on Subject: below --
2022-01-26 23:51 Masami Ichikawa
2022-01-27  8:21 ` [cip-dev] " nobuhiro1.iwamatsu
2022-01-28  6:18   ` Masami Ichikawa
2022-01-29 21:03 ` Pavel Machek
2022-01-31  0:00   ` Masami Ichikawa
2021-12-29 23:29 Masami Ichikawa
2021-12-30 10:20 ` [cip-dev] " Pavel Machek
2021-12-30 23:05   ` Masami Ichikawa
2021-12-23  0:48 Masami Ichikawa
2021-12-23 17:11 ` [cip-dev] " Pavel Machek
2021-12-15 23:49 Masami Ichikawa
2021-12-16  5:26 ` [cip-dev] " nobuhiro1.iwamatsu
2021-12-16  5:58   ` Masami Ichikawa
2021-12-16  8:49 ` Pavel Machek
2021-12-08 23:44 Masami Ichikawa
2021-12-09  9:20 ` [cip-dev] " Pavel Machek
2021-12-09 14:12   ` Masami Ichikawa
     [not found] <16BAA9D56D09F20A.23256@lists.cip-project.org>
2021-11-25  5:16 ` Masami Ichikawa
2021-11-25  8:00   ` nobuhiro1.iwamatsu
2021-11-25 12:00     ` Masami Ichikawa
2021-11-25  9:09   ` Pavel Machek
2021-11-25 12:01     ` Masami Ichikawa
2021-11-25  2:41 Masami Ichikawa
2021-11-25  9:14 ` [cip-dev] " Pavel Machek
2021-11-10 23:52 Masami Ichikawa
2021-11-11  9:21 ` [cip-dev] " Pavel Machek
2021-11-11 12:47   ` Masami Ichikawa
2021-11-04  1:11 New CVE Entries " Masami Ichikawa
2021-11-04  9:57 ` [cip-dev] " Pavel Machek
2021-11-04 13:04   ` Masami Ichikawa
