From: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
To: cip-dev <cip-dev@lists.cip-project.org>
Subject: New CVE entries this week
Date: Thu, 7 Apr 2022 08:50:33 +0900	[thread overview]
Message-ID: <CAODzB9pYw3mGHfhfD2cxh5UV-QnmZXr3+J2wDTuVC_5m4c8d5Q@mail.gmail.com> (raw)

Hi!

This is this week's CVE report.

This week, 11 new CVEs and 1 updated CVE were reported.
There are three can/usb driver bugs and three ax25 protocol bugs.

* New CVEs

CVE-2021-3714: Remote Page Deduplication Attacks

CVSS v3 score is not provided

Red Hat Bugzilla states that an attacker can leak information via this issue.

Fixed status

Not fixed yet.

CVE-2022-1198: use-after-free in drivers/net/hamradio/6pack.c

CVSS v3 score is not provided

A UAF bug was found in drivers/net/hamradio/6pack.c. An attacker is
able to crash the system via this vulnerability.
This bug looks to exist in the 5.10, 4.19, and 4.4 kernels. However,
backporting this patch requires fixing conflicts.

Fixed status

mainline: [efe4186e6a1b54bf38b9e05450d43b0da1fd7739]
stable/5.16: [4356343fb70c899901bce33acedf4fede797d21f]

CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()

CVSS v3 score is not provided

A UAF bug was found in net/ax25/af_ax25.c. An attacker is able to
crash the system via this vulnerability.

Patches were merged into the mainline in the following order.

2022-03-09: ax25: Fix NULL pointer dereference in ax25_kill_by_device
            (71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac)
2022-02-09: ax25: fix NPD bug in ax25_disconnect
            (7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10)
2022-01-28: ax25: improve the incomplete fix to avoid UAF and NPD bugs
            (4e0f718daf97d47cf7dec122da1be970f145c809)

Commit 7ec02f5 ("fix NPD bug in ax25_disconnect") changed the release
order of the sock struct to avoid a NULL pointer dereference if sk is NULL.
- release_sock(sk);
  ax25_disconnect(s, ENETUNREACH);
+ release_sock(sk);
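Review bot: with release_sock(sk) moved below ax25_disconnect(), the disconnect now runs while the socket lock is still held, and release_sock(sk) dereferences sk at its new position just as it did at the old one; the reorder alone therefore does not handle a NULL sk, so either the NULL check belongs in this hunk or the commit message should state why sk cannot be NULL here.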

However, commit 71171ac ("ax25: Fix NULL pointer dereference in
ax25_kill_by_device") added a NULL pointer check before releasing the
sock struct.

+ if (!sk) {
+ spin_unlock_bh(&ax25_list_lock);
+ s->ax25_dev = NULL;
+ ax25_disconnect(s, ENETUNREACH);
+ spin_lock_bh(&ax25_list_lock);
+ goto again;
+ }
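Review bot: in the `if (!sk)` branch, ax25_list_lock is dropped before `s->ax25_dev = NULL` and ax25_disconnect(s, ENETUNREACH) run, then retaken before `goto again`; nothing in these lines takes a reference on `s` across that unlocked window, so the hunk should state what keeps `s` alive while the lock is dropped and what guarantees the restarted list walk makes progress rather than revisiting the same entry.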

So, it looks like commit 7ec02f5 ("fix NPD bug in ax25_disconnect") is
not needed to fix this CVE in older kernels.
Additionally, commit 7ec02f5 is the root cause of CVE-2022-1205.

v4.4 looks to be affected by this CVE.

Fixed status

mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
           7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
           71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
              5ab8de9377edde3eaf1de9872e2f01d43157cd6c]
stable/4.9: [851901d339b2ba766ffcf754d37a6f52fa07cea2,
             cad71f1094834eb69f7ceec8100d300c26b43053]
stable/5.10: [b9a229fd48bfa45edb954c75a57e3931a3da6c5f,
              e2201ef32f933944ee02e59205adb566bafcdf91]


CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

CVSS v3 score is not provided

A UAF bug was found in net/ax25/af_ax25.c. An attacker is able to
crash the system via this vulnerability.

Patches were merged in the following order.

2022-03-29: ax25: fix UAF bug in ax25_send_control
            (5352a761308397a0e6250fdc629bb3f615b94747), fixes 9fd75b6
2022-03-21: ax25: Fix refcount leaks caused by ax25_cb_del
            (9fd75b66b8f68498454d685dc4ba13192ae069b0), fixes d01ffb9,
            87563a0, and feef318
2022-02-09: ax25: fix UAF bugs of net_device caused by rebinding operation
            (feef318c855a361a1eccd880f33e88c460eb63b4)
2022-02-03: ax25: fix reference count leaks of ax25_dev
            (87563a043cef044fed5db7967a75741cc16ad2b1), fixes d01ffb9
2022-01-28: ax25: add refcount in ax25_dev to avoid UAF bugs
            (d01ffb9eee4af165d83b08dd73ebdf9fe94a519b)

It looks like the root cause is commit d01ffb9 ("ax25: add refcount in
ax25_dev to avoid UAF bugs"). It was merged in 5.17-rc3. This commit
isn't backported to stable kernels. So, stable kernels seem not to be
affected by this CVE.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
           87563a043cef044fed5db7967a75741cc16ad2b1,
           feef318c855a361a1eccd880f33e88c460eb63b4,
           9fd75b66b8f68498454d685dc4ba13192ae069b0,
           5352a761308397a0e6250fdc629bb3f615b94747]


CVE-2022-1205: Null pointer dereference and use-after-free in
net/ax25/ax25_timer.c

CVSS v3 score is not provided

A NULL pointer dereference and use-after-free bug was found in
net/ax25/ax25_timer.c. An attacker is able to crash the system via
this vulnerability.

This bug was introduced by commit 7ec02f5 ("ax25: fix NPD bug in
ax25_disconnect") which was merged in 5.17-rc4. This commit isn't
backported to stable kernels, so this bug only affects the mainline
kernel.

Fixed status

mainline: [fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009,
82e31755e55fbcea6a9dfaae5fe4860ade17cbc0]

CVE-2022-28356: llc: fix netdevice reference leaks in llc_ui_bind()

CVSS v3 score is not provided

A refcount leak bug was found in net/llc/af_llc.c.

This bug was introduced before the git era.
The patch can be applied to 4.4-st.

Fixed status

mainline: [764f4eb6846f5475f1244767d24d25dd86528a4a]
stable/4.14: [0f294bc04be87f1c9e1d1a908db9fcc84ce94210]
stable/4.19: [d14193111c436fc5de33206c67c7afd45c730099]
stable/4.9: [0a7aad979bfb43c4a78d33a5f356caf4ceb28bca]
stable/5.10: [571df3393f523b59cba87e2f3e80a3a624030f9c]
stable/5.15: [e9072996108387ab19b497f5b557c93f98d96b0b]
stable/5.16: [6f5bf395c60ed2643de51f2b1041cb0882e9d97f]
stable/5.17: [ef1a6fe3563cf47ce4fd555727ca80085cf18884]
stable/5.4: [572f9a0d3f3feb8bd3422e88ad71882bc034b3ff]

CVE-2022-28388: can: usb_8dev: usb_8dev_start_xmit(): fix double
dev_kfree_skb() in error path

CVSS v3 score is not provided

A double free bug was found in usb_8dev_start_xmit() in
drivers/net/can/usb/usb_8dev.c.

Applying this fix to 4.4 requires modifying the patch to resolve a conflict.

Fixed status

mainline: [3d3925ff6433f98992685a9679613a2cc97f3ce2]

CVE-2022-28389: can: mcba_usb: mcba_usb_start_xmit(): fix double
dev_kfree_skb in error path

CVSS v3 score is not provided

A double free bug was found in mcba_usb_start_xmit() in
drivers/net/can/usb/mcba_usb.c.
This bug was introduced by commit 51f3baa ("can: mcba_usb: Add support
for Microchip CAN BUS Analyzer") which was merged in 4.12-rc1.
So, the 4.9 and 4.4 kernels aren't affected by this issue.

Fixed status

mainline: [04c9b00ba83594a29813d6b1fb8fdc93a3915174]

CVE-2022-28390: can: ems_usb: ems_usb_start_xmit(): fix double
dev_kfree_skb() in error path

CVSS v3 score is not provided

A double free bug was found in ems_usb_start_xmit() in
drivers/net/can/usb/ems_usb.c.
This patch can be applied to 4.4.y without any errors.

Fixed status

mainline: [c70222752228a62135cee3409dccefd494a24646]

CVE-2021-39802: The most severe vulnerability in this section could
lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.

CVSS v3 score is not provided

ac44888: Revert "FROMGIT: mm: improve mprotect(R|W) efficiency on
pages referenced once"
b44e46b: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once
67d075d: Revert "FROMGIT: mm: improve mprotect(R|W) efficiency on
pages referenced once"
6f9aba5: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once

Commit ac44888 reverts b44e46b and commit 67d075d reverts 6f9aba5.
These commits aren't in the mainline.
It seems this vulnerability is Android kernel specific.

Fixed status

Fixed in the Android kernel.

CVE-2021-0707: dmabuf: fix use-after-free of dmabuf's file->f_inode

CVSS v3 score is not provided

A UAF bug was found in dma_buf_release().
This bug was introduced by commit 4ab59c3 ("dma-buf: Move
dma_buf_release() from fops to dentry_ops") which was merged in
v5.8-rc4.
Commit 4ab59c3 ("dma-buf: Move dma_buf_release() from fops to
dentry_ops") fixes bb2bb90 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
which was merged in 5.3-rc1. Therefore, kernels 4.4, 4.9, and 4.19 are
not affected by this vulnerability.
This vulnerability was fixed in 5.11-rc3. The mainline and stable
kernels are fixed.

Fixed status

mainline: [05cd84691eafcd7959a1e120d5e72c0dd98c5d91]
stable/5.10: [a19dae4254c434a1ac8937a809fe08fd15ad3be5]
stable/5.4: [ef8133b1b47ed67873c291e9248fafd428d1767d]
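To make the per-branch "Fixed status" lists in a report like this one machine-checkable, here is an added example (not part of the original mail and not CIP's own tooling) that parses the blocks into a CVE -> branch -> fix-commit map and lists which of a configured set of maintained branches still have no listed fix. The sample text is constructed from two entries above, and the set of tracked branches is an assumption.

```python
import re

# Constructed sample: two Fixed status blocks copied from the report above.
SAMPLE_REPORT = """\
CVE-2022-1198: use-after-free in drivers/net/hamradio/6pack.c
Fixed status
mainline: [efe4186e6a1b54bf38b9e05450d43b0da1fd7739]
stable/5.16: [4356343fb70c899901bce33acedf4fede797d21f]
CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()
Fixed status
mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
  71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
5ab8de9377edde3eaf1de9872e2f01d43157cd6c]
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):")
BRANCH_RE = re.compile(r"^(mainline|stable/[\d.]+):\s*\[(.*)$")
HASH_RE = re.compile(r"\b[0-9a-f]{40}\b")

def parse_fixed_status(text):
    """Map each CVE to {branch: [fix commit hashes]} from its Fixed status block."""
    # A branch's hash list may wrap over several lines; collect until the ']'.
    fixes = {}
    cve = branch = None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            cve = m.group(1)
            fixes[cve] = {}
            continue
        if cve is None:
            continue
        if branch is None:
            m = BRANCH_RE.match(line)
            if not m:
                continue
            branch, buf = m.group(1), m.group(2)
        else:
            buf += " " + line
        if "]" in buf:
            fixes[cve][branch] = HASH_RE.findall(buf)
            branch = None
    return fixes

def missing_backports(fixes, branches):
    """Per CVE, the branches from `branches` that list no fix commit (assumed set)."""
    return {cve: [b for b in branches if b not in per_branch]
            for cve, per_branch in fixes.items()}
```

Feeding the whole mail body instead of the constructed sample yields the same table for every CVE in the report.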

* Updated CVEs

CVE-2021-33061: Intel(R) 82599 Ethernet Controllers and Adapters may
allow an authenticated user to potentially enable denial of service
via local access

Fixed in 5.18-rc1.

This patch can't be applied to 4.4.y because it modifies
ixgbe_priv_flags_strings(), ixgbe_get_priv_flags(), and
ixgbe_set_priv_flags() in
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c, but 4.4.y doesn't
have these functions and drivers/net/ethernet/intel/ixgbe/ixgbe.h
doesn't contain the IXGBE_FLAG2_ macros.

Fixed status

mainline: [008ca35f6e87be1d60b6af3d1ae247c6d5c2531d]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com

