* [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 4:36 UTC
To: cip-dev; +Cc: Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo
Hi everyone,
Two new CVEs this week:
- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Additionally, one old CVE is now fixed:
- CVE-2020-26541
Regards
ChenYu
[-- Attachment #2: Type: text/plain, Size: 428 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6417): https://lists.cip-project.org/g/cip-dev/message/6417
Mute This Topic: https://lists.cip-project.org/mt/82597445/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Pavel Machek @ 2021-05-05 7:51 UTC
To: Chen-Yu Tsai; +Cc: cip-dev, Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo

Hi!

> Two new CVEs this week:
>
> - CVE-2021-31829 [bpf: stack pointer protection from speculative
> arithmetic] - fixed
> Fixes just landed in mainline as part of the merge window. Fixes not
> tagged for stable.

Could you push your changes to cip-kernel-sec?

These are queued for 5.10.35 and 4.19, I believe they may be related.

v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 7:56 UTC
To: Pavel Machek; +Cc: cip-dev, Nobuhiro Iwamatsu, masashi.kudo

On Wed, May 5, 2021 at 3:51 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > Two new CVEs this week:
> >
> > - CVE-2021-31829 [bpf: stack pointer protection from speculative
> > arithmetic] - fixed
> > Fixes just landed in mainline as part of the merge window. Fixes not
> > tagged for stable.
>
> Could you push your changes to cip-kernel-sec?

Done. Sorry about that.

> These are queued for 5.10.35 and 4.19, I believe they may be related.
>
> v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
> a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
> a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation

I only looked through my inbox. And our scripts don't pick things up
from the stable-queue. In any case they will be picked up once the
stable kernels including them are released.

ChenYu
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Pavel Machek @ 2021-05-05 8:17 UTC
To: Chen-Yu Tsai; +Cc: Pavel Machek, cip-dev, Nobuhiro Iwamatsu, masashi.kudo

Hi!

> > > Two new CVEs this week:
> > >
> > > - CVE-2021-31829 [bpf: stack pointer protection from speculative
> > > arithmetic] - fixed
> > > Fixes just landed in mainline as part of the merge window. Fixes not
> > > tagged for stable.
> >
> > Could you push your changes to cip-kernel-sec?
>
> Done. Sorry about that.

Thank you!

> > These are queued for 5.10.35 and 4.19, I believe they may be related.
> >
> > v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
> > a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
> > a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
>
> I only looked through my inbox. And our scripts don't pick things up
> from the stable-queue. In any case they will be picked up once the
> stable kernels including them are released.

According to https://ubuntu.com/security/CVE-2021-31829 it is those
two patches that fix it. So this should get resolved in 5.10.35 for
us.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Pavel Machek @ 2021-05-05 8:34 UTC
To: Chen-Yu Tsai; +Cc: cip-dev, Pavel Machek, Nobuhiro Iwamatsu, masashi.kudo

Hi!

> - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> Likely needs backport to 4.9 and earlier.

Backport is trivial in this case.

> Additionally, one old CVE is now fixed:
> - CVE-2020-26541

This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.

If someone uses secure boot on UEFI, we may need to do this, but
perhaps no one is doing that.

Best regards,
Pavel

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index eab3f7325e31..a6e6a852c9e8 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c 
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size) * Grab our output buffer. */ nl = get_result_buffer(param, param_size, &len); - if (len < needed) { + if (len < needed || len < sizeof(nl->dev)) { param->flags |= DM_BUFFER_FULL_FLAG; goto out; }

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
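Review bot: the added `len < sizeof(nl->dev)` test in list_devices() carries no comment, and from the hunk it is not evident why `needed` can be smaller than `sizeof(nl->dev)`. A one-line comment above the check, stating that the output buffer must hold at least the `dev` member of `*nl` regardless of `needed`, would make the intent clear to whoever carries this to further branches. As posted, the patch also has no changelog, upstream commit id or Signed-off-by; for the backport to 4.9 and earlier mentioned in the thread, those should accompany it.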
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: Chen-Yu Tsai (Moxa) @ 2021-05-05 11:15 UTC
To: Pavel Machek; +Cc: cip-dev, Nobuhiro Iwamatsu, masashi.kudo

On Wed, May 5, 2021 at 4:34 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> > Likely needs backport to 4.9 and earlier.
>
> Backport is trivial in this case.
>
> > Additionally, one old CVE is now fixed:
> > - CVE-2020-26541
>
> This is UEFI secure boot, and it is more of "implement missing
> blacklist functionality" than a bugfix.
>
> If someone uses secure boot on UEFI, we may need to do this, but
> perhaps no one is doing that.

No idea. All the servers I touched at work were still booting via
legacy BIOS. Mind you that these were old servers. The latest machine
we have, an AMD EPYC 7002, is UEFI only. I never looked at the
settings though.

ChenYu

> Best regards,
> Pavel
>
> diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c > index eab3f7325e31..a6e6a852c9e8 100644 > --- a/drivers/md/dm-ioctl.c > +++ b/drivers/md/dm-ioctl.c 
> @@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size) > * Grab our output buffer. > */ > nl = get_result_buffer(param, param_size, &len); > - if (len < needed) { > + if (len < needed || len < sizeof(nl->dev)) { > param->flags |= DM_BUFFER_FULL_FLAG; > goto out; > }
>
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
* Re: [cip-dev] Cip-kernel-sec Updates for Week of 2021-05-05
From: 市川正美 @ 2021-06-18 2:21 UTC
To: cip-dev

Hi!

May I ask some questions?

On Wed, May 5, 2021 at 13:37 Chen-Yu Tsai (Moxa) <wens@csie.org> wrote:
>
> Hi everyone,
>
> Two new CVEs this week:
>
> - CVE-2021-31829 [bpf: stack pointer protection from speculative
> arithmetic] - fixed
> Fixes just landed in mainline as part of the merge window. Fixes not
> tagged for stable.
>

I'm looking into CVE-2021-31829. The issues/CVE-2021-31829.yml in the
cip-kernel-sec repository says this bug was introduced by commit
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366.
The bug fix commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807[1] has a
Fixes tag which says "Fixes: 979d63d50c0c ("bpf: prevent out of bounds
speculation on pointer arithmetic")", so CVE-2021-31829.yml's
introduced-by section may be 979d63d50c0c0f7bc537bf821e056cc9fe5abd38?

Also, one of the patches that fix CVE-2021-29155 has a Fixes tag that
says "Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF")"[2], so
issues/CVE-2021-29155.yml's introduced-by section may be
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366?

1: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
2: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=9601148392520e2e134936e76788fc2a6371e7be

> - CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
> Likely needs backport to 4.9 and earlier.
>
> Additionally, one old CVE is now fixed:
>
> - CVE-2020-26541
>
> Regards
> ChenYu

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com
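The cross-check described in the message above, comparing an issue file's introduced-by hashes with the Fixes: tags of its fix commits, as an added example that is not part of the original post or of the cip-kernel-sec scripts. The function names are hypothetical, and the commit message is a constructed excerpt built from the hashes and subjects quoted in this thread.

```python
import re

# Kernel "Fixes:" trailer: abbreviated hash followed by the quoted subject.
FIXES_RE = re.compile(r'^Fixes:\s+([0-9a-f]{8,40})\s+\("(.+)"\)\s*$', re.M | re.I)


def fixes_tags(commit_message):
    """Return (abbreviated_hash, subject) for each Fixes: trailer."""
    return [(h.lower(), s) for h, s in FIXES_RE.findall(commit_message)]


def check_introduced_by(recorded, fix_messages):
    """Compare recorded introduced-by hashes with the fix commits' Fixes: tags.

    recorded:     full hashes listed under introduced-by in the issue file
    fix_messages: {fix commit hash: commit message}
    Returns (missing, unsupported): tagged hashes that are not recorded, and
    recorded hashes that no Fixes: tag points at.
    """
    recorded = [r.lower() for r in recorded]
    tagged = {h for msg in fix_messages.values() for h, _ in fixes_tags(msg)}
    # Fixes: tags carry abbreviated hashes, so match them as prefixes.
    missing = sorted(t for t in tagged
                     if not any(r.startswith(t) for r in recorded))
    unsupported = sorted(r for r in recorded
                         if not any(r.startswith(t) for t in tagged))
    return missing, unsupported


# Constructed excerpt: subject and Fixes: tag as quoted in this thread.
FIX_MESSAGES = {
    "b9b34ddbe2076ade359cd5ce7537d5ed019e9807": (
        "bpf: Fix masking negation logic upon negative dst register\n\n"
        'Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation '
        'on pointer arithmetic")\n'
    ),
}
RECORDED = ["2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366"]  # value the message reports
PROPOSED = ["979d63d50c0c0f7bc537bf821e056cc9fe5abd38"]  # value the message suggests

if __name__ == "__main__":
    for label, hashes in (("recorded", RECORDED), ("proposed", PROPOSED)):
        missing, unsupported = check_introduced_by(hashes, FIX_MESSAGES)
        print(f"{label}: missing={missing} unsupported={unsupported}")
```

A Fixes: tag names the commit a patch corrects, which is not always the only commit that introduced the flaw, so a mismatch is a prompt for manual review rather than proof that the issue file is wrong.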