* [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
@ 2021-05-05 4:36 Chen-Yu Tsai (Moxa)
2021-05-05 7:51 ` Pavel Machek
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 4:36 UTC (permalink / raw)
To: cip-dev; +Cc: Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1: Type: text/plain, Size: 403 bytes --]
Hi everyone,
Two new CVEs this week:
- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Additionally, one old CVE is now fixed:
- CVE-2020-26541
Regards
ChenYu
[-- Attachment #2: Type: text/plain, Size: 428 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6417): https://lists.cip-project.org/g/cip-dev/message/6417
Mute This Topic: https://lists.cip-project.org/mt/82597445/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 4:36 [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05 Chen-Yu Tsai (Moxa)
@ 2021-05-05 7:51 ` Pavel Machek
2021-05-05 7:56 ` Chen-Yu Tsai (Moxa)
2021-05-05 8:34 ` Pavel Machek
2021-06-18 2:21 ` 市川正美
2 siblings, 1 reply; 7+ messages in thread
From: Pavel Machek @ 2021-05-05 7:51 UTC (permalink / raw)
To: Chen-Yu Tsai; +Cc: cip-dev, Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1.1: Type: text/plain, Size: 799 bytes --]
Hi!
> Two new CVEs this week:
>
> - CVE-2021-31829 [bpf: stack pointer protection from speculative
> arithmetic] - fixed
> Fixes just landed in mainline as part of the merge window. Fixes not
> tagged for stable.
Could you push your changes to cip-kernel-sec?
These are queued for 5.10.35 and 4.19, I believe they may be related.
v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
View/Reply Online (#6418): https://lists.cip-project.org/g/cip-dev/message/6418
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 7:51 ` Pavel Machek
@ 2021-05-05 7:56 ` Chen-Yu Tsai (Moxa)
2021-05-05 8:17 ` Pavel Machek
0 siblings, 1 reply; 7+ messages in thread
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 7:56 UTC (permalink / raw)
To: Pavel Machek; +Cc: cip-dev, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1: Type: text/plain, Size: 914 bytes --]
On Wed, May 5, 2021 at 3:51 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > Two new CVEs this week:
> >
> > - CVE-2021-31829 [bpf: stack pointer protection from speculative
> > arithmetic] - fixed
> > Fixes just landed in mainline as part of the merge window. Fixes not
> > tagged for stable.
>
> Could you push your changes to cip-kernel-sec?
Done. Sorry about that.
> These are queued for 5.10.35 and 4.19, I believe they may be related.
>
> v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
> a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
> a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
I only looked through my inbox. And our scripts don't pick things up
from the stable-queue. In any case they will be picked up once the
stable kernels including them are released.
ChenYu
View/Reply Online (#6419): https://lists.cip-project.org/g/cip-dev/message/6419
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 7:56 ` Chen-Yu Tsai (Moxa)
@ 2021-05-05 8:17 ` Pavel Machek
0 siblings, 0 replies; 7+ messages in thread
From: Pavel Machek @ 2021-05-05 8:17 UTC (permalink / raw)
To: Chen-Yu Tsai; +Cc: Pavel Machek, cip-dev, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1.1: Type: text/plain, Size: 1231 bytes --]
Hi!
> > > Two new CVEs this week:
> > >
> > > - CVE-2021-31829 [bpf: stack pointer protection from speculative
> > > arithmetic] - fixed
> > > Fixes just landed in mainline as part of the merge window. Fixes not
> > > tagged for stable.
> >
> > Could you push your changes to cip-kernel-sec?
>
> Done. Sorry about that.
Thank you!
> > These are queued for 5.10.35 and 4.19, I believe they may be related.
> >
> > v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
> > a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
> > a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
>
> I only looked through my inbox. And our scripts don't pick things up
> from the stable-queue. In any case they will be picked up once the
> stable kernels including them are released.
According to https://ubuntu.com/security/CVE-2021-31829 it is those
two patches that fix it. So this should get resolved in 5.10.35 for
us.
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
View/Reply Online (#6423): https://lists.cip-project.org/g/cip-dev/message/6423
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 4:36 [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05 Chen-Yu Tsai (Moxa)
2021-05-05 7:51 ` Pavel Machek
@ 2021-05-05 8:34 ` Pavel Machek
2021-05-05 11:15 ` Chen-Yu Tsai (Moxa)
2021-06-18 2:21 ` 市川正美
2 siblings, 1 reply; 7+ messages in thread
From: Pavel Machek @ 2021-05-05 8:34 UTC (permalink / raw)
To: Chen-Yu Tsai; +Cc: cip-dev, Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1.1: Type: text/plain, Size: 1097 bytes --]
Hi!
> - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> Likely needs backport to 4.9 and earlier.
Backport is trivial in this case.
> Additionally, one old CVE is now fixed:
> - CVE-2020-26541
This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.
If someone uses secure boot on UEFI, we may need to do this, but
perhaps no one is doing that.
Best regards,
Pavel
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
* Grab our output buffer.
*/
nl = get_result_buffer(param, param_size, &len);
- if (len < needed) {
+ if (len < needed || len < sizeof(nl->dev)) {
param->flags |= DM_BUFFER_FULL_FLAG;
goto out;
}
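Review bot: the added `len < sizeof(nl->dev)` test in list_devices() has no comment, and nothing in the hunk shows why `len < needed` alone is insufficient. A one-line comment above the condition, saying that the result buffer must hold at least `nl->dev` even when `needed` is smaller, would make the check easier to audit in the 4.9 and older backports. Both conditions set DM_BUFFER_FULL_FLAG, so a caller cannot tell a buffer too small for the header from one too small for the list; that looks acceptable but is worth stating in the changelog.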
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
View/Reply Online (#6427): https://lists.cip-project.org/g/cip-dev/message/6427
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 8:34 ` Pavel Machek
@ 2021-05-05 11:15 ` Chen-Yu Tsai (Moxa)
0 siblings, 0 replies; 7+ messages in thread
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 11:15 UTC (permalink / raw)
To: Pavel Machek; +Cc: cip-dev, Nobuhiro Iwamatsu, masashi.kudo
[-- Attachment #1: Type: text/plain, Size: 1592 bytes --]
On Wed, May 5, 2021 at 4:34 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> > Likely needs backport to 4.9 and earlier.
>
> Backport is trivial in this case.
>
> > Additionally, one old CVE is now fixed:
> > - CVE-2020-26541
>
> This is UEFI secure boot, and it is more of "implement missing
> blacklist functionality" than a bugfix.
>
> If someone uses secure boot on UEFI, we may need to do this, but
> perhaps no one is doing that.
No idea. All the servers I touched at work were still booting via
legacy BIOS. Mind you that these were old servers. The latest machine
we have, an AMD EPYC 7002, is UEFI only. I never looked at the
settings though.
ChenYu
> Best regards,
> Pavel
>
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
> index eab3f7325e31..a6e6a852c9e8 100644
> --- a/drivers/md/dm-ioctl.c
> +++ b/drivers/md/dm-ioctl.c
> @@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
> * Grab our output buffer.
> */
> nl = get_result_buffer(param, param_size, &len);
> - if (len < needed) {
> + if (len < needed || len < sizeof(nl->dev)) {
> param->flags |= DM_BUFFER_FULL_FLAG;
> goto out;
> }
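Review bot: as posted, the patch for drivers/md/dm-ioctl.c starts at the `diff --git` line with no commit message, Signed-off-by or upstream commit reference. For the backport to 4.9 and earlier discussed in this thread, the submission should carry the original changelog and name the mainline commit it is taken from, so the one-line change to the `len` check can be matched against upstream.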
>
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
View/Reply Online (#6428): https://lists.cip-project.org/g/cip-dev/message/6428
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
2021-05-05 4:36 [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05 Chen-Yu Tsai (Moxa)
2021-05-05 7:51 ` Pavel Machek
2021-05-05 8:34 ` Pavel Machek
@ 2021-06-18 2:21 ` 市川正美
2 siblings, 0 replies; 7+ messages in thread
From: 市川正美 @ 2021-06-18 2:21 UTC (permalink / raw)
To: cip-dev
[-- Attachment #1: Type: text/plain, Size: 1669 bytes --]
Hi!
May I ask some questions?
On Wed, May 5, 2021 at 13:37, Chen-Yu Tsai (Moxa) <wens@csie.org> wrote:
>
> Hi everyone,
>
> Two new CVEs this week:
>
> - CVE-2021-31829 [bpf: stack pointer protection from speculative
> arithmetic] - fixed
> Fixes just landed in mainline as part of the merge window. Fixes not
> tagged for stable.
>
I'm looking into CVE-2021-31829. The issues/CVE-2021-31829.yml in the
cip-kernel-sec repository says this bug was introduced by commit
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366.
The bug fix commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 [1] has a
Fixes tag which says "Fixes: 979d63d50c0c ("bpf: prevent out of bounds
speculation on pointer arithmetic")",
so CVE-2021-31829.yml's introduced-by section may be
979d63d50c0c0f7bc537bf821e056cc9fe5abd38?
Also, one of the patches that fix CVE-2021-29155 has a Fixes tag that says
"Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF")" [2],
so issues/CVE-2021-29155.yml's introduced-by section may be
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366?
[1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=9601148392520e2e134936e76788fc2a6371e7be
> - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> Likely needs backport to 4.9 and earlier.
>
> Additionally, one old CVE is now fixed:
>
> - CVE-2020-26541
>
>
> Regards
> ChenYu
>
>
>
Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
View/Reply Online (#6532): https://lists.cip-project.org/g/cip-dev/message/6532
^ permalink raw reply [flat|nested] 7+ messages in thread
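The cross-check raised in the message above (a fix commit's Fixes: tag against the issue file's introduced-by entry) can be automated. The sketch below is an added example, not part of the thread and not cip-kernel-sec's own scripts. The issue layout (a branch-to-hash-list mapping), the function names and the sample commit message are assumptions constructed for illustration; the hashes and subjects are the ones quoted in the message.

```python
import re

# Kernel trailer convention: Fixes: <abbreviated hash> ("subject")
FIXES_RE = re.compile(r'^Fixes:\s*([0-9a-f]{8,40})\s*\("(.+?)"\)\s*$', re.M | re.I)

def fixes_tags(commit_message):
    """Return [(abbrev_hash, subject), ...] for every Fixes: trailer."""
    return [(h.lower(), s) for h, s in FIXES_RE.findall(commit_message)]

def check_introduced_by(issue, fix_messages):
    """Compare recorded introduced-by hashes with the fix commits' Fixes: tags.

    Returns (missing, unsupported):
      missing     - Fixes: hashes that no introduced-by entry starts with
      unsupported - introduced-by entries that no Fixes: tag points at
    """
    recorded = [h.lower()
                for hashes in issue.get("introduced-by", {}).values()
                for h in hashes]
    tagged = [h for msg in fix_messages for h, _ in fixes_tags(msg)]
    missing = [t for t in tagged if not any(r.startswith(t) for r in recorded)]
    unsupported = [r for r in recorded
                   if not any(r.startswith(t) for t in tagged)]
    return missing, unsupported

# Constructed sample: subject and Fixes: line as quoted in the thread,
# body and sign-off are placeholders.
FIX_MESSAGE = """bpf: Fix masking negation logic upon negative dst register

(body omitted in this constructed sample)

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Example Developer <dev@example.org>
"""

# Assumed in-memory form of issues/CVE-2021-31829.yml as the message describes it.
ISSUE = {"introduced-by": {"mainline": ["2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366"]}}

if __name__ == "__main__":
    missing, unsupported = check_introduced_by(ISSUE, [FIX_MESSAGE])
    print("Fixes: tags not recorded as introduced-by:", missing)
    print("introduced-by entries without a Fixes: tag:", unsupported)
```

A non-empty result in either list is a prompt for manual review, not proof of an error: a CVE can have several fix commits, and not every fix carries a Fixes: tag.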