From: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] New CVE entries in this week
Date: Thu, 16 Dec 2021 14:58:36 +0900	[thread overview]
Message-ID: <CAODzB9pFnCDhGy0tLpAhP+AVW28_9FiES2_UvX4nxPCapN4ESw@mail.gmail.com> (raw)
In-Reply-To: <TYAPR01MB62525566919A2925279299FD92779@TYAPR01MB6252.jpnprd01.prod.outlook.com>

Hi !

On Thu, Dec 16, 2021 at 2:27 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
> >
> > CVSS v3 score is not provided
> >
> > The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> > kernel versions. However, it looks like 4.4 also has the same issue.
> >
> > Fixed status
> >
> > mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> > stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> > stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> > stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> > stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> > stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]
>
> I created a patch which revises this issue. I attached it to this mail.
>

Thank you. LGTM !

> Best regards,
>   Nobuhiro
> ________________________________________
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
> Sent: December 16, 2021 8:49
> To: cip-dev
> Subject: [cip-dev] New CVE entries in this week
>
> Hi !
>
> It's this week's CVE report.
>
> This week reported ten new CVEs and two of them aren't fixed in the
> mainline yet.
>
> * New CVEs
>
> CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible
> way to read kernel memory due to uninitialized data
>
> CVSS v3 score is not provided
>
> This bug is fixed in the Android kernel. There are three commits to fix this bug.
>
> https://android.googlesource.com/kernel/common/+/e113eb454e92
> https://android.googlesource.com/kernel/common/+/60a4c35570d9
> https://android.googlesource.com/kernel/common/+/4b05a506bda0
>
> These commits modified net/netfilter/xt_quota2.c, which is Android-specific
> source. So this CVE is an Android-specific bug. The mainline and
> stable kernels aren't affected.
>
> Fixed status
>
> The mainline and stable kernels aren't affected.
>
> CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
>
> CVSS v3 score is not provided
>
> The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> kernel versions. However, it looks like 4.4 also has the same issue.
>
> Fixed status
>
> mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]
>
> CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file
>
> The commit that introduced the bug, b0841ee, was merged in 5.3-rc8. This
> commit isn't backported to 4.4, so 4.4 isn't affected.
>
> Fixed status
>
> mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
> stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
> stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
> stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
> stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
> stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]
>
> CVE-2021-39657: scsi: ufs: Correct the LUN used in
> eh_device_reset_handler() callback
>
> CVSS v3 score is not provided
>
> The bug was fixed in 5.11-rc4, so the mainline and stable kernels are already fixed.
>
> Fixed status
>
> mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
> stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
> stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
> stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
> stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
> stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
> stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]
>
> CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in
> nfsd4_decode_bitmap function
>
> CVSS v3 score is not provided
>
> OOB write bug in nfsd. This bug was introduced by commit d1c263a
> ("NFSD: Replace READ* macros in nfsd4_decode_fattr()"), which was merged
> in 5.11-rc1, and fixed in 5.16-rc2. Kernels before 5.11 aren't affected
> by this issue.
>
> Fixed status
>
> mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
> stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]
>
> CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io
>
> CVSS v3 score is not provided
>
> OOB read/write bug in AMD SVM mode. This bug was introduced by commit
> 7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"),
> which was merged in 5.11-rc1. Kernels before 5.11 aren't affected by
> this issue.
>
> Fixed status
>
> mainline: [95e16b4792b0429f1933872f743410f00e590c55]
>
> CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get()
> in virt/kvm/dirty_ring.c
>
> CVSS v3 score is not provided
>
> This issue was introduced by commit 629b534 ("KVM: x86/xen: update
> wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before
> 5.12-rc1-dontuse aren't affected by this issue.
> The patch is being reviewed.
>
> Fixed status
>
> Not fixed yet.
>
> CVE-2021-3864: descendant's dumpable setting with certain SUID binaries
>
> CVSS v3 score is not provided
>
> This bug is able to write a coredump file anywhere. However, abusing this
> bug for something such as arbitrary code execution requires some program.
> PoC: https://www.openwall.com/lists/oss-security/2021/10/20/2
> Two mitigation techniques are suggested, so it is recommended that users
> follow these mitigation techniques.
>
> Fixed status
>
> Not fixed yet.
>
> CVE-2021-4083: fget: check that the fd still exists after getting a ref to it
>
> CVSS v3 score is not provided
>
> UAF bug in fs/file.c; it causes a system crash or privilege escalation.
> The mainline and all stable kernels are already fixed.
>
> Fixed status
>
> mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
> stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
> stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
> stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
> stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
> stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
> stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
> stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]
>
> CVE-2021-39685: Linux Kernel USB Gadget buffer overflow
>
> CVSS v3 score is not provided
>
> Buffer overflow bug in USB gadget devices. An attacker can read and/or
> write up to 65k of kernel memory.
> It is already fixed in the mainline and all stable kernels.
>
> Fixed status
>
> mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038,
> 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
> stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24,
> d8cd524ae4ec788011a14be17503fc224f260fe3]
> stable/4.19: [13e45e7a262dd96e8161823314679543048709b9,
> 32de5efd483db68f12233fbf63743a2d92f20ae4]
> stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35,
> af21211c327c4703c7681fa7286c4d660682e413]
> stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419,
> e4de8ca013f06ad4a0bf40420a291c23990e4131]
> stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b,
> e4de8ca013f06ad4a0bf40420a291c23990e4131]
> stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d,
> 6eea4ace62fa6414432692ee44f0c0a3d541d97a]
> stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b,
> 9978777c5409d6c856cac1adf5930e3c84f057be]
>
> * Updated CVEs
>
> no updated CVEs.
>
> * Currently tracking CVEs
>
> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> There is no fix information.
>
> CVE-2020-26555: BR/EDR pin code pairing broken
>
> No fix information.
>
> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> Provisioning Leads to MITM
>
> No fix information.
>
> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
>
> No fix information.
>
> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
>
> No fix information.
>
>
> Regards,
> --
> Masami Ichikawa
> Cybertrust Japan Co., Ltd.
>
> Email :masami.ichikawa@cybertrust.co.jp
>           :masami.ichikawa@miraclelinux.com
>
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com
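CVE-2021-4090 in the quoted report above is an out-of-bounds write in nfsd4_decode_bitmap(): the destination bitmap is a fixed array of bmlen words, but the number of words the decoder writes is taken from the wire. What follows is an added example written for this page, not kernel code and not part of the original mail. It is a simplified userspace model of that decoder shape (the XDR stream helper, the 1000-word "sanity" limit, the canary layout and the wire bytes are all constructed assumptions of the model), with the pre-fix loop beside the post-fix version that bounds the count by the destination size and zero-fills a short bitmap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal XDR stream: big-endian 32-bit words read through a cursor. */
struct xdr_stream {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

static int xdr_decode_u32(struct xdr_stream *x, uint32_t *out)
{
    if (x->len - x->pos < 4)
        return -1;
    const uint8_t *p = x->buf + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    x->pos += 4;
    return 0;
}

/* Pre-fix shape (model). bmlen is the size of the destination array, but the
 * write loop is bounded by the wire-supplied count, which is compared only
 * against a generous sanity limit, never against bmlen. */
static int decode_bitmap_vulnerable(struct xdr_stream *x, uint32_t *bmval,
                                    uint32_t bmlen)
{
    uint32_t i, count;

    if (xdr_decode_u32(x, &count) < 0)
        return -1;
    if (count > 1000)                 /* rejects absurd sizes only */
        return -1;
    for (i = 0; i < count; i++)       /* count words into a bmlen-word array */
        if (xdr_decode_u32(x, &bmval[i]) < 0)
            return -1;
    while (i < bmlen)
        bmval[i++] = 0;
    return 0;
}

/* Post-fix shape (model): a count larger than the destination is a protocol
 * error; a shorter one is accepted and the tail is zero-filled.
 * Returns the number of words decoded, or -1. */
static int decode_bitmap_fixed(struct xdr_stream *x, uint32_t *bmval,
                               uint32_t bmlen)
{
    uint32_t i, count;

    if (xdr_decode_u32(x, &count) < 0)
        return -1;
    if (count > bmlen)
        return -1;
    for (i = 0; i < count; i++)
        if (xdr_decode_u32(x, &bmval[i]) < 0)
            return -1;
    for (; i < bmlen; i++)
        bmval[i] = 0;
    return (int)count;
}

#define BMLEN   3u
#define SPARE   8u
#define CANARY  0xDEADBEEFu

typedef int (*bitmap_decoder)(struct xdr_stream *, uint32_t *, uint32_t);

struct decode_result {
    int rc;                  /* decoder return value */
    int clobbered;           /* words written beyond the 3-word bitmap */
    uint32_t bmval[BMLEN];   /* bitmap contents afterwards */
};

/* Runs a decoder against a 3-word bitmap deliberately embedded at the start
 * of a larger array, so any overrun lands on canary words we can count
 * (defined behaviour for the demo) instead of on adjacent stack data. */
static struct decode_result run_decoder(bitmap_decoder dec,
                                        const uint8_t *wire, size_t wirelen)
{
    uint32_t storage[BMLEN + SPARE];
    struct xdr_stream x = { wire, wirelen, 0 };
    struct decode_result r = { 0, 0, { 0 } };

    for (size_t i = 0; i < BMLEN + SPARE; i++)
        storage[i] = CANARY;
    r.rc = dec(&x, storage, BMLEN);
    memcpy(r.bmval, storage, sizeof r.bmval);
    for (size_t i = BMLEN; i < BMLEN + SPARE; i++)
        if (storage[i] != CANARY)
            r.clobbered++;
    return r;
}

/* Constructed wire data: count = 5, two words more than the bitmap holds. */
static const uint8_t wire_count5[] = {
    0,0,0,5, 0,0,0,0x11, 0,0,0,0x22, 0,0,0,0x33, 0,0,0,0x44, 0,0,0,0x55,
};
/* Constructed wire data: count = 2, a legitimate short bitmap. */
static const uint8_t wire_count2[] = { 0,0,0,2, 0,0,0,0x0a, 0,0,0,0x0b };

struct decode_result vulnerable_count5(void)
{ return run_decoder(decode_bitmap_vulnerable, wire_count5, sizeof wire_count5); }
struct decode_result fixed_count5(void)
{ return run_decoder(decode_bitmap_fixed, wire_count5, sizeof wire_count5); }
struct decode_result fixed_count2(void)
{ return run_decoder(decode_bitmap_fixed, wire_count2, sizeof wire_count2); }

int main(void)
{
    struct decode_result v = vulnerable_count5(), f = fixed_count5();
    printf("vulnerable: rc=%d, %d word(s) written past the bitmap\n", v.rc, v.clobbered);
    printf("fixed:      rc=%d, %d word(s) written past the bitmap\n", f.rc, f.clobbered);
    return 0;
}
```

The point of the canary layout is that it makes the overrun measurable without undefined behaviour: the vulnerable decoder accepts the count-5 message and writes two words past the bitmap, while the fixed one rejects it untouched and still handles the short count-2 bitmap correctly.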

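CVE-2021-4083 in the quoted report is described only by its commit title, "fget: check that the fd still exists after getting a ref to it", and as a use-after-free in fs/file.c. The following is an added example written for this page, not kernel code and not part of the original mail. It models that lookup pattern in userspace C: an fd table, a reference taken with an inc-not-zero, and a deterministic hook standing in for another CPU that closes the fd and reuses the object's storage in the window between reading the slot and taking the reference. The file identities, the storage-recycling behaviour and the fd numbers are constructed for the demo; the pre-fix lookup hands back a reference to a file that fd 3 no longer refers to, the post-fix lookup re-reads the slot after taking the reference and retries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A file object. Its storage is never returned to the allocator in this
 * model: once the last reference drops, the same memory may immediately be
 * reused for a different file, so a stale pointer stays dereferenceable but
 * no longer names the file it used to. */
struct file {
    int refcount;
    int id;     /* which logical file currently occupies this storage */
};

#define MAX_FDS 8
static struct file *fd_table[MAX_FDS];

/* Models an inc-not-zero: a reference can only be taken on a live object. */
static bool get_file_rcu(struct file *f)
{
    if (f->refcount == 0)
        return false;
    f->refcount++;
    return true;
}

static void fput(struct file *f) { f->refcount--; }

/* Stands in for whatever another CPU does between our read of the fd slot
 * and our refcount increment; a callback keeps the interleaving
 * deterministic instead of hoping threads hit the window. */
typedef void (*race_hook)(void);

/* Pre-fix shape (model): read the slot, take a reference on the pointer
 * that was read, and trust that it still describes fd. */
static struct file *fget_vulnerable(unsigned fd, race_hook race)
{
    if (fd >= MAX_FDS)
        return NULL;
    struct file *f = fd_table[fd];
    if (!f)
        return NULL;
    if (race)
        race();
    if (!get_file_rcu(f))
        return NULL;
    return f;
}

/* Post-fix shape (model): after the reference is taken, re-read the slot.
 * If it no longer holds the same object, drop the reference and retry. */
static struct file *fget_fixed(unsigned fd, race_hook race)
{
    if (fd >= MAX_FDS)
        return NULL;
    for (;;) {
        struct file *f = fd_table[fd];
        if (!f)
            return NULL;
        if (race) {
            race();
            race = NULL;            /* the other CPU acts once */
        }
        if (!get_file_rcu(f))
            continue;               /* object died; re-read the slot */
        if (fd_table[fd] != f) {    /* slot changed under us */
            fput(f);
            continue;
        }
        return f;
    }
}

/* Constructed scenario: fd 3 -> file A living in 'storage'. */
static struct file storage;

static void setup(void)
{
    for (unsigned i = 0; i < MAX_FDS; i++)
        fd_table[i] = NULL;
    storage.id = 1;             /* file A */
    storage.refcount = 1;
    fd_table[3] = &storage;
}

/* Another task closes fd 3 (dropping A's last reference); the storage is
 * recycled as file B, which is installed at fd 5. */
static void close_fd3_and_recycle(void)
{
    struct file *old = fd_table[3];
    fd_table[3] = NULL;
    fput(old);                  /* A is now dead (refcount 0) */
    old->id = 2;                /* same memory reborn as file B */
    old->refcount = 1;
    fd_table[5] = old;
}

/* Returns the id of the file a lookup of fd 3 produced, or -1 for NULL. */
static int lookup_id(struct file *(*fget)(unsigned, race_hook), race_hook race)
{
    setup();
    struct file *f = fget(3, race);
    int id = f ? f->id : -1;
    if (f)
        fput(f);
    return id;
}

int vulnerable_racy(void) { return lookup_id(fget_vulnerable, close_fd3_and_recycle); }
int fixed_racy(void)      { return lookup_id(fget_fixed, close_fd3_and_recycle); }
int fixed_no_race(void)   { return lookup_id(fget_fixed, NULL); }
int refcount_after_fixed(void) { fixed_racy(); return storage.refcount; }

int main(void)
{
    printf("vulnerable fget(3) during close+reuse -> file %d (fd 3 was closed)\n", vulnerable_racy());
    printf("fixed fget(3) during close+reuse      -> %d (NULL: fd 3 is gone)\n", fixed_racy());
    return 0;
}
```

Note that the inc-not-zero alone is not enough: in the racy run it succeeds, because the storage is live again as file B. Only the re-read of the slot after the increment tells the caller that the object it holds is not what fd 3 referred to, and the retry then correctly sees an empty slot and leaves B's refcount as it found it.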

Thread overview:
2021-12-15 23:49 New CVE entries in this week Masami Ichikawa
2021-12-16  5:26 ` [cip-dev] " nobuhiro1.iwamatsu
2021-12-16  5:58   ` Masami Ichikawa [this message]
2021-12-16  8:49 ` Pavel Machek