* New CVE entries this week
@ 2022-02-10  1:35 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-02-10  1:35 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 5 new CVEs were reported.

* New CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

CVSS v3 score is not provided

A local unprivileged user can cause a local DoS via the sctp subsystem.
The commit a2d859e3fc97 ("sctp: account stream padding length for
reconf chunk") may fix this issue.

Fixed status

Not fixed yet.

CVE-2022-0487: Use after free in moxart_remove

CVSS v3 score is not provided

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
The mainline was fixed. Stable kernels are being reviewed.

Applying patch bd2db32 ("moxart: fix potential use-after-free on remove
path") to 4.4 needs a bit of code modification. However, it seems that
no CIP member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

CVSS v3 score is not provided

There was a bug in the cgroups v1 release_agent feature that allows
privilege escalation and namespace isolation bypass.
The mainline and 5.X series were fixed, but the fix failed to apply to
all of the 4.X series. This issue affects 2.6.24-rc1 or later
versions.

Applying the commit 24f6008 ("cgroup-v1: Require capabilities to set
release_agent") depends on the following commits.

- a3ff937 ("prefix-handling analogues of errorf() and friends")
This commit was introduced in 5.6-rc1. It added the invalfc macro to
include/linux/fs_context.h. 5.4 uses the cg_invalf macro, which calls
invalfc.

- 8d2451f ("https://github.com/torvalds/linux/commit/8d2451f4994fa60a57617282bab91b98266a00b1").
This commit was introduced in 5.1-rc1. It added cgroup1_parse_param().

So the 4.X series fix this issue in a different way (e.g.
https://lore.kernel.org/stable/20220209191248.652388187@linuxfoundation.org/).
4.9, 4.14, and 4.19 are being reviewed.

The 4.X series use struct cgroup_namespace, which was introduced in
4.6-rc1, to get the namespace object. So fixing 4.4 needs a different
way to get the namespace object instead of struct cgroup_namespace.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails

CVSS v3 score is not provided

The server returns uninitialized data in the file descriptor in nfs_atomic_open().
The mainline and stable kernels are fixed.

I attached 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch
for 4.4.y.

Fixed status

mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf]
stable/4.14: [516f348b759f6a92819820a3f56d678458e22cc8]
stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
stable/4.9: [8788981e120694a82a3672e062fe4ea99446634a]
stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
stable/5.15: [4c36ca387af4a9b5d775e46a6cb9dc2d151bf057]
stable/5.16: [f0583af88e7dd413229ea5e670a0db36fdf34ba2]
stable/5.4: [0dfacee40021dcc0a9aa991edd965addc04b9370]

CVE-2022-0480: memcg: enable accounting for file lock caches

CVSS v3 score is not provided

A user can cause host memory exhaustion because memcg doesn't limit
the number of POSIX file locks.
This issue was fixed in 5.15-rc1.

The patch cannot be applied to 4.4 because this fix uses the SLAB_ACCOUNT
flag, which was introduced by commit 230e9fc ("slab: add SLAB_ACCOUNT
flag") in 4.5-rc1 and is not backported to 4.4.

Fixed status

mainline: [0f12156dff2862ac54235fc72703f18770769042]

* Updated CVEs

CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions

This issue was fixed in 4.17-rc7. 4.14 was fixed this week.

Fixed status

mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
stable/4.14: [6824208b59a4727b8a8653f83d8e685584d04606]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch --]
[-- Type: text/x-patch, Size: 1611 bytes --]

From 912c6e22cf82aa5bb63e5f27a3a39490e758f7ab Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Thu, 6 Jan 2022 18:24:02 -0500
Subject: [PATCH] NFSv4: Handle case where the lookup of a directory fails

If the application sets the O_DIRECTORY flag, and tries to open a
regular file, nfs_atomic_open() will punt to doing a regular lookup.
If the server then returns a regular file, we will happily return a
file descriptor with uninitialised open state.

The fix is to return the expected ENOTDIR error in these cases.

Reported-by: Lyu Tao <tao.lyu@epfl.ch>
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[Fix merge conflict in nfs_atomic_open().]
Reference: CVE-2022-24448
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
 fs/nfs/dir.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index ba7e98d8ce09..7c1f83632d63 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1577,6 +1577,19 @@ out:
 
 no_open:
 	res = nfs_lookup(dir, dentry, lookup_flags);
+	if (!res) {
+		inode = d_inode(dentry);
+		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+		    !S_ISDIR(inode->i_mode))
+			res = ERR_PTR(-ENOTDIR);
+	} else if (!IS_ERR(res)) {
+		inode = d_inode(res);
+		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+		    !S_ISDIR(inode->i_mode)) {
+			dput(res);
+			res = ERR_PTR(-ENOTDIR);
+		}
+	}	
 	err = PTR_ERR(res);
 	if (IS_ERR(res))
 		goto out;
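Review bot: the closing `+	}	` line of the new block carries a trailing tab, which checkpatch reports as trailing whitespace; drop it before the backport is sent. The logic itself mirrors the description: in the `!res` branch nfs_lookup() used the passed-in `dentry`, so that dentry's inode is checked, while the `else if (!IS_ERR(res))` branch checks the dentry nfs_lookup() returned and dput()s it before replacing `res` with `ERR_PTR(-ENOTDIR)`, so no reference is leaked on the error path. The "[Fix merge conflict in nfs_atomic_open().]" note in the description does not say what differed from the upstream hunk; stating that would make the 4.4.y review quicker.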
-- 
2.35.1
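
The "Fixed status" blocks in these reports map each CVE to its fix commits per branch. The following Python is an added example (not CIP's own tooling) that parses that layout, lists the CVEs that still have no commit for a given branch, and, given a git checkout, reports listed commits that are not reachable from a ref. The sample excerpt is copied from the reports above; the git helper and the function names are the example's own.

```python
"""Parse the "Fixed status" blocks of a weekly CVE report and flag what still
needs a backport.  Added example; not the CIP project's own tooling."""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Callable

# e.g. "CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")
# e.g. "mainline: [sha, sha]" or "stable/5.10: [sha]"; a list may span several lines
BRANCH_RE = re.compile(r"^(mainline|stable/[0-9.]+|cip/[\w.-]+):\s*\[(.*)$")


@dataclass
class CveEntry:
    cve: str
    title: str
    fixes: dict[str, list[str]] = field(default_factory=dict)  # branch -> fix commits


def parse_report(text: str) -> list[CveEntry]:
    """Collect every CVE heading and the per-branch commit lists that follow it."""
    entries: list[CveEntry] = []
    current: CveEntry | None = None
    open_branch: str | None = None  # branch whose "[...]" list has not closed yet
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if open_branch is None:
            m = HEADER_RE.match(line)
            if m:
                current = CveEntry(cve=m.group(1), title=m.group(2).strip())
                entries.append(current)
                continue
            m = BRANCH_RE.match(line)
            if m is None or current is None:
                continue  # prose, blank line, or a list before any CVE heading
            open_branch, buf = m.group(1), m.group(2)
        else:
            buf += line  # continuation line of a multi-line commit list
        if "]" in buf:
            body = buf.split("]", 1)[0]
            current.fixes[open_branch] = [s.strip() for s in body.split(",") if s.strip()]
            open_branch = None
    return entries


def backport_candidates(entries: list[CveEntry], branch: str) -> list[str]:
    """CVEs that are fixed somewhere (so a patch exists) but list no commit for `branch`."""
    return [e.cve for e in entries if e.fixes and branch not in e.fixes]


def missing_fixes(entries: list[CveEntry], branch: str,
                  is_present: Callable[[str], bool]) -> list[tuple[str, list[str]]]:
    """Listed fix commits for `branch` that `is_present` cannot find in the tree."""
    out = []
    for e in entries:
        missing = [s for s in e.fixes.get(branch, []) if not is_present(s)]
        if missing:
            out.append((e.cve, missing))
    return out


def git_has_commit(tree: str, ref: str) -> Callable[[str], bool]:
    """Predicate: is the (possibly abbreviated) commit reachable from `ref` in `tree`?"""
    def is_present(sha: str) -> bool:
        r = subprocess.run(["git", "-C", tree, "merge-base", "--is-ancestor", sha, ref],
                           capture_output=True)
        return r.returncode == 0
    return is_present


# Constructed sample: an excerpt of the reports above, kept in their original layout.
SAMPLE_REPORT = """\
CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-0480: memcg: enable accounting for file lock caches

Fixed status

mainline: [0f12156dff2862ac54235fc72703f18770769042]

CVE-2023-1989: Bluetooth: btsdio: fix use after free bug in
btsdio_remove due to unfinished work

Fixed status
mainline: [1e9ac114c4428fdb7ff4635b45d4f46017e8916f,
73f7b171b7c09139eb3c6a5677c200dc1be5f318]
stable/5.10: [da3d3fdfb4d523c5da30e35a8dd90e04f0fd8962]

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links

There is no fix information.
"""

if __name__ == "__main__":
    # usage: cve_report.py REPORT.txt BRANCH [GIT_TREE REF]; no args runs on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_REPORT
    branch = sys.argv[2] if len(sys.argv) > 2 else "stable/5.10"
    entries = parse_report(text)
    print(f"no fix listed for {branch}:", backport_candidates(entries, branch))
    if len(sys.argv) == 5:
        for cve, shas in missing_fixes(entries, branch, git_has_commit(sys.argv[3], sys.argv[4])):
            print(f"{cve}: not in {sys.argv[4]}: {shas}")
```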


* New CVE entries this week
@ 2023-09-13 22:34 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-09-13 22:34 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 6 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2023-4244: A use-after-free vulnerability in the Linux kernel's netfilter

CVSS v3 score is 7.0 HIGH (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. Due to a race condition between nf_tables netlink control
plane transaction and nft_set element garbage collection, it is
possible to underflow the reference counter causing a use-after-free
vulnerability.

It may be a duplicate of CVE-2023-4563.

Fixed status
mainline: [5f68718b34a531a556f2f50300ead2862278da26,
f6c383b8c31a93752a52697f8430a71dcbc46adf,
c92db3030492b8ad1d0faace7a93bbcf53850d0c,
a2dd0233cbc4d8a0abb5f64487487ffc9265beb5]

CVE-2023-4881: netfilter: nftables: exthdr: fix 4-byte stack OOB write

CVSS v3 score is 7.1 HIGH (NIST).
CVSS v3 score is 6.1 MEDIUM (CNA).

A stack based out-of-bounds write flaw was found in the netfilter
subsystem in the Linux kernel. If the expression length is a multiple
of 4 (register size), the `nft_exthdr_eval` family of functions writes
4 NULL bytes past the end of the `regs` argument, leading to stack
corruption and potential information disclosure or a denial of service.

The commit fd94d9d fixes commit 49499c3 ("netfilter: nf_tables: switch
registers to 32 bit addressing") in 4.1-rc1, 935b7f6 ("netfilter:
nft_exthdr: add TCP option matching") in 4.11-rc1, 133dc20 ("netfilter:
nft_exthdr: Support SCTP chunks") in 5.14-rc1, and dbb5281 ("netfilter:
nf_tables: add support for matching IPv4 options") in 5.3-rc1.

Fixed status
mainline: [fd94d9dadee58e09b49075240fe83423eb1dcd36]

CVE-2023-4921: net: sched: sch_qfq: Fix UAF in qfq_dequeue()

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched:
sch_qfq component can be exploited to achieve local privilege
escalation. When the plug qdisc is used as a class of the qfq qdisc,
sending network packets triggers use-after-free in qfq_dequeue() due
to the incorrect .peek handler of sch_plug and lack of error checking
in agg_dequeue().

This vulnerability was introduced by commit 462dbc9 ("pkt_sched: QFQ
Plus: fair-queueing service at DRR cost") in 3.8-rc1.

Fixed status
mainline: [8fc134fee27f2263988ae38920bc03da416b03d8]

CVE-2023-3865: ksmbd: fix out-of-bound read in smb2_write

CVSS v3 score is not provided.

This vulnerability allows remote attackers to disclose sensitive
information on affected installations of Linux Kernel.
Authentication may or may not be required to exploit this
vulnerability, depending upon configuration. Furthermore,
only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the parsing of the smb2_hdr structure.
The issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of the kernel.

Vulnerable function ksmbd_smb2_check_message() was introduced by
commit e2f3448 ("cifsd: add server-side procedures for SMB3")
in 5.15-rc1.

Fixed status
mainline: [5fe7f7b78290638806211046a99f031ff26164e1]
stable/5.15: [3813eee5154d6a4c5875cb4444cb2b63bac8947f]
stable/6.1: [c86211159bc3178b891e0d60e586a32c7b6a231b]

CVE-2023-3866: ksmbd: validate session id and tree id in the compound request

CVSS v3 score is not provided.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability, but only
systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of chained requests. The
issue results from dereferencing a NULL pointer. An attacker can
leverage this vulnerability to create a denial-of-service condition on
the system.

It was introduced by commit e2f3448 ("cifsd: add server-side procedures
for SMB3") in 5.15-rc1.

Fixed status
mainline: [5005bcb4219156f1bf7587b185080ec1da08518e]
stable/5.15: [eb947403518ea3d93f6d89264bb1f5416bb0c7d0]
stable/6.1: [854156d12caa9d36de1cf5f084591c7686cc8a9d]

CVE-2023-3867: ksmbd: add missing compound request handing in some commands

CVSS v3 score is not provided.

This vulnerability allows remote attackers to disclose sensitive
information on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability. However,
only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of session setup
commands. The issue results from the lack of proper validation of
user-supplied data, which can result in a read past the end of an
allocated buffer. An attacker can leverage this in conjunction with
other vulnerabilities to execute arbitrary code in the context of the
kernel.

This vulnerability was introduced by commit 7b7d709e ("ksmbd: add
missing compound request handing in some commands") in 6.5-rc1.

Fixed status
mainline: [7b7d709ef7cf285309157fb94c33f625dd22c5e1]
stable/6.1: [869ef4f2965bbb91157dad220133f76c16faba9b]
stable/6.4: [ffaa0c85edd9245594a94918c09db9163b71767a]

* Updated CVEs

CVE-2023-25775: improper access control flaw in RDMA driver

stable 6.1, 6.4, and 6.5 were fixed.

Fixed status
mainline: [bb6d73d9add68ad270888db327514384dfa44958]
stable/6.1: [f01cfec8d3456bf389918eb898eda11f46d8b1b7]
stable/6.4: [ceba966f1d6391800cab3c1c9ac1661b5166bc5b]
stable/6.5: [782c5702b933477b088e80e6d07b9493145b2916]

CVE-2023-37453: out-of-bounds in read_descriptors in drivers/usb/core/sysfs

stable 6.1, 6.4, and 6.5 were fixed.

Fixed status
stable/6.1: [8186596a663506b1124bede9fde6f243ef9f37ee]
stable/6.4: [b4a074b1fb222164ed7d5c0b8c922dc4a0840848]
stable/6.5: [b9fbfb349eacc0820f91c797d7f0a3ac7a4935b5]

CVE-2023-4623: net/sched: sch_hfsc: Ensure inner classes have fsc curve

stable 6.1, 6.4, and 6.5 were fixed.

Fixed status
mainline: [b3d26c5702c7d6c45456326e56d2ccf3f103e60f]
stable/6.1: [a1e820fc7808e42b990d224f40e9b4895503ac40]
stable/6.4: [5293f466d41d6c2eaad8b833576ea3dbee630dc2]
stable/6.5: [eb07894c51c7d6bb8d00948a3e6e7b52c791e93e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2023-09-06 23:22 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-09-06 23:22 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 5 new CVEs and 5 updated CVEs were reported.

* New CVEs

CVE-2023-4206: net/sched: cls_route: No longer copy tcf_result on
update to avoid use-after-free

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched:
cls_route component can be exploited to achieve local privilege
escalation. When route4_change() is called on an existing filter,
the whole tcf_result struct is always copied into the new instance of
the filter. This causes a problem when updating a filter bound to a
class, as tcf_unbind_filter() is always called on the
old instance in the success path, decreasing filter_cnt of the still
referenced class and allowing it to be deleted, leading to a
use-after-free.

All stable kernels, cip/4.19, cip/4.4, cip/4.4-st, cip/5.10, cip/6.1,
and cip/6.1-rt have been fixed.

Fixed status
mainline: [b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8]
stable/4.14: [226d84d54a9339b7045aff36c8f56d6ee9270476]
stable/4.19: [ad8f36f96696a7f1d191da66637c415959bab6d8]
stable/5.10: [aaa71c4e8ad98828ed50dde3eec8e0d545a117f7]
stable/5.15: [79c3d81c9ad140957b081c91908d7e2964dc603f]
stable/5.4: [1c8262f31fd2d23d1cfd2539715d976c2a99e582]
stable/6.1: [d4d3b53a4c66004e8e864fea744b3a2b86a73b62]
stable/6.4: [a836184b670f59e24d3a0f7c07115ec6e6ce6900]

CVE-2023-4207: net/sched: cls_fw: No longer copy tcf_result on update
to avoid use-after-free

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw
component can be exploited to achieve local privilege escalation. When
fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the
filter. This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in
the success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

This bug was introduced by commit e35a8ee ("net: sched: fw use RCU")
in 3.18-rc1.

Fixed status
mainline: [76e42ae831991c828cffa8c37736ebfb831ad5ec]
stable/5.10: [a8d478200b104ff356f51e1f63499fe46ba8c9b8]
stable/5.15: [9edf7955025a602ab6bcc94d923c436e160a10e3]
stable/5.4: [83e3d4b0ae373dcba30c68bf28f8d179191a297a]
stable/6.1: [7f691439b29be0aae68f83ad5eecfddc11007724]
stable/6.4: [7d848d718aeb3b482e177b682dd04e76dd413afb]

CVE-2023-4208: net/sched: cls_u32: No longer copy tcf_result on update
to avoid use-after-free

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched:
cls_u32 component can be exploited to achieve local privilege
escalation. When u32_change() is called on an existing filter,
the whole tcf_result struct is always copied into the new instance of
the filter. This causes a problem when updating a filter bound to a
class, as tcf_unbind_filter() is always called on the
old instance in the success path, decreasing filter_cnt of the still
referenced class and allowing it to be deleted, leading to a
use-after-free.

All stable kernels, cip/4.19, cip/4.4, cip/4.4-st, cip/5.10, cip/6.1,
and cip/6.1-rt have been fixed.
It was introduced by commit de5df63 ("net: sched: cls_u32 changes to
knode must appear atomic to readers") in 3.18-rc1.

Fixed status
mainline: [3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81]
stable/4.14: [f0f874147a5b00eae875c24281531f8de7900079]
stable/4.19: [4aae24015ecd70d824a953e2dc5b0ca2c4769243]
stable/5.10: [b4256c99a7116c9514224847e8aaee2ecf110a0a]
stable/5.15: [262430dfc618509246e07acd26211cb4cca79ecc]
stable/5.4: [be785808db32b595728c4042d002c83d0dd4b66f]
stable/6.1: [aab2d095ce4dd8d01ca484c0cc641fb497bf74db]
stable/6.4: [4b717802428fa02cbcbb61209f638f65f9cd4710]

CVE-2023-4622: af_unix: Fix null-ptr-deref in unix_stream_sendpage().

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's af_unix component
can be exploited to achieve local privilege escalation. The
unix_stream_sendpage() function tries to add data to
the last skb in the peer's recv queue without locking the queue. Thus
there is a race where unix_stream_sendpage() could access an skb
locklessly that is being released by garbage
collection, resulting in use-after-free.

It looks as if Linux 4.4 is affected by this bug too.

Fixed status
mainline: [57d44a354a43edba4ef9963327d4657d12edbfbc]
stable/4.19: [bd6303bef49970ac7f9278a94473b587e19d1ee2]
stable/5.10: [c080cee930303124624fe64fc504f66c815ee6b9]
stable/6.1: [790c2f9d15b594350ae9bca7b236f2b1859de02c]

CVE-2023-4623: net/sched: sch_hfsc: Ensure inner classes have fsc curve

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched:
sch_hfsc (HFSC qdisc traffic control) component can be exploited to
achieve local privilege escalation. If a class with a link-sharing
curve (i.e. with the HFSC_FSC flag set) has a parent without a
link-sharing curve, then init_vf() will call vttree_insert() on the
parent, but vttree_remove() will be skipped in update_vf(). This leaves
a dangling pointer that can cause a use-after-free.

This bug was introduced in 2.6.12 or earlier so all stable kernels are affected.

Fixed status
mainline: [b3d26c5702c7d6c45456326e56d2ccf3f103e60f]

* Updated CVEs

CVE-2022-45886: A use-after-free bug was found in
drivers/media/dvb-core/dvb_net.c

The mainline and stable kernels were fixed. Applying this fix to 4.14
and 4.4 will fail, because these kernels locate dvb_net.h in
drivers/media/dvb-core/dvb_net.h instead of include/media/dvb_net.h.

Fixed status
mainline: [4172385b0c9ac366dcab78eda48c26814b87ed1a]
stable/4.19: [7bb9c6e05efcecb15b0354d574efbc36ca321d75]
stable/5.10: [2ea7d26ed851db7176e4bfa8174c8a1380255bbe]
stable/5.15: [50831747cb3a880dd4bdebe3fc3c81de9e21582d]
stable/5.4: [ed47886a73dbc0477ae09a4a979e27317cf2b52d]
stable/6.1: [93b5dfebcb1821dde466e29404fcf1fb919f4c72]

CVE-2022-45887: media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb()

The mainline, stable kernels, and cip kernels were fixed.

Fixed status
mainline: [517a281338322ff8293f988771c98aaa7205e457]
stable/4.14: [cf412b0543b77d01f74ae2303d7f8a97e6bff686]
stable/4.19: [3e5af0745a4702ab0df2f880bfe0431eb30f9164]
stable/5.10: [eb37fef417a246fe54530901a3ea9c0abc914fc2]
stable/5.15: [d6c47b23599253d7d866e1e8d60cd410855c1be5]
stable/5.4: [08b20cb8e5b9d69bb3b83c1ad30a702767a9f0ef]
stable/6.1: [ea2938c27b0212aaab6702c16b7385e073b35643]

CVE-2023-31083: BUG: general protection fault in hci_uart_tty_ioctl

Fixed in the mainline.

Fixed status
mainline: [9c33663af9ad115f90c076a1828129a3fbadea98]

CVE-2023-1989: Bluetooth: btsdio: fix use after free bug in
btsdio_remove due to unfinished work

Commit 73f7b171b ("Bluetooth: btsdio: fix use after free bug in
btsdio_remove due to race condition") was added to mainline and stable/6.1.

Fixed status
mainline: [1e9ac114c4428fdb7ff4635b45d4f46017e8916f,
73f7b171b7c09139eb3c6a5677c200dc1be5f318]
stable/4.14: [95eacef5692545f199fae4e52abfbfa273acb351]
stable/4.19: [af4d48754d5517d33bac5e504ff1f1de0808e29e]
stable/5.10: [da3d3fdfb4d523c5da30e35a8dd90e04f0fd8962]
stable/5.15: [8efae2112d910d8e5166dd0a836791b08721eef1]
stable/5.4: [a18fb433ceb56e0787546a9d77056dd0f215e762]
stable/6.1: [cbf8deacb7053ce3e3fed64b277c6c6989e65bba,
179c65828593aff1f444e15debd40a477cb23cf4]
stable/6.2: [c59c65a14e8f7d738429648833f3bb3f9df0513f]

CVE-2023-37453: out-of-bounds in read_descriptors in drivers/usb/core/sysfs

The mainline was fixed.
This bug was introduced by commit 45bf39f ("USB: core: Don't hold
device lock while reading the "descriptors" sysfs file"). All stable
kernels and cip kernels are affected.

Fixed status
mainline: [ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2023-08-30 23:08 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-08-30 23:08 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 4 new CVEs and 5 updated CVEs were reported.

* New CVEs

CVE-2023-4563: Use-after-free in nft_verdict_dump due to a race
between set GC and transaction

CVSS v3 score is not provided.

A use-after-free bug was found in nftables. It allows a local
attacker to crash the system or may lead to a kernel information leak.

Fixed status
mainline: [24138933b97b055d486e8064b4a1721702442a9b,
5f68718b34a531a556f2f50300ead2862278da26,
f6c383b8c31a93752a52697f8430a71dcbc46adf,
c92db3030492b8ad1d0faace7a93bbcf53850d0c,
a2dd0233cbc4d8a0abb5f64487487ffc9265beb5,
6a33d8b73dfac0a41f3877894b38082bd0c9a5bc,
02c6c24402bf1c1e986899c14ba22a10b510916b,
23185c6aed1ffb8fc44087880ba2767aba493779]

CVE-2023-4569: [nf] netfilter: nf_tables: deactivate catchall elements
in next generation

CVSS v3 score is not provided (NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

A memory leak flaw was found in nft_set_catchall_flush in
net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow
a local attacker to cause a double-deactivation of catchall elements,
which results in a memory leak.

This bug was introduced by commit aaa3104 ("netfilter: nftables: add
catch-all set element support") in 5.13-rc1, so kernels before Linux
5.13 are not affected.

Fixed status
mainline: [90e5b3462efa37b8bba82d7c4e63683856e188af]
stable/5.15: [1adaec4758d1cefbf348a291ad9b752aaa10f8d3]
stable/6.1: [00ea7eb1c69eec91cdf9259f0e427c56e7999fcd]
stable/6.4: [83ff16e449a675e215125d97a2c4a7f097d291d0]

CVE-2023-25775: improper access control flaw in RDMA driver

CVSS v3 score is 9.8 HIGH (NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

Improper access control in the Intel(R) Ethernet Controller RDMA
driver for Linux before version 1.9.30 may allow an unauthenticated
user to potentially enable escalation of privilege via network access.

This issue was introduced by commit b48c24c2 ("RDMA/irdma: Implement
device supported verb APIs") in 5.14-rc1. Kernels before 5.14 are not
affected.

Fixed status
mainline: [bb6d73d9add68ad270888db327514384dfa44958]

CVE-2023-4611: mm/mempolicy: Take VMA lock before replacing policy

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.0 HIGH (CNA).

A use-after-free flaw was found in mm/mempolicy.c in the memory
management subsystem in the Linux Kernel. This issue is caused by a
race between mbind() and VMA-locked page fault, and may allow a local
attacker to crash the system or lead to a kernel information leak.

This issue was introduced by commit 5e31275 ("mm: add per-VMA lock and
helper functions to control it") in 6.4-rc1. Kernels before 6.4 are
not affected.

Fixed status
mainline: [6c21e066f9256ea1df6f88768f6ae1080b7cf509]
stable/6.4: [e872d6b6ea4947fb87f0d6ea1ef814019dbed89e]

* Updated CVEs

CVE-2023-3772: xfrm: add NULL check in xfrm_update_ae_params

stable 4.14, 4.19, 5.4, 5.10, and 5.15 were fixed.

Fixed status
mainline: [00374d9b6d9f932802b55181be9831aa948e5b7c]
stable/4.14: [ed1cba039309c80b49719fcff3e3d7cdddb73d96]
stable/4.19: [44f69c96f8a147413c23c68cda4d6fb5e23137cd]
stable/5.10: [bd30aa9c7febb6e709670cd5154194189ca3b7b5]
stable/5.15: [075448a2eb753f813fe873cfa52853e9fef8eedb]
stable/5.4: [8046beb890ebc83c5820188c650073e1c6066e67]
stable/6.1: [87b655f4936b6fc01f3658aa88a22c923b379ebd]
stable/6.4: [53df4be4f5221e90dc7aa9ce745a9a21bb7024f4]

CVE-2023-3773: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH

stable/5.10 and stable/5.15 were fixed.

Fixed status
mainline: [5e2424708da7207087934c5c75211e8584d553a0]
stable/5.10: [614811692e21cef324d897202ad37c17d4390da3]
stable/5.15: [8e5e967348caead2e03f047af28a4bcd79b80b9c]
stable/6.1: [a442cd17019385c53bbddf3bb92d91474081916b]
stable/6.4: [a9020514f175ef15bb68eea9345782abfd9afea3]

CVE-2023-4273: exfat: check if filename entries exceeds max filename length

stable 5.15 was fixed.

Fixed status
mainline: [d42334578eba1390859012ebb91e1e556d51db49]
stable/5.10: [381f7df0f3c3bd7dceb3e2b2b64c2f6247e2ac19]
stable/5.15: [6b64974e02ea82d0bae917f1fa79495a1a59b5bf]
stable/6.1: [c2fdf827f8fc6a571e1b7cc38a61041f0321adf5]
stable/6.4: [e1a73ba43cf883cb37f6331aca5a4c5be6350982]

CVE-2023-1077: sched/rt: pick_next_rt_entity(): check list_entry

stable/4.19 was fixed.

Fixed status
mainline: [7c4a5b89a0b5a57a64b601775b296abf77a9fe97]
stable/4.19: [84d90fb72a053c034b018fcc3cfaa6f606faf1c6]
stable/5.10: [80a1751730b302d8ab63a084b2fa52c820ad0273]
stable/5.15: [2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7]
stable/5.4: [084cd75643b61fb924f70cba98a71dea14942938]
stable/6.1: [6b4fcc4e8a3016e85766c161daf0732fca16c3a3]
stable/6.2: [1099004ae1664703ec573fc4c61ffb24144bcb63]

CVE-2023-2430: io_uring/msg_ring: fix missing lock on overflow for IOPOLL

stable/6.1 was fixed.

Fixed status
mainline: [e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d]
stable/6.1: [22a406b3629a10979916ea7cace47858410117b5]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2023-08-23 22:47 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-08-23 22:47 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 5 new CVEs and 3 updated CVEs were reported.

When I was reviewing CVE-2022-40307, I found commit
7f7838c92740fa423a5a3f12c00ed02d92851254
("efi: capsule-loader: Fix use-after-free in efi_capsule_write") is
not in the cip/4.4-st.
However, this commit exists in both cip/4.4 and cip/4.4-rt.

* New CVEs

CVE-2023-4385: A NULL pointer dereference bug was found in jfs file system

CVSS v3 score is not provided (NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

A NULL pointer dereference flaw was found in dbFree in
fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux
Kernel. This issue may allow a local attacker to crash the system due
to a missing sanity check.

All stable kernels and cip kernels are fixed.

Fixed status
mainline: [0d4837fdb796f99369cf7691d33de1b856bcaf1f]
stable/4.14: [070ddf59cf17faf6aae7d89f78e0510c94d07940]
stable/4.19: [c381558c278a540c61dfef1f2b77ab817d5d302d]
stable/5.10: [9dfa8d087bb854f613fcdbf1af4fb02c0b2d1e4f]
stable/5.15: [4b9380d92c66cdc66987f65130789abad5c1af6f]
stable/5.4: [e54fd01178ebd5b13ef9e2fc0f3006765f37ee3c]

CVE-2023-4387: A use-after-free bug was found in vmxnet3 driver

CVSS v3 score is 7.1 HIGH (NIST).
CVSS v3 score is 6.6 MEDIUM (CNA).

A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in
drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC
driver in the Linux Kernel. This issue could allow a local attacker to
crash the system due to a double-free while cleaning up
vmxnet3_rq_cleanup_all, which could also lead to a kernel information
leak problem.

All stable kernels and cip kernels are fixed.

Fixed status
mainline: [9e7fef9521e73ca8afd7da9e58c14654b02dfad8]
stable/4.14: [2bee202d0649cb53b9860fe15d0642167bffd6bf]
stable/4.19: [3adaaf3472e8ea410cb1330e5dd8372b0483dc78]
stable/5.10: [a54d86cf418427584e0a3cd1e89f757c92df5e89]
stable/5.15: [4ad09fdef55b70f16f8d385981b864ac75cf1354]
stable/5.4: [32f779e6fbbe0c0860a00777b7e3dee6b5ec0c1c]

CVE-2023-4389: A mishandling reference count flaw causes system crash
or kernel information leak

CVSS v3 score is 7.1 HIGH (NIST).
CVSS v3 score is 7.0 HIGH (CNA).

A flaw was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in the
btrfs filesystem in the Linux Kernel due to a double decrement of the
reference count. This issue may allow a local attacker with user
privilege to crash the system or may lead to leaked internal kernel
information.

This bug was introduced by commit bc44d7c ("btrfs: push
btrfs_grab_fs_root into btrfs_get_fs_root") in 5.7-rc1 and fixed in
5.18-rc3. So, kernels before Linux 5.7 are not affected by this issue.

All stable kernels and cip kernels are fixed.

Fixed status
mainline: [168a2f776b9762f4021421008512dd7ab7474df1]
stable/5.10: [1d2eda18f6ffbd9902594469c6e1a055014eb2ac]
stable/5.15: [252db93fd0bd5ca07c9b933ed94e93a4a43e8901]

CVE-2023-4394: A use-after-free bug was found in fs/btrfs/volumes.c

CVSS v3 score is 6.0 MEDIUM (NIST).
CVSS v3 score is 6.7 MEDIUM (CNA).

A use-after-free flaw was found in btrfs_get_dev_args_from_path in
fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. This flaw
allows a local attacker with special privileges to cause a system
crash or leak internal kernel information

This bug was introduced by commit faa775c ("btrfs: add a
btrfs_get_dev_args_from_path helper") in 5.16-rc1 and fixed in
6.0-rc3.
The commit faa775c was backported to 5.15, so 5.15 is affected by
this vulnerability. Kernels before Linux 5.15 don't contain the commit,
so they are not affected.

All stable kernels and cip kernels are fixed.

Fixed status
mainline: [9ea0106a7a3d8116860712e3f17cd52ce99f6707]
stable/5.15: [5f52402c77013e4a826394b807dd5ea4dc83bd72]

CVE-2023-4459: net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup()

CVSS v3 score is not provided (NIST).
CVSS v3 score is 6.5 MEDIUM (CNA).

A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in
drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in
vmxnet3 in the Linux Kernel. This issue may allow a local attacker with
normal user privilege to cause a denial of service due to a missing
sanity check during cleanup.

This bug was fixed in 5.18. All stable kernels and CIP kernels have been fixed.

Fixed status
mainline: [edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd]
stable/4.14: [5fd9a74bf04a1eae5dbde8ca8585106d4410427f]
stable/4.19: [248a37ffd81c7121d30702d8caa31db48450680d]
stable/5.10: [6e2caee5cddc3d9e0ad0484c9c21b9f10676c044]
stable/5.15: [e35387a91318ccdec4a30b58d967391e011e34fa]
stable/5.4: [dc64e8874e87dc1c1c723a1c6da7efc3305c18da]

* Updated CVEs

CVE-2023-0160: possibility of deadlock in libbpf function sock_hash_delete_elem

This bug was introduced by commit 604326b ("bpf, sockmap: convert to
generic sk_msg interface") in 4.20-rc1.
This commit is not backported to old stable kernels so 4.19, 4.14,
4.9, and 4.4 are not affected.

Fixed status
mainline: [ed17aa92dc56b6d8883e4b7a8f1c6fbf5ed6cd29]
stable/5.10: [2f9307222227410453e33654f5d9ed6459351455]
stable/5.15: [f333854dce4a079783f00c201869b9ee8f7ff3c3]
stable/5.4: [c229821510dfe35e89899b00ec34f9f5876fbbd2]
stable/6.1: [1d4ac7b0ffc9dc683b8dafc78b8b93177071a02c]

CVE-2023-3772: xfrm: add NULL check in xfrm_update_ae_params

Mainline, stable/6.1, and stable/6.4 were fixed.

Fixed status
mainline: [00374d9b6d9f932802b55181be9831aa948e5b7c]
stable/6.1: [87b655f4936b6fc01f3658aa88a22c923b379ebd]
stable/6.4: [53df4be4f5221e90dc7aa9ce745a9a21bb7024f4]

CVE-2023-3773: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH

Mainline, stable/6.1, and stable/6.4 were fixed.

Fixed status
mainline: [5e2424708da7207087934c5c75211e8584d553a0]
stable/6.1: [a442cd17019385c53bbddf3bb92d91474081916b]
stable/6.4: [a9020514f175ef15bb68eea9345782abfd9afea3]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-08-16 23:04 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-08-16 23:04 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 19 updated CVEs.

* New CVEs

CVE-2023-4128: net/sched: Use-after-free vulnerabilities in the
net/sched classifiers: cls_fw, cls_u32 and cls_route

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free flaw was found in net/sched/cls_fw.c in classifiers
(cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows
a local attacker to perform a local privilege escalation due to
incorrect handling of the existing filter, leading to a kernel
information leak issue.

This bug was introduced in 3.18-rc1.

Fixed status
mainline: [3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81,
76e42ae831991c828cffa8c37736ebfb831ad5ec,
  b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8]

CVE-2023-40283: Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

CVSS v3 score is not provided.

An issue was discovered in l2cap_sock_release in
net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is
a use-after-free because the children of an sk are mishandled.

Linux 4.4 seems to be affected too.

Fixed status
mainline: [1728137b33c00d5a2b5110ed7aafb42e7c32e4a1]
stable/4.14: [51822644a047eac2310fab0799b64e3430b5a111]
stable/4.19: [82cdb2ccbe43337798393369f0ceb98699fe6037]
stable/5.10: [06f87c96216bc5cd1094c23492274f77f1d5dd3b]
stable/5.15: [fbe5a2fed8156cc19eb3b956602b0a1dd46a302d]
stable/5.4: [a2da00d1ea1abfb04f846638e210b5b5166e3c9c]
stable/6.1: [29fac18499332211b2615ade356e2bd8b3269f98]
stable/6.4: [10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9]

* Updated CVEs

CVE-2022-20166: drivers core: Use sysfs_emit and sysfs_emit_at for
show(device *...) functions

stable/4.19 was fixed.

Fixed status
mainline: [aa838896d87af561a33ecefea1caa4c15a68bc47]
stable/4.19: [3ce2cd63e8ee037644db0cbea65e6c40ab6cc178]
stable/5.4: [9e9241d3345af3f2a78a5b60701a9cf0d15bf942]

CVE-2023-1206: hash collisions in the IPv6 connection lookup table

stable 4.14, 4.19, 5.10, and 5.4 were fixed.

Fixed status
mainline: [d11b0df7ddf1831f3e170972f43186dad520bfcc]
stable/4.14: [ebfedbfb36eecab2d4bfa6faeaad763cbfe3a0e8]
stable/4.19: [8fa0dea2fc96f192d81a12434e48deda2e556320]
stable/5.10: [0cd74fbd3b8327e60525e1ec4a6c28895693909f]
stable/5.15: [ecb741a17cb2abf693b34d8e05a1e7e40494afb6]
stable/5.4: [d87d67c8bdd13b2d4f7414ba97c54ba825337c47]
stable/6.1: [51aea7e9d5212adb8a3d198510cfcde4125988f9]
stable/6.4: [1e50c11ed44e28a57c6215a5e7643ae85c6297fa]

CVE-2023-1611: Kernel: race between quota disable and quota assign
ioctls in fs/btrfs/ioctl.c

stable 5.4 was fixed.

Fixed status
mainline: [2f1a6be12ab6c8470d5776e68644726c94257c54]
stable/5.10: [5f6347034341bf45056ca1ec3fa72040152ecf83]
stable/5.15: [c976f9233ef926e090db5614a837824a0bcab3fb]
stable/5.4: [0e0f324c259d87639bda61a0bdea9c32c4aecdc6]
stable/6.1: [a38ff2024805a30d9b96f52557c6ea0bbc31252a]
stable/6.2: [4caab245b0469ce9258ba099a41e909f5d307b33]

CVE-2023-20588: x86/CPU/AMD: Do not leak quotient data after a division by 0

stable 5.10, 5.15, 6.1, and 6.4 were fixed.

Fixed status
mainline: [77245f1c3c6495521f6a3af082696ee2f8ce3921]
stable/5.10: [b6fc2fbf89089ecfb8eb9a89a7fc91d444f4fec7]
stable/5.15: [a74878207b02060c5feaf88b5566208ed08eb78d]
stable/6.1: [f2615bb47be4f53be92c81a6a8aa286c92ef04d9]
stable/6.4: [c9c0b889e2d33d49b06bb716b95a192ed3449173]

CVE-2023-3006: arm64: Add AMPERE1 to the Spectre-BHB affected list

stable 5.4 was fixed.

Fixed status
mainline: [0e5d5ae837c8ce04d2ddb874ec5f920118bd9d31]
stable/5.10: [52a43b82006dc88f996bd06da5a3fcfef85220c8]
stable/5.15: [52c2329147cf5d956dcaa3a91c886c550e7bdd39]
stable/5.4: [f41cab7a4653a5b39e49f1385fca53c0b8f93324]

CVE-2023-3212: gfs2: Don't deref jdesc in evict

stable 4.14 and 4.19 were fixed.

Fixed status
mainline: [504a10d9e46bc37b23d0a1ae2f28973c8516e636]
stable/4.14: [6fb4b344382879bd4f8cc8394f6fff77c1388b15]
stable/4.19: [d3af9cea9a1ce56f427e41e5ffcdafe9280f099f]
stable/5.10: [d03d31d3a206093b9b8759dddf0ba9bd843606ba]
stable/5.15: [fd8b4e28f400a067e6ef84569816967be1f0642b]
stable/5.4: [23f98fe887ce3e7c8bd111f37e62735c5018c534]
stable/6.1: [5ae4a618a1558d2b536fdd5d42e53d3e2d73870c]
stable/6.3: [14c454764a37b194dc916c07488ce7339c82bc4f]

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

stable 4.14 and 4.19 were fixed.

Fixed status
mainline: [caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd]
stable/4.14: [185a79c8be264720b0b89ce2cc42ca2582dbce6f]
stable/4.19: [025fd7efe2639773540a5e425b7bc0dc10b6b023]
stable/5.10: [ea213922249c7e448d217a0a0441c6f86a8155fd]
stable/5.15: [870dcc31c0cf47cb15a568ade4168dc644b3ccfb]
stable/5.4: [b7d636c924eb275651bfb036eb8eca49c3f7bc24]
stable/6.1: [40f83dd66a823400d8592e3b71e190e3ad978eb5]
stable/6.4: [b79c09c2bf2d7643902a6ef26152de602c5c5e4b]

CVE-2023-3609: net/sched: cls_u32: Fix reference counter leak leading
to overflow

stable 4.14 and 4.19 were fixed.

Fixed status
mainline: [04c55383fa5689357bcdd2c8036725a55ed632bc]
stable/4.14: [a7f178f8439e939efdd12d190783eb0fabf5990d]
stable/4.19: [8ffaf24a377519e4396f03da5ccda082edae1ac9]
stable/5.10: [af6eaa57986e82d7efd81984ee607927c6de61e4]
stable/5.15: [0e1098d72fa462944c68262e1b5cca045dcb555e]
stable/5.4: [46305daf8064598a4008af1728651296815a74ed]
stable/6.1: [07f9cc229b44cbcee6385802d390091d915f38c3]

CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue

stable 4.14, 4.19, and 5.4 were fixed.

Fixed status
mainline: [3e337087c3b5805fe0b8a46ba622a962880b5d64]
stable/4.14: [c3f21ea515cb4ad7db86ddb511cead2f09e1c1e6]
stable/4.19: [ee3bc829f9b4df96d208d58b654e400fa1f3b46c]
stable/5.10: [8359ee85fd6dabc5c134ed69fb22faadd8a44071]
stable/5.15: [91d3554ab1fc2804c36a815c0f79502d727a41e6]
stable/5.4: [cf8ecd6ea68099a38e94e9b82cf58f6fd4cdf3c9]
stable/6.1: [70feebdbfad85772ab3ef152812729cab5c6c426]
stable/6.4: [bd2333fa86dc520823e8c317980b29ba91ee6b87]

CVE-2023-3776: net/sched: cls_fw: Fix improper refcount update leads
to use-after-free

stable 4.14 and 4.19 were fixed.

Fixed status
mainline: [0323bce598eea038714f941ce2b22541c46d488f]
stable/4.14: [fa020e39526994c7248f241f75d615b0df5d7671]
stable/4.19: [612f468cfc3df83777ae21058419b1fc8e9037eb]
stable/5.10: [80e0e8d5f54397c5048fa2274144134dd9dc91b5]
stable/5.15: [5b55f2d6ef403fcda93ae4eb4d8c1ba164c66e92]
stable/5.4: [808211a8d427404331e39e3b8c94ab5242eef8f5]
stable/6.1: [c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199]
stable/6.4: [0a2e3f49febda459252f58cec2d659623d582800]

CVE-2023-3995: netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID

stable 5.10 was fixed.

Fixed status
mainline: [0ebc1064e4874d5987722a2ddbc18f94aa53b211]
stable/5.10: [308a43f1521d5b7220693d0865b23e8dad3ed137]
stable/5.15: [5bee91121ccea8d69cea51632e9a1dd348ee49a1]
stable/6.1: [268cb07ef3ee17b5454a7c4b23376802c5b00c79]
stable/6.4: [14448359681062bf51d9c67e0264869548b79853]

CVE-2023-4015: netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR

stable 5.10 was fixed.

Fixed status
mainline: [0a771f7b266b02d262900c75f1e175c7fe76fec2]
stable/5.10: [ab5a97a94b57324df76d659686ac2d30494170e6]
stable/5.15: [98bcfcaecc76c4be288278c213b47d36292f40fa]
stable/6.1: [4237462a073e24f71c700f3e5929f07b6ee1bcaa]
stable/6.4: [027d00132487bcf2a4ee7493bb8de9d6331d48e3]

CVE-2023-4128: net/sched: Use-after-free vulnerabilities in the
net/sched classifiers: cls_fw, cls_u32 and cls_route

stable 4.19, 5.10, 5.15, 5.4, 6.1, and 6.4 were fixed.

Fixed status
mainline: [3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81,
76e42ae831991c828cffa8c37736ebfb831ad5ec,
  b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8]
stable/4.19: [4aae24015ecd70d824a953e2dc5b0ca2c4769243,
ad8f36f96696a7f1d191da66637c415959bab6d8]
stable/5.10: [b4256c99a7116c9514224847e8aaee2ecf110a0a,
a8d478200b104ff356f51e1f63499fe46ba8c9b8,
  aaa71c4e8ad98828ed50dde3eec8e0d545a117f7]
stable/5.15: [262430dfc618509246e07acd26211cb4cca79ecc,
9edf7955025a602ab6bcc94d923c436e160a10e3,
  79c3d81c9ad140957b081c91908d7e2964dc603f]
stable/5.4: [be785808db32b595728c4042d002c83d0dd4b66f,
83e3d4b0ae373dcba30c68bf28f8d179191a297a,
  1c8262f31fd2d23d1cfd2539715d976c2a99e582]
stable/6.1: [aab2d095ce4dd8d01ca484c0cc641fb497bf74db,
7f691439b29be0aae68f83ad5eecfddc11007724,
  d4d3b53a4c66004e8e864fea744b3a2b86a73b62]
stable/6.4: [4b717802428fa02cbcbb61209f638f65f9cd4710,
7d848d718aeb3b482e177b682dd04e76dd413afb,
  a836184b670f59e24d3a0f7c07115ec6e6ce6900]

CVE-2023-4132: smsusb: use-after-free caused by do_submit_urb()

stable 4.14 was fixed. Added one more fixed commit to 4.19.

Fixed status
mainline: [ebad8e731c1c06adf04621d6fd327b860c0861b5,
6f489a966fbeb0da63d45c2c66a8957eab604bf6]
stable/4.14: [c379272ea9c2ee36f0a1327b0fb8889c975093f7,
45224862e49e1fde86cbd26c7612f029b4e2e662]
stable/4.19: [1477b00ff582970df110fc9e15a5e2021acb9222,
54073c46cbbd2c0c03d6f7d481540cb95cf181a1]
stable/5.10: [42f8ba8355682f6c4125b75503cac0cef4ac91d3,
d87ef4e857b790f1616809eccda6b4d0c9c3da11]
stable/5.15: [114f768e7314ca9e1fdbebe11267c4403e89e7f2,
784a8027b8ac5a876d71cb3d3d4d97b2b6cb5920]
stable/5.4: [a41bb59eff7a58a6772f84a5b70ad7ec26dad074,
d485150c9a52167a6175f542397a098b4cd89dc9]
stable/6.1: [479796534a450fd44189080d51bebefa3b42c6fc,
8abb53c5167cfb5bb275512a3da4ec2468478626]
stable/6.4: [ebad8e731c1c06adf04621d6fd327b860c0861b5,
ae65238d3f5a2df48341a7112820e04fb1017422]

CVE-2023-4147: netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID

stable 5.10 was fixed.

Fixed status
mainline: [0ebc1064e4874d5987722a2ddbc18f94aa53b211]
stable/5.10: [308a43f1521d5b7220693d0865b23e8dad3ed137]
stable/5.15: [5bee91121ccea8d69cea51632e9a1dd348ee49a1]
stable/6.1: [268cb07ef3ee17b5454a7c4b23376802c5b00c79]
stable/6.4: [14448359681062bf51d9c67e0264869548b79853]

CVE-2023-4194: tap: tap_open(): correctly initialize socket uid next
fix of i_uid to current_fsuid

stable 5.10, 5.15, 5.4, 6.1, and 6.4 were fixed.

Fixed status
mainline: [9bc3047374d5bec163e83e743709e23753376f0c,
5c9241f3ceab3257abe2923a59950db0dc8bb737]
stable/5.10: [5ea23f1cb67e4468db7ff651627892c9217fec24,
33a339e717be2c88b7ad11375165168d5b40e38e]
stable/5.15: [4ed3eed99ee6137cf6682621657f0e7699957f56,
32ca6a55e10ed9736672565d64771f6ea74e4341]
stable/5.4: [1d53ea776760097186258ced06d468bf26adb437,
1202deb153d68d569439a4d1772eba20daa95589]
stable/6.1: [b6846d7c408b33e4701f4f5ca28932e2a08e0a2e,
767800fc402deac438c5aed9c82f0e71a70c86fd]
stable/6.4: [36161e7d40e7293d7f213e16d881042d15c8a53a,
ea6cce8d689930ba480f7b02af8d9fc686534ab0]

CVE-2023-4273: exfat: check if filename entries exceeds max filename length

stable 5.10, 6.1, and 6.4 were fixed.

Fixed status
mainline: [d42334578eba1390859012ebb91e1e556d51db49]
stable/5.10: [381f7df0f3c3bd7dceb3e2b2b64c2f6247e2ac19]
stable/6.1: [c2fdf827f8fc6a571e1b7cc38a61041f0321adf5]
stable/6.4: [e1a73ba43cf883cb37f6331aca5a4c5be6350982]

CVE-2023-33250: a use-after-free bug was found in iopt_unmap_iova_range

Mainline and stable/6.4 were fixed.
It was introduced by commit 51fe614 ("iommufd: Data structure to provide
IOVA to PFN mapping") in 6.2-rc1.
Kernels before Linux 6.2 are not affected.

Fixed status
mainline: [dbe245cdf5189e88d680379ed13901356628b650,
804ca14d04df09bf7924bacc5ad22a4bed80c94f]
stable/6.4: [dbe65261fe1367dc307a89466a1a75c0d80b8233,
19d93648142a4cfe5bf36278f3beee582605cd01]

CVE-2023-4155: KVM: SEV: only access GHCB fields once

stable 6.1 and 6.4 were fixed.

Fixed status
mainline: [7588dbcebcbf0193ab5b76987396d0254270b04a]
stable/6.1: [5bdf1c1f346c81996b6e36b5efd5c92aeda4fbe4]
stable/6.4: [ab8e9a874574ce511eca21caa5d7ef5426963a54]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-08-10  0:04 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-08-10  0:04 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 19 new CVEs and 1 updated CVE.

There is a new speculative-execution vulnerability reported as CVE-2022-40982.
More details on the https://downfall.page/ .

Also, there is another AMD CPU specific bug called Inception(CVE-2023-20569).
More details on the https://comsec.ethz.ch/research/microarch/inception/ .

Debian and Ubuntu assigned CVE-2022-3533 and CVE-2022-3606 to the
libbpf package because they build the libbpf package from libbpf's
upstream source, not the Linux kernel. But NVD sets the CPE to the
Linux kernel. So, we need to track these CVEs.

I think I'll create a script that gets CVE information from NVD to
track such CVEs.

* New CVEs

CVE-2023-21400: io_uring: ensure IOPOLL locks around deferred work

CVSS v3 score is 6.7 MEDIUM.

In multiple functions of io_uring.c, there is a possible kernel memory
corruption due to improper locking. This could lead to local
escalation of privilege in the kernel with System execution privileges
needed. User interaction is not needed for exploitation.

The commit log said that

"""
No direct upstream commit exists for this issue. It was fixed in
5.18 as part of a larger rework of the completion side.
"""

I couldn't find the actual fix commit in 5.18, so I added the commit
hash which is tagged as 5.18.

Fixed status
stable/5.10: [810e401b34c4c4c244d8b93b9947ea5b3d4d49f8]
mainline: [4b0986a3613c92f4ec1bdc7f60ec66fea135991f]

CVE-2022-3533: libbpf: Fix memory leak in parse_usdt_arg()

CVSS v3 score is 5.7 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(CNA).

A vulnerability was found in Linux Kernel. It has been rated as
problematic. This issue affects the function parse_usdt_arg
of the file tools/lib/bpf/usdt.c of the component BPF. The
manipulation of the argument reg_name leads to memory leak.
It is recommended to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-211031.

This CVE was introduced by commit 0f86199 ("libbpf: Usdt aarch64 arg
parsing support") in 5.19-rc1 then fixed in v6.2-rc1.

Fixed status
mainline: [0dc9254e03704c75f2ebc9cbef2ce4de83fba603]
stable/6.1: [13866e924a5760ee1ba9aa64dbfb5b44f4138c01]

CVE-2022-3606: libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(CNA).

A vulnerability was found in Linux Kernel. It has been classified as
problematic. This affects the function find_prog_by_sec_insn
of the file tools/lib/bpf/libbpf.c of the component BPF. The
manipulation leads to null pointer dereference. It is recommended to
apply a patch to fix this issue. The identifier VDB-211749 was
assigned to this vulnerability.

This CVE was introduced by commit db2b8b0 ("libbpf: Support CO-RE
relocations for multi-prog sections") in 5.10-rc1 then fixed in
6.2-rc1.

Fixed status
mainline: [d0d382f95a9270dcf803539d6781d6bd67e3f5b2]
stable/5.10: [85b297d7986c64f36825020b848f09f0415f325a]
stable/5.15: [67061355776e9f95bf28097cc8a32bde428a6d80]
stable/6.1: [ecb0f3d7dd137828940d14b7706096a96b43d815]

CVE-2023-3777: netfilter: nf_tables: skip bound chain on rule flush

CVSS v3 score is not provided.

This bug was introduced by commit d0e2c7d ("netfilter: nf_tables: add
NFT_CHAIN_BINDING") in 5.9-rc1.
Kernels before 5.9 are not affected.

CVE-2023-3777, CVE-2023-3995, and CVE-2023-4147 are introduced by the same commit.

Fixed status
mainline: [6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8]
stable/5.10: [30e5460d69e631c0e84db37dba2d8f98648778d4]
stable/5.15: [10013f764ad2957de08968bd02870b6b7683e3f6]
stable/6.1: [e18922ce3e3169eb97838d1dcba2d679bcca446c]
stable/6.4: [ab87c6b43822a56ae0aadc715364b5f8d4a96037]

CVE-2023-3995: netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID

CVSS v3 score is not provided.

This bug was introduced by commit d0e2c7d ("netfilter: nf_tables: add
NFT_CHAIN_BINDING") in 5.9-rc1.
Kernels before 5.9 are not affected.

Fixed status
mainline: [0ebc1064e4874d5987722a2ddbc18f94aa53b211]
stable/5.15: [5bee91121ccea8d69cea51632e9a1dd348ee49a1]
stable/6.1: [268cb07ef3ee17b5454a7c4b23376802c5b00c79]
stable/6.4: [14448359681062bf51d9c67e0264869548b79853]

CVE-2023-4015: netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR

CVSS v3 score is not provided.

This bug was introduced by commit 4bedf9e ("netfilter: nf_tables: fix
chain binding transaction logic") in 6.4.
This patch was backported to 5.10, 5.15, and 6.1. So 4.4, 4.14, 4.19,
and 5.4 are not affected.

Fixed status
mainline: [0a771f7b266b02d262900c75f1e175c7fe76fec2]
stable/5.15: [98bcfcaecc76c4be288278c213b47d36292f40fa]
stable/6.1: [4237462a073e24f71c700f3e5929f07b6ee1bcaa]
stable/6.4: [027d00132487bcf2a4ee7493bb8de9d6331d48e3]

CVE-2023-4132: smsusb: use-after-free caused by do_submit_urb()

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(CNA).

A use-after-free vulnerability was found in the siano smsusb module in
the Linux kernel.
The bug occurs during device initialization when the siano device is plugged in.
This flaw allows a local user to crash the system, causing a denial of
service condition.

Commit ebad8e73 ("media: usb: siano: Fix use after free bugs caused by
do_submit_urb") fixes a use-after-free bug in
do_submit_urb(). Commit 6f489a9 fixes a bug that was introduced by ebad8e73.

Linux 4.19 backported ebad8e73 ("media: usb: siano: Fix use after free
bugs caused by do_submit_urb") but not yet 6f489a9 ("media: usb: siano:
Fix warning due to null work_func_t function pointer").

Fixed status
mainline: [ebad8e731c1c06adf04621d6fd327b860c0861b5,
6f489a966fbeb0da63d45c2c66a8957eab604bf6]
stable/4.19: [1477b00ff582970df110fc9e15a5e2021acb9222]
stable/5.10: [42f8ba8355682f6c4125b75503cac0cef4ac91d3,
d87ef4e857b790f1616809eccda6b4d0c9c3da11]
stable/5.15: [114f768e7314ca9e1fdbebe11267c4403e89e7f2,
784a8027b8ac5a876d71cb3d3d4d97b2b6cb5920]
stable/5.4: [a41bb59eff7a58a6772f84a5b70ad7ec26dad074,
d485150c9a52167a6175f542397a098b4cd89dc9]
stable/6.1: [479796534a450fd44189080d51bebefa3b42c6fc,
8abb53c5167cfb5bb275512a3da4ec2468478626]
stable/6.4: [ebad8e731c1c06adf04621d6fd327b860c0861b5,
ae65238d3f5a2df48341a7112820e04fb1017422]

CVE-2023-4133: cxgb4: fix use after free bugs caused by circular
dependency problem

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(CNA).

A use-after-free vulnerability was found in the cxgb4 driver in the
Linux kernel.
The bug occurs when the cxgb4 device is detaching due to a possible
rearming of the flower_stats_timer from the work queue.
This flaw allows a local user to crash the system, causing a denial of
service condition.

This bug was introduced by commit e0f911c ("cxgb4: fetch stats for
offloaded tc flower flows") in 4.15-rc1.

Fixed status
mainline: [e50b9b9e8610d47b7c22529443e45a16b1ea3a15]

CVE-2023-4134: Input: cyttsp4_core - change del_timer_sync() to
timer_shutdown_sync()

CVSS v3 score is not provided.

A use-after-free bug was found in the Cypress TrueTouch Gen4 Touchscreen Driver.
This bug was introduced by commit 17fb156 ("Input: cyttsp4 - add core
driver for Cypress TMA4XX touchscreen devices") in 3.11-rc1.

Fixed status
mainline: [dbe836576f12743a7d2d170ad4ad4fd324c4d47a]
stable/6.4: [28dc11949357f10712bd641b724ab373a92318de]

CVE-2023-4147: netfilter: nf_tables: disallow rule addition to bound
chain via NFTA_RULE_CHAIN_ID

CVSS v3 score is not provided(NIST).
CVSS v3 score is 7.8 HIGH(CNA).

A use-after-free bug was found in the netfilter subsystem when bailing
out with EOPNOTSUPP while adding a rule to a bound chain via
NFTA_RULE_CHAIN_ID. This bug was introduced by commit d0e2c7d
("netfilter: nf_tables: add NFT_CHAIN_BINDING") in 5.9-rc1.
Kernels before 5.9 are not affected.

Fixed status
mainline: [0ebc1064e4874d5987722a2ddbc18f94aa53b211]
stable/5.15: [5bee91121ccea8d69cea51632e9a1dd348ee49a1]
stable/6.1: [268cb07ef3ee17b5454a7c4b23376802c5b00c79]
stable/6.4: [14448359681062bf51d9c67e0264869548b79853]

CVE-2023-4194: tap: tap_open(): correctly initialize socket uid next
fix of i_uid to current_fsuid

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(CNA).

A flaw was found in the Linux kernel's TUN/TAP functionality. This
issue could allow a local user to bypass network filters and gain
unauthorized access to some resources. The original patches fixing
CVE-2023-1076 are incorrect or incomplete. The problem is that the
following upstream commits
- a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"),
- 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"),
pass "inode->i_uid" to sock_init_data_uid() as the last parameter and
that turns out to not be accurate.

Both commits a096ccca6e50 and 66b2c338adce do not exist in 4.x
kernels, so these kernels aren't affected by this CVE.

Fixed status
mainline: [9bc3047374d5bec163e83e743709e23753376f0c,
5c9241f3ceab3257abe2923a59950db0dc8bb737]

CVE-2023-4205: UBSAN: OOB in do_journal_end with the fail of
array-index-out-of-bounds in fs reiserfs

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(CNA).

An out-of-bounds memory access flaw was found in the Linux kernel's
do_journal_end function when an array-index-out-of-bounds failure in
fs/reiserfs/journal.c could happen. This flaw allows a local user to
crash the system.

Fixed status
Not fixed yet

CVE-2023-4155: KVM: SEV: only access GHCB fields once

CVSS v3 score is not provided.

A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can exploit a
vulnerability, invoking the recursive VMGEXIT handler through a double
fetch race condition. The issue arises from a shared GHCB page used by
sev_handle_vmgexit() and sev_es_validate_vmgexit(), allowing quick
swapping of values and bypassing validation.
Although exploiting recursion in the Linux kernel has been feasible,
the impact is mitigated by stack guard pages, yet attackers could
potentially trigger a DoS or guest-to-host escape in kernel
configurations without stack guard pages.

This CVE was introduced by commit 291bd20 ("KVM: SVM: Add initial
support for a VMGEXIT VMEXIT") in 5.11-rc1.

Fixed status
mainline: [7588dbcebcbf0193ab5b76987396d0254270b04a]

CVE-2022-40982: Downfall vulnerability

CVSS v3 score is not provided.

Downfall attacks exploit a major weakness in modern processors used in
personal and cloud computers, enabling data theft between users
sharing the same system.
CVE-2022-40982 is the identified vulnerability that allows malicious
apps to steal sensitive data like passwords and banking details.
Memory optimization features in Intel processors inadvertently expose
internal hardware registers, leading to the vulnerability exploited
through Gather Data Sampling (GDS) and Gather Value Injection (GVI)
techniques.

Fixed status
mainline: [8974eb588283b7d44a7c91fa09fcbaf380339f3a,
553a5c03e90a6087e88f8ff878335ef0621536fb,
  53cf5797f114ba2bd86d23a862302119848eff19,
81ac7e5d741742d650b4ed6186c4826c1a0631a7,
  1b0fc0345f2852ffe54fb9ae0e12e2ee69ad6a20]
stable/4.14: [cdc2724c9d060a8fa9652a9aa6347d8324f6cd82,
74a10924f5b5b7b997745be50595129a418b8b4d,
  c9a54e5b917ea4c365e47ccb183d903df940eb94,
2f17bdaa6f1c15d1a17bdc3fa26bc3598b22ae95,
  3c385319a284829b9c669e46908c474845002581]
stable/4.19: [ecc9d725a30dc53046f3739be9b7ac800d66c11b,
047ac82a3a9792264ec261f8812a14df28f28302,
  c3188cac78ced4eafdc4280feaeb08a47585151d,
6c18fb3d9d3876a709b43c42c8d45a8a4e5ca6f0,
  edb21f8093a187c9e17acb507900eaab80e516df,
c0f82528e7afa445c5e8d67e2a7615e1ed87aa00,
  15f5646fd2dbfa7298216418d383be36b470d01b,
b698b5d11a169b4d41d7afe488ab3c408e39e5bc,
  504aece3f6bcf88b31a809b3bbbe6b1931f78d18,
ecc68c37bba469401a2cdc1a73661c31ef014742,
  82f4acbce852b4795c32d38be2b164af27d1d125,
211ec614c9f107dfd1c3a1c14d097be474bb6b53,
  7c7bb95ece11a94b9fa1cf117cf27ce6324bbe3b,
542dac06335106f81149ae96577f28d6123506e0,
  2323f105866e6a456b219b9e3cde53d560464c43,
e81494b7259b6b1ab81a9f9be3385b4aa99a7a59,
  91e24758cd8e53b030146fbe7ff5c2b258e60c66,
0461f6027566f1bc68c7de160213813d340abf75,
  1af834f2f4f824fd36130d3efe52922aec5a852c,
64f142253bd20cf39de9f931bb910f0e6de0d268,
  b8d22bdfef99923c3727950ae4158ee07ecc8740]
stable/5.10: [6e606e681873b37aa252486d43be4cf007544e85,
e5eb18e164d08986543f8259d0cc10e120fb8746,
  c0fff20d4efa3bdb3ef203a8ae6e703e0c010199,
12d93c6c98d5478128d90ad4fbdf705753a0197e,
  1cd3fc18eb169e2f81a34eeaf8147f9395ee8a11,
75bb54c951e92714a50cdc063f9953d11e8d36a2,
  3c45134b38b417d17103f1f0b9a8b32f98ac358c,
2edb3b39ca793bf13a123ea6a25da640be36e7a5,
  b05031c2bca790afed717bc59cde2dac722efb94,
bf2fa3a9d0e65326917273d17a8e9c6880d7b97c,
  09658b81d158c15112a56323d8db8fed83e8cd4a,
18fcd72da1ed6166f1cbb03f713bed50c839fc22,
  7a2f42bce9ab23fb9e59fe6de45bfedb5d611eee,
2462bc3ef0611646d94658ff250bb16669347361,
  4ae1cbb730bd574d57d3996d4c20974972d47009,
288a2f6bc1ce03ddb3f05fd8c79b00d5d7160b4a,
  363c98f9cfa8124cc49b2dfc5d48666b138f7e2e,
7db4ddcb8d8e356387a773728b2479d390488b1e,
  eb13cce488745176db654b20ea438f4b5b91ab9c,
583016037a092e4189c86bad7946c6d88669b4ca,
  f076d081787803b972a9939e477c6456f0c8fd70,
6ee042fd240fb669f4637f8cd89899b15911e5df,
  1ff14defdfc9180bfcfd76a70463a5feb188a5db,
79972c2b95eca5e7d3d237d728339b21e9075629,
  6750468784314bc8a336f80493cd82cde2afa655]
stable/5.15: [348a89e2018428c3e55a87cdd9ae3cbd6cc8248a,
0cc5643b63aef90165488dabaeff92697925baa6,
  59d78655f808eb82a103f0fb79df9aa20ee2c7c1,
348741a9e4d37d83024b45acce9b65233127f8b2,
  0242a8bdef560523b5d81f5979854266092ab0a6]
stable/5.4: [f68f9f2df68e246548bdc1a2279c55f98c4ca473,
e35c6579436504435c04f6908c364a9a37e353e8,
  ed56430ab2532bf5c91e91e9b4eb9d094d0f36fa,
e56c1e0f91343007dbeb5e05e0b09f5c9e8a5560,
  3e21d8b0f3a9c0acc8d4f0d6829efbdad4157830]
stable/6.1: [d5501f2ff80d30d615d59531825d3a5f0bb0d35d,
7918a3555a2502a4d86b831da089f3b985d1bca9,
  e2e06240ae4780977387906e2e11774283ca7997,
403e4cc67e4cf9226c57a7cb27c7f4365d2143b7,
  08e86d42e2c916e362d124e3bc6c824eb1862498,
489ae02c89936c7e40f04191e8c160ac53649526,
  6a90583dbd9b794071b8b54d8c36f40a459d1051,
84f585542ec69226311be5a4500a4b3cbad6fb5b,
  ce97072e10cc844fac8176681b2cb17bf3eaaa7b,
8beabde0ed8d31e45a3d9484f0591a18c0c94cc7,
  a3342c60dcc58007cc14b2cf1ebc7e2b563423a8,
8183a89caf67a1f56f1da1d6081e26a0ae7a5fdf,
  b0837880fa65fa4a6dc407b42e9b33e18f7b44e3,
c956807d8462e94a1450dc0737728c25917b1d67,
  9e8d9d399094dd911059ff337dd8a104f052e1ca,
e26932942b2c505d5e8a9f263cbe66de4fab1b24,
  f25ad76d92176f41a543a812972e9937ce4f7d08,
c66ebe070d9641c9339e42e1c2d707a5052e9904,
  92fc27c79bc7f3e2bfd2b88e197762566daf02a1,
c04579e95492dff342cb4976dd2f5728c0f87eee,
  b6fd07c41b4c64faff368728cef13439ee62860d,
baa7b7501e41344f95da0bd3042dd04110d58edb,
  7f3982de36c6620c2faae6fd960fa4021d71e16a,
d972c8c08f96518ff02efd87c4fef594a833f6ea,
  9ae15aaff39c831e2f9d8b029e85a2d70c7c8a68,
e0fd83a193c530fdeced8b2e2ec83039ffdb884b,
  051f5dcf144aa7659c4f4be04c66c3eda9b1bad3,
dacb0bac2edb649ce01c25da9f8898769516d716]
stable/6.4: [ff0642207e24f9a7011e8982ab7da1e16db75a38,
c73393948612b24b1298c6a4bf88276d5216648e,
  4da542e6b2bbcb05305de5c3bfd52bcfa0a3b93e,
6f29afbba8fc7f79790add4725a78064791bbd50,
  7be4a6b1128c2d6136c591b055b834d81198749e]

CVE-2023-20569: Speculative Return Stack Overflow (SRSO)

CVSS v3 score is not provided.

A side channel vulnerability on some of the AMD CPUs may allow an
attacker to influence the return address prediction.
This may result in speculative execution at an attacker-controlled
address, potentially leading to information disclosure.

AMD published vulnerability information on their security page.
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

Fixed status
mainline: [0e52740ffd10c6c316837c6c128f460f1aaba1ea,
fb3bd914b3ec28f5fb697ac55c4846ac2d542855,
  79113e4060aba744787a81edb9014f2865193854,
1b5277c0ea0b247393a9c426769fde18cff5e2f6,
  233d6f68b98d480a7c42ebe78c38f79d44741ca9,
d893832d0e1ef41c72cdae444268c1d64a2be8ad,
  238ec850b95a02dcdff3edc86781aa913549282f,
3bbbe97ad83db8d9df06daf027b0840188de625d,
  5a15d8348881e9371afdf9f5357a135489496955]
stable/5.10: [baf6d6c39e2390ef91bec12d057294dd507d1115,
437fa179f2136d349fda78331fd28696e40def9d,
  9b7fe7c6fbc007564f97805ff45882e79f0c70d0,
073a28a9b50662991e7d6956c2cf2fc5d54f28cd,
  34f23ba8a399ecd38b45c84da257b91d278e88aa,
3f9b7101bea1dcb63410c016ceb266f6e9f733c9,
  df76a59feba549825f426cb1586bfa86b49c08fa,
e47af0c255aed7da91202f26250558a8e34e1c26,
  4acaea47e3bcb7cd55cc56c7fd4e5fb60eebdada,
384d41bea948a18288aff668b7bdf3b522b7bf73,
  4873939c0e1cec2fd04a38ddf2c03a05e4eeb7ef,
8457fb5740b14311a8941044ff4eb5a3945de9b2]
stable/6.1: [dfede4cb8ef732039b7a479d260bd89d3b474f14,
dec3b91f2c4b2c9b24d933e2c3f17493e30149ac,
  ac41e90d8daa8815d8bee774a1975435fbfe1ae7,
9139f4b6dd4fe1003ba79ab317d1a9f48849b369,
  98f62883e7519011bf63f85381d637f65d7f180e,
79c8091888ef61aac79ef72122d1e6cd0b620669,
  c9ae63d773ca182c4ef63fbdd22cdf090d9c1cd7,
c7f2cd04554259c2474c4f9fa134528bc2826b22,
  77cf32d0dbfbf575fe66561e069228c532dc1da9,
4f25355540ad4d40dd3445f66159a321dad29cc8]

CVE-2023-21264: KVM: arm64: Implement do_share() helper for sharing memory

CVSS v3 score is not provided.

This bug was introduced by commit e82edcc ("KVM: arm64: Implement
do_share() helper for sharing memory") in 5.17-rc1.

The commit e82edcc introduced a new helper function to establish
shared-memory regions between components.
It uses pte for host-initiated memory transition, but that wasn't a
good way to do so.

Fixed status
mainline: [09cce60bddd6461a93a5bf434265a47827d1bc6f]

CVE-2023-34319: xen/netback: Fix buffer overrun triggered by unusual packet

CVSS v3 score is not provided.

An unprivileged guest can cause Denial of Service (DoS) of the host by
sending network packets to the backend, causing the backend to crash.

It was introduced by commit ad7f402 ("xen/netback: Ensure protocol headers
don't fall in the non-linear area") in 6.1.
This commit was backported to all stable kernels (including cip/4.4,
cip/4.4-rt, cip/4.4-st).

Fixed status
mainline: [534fc31d09b706a16d83533e16b5dc855caf7576]
stable/4.14: [e1142d87c185c7d7bbf05d175754638b5b9dbf16]
stable/4.19: [11e6919ae028b5de1fc48007354ea07069561b31]
stable/5.10: [f9167a2d6b943f30743de6ff8163d1981c34f9a9]
stable/5.15: [b14a3924c2675c22e07a5a190223b6b6cdc2867d]
stable/5.4: [bc7b9a6c2ca42b116b0f24dbaa52b5a07d96d1d6]
stable/6.1: [fa5b932b77c815d0e416612859d5899424bb4212]
stable/6.4: [cf482893f721f76ac60c0a43482a59b2f194156b]

CVE-2023-20588: x86/CPU/AMD: Do not leak quotient data after a division by 0

CVSS v3 score is not provided.

A division-by-zero error on some AMD processors can potentially return
speculative data resulting in loss of confidentiality.

Affected CPUs are listed on AMD's security advisory page
(https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html).

Fixed status
mainline: [77245f1c3c6495521f6a3af082696ee2f8ce3921]

CVE-2023-4273: exfat: check if filename entries exceeds max filename length

CVSS v3 score is not provided (NIST).
CVSS v3 score is 6.0 MEDIUM (CNA).

A flaw was found in the exFAT driver of the Linux kernel. The
vulnerability exists in the implementation of the file name
reconstruction function, which is responsible for reading file name
entries from a directory index and merging file name parts belonging
to one file into a single long file name. Since the file name
characters are copied into a stack variable, a local privileged
attacker could use this flaw to overflow the kernel stack.

exfat_get_uniname_from_ext_entry() doesn't check the filename length,
so it will overwrite more than the max filename length.
This function was introduced by commit ca06197 ("exfat: add directory
operations") in 5.7-rc1.

Fixed status
mainline: [d42334578eba1390859012ebb91e1e556d51db49]

* Updated CVEs

CVE-2023-1206: hash collisions in the IPv6 connection lookup table

The mainline, 5.15, 6.1, and 6.4 were fixed.

Fixed status
mainline: [d11b0df7ddf1831f3e170972f43186dad520bfcc]
stable/5.15: [ecb741a17cb2abf693b34d8e05a1e7e40494afb6]
stable/6.1: [51aea7e9d5212adb8a3d198510cfcde4125988f9]
stable/6.4: [1e50c11ed44e28a57c6215a5e7643ae85c6297fa]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


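The reports above follow a fixed layout: a "CVE-YYYY-NNNN: title" line, a "Fixed status" line, then one "branch: [hash, ...]" line per branch (the bracketed list may wrap onto following lines) or a "Not fixed yet" line. A CIP member tracking a particular branch mostly wants to know which CVEs still lack a fix there. The following Python parser is an added example (the reports contain no code of their own) that extracts that map and lists the CVEs with no recorded fix for a branch; the layout assumptions above are mine, and the sample text is a constructed excerpt of entries from these reports with the descriptions trimmed.

```python
"""Parse the weekly CIP CVE report layout into a CVE -> branch -> fixes map.

Added example; the reports themselves contain no code.  Assumed layout:
each entry starts with a "CVE-YYYY-NNNN: title" line, its fix list is
introduced by a "Fixed status" line and consists of "branch: [hash, ...]"
lines (the bracketed list may wrap onto following lines) or a
"Not fixed yet" line, and a blank line ends the fix list.
"""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*:\s*(.*)$")
BRANCH_RE = re.compile(r"^([\w./-]+):\s*\[(.*)$")
HASH_RE = re.compile(r"\b[0-9a-f]{7,40}\b")


@dataclass
class Entry:
    cve: str
    title: str                                   # first title line only
    fixes: dict = field(default_factory=dict)    # branch -> [commit hashes]
    not_fixed: bool = False                      # report says "Not fixed yet"


def parse_report(text):
    """Return {cve_id: Entry} for every CVE entry in the report text."""
    entries = {}
    current = None
    in_fixed = False        # inside a "Fixed status" block
    branch = None           # branch whose wrapped hash list continues
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = Entry(m.group(1), m.group(2))
            entries[current.cve] = current
            in_fixed, branch = False, None
            continue
        if current is None:
            continue
        if line == "Fixed status":
            in_fixed = True
            continue
        if not in_fixed:
            continue
        if not line:                            # blank line closes the block
            in_fixed, branch = False, None
            continue
        if line.lower().startswith("not fixed"):
            current.not_fixed = True
            continue
        bm = BRANCH_RE.match(line)
        if bm:                                  # "branch: [hash, hash, ..."
            branch = bm.group(1)
            current.fixes.setdefault(branch, []).extend(HASH_RE.findall(bm.group(2)))
        elif branch is not None:                # continuation of a wrapped list
            current.fixes[branch].extend(HASH_RE.findall(line))
    return entries


def missing_fixes(entries, branch):
    """Sorted CVE ids with no fix commit recorded for `branch` (e.g. "cip/4.4")."""
    return sorted(cve for cve, e in entries.items() if branch not in e.fixes)


# Constructed sample: excerpts of entries from the reports, descriptions trimmed.
SAMPLE_REPORT = """\
* New CVEs

CVE-2023-34319: xen/netback: Fix buffer overrun triggered by unusual packet

CVSS v3 score is not provided.

Fixed status
mainline: [534fc31d09b706a16d83533e16b5dc855caf7576]
stable/4.14: [e1142d87c185c7d7bbf05d175754638b5b9dbf16]
stable/6.1: [fa5b932b77c815d0e416612859d5899424bb4212]

CVE-2023-4010: A bug was found in the usb_giveback_urb function causes DoS.

Fixed status
Not fixed yet.

CVE-2023-3106: crash in XFRM_MSG_GETSA netlink handler

Fixed status
cip/4.4: [0cbb0084fa2b444b7316a0967a0d93f5ae520216]
mainline: [1ba5bf993c6a3142e18e68ea6452b347f9cb5635]

CVE-2023-20569: Speculative Return Stack Overflow (SRSO)

Fixed status
mainline: [0e52740ffd10c6c316837c6c128f460f1aaba1ea,
fb3bd914b3ec28f5fb697ac55c4846ac2d542855,
  79113e4060aba744787a81edb9014f2865193854]
"""

if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    for cve in missing_fixes(entries, "cip/4.4"):
        e = entries[cve]
        state = "not fixed anywhere" if e.not_fixed else "fixed in " + ", ".join(e.fixes)
        print(f"{cve}: no cip/4.4 fix ({state})")
```

Feeding a whole mailing-list message to parse_report() works the same way; entries in the "Currently tracking CVEs" section have no "Fixed status" block and therefore show up as missing for every branch, which is the intended reading.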

* New CVE entries this week
@ 2023-08-02 23:38 Masami Ichikawa
From: Masami Ichikawa @ 2023-08-02 23:38 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs and 10 updated CVEs.

* New CVEs

CVE-2023-3812: An out-of-bounds memory access flaw was found in the
TUN/TAP device driver

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH.

An out-of-bounds memory access flaw was found in the Linux kernel’s
TUN/TAP device driver functionality in how a user generates a
malicious (too big) networking packet when napi frags is enabled. This
flaw allows a local user to crash or potentially escalate their
privileges on the system.

This issue was introduced by commit 90e33d4 ("tun: enable
napi_gro_frags() for TUN/TAP driver") in 4.15-rc1.
This patch is not backported to 4.14 and 4.4.

Fixed status
mainline: [363a5328f4b0517e59572118ccfb7c626d81dca9]
stable/4.19: [aa815bf32acf560dad63c3dc46bc7b98ca9a9672]
stable/5.10: [3583826b443a63681deaa855048d3f2b742af47e]
stable/5.15: [dcc79cf735b8ec4bedaa82c53bed8c62721c042b]
stable/5.4: [ca791952d42c5b40d548ff6c4a879216039b0ca1]

CVE-2023-4004: A use-after-free flaw was found in the netfilter subsystem

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free flaw was found in the Linux kernel's netfilter in the
way a user triggers the nft_pipapo_remove function with the element,
without a NFT_SET_EXT_KEY_END. This issue could allow a local user to
crash the system or potentially escalate their privileges on the
system.

Introduced by commit 3c4287f ("nf_tables: Add set type for arbitrary
concatenation of ranges") in 5.6-rc1.
This patch is not backported to older stable kernels.

Fixed status
mainline: [87b5a5c209405cb6b57424cdfa226a6dbd349232]
stable/5.10: [3a91099ecd59a42d1632fcb152bf7222f268ea2b]
stable/5.15: [706ce3c81b5c8e262a8bcf116ea689d0710c3a13]
stable/6.1: [90c3955beb858bb52a9e5c4380ed0e520e3730d1]
stable/6.4: [48dbb5d24c667bf26bc2fea8caa7fe51fcc6aa62]

CVE-2023-4010: A bug found in the usb_giveback_urb function causes DoS.

CVSS v3 score is not provided (NIST).
CVSS v3 score is 4.6 MEDIUM.

A flaw was found in the USB Host Controller Driver framework in the
Linux kernel. The usb_giveback_urb function has a logic loophole in
its implementation. Due to the inappropriate judgment condition of the
goto statement, the function cannot return under the input of a
specific malformed descriptor file, so it falls into an endless loop,
resulting in a denial of service.

A reporter described this bug on GitHub
(https://github.com/wanrenmi/a-usb-kernel-bug), saying the
vulnerability is in usb_giveback_urb(). But that function is not
found in any kernel version. There is a usb_giveback_urb_bh() in
drivers/usb/core/hcd.c instead.

Fixed status
Not fixed yet.

* Updated CVEs

CVE-2023-2898: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()

Stable 5.10 was fixed.

Fixed status
mainline: [d8189834d4348ae608083e1f1f53792cfcc2a9bc]
stable/5.10: [b39ef5b52f10b819bd0ceeb22e8f7df7800880ca]
stable/5.15: [982c29e0d27a48d65fd0fa0d1bcee501eeb06e76]
stable/6.1: [ebe83e9bb8a6b3db28603fe938ee80ccaa01ed53]
stable/6.4: [5619e9aabbd2b369cde2114ad6f55f6eb3e0b5be]

CVE-2023-3117: A use-after-free flaw was found in the Netfilter subsystem

Stable 5.10 was fixed.

Fixed status
mainline: [1240eb93f0616b21c675416516ff3d74798fdc97]
stable/5.10: [8180fc2fadd48dde4966f2db2c716c2ce7510d0b]
stable/5.15: [44ebe988cb38e720b91826f4d7c31692061ca04a]
stable/6.1: [4aaa3b730d16c13cc3feaa127bfca1af201d969d]

CVE-2023-31248: nf_tables UAF when using nft_chain_lookup_byid

Stable 5.10 was fixed.

Fixed status
mainline: [515ad530795c118f012539ed76d02bacfd426d89]
stable/5.10: [4ae2e501331aaa506eaf760339bb2f43e5769395]
stable/5.15: [041e2ac88caef286b39064e83e825e3f53113d36]
stable/6.1: [fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49]
stable/6.4: [5e5e967e8505fbdabfb6497367ec1b808cadc356]

CVE-2023-3212: gfs2: Don't deref jdesc in evict

Stable 5.10 was fixed.

Fixed status
mainline: [504a10d9e46bc37b23d0a1ae2f28973c8516e636]
stable/5.10: [d03d31d3a206093b9b8759dddf0ba9bd843606ba]
stable/5.15: [fd8b4e28f400a067e6ef84569816967be1f0642b]
stable/5.4: [23f98fe887ce3e7c8bd111f37e62735c5018c534]
stable/6.1: [5ae4a618a1558d2b536fdd5d42e53d3e2d73870c]
stable/6.3: [14c454764a37b194dc916c07488ce7339c82bc4f]

CVE-2023-3390: netfilter: nf_tables: incorrect error path handling
with NFT_MSG_NEWRULE

Stable 5.10 was fixed.

Fixed status
mainline: [1240eb93f0616b21c675416516ff3d74798fdc97]
stable/5.10: [8180fc2fadd48dde4966f2db2c716c2ce7510d0b]
stable/5.15: [44ebe988cb38e720b91826f4d7c31692061ca04a]
stable/6.1: [4aaa3b730d16c13cc3feaa127bfca1af201d969d]
stable/6.3: [bdace3b1a51887211d3e49417a18fdbd315a313b]

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

Stable 5.4 and 5.10 were fixed.

Fixed status
stable/5.10: [ea213922249c7e448d217a0a0441c6f86a8155fd]
stable/5.15: [870dcc31c0cf47cb15a568ade4168dc644b3ccfb]
stable/5.4: [b7d636c924eb275651bfb036eb8eca49c3f7bc24]
stable/6.1: [40f83dd66a823400d8592e3b71e190e3ad978eb5]
stable/6.4: [b79c09c2bf2d7643902a6ef26152de602c5c5e4b]

CVE-2023-3610: netfilter: nf_tables: fix chain binding transaction logic

Stable 5.10 was fixed.

Fixed status
mainline: [4bedf9eee016286c835e3d8fa981ddece5338795]
stable/5.10: [d53c295c1f43b7460d28ba0f0f98a602084fdcb6]
stable/5.15: [314a8697d08092df6d00521450d44c352c602943]
stable/6.1: [891cd2edddc76c58e842706ad27e2ff96000bd5d]

CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue

Stable 5.10 was fixed.

Fixed status
mainline: [3e337087c3b5805fe0b8a46ba622a962880b5d64]
stable/5.10: [8359ee85fd6dabc5c134ed69fb22faadd8a44071]
stable/5.15: [91d3554ab1fc2804c36a815c0f79502d727a41e6]
stable/6.1: [70feebdbfad85772ab3ef152812729cab5c6c426]
stable/6.4: [bd2333fa86dc520823e8c317980b29ba91ee6b87]

CVE-2023-3776: net/sched: cls_fw: Fix improper refcount update leads
to use-after-free

Stable 5.4 and 5.10 were fixed.

Fixed status
mainline: [0323bce598eea038714f941ce2b22541c46d488f]
stable/5.10: [80e0e8d5f54397c5048fa2274144134dd9dc91b5]
stable/5.15: [5b55f2d6ef403fcda93ae4eb4d8c1ba164c66e92]
stable/5.4: [808211a8d427404331e39e3b8c94ab5242eef8f5]
stable/6.1: [c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199]
stable/6.4: [0a2e3f49febda459252f58cec2d659623d582800]

CVE-2023-3863: net: nfc: Fix use-after-free caused by nfc_llcp_find_local

Stable 5.4 and 5.10 were fixed.

Fixed status
mainline: [6709d4b7bc2e079241fdef15d1160581c5261c10]
stable/5.10: [96f2c6f272ec04083d828de46285a7d7b17d1aad]
stable/5.15: [fc8429f8d86801f092fbfbd257c3af821ac0dcd3]
stable/5.4: [dd6ff3f3862709ab1a12566e73b9d6a9b8f6e548]
stable/6.1: [425d9d3a92df7d96b3cfb7ee5c240293a21cbde3]
stable/6.4: [e5207c1d69b1a9707615ab6ff9376e59fc096815]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-07-26 23:15 Masami Ichikawa
From: Masami Ichikawa @ 2023-07-26 23:15 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 8 new CVEs and 5 updated CVEs.

CVE-2023-20593 is the Zenbleed vulnerability which is not a kernel
vulnerability.  However, the Linux kernel added mitigation code.
CVE-2023-2640 and CVE-2023-32629 are Ubuntu kernel specific
vulnerabilities, so mainline/stable/cip kernels aren't affected.

* New CVEs

CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 7.8 HIGH (CNA).

An out-of-bounds write vulnerability in the Linux kernel's net/sched:
sch_qfq component can be exploited to achieve local privilege
escalation.
The qfq_change_agg() function in net/sched/sch_qfq.c allows an
out-of-bounds write because lmax is updated according to packet sizes
without bounds checks.

This bug was introduced by commit 462dbc9 ("pkt_sched: QFQ Plus
fair-queueing service at DRR cost") in 3.8-rc1.

Fixed status
mainline: [3e337087c3b5805fe0b8a46ba622a962880b5d64]
stable/5.15: [91d3554ab1fc2804c36a815c0f79502d727a41e6]
stable/6.1: [70feebdbfad85772ab3ef152812729cab5c6c426]
stable/6.4: [bd2333fa86dc520823e8c317980b29ba91ee6b87]

CVE-2023-3776: net/sched: cls_fw: Fix improper refcount update leads
to use-after-free

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw
component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, fw_set_parms() will immediately return an
error after incrementing or decrementing the reference counter in
tcf_bind_filter().
If an attacker can control the reference counter and set it to zero,
they can cause the reference to be freed, leading to a use-after-free
vulnerability.

This bug was introduced before 2.6.12. So all stable kernels are affected.

Fixed status
mainline: [0323bce598eea038714f941ce2b22541c46d488f]
stable/5.15: [5b55f2d6ef403fcda93ae4eb4d8c1ba164c66e92]
stable/6.1: [c91fb29bb07ee4dd40aabd1e41f19c0f92ac3199]
stable/6.4: [0a2e3f49febda459252f58cec2d659623d582800]

CVE-2023-3863: net: nfc: Fix use-after-free caused by nfc_llcp_find_local

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 6.4 MEDIUM (CNA).

A use-after-free flaw was found in nfc_llcp_find_local in
net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a
kernel information leak issue.

This patch fixes 52feb44 ("NFC: Extend netlink interface for LTO, RW,
and MIUX parameters support") in 3.8-rc1 and
c7aa122 ("NFC: Take a reference on the LLCP local pointer when creating
a socket") in 3.6-rc1.
So all stable kernels are affected by this bug.

Fixed status
mainline: [6709d4b7bc2e079241fdef15d1160581c5261c10]
stable/5.15: [fc8429f8d86801f092fbfbd257c3af821ac0dcd3]
stable/6.1: [425d9d3a92df7d96b3cfb7ee5c240293a21cbde3]
stable/6.4: [e5207c1d69b1a9707615ab6ff9376e59fc096815]

CVE-2023-20593: “Zen 2” CPUs, under specific microarchitectural
circumstances, may allow an attacker to potentially access sensitive
information

CVSS v3 score is not provided.

An issue in “Zen 2” CPUs, under specific microarchitectural
circumstances, may allow an attacker to potentially access sensitive
information. This bug was given the name Zenbleed.
You can find more details at https://lock.cmpxchg8b.com/zenbleed.html .

This is not a kernel issue. However, the Linux kernel mitigates the
Zenbleed vulnerability.

Fixed status
mainline: [522b1d69219d8f083173819fde04f994aa051a98]
stable/4.19: [cfef7bbf0dca27209ea5d82d7060d4fc2c0d72ea]
stable/5.10: [93df00f9d48d48466ddbe01a06eaaf3311ecfb53]
stable/5.15: [be824fdb827dc06f77a31122949fe1bc011e3e1e]
stable/5.4: [00363ef30797211c247605464dc3daaa988531a2]
stable/6.1: [ed9b87010aa84c157096f98c322491e9af8e8f07]
stable/6.4: [9b8bb5c4e25678af895dc9dd4a1e82b2f948cacc]

CVE-2023-3772: xfrm: add NULL check in xfrm_update_ae_params

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 5.5 MEDIUM (CNA).

A flaw was found in the Linux kernel’s IP framework for transforming
packets (XFRM subsystem). This issue may allow a malicious user with
CAP_NET_ADMIN privileges to directly dereference a NULL pointer in
xfrm_update_ae_params(), leading to a possible kernel crash and denial
of service.

This bug was introduced by commit d8647b79c3b7 ("xfrm: Add user
interface for esn and big anti-replay windows") in 2.6.39-rc1.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/netdev/20230721145103.2714073-1-linma@zju.edu.cn/

CVE-2023-3773: xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 5.5 MEDIUM (CNA).

A flaw was found in the Linux kernel’s IP framework for transforming
packets (XFRM subsystem). This issue may allow a malicious user with
CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of
XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to
potential leakage of sensitive heap data to userspace.

This bug was introduced by commit 4e484b3e969b ("xfrm: rate limit SA
mapping change message to user space") in 5.17-rc1.
This patch was backported to 5.15 and 5.10, so these kernels are also affected.
Linux 5.4, 4.19, 4.14 and 4.4 are not affected.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/all/20230723074110.3705047-1-linma@zju.edu.cn/T/#u

CVE-2023-2640: An unprivileged user may set privileged extended
attributes on the mounted files in Ubuntu kernels

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 7.8 HIGH (CNA).

On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE:
overlayfs: Skip permission checking for trusted.overlayfs.* xattrs",
an unprivileged user may set privileged extended attributes on the
mounted files, leading them to be set on the upper files
without the appropriate security checks.

This CVE is Ubuntu kernel specific, so mainline/stable/cip kernels
aren't affected.

CVE-2023-32629: Local privilege escalation vulnerability in Ubuntu
Kernels overlayfs

CVSS v3 score is not provided (NVD).
CVSS v3 score is not 7.8 HIGH (CNA).

Local privilege escalation vulnerability in Ubuntu Kernels overlayfs
ovl_copy_up_meta_inode_data skip permission checks when calling
ovl_do_setxattr on Ubuntu kernels.

This CVE is Ubuntu kernel specific, so mainline/stable/cip kernels
aren't affected.

* Updated CVEs

CVE-2022-48502: fs/ntfs3: Check fields while reading

Stable 5.15 and 6.1 were fixed.

Fixed status
mainline: [0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b]
stable/5.15: [333feb7ba84f69f9b423422417aaac54fd9e7c84]
stable/6.1: [000a9a72efa4a9df289bab9c9e8ba1639c72e0d6]

CVE-2023-2898: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()

Stable 5.15 was fixed.

Fixed status
mainline: [d8189834d4348ae608083e1f1f53792cfcc2a9bc]
stable/5.15: [982c29e0d27a48d65fd0fa0d1bcee501eeb06e76]
stable/6.1: [ebe83e9bb8a6b3db28603fe938ee80ccaa01ed53]
stable/6.4: [5619e9aabbd2b369cde2114ad6f55f6eb3e0b5be]

CVE-2023-31248: nf_tables UAF when using nft_chain_lookup_byid

Stable 5.15 was fixed.

Fixed status
mainline: [515ad530795c118f012539ed76d02bacfd426d89]
stable/5.15: [041e2ac88caef286b39064e83e825e3f53113d36]
stable/6.1: [fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49]
stable/6.4: [5e5e967e8505fbdabfb6497367ec1b808cadc356]

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

Stable 5.15 was fixed.

Fixed status
mainline: [caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd]
stable/5.15: [870dcc31c0cf47cb15a568ade4168dc644b3ccfb]
stable/6.1: [40f83dd66a823400d8592e3b71e190e3ad978eb5]
stable/6.4: [b79c09c2bf2d7643902a6ef26152de602c5c5e4b]

CVE-2023-38432: OOB read bug was found in the ksmbd subsystem

Stable 5.15 was fixed.

Fixed status
mainline: [2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d]
stable/5.15: [35f450f54dca1519bb24faacd0428db09f89a11f]
stable/6.1: [9650cf70ec9d94ff34daa088b643229231723c26]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-07-20  0:25 Masami Ichikawa
From: Masami Ichikawa @ 2023-07-20  0:25 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 12 new CVEs and 4 updated CVEs.

About half of this week's CVEs are ksmbd vulnerabilities. These have
been fixed in the mainline, but some patches have failed to apply to
5.15.

The io_uring system-wide disable/enable setting
(https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring) is
interesting.
Google has been limiting io_uring recently
(https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html),
so it seems a good way to harden a system when users are sure they
don't need io_uring enabled.

* New CVEs

CVE-2023-3640: A per-cpu entry area leak was found in x86/mm subsystem

CVSS v3 score is not provided.

x86/mm: a per-cpu entry area leak was identified through the
init_cea_offsets function when the prefetchnta and prefetcht2
instructions are used for the per-cpu entry area mapping to user space.

Fixed status
Not fixed yet

CVE-2023-3106: crash in XFRM_MSG_GETSA netlink handler

CVSS v3 score is not provided (NIST).
CVSS v3 score is 6.6 MEDIUM (CNA).

A NULL pointer dereference vulnerability was found in netlink_dump.
This issue can occur when the Netlink socket receives the
message(sendmsg) for the XFRM_MSG_GETSA, XFRM_MSG_GETPOLICY type
message, and the DUMP flag is set and can cause a denial of service or
possibly another unspecified impact. Due to the nature of the flaw,
privilege escalation cannot be fully ruled out, although it is
unlikely.

This bug was introduced by commit d362309 ("ipsec: add support of
limited SA dump") in 3.15-rc1 and fixed by commit 1ba5bf9 ("xfrm: fix
crash in XFRM_MSG_GETSA netlink handler") in 4.8-rc7. So, it only
affects Linux 4.4.y.
It was fixed in 4.4.223.

Fixed status
cip/4.4: [0cbb0084fa2b444b7316a0967a0d93f5ae520216]
cip/4.4-rt: [0cbb0084fa2b444b7316a0967a0d93f5ae520216]
cip/4.4-st: [0cbb0084fa2b444b7316a0967a0d93f5ae520216]
mainline: [1ba5bf993c6a3142e18e68ea6452b347f9cb5635]

CVE-2023-3609: net/sched: cls_u32: Fix reference counter leak leading
to overflow

CVSS v3 score is not provided.

A double free bug was found in the net/sched subsystem. When failure
happens in the tcf_change_indev(), u32_set_params() doesn't decrement
the reference counter so that counter value will be incorrect in that
case. It leads to a double free bug.

It was introduced by commit 705c709 ("net: sched: cls_u32: no need to
call tcf_exts_change for newly allocated struct") in 4.14-rc1 and
fixed in 6.4-rc7. It doesn't affect Linux 4.4 series.

Fixed status
mainline: [04c55383fa5689357bcdd2c8036725a55ed632bc]
stable/5.10: [af6eaa57986e82d7efd81984ee607927c6de61e4]
stable/5.15: [0e1098d72fa462944c68262e1b5cca045dcb555e]
stable/5.4: [46305daf8064598a4008af1728651296815a74ed]
stable/6.1: [07f9cc229b44cbcee6385802d390091d915f38c3]

CVE-2023-3610: netfilter: nf_tables: fix chain binding transaction logic

CVSS v3 score is not provided.

The logic to deal with chain binding in nft_data_hold() and
nft_data_release() is not correct. The NFT_TRANS_PREPARE state needs a
special handling in case a chain is bound but next expressions in the
same rule fail to initialize as described by 1240eb9 ("netfilter:
nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")

It was introduced by commit d0e2c7d ("netfilter: nf_tables: add
NFT_CHAIN_BINDING") in 5.9-rc1 and fixed in 6.4.
Linux 4.x are not affected.

Fixed status
mainline: [4bedf9eee016286c835e3d8fa981ddece5338795]
stable/5.15: [314a8697d08092df6d00521450d44c352c602943]
stable/6.1: [891cd2edddc76c58e842706ad27e2ff96000bd5d]

CVE-2023-38409: fbcon: set_con2fb_map needs to set con2fb_map

CVSS v3 score is not provided.

An issue was discovered in set_con2fb_map in
drivers/video/fbdev/core/fbcon.c in the Linux kernel before 6.2.12.
Because an assignment occurs only for the first vc, the
fbcon_registered_fb and fbcon_display arrays can be desynchronized in
fbcon_mode_deleted (the con2fb_map points at the old fb_info).

Introduced by commit d443d93 ("fbcon: move more common code into
nfb_open()") in 5.19-rc1.
This patch is not backported to older stable kernels, so kernels before
5.19 aren't affected.

Fixed status
mainline: [fffb0b52d5258554c645c966c6cbef7de50b851d]
stable/6.1: [b15df140fe092c3ac28dab32c6b3acdda1a93c63]

CVE-2023-38426: OOB read bug was found in smb2_find_context_vals()

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an
out-of-bounds read in smb2_find_context_vals when create_context's
name_len is larger than the tag length.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Fixed status
mainline: [02f76c401d17e409ed45bf7887148fcc22c93c85]
stable/5.15: [865be1cff2c038984fe55c9deae5461a498cfdf9]
stable/6.1: [75378b03a90d75b1349bb03577ac8465194c883e]

CVE-2023-38427: OOB read bug was found in deassemble_neg_contexts()

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.8.
fs/smb/server/smb2pdu.c in ksmbd has an integer underflow and
out-of-bounds read in deassemble_neg_contexts.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Applying this fix to 5.15 failed
(https://lore.kernel.org/stable/2023061216-striking-darkened-f7a5@gregkh/).

Fixed status
mainline: [f1a411873c85b642f13b01f21b534c2bab81fc1b]
stable/6.1: [bf12d7fb63b365fb766655cedcb5d5f292b0c35e]

CVE-2023-38428: OOB read bug was found in session_user()

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.4.
fs/ksmbd/smb2pdu.c in ksmbd does not properly check the UserName value
because it does not consider the address of security buffer, leading
to an out-of-bounds read.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Fixed status
mainline: [f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f]
stable/5.15: [7657321b2624197840ef2cfa4f29ccf873d7aa9b]
stable/6.1: [40d90ee0275a1bfcd26fa7690adc4330b4227a69]

CVE-2023-38429: OOB access bug was found in the ksmbd subsystem

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.4.
fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory
allocation (because of ksmbd_smb2_check_message) that may lead to
out-of-bounds access.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Fixed status
mainline: [443d61d1fa9faa60ef925513d83742902390100f]
stable/5.15: [61e043326e72b5abb02b5bc9132f2620a7faf8c5]
stable/6.1: [af7335a4b946f9f6f9d98398cbcea15cd9850409]

CVE-2023-38430: OOB read bug was found in the ksmbd subsystem

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does
not validate the SMB request protocol ID, leading to an out-of-bounds
read.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Applying this patch to 5.15 failed
(https://lore.kernel.org/stable/2023061222-comic-platypus-831e@gregkh/).

Fixed status
mainline: [1c1bcf2d3ea061613119b534f57507c377df20f9]
stable/6.1: [e01fc7caac9ce9ad76df9f42f7f61ef4bf1d27c9]

CVE-2023-38431: OOB read bug was found in the ksmbd subsystem

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.8.
fs/smb/server/connection.c in ksmbd does not validate the relationship
between the NetBIOS header's length field and the SMB header sizes,
via pdu_size in ksmbd_conn_handler_loop, leading to an out-of-bounds
read.
ksmbd was introduced in 5.15, so versions before this aren't affected.

Applying this patch to 5.15 failed
(https://lore.kernel.org/stable/2023061233-omnivore-cardigan-93f8@gregkh/).

Fixed status
mainline: [368ba06881c395f1c9a7ba22203cf8d78b4addc0]
stable/6.1: [543c12c2644e772caa6880662c2a852cfdc5a10c]

CVE-2023-38432: OOB read bug was found in the ksmbd subsystem

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.10.
fs/smb/server/smb2misc.c in ksmbd does not validate the relationship
between the command payload size and the RFC1002 length specification,
leading to an out-of-bounds read.

Applying this patch to 5.15 failed
(https://lore.kernel.org/stable/2023062128-record-unclog-7ccd@gregkh/).

Fixed status
mainline: [2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d]
stable/6.1: [9650cf70ec9d94ff34daa088b643229231723c26]

* Updated CVEs

CVE-2023-1192: use-after-free in smb2_is_status_io_timeout()

The mainline, 5.15, and 6.1 were fixed.

Fixed status
mainline: [98bea253aa28ad8be2ce565a9ca21beb4a9419e5]
stable/5.15: [2a67f26f70ab344ae6ea78638890eebc1191a501]
stable/6.1: [a8eaa9a06addbd9cb0238cb1c729921ecbb6504c]

CVE-2023-2898: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()

The mainline, 6.1, and 6.4 were fixed.

Fixed status
mainline: [d8189834d4348ae608083e1f1f53792cfcc2a9bc]
stable/6.1: [ebe83e9bb8a6b3db28603fe938ee80ccaa01ed53]
stable/6.4: [5619e9aabbd2b369cde2114ad6f55f6eb3e0b5be]

CVE-2023-31248: nf_tables UAF when using nft_chain_lookup_byid

Stable 6.1 and 6.4 were fixed.

Fixed status
mainline: [515ad530795c118f012539ed76d02bacfd426d89]
stable/6.1: [fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49]
stable/6.4: [5e5e967e8505fbdabfb6497367ec1b808cadc356]

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

Stable 6.1 and 6.4 were fixed.

Fixed status
mainline: [caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd]
stable/6.1: [40f83dd66a823400d8592e3b71e190e3ad978eb5]
stable/6.4: [b79c09c2bf2d7643902a6ef26152de602c5c5e4b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


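The report above points at the system-wide io_uring switch that landed in Linux 6.6 as a hardening option. As an added example (not from the report, which only links to the news item), here is a POSIX shell helper that reads that switch, the kernel.io_uring_disabled sysctl, reports whether io_uring creation is allowed, restricted or disabled, and writes a sysctl.d drop-in for the strictest setting. The value meanings come from the kernel's sysctl documentation for 6.6 (0 = allowed for everyone; 1 = refused with EPERM for unprivileged processes outside the kernel.io_uring_group group; 2 = refused for all processes); the optional path and directory arguments are my additions so the logic can be exercised on test files without root.

```sh
#!/bin/sh
# Added example, not part of the mailing-list post.  Checks the
# kernel.io_uring_disabled sysctl (Linux 6.6+) and can persist the
# strictest value.  Exit codes of io_uring_status: 0 = restricted or
# disabled, 1 = io_uring fully enabled, 2 = unsupported kernel or
# unexpected value.

# Usage: io_uring_status [path]
# The path argument is an assumption for testing; it defaults to the
# real sysctl file.
io_uring_status() {
    f="${1:-/proc/sys/kernel/io_uring_disabled}"
    if [ ! -r "$f" ]; then
        # Pre-6.6 kernels have no such file: io_uring cannot be switched
        # off this way, only left out of the kernel config.
        echo "unsupported"
        return 2
    fi
    read -r v < "$f" || v=""
    case "$v" in
        0) echo "enabled";    return 1 ;;   # every process may create rings
        1) echo "restricted"; return 0 ;;   # unprivileged users get EPERM
        2) echo "disabled";   return 0 ;;   # nobody may create rings
        *) echo "unknown ($v)"; return 2 ;;
    esac
}

# Usage: io_uring_harden_conf [dir]
# Writes a sysctl.d drop-in selecting value 2.  Needs root for the
# default directory; a different directory is accepted for testing.
io_uring_harden_conf() {
    d="${1:-/etc/sysctl.d}"
    printf 'kernel.io_uring_disabled = 2\n' > "$d/99-io_uring.conf"
}

# Typical use (as root):
#   io_uring_status || { io_uring_harden_conf && sysctl -p /etc/sysctl.d/99-io_uring.conf; }
```

Value 1 is the middle ground when a few trusted services still need io_uring: add their users to the group named in kernel.io_uring_group and leave everyone else restricted.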

* New CVE entries this week
@ 2023-07-12 23:24 Masami Ichikawa
From: Masami Ichikawa @ 2023-07-12 23:24 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 0 updated CVEs.

A new exploitation technique called Dirty Pagetable has been published
(https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html).
It is interesting to read. This technique can bypass major mitigation
methods like KASLR, SMAP, and so on. It abuses heap-based
vulnerabilities to manipulate user page tables.

* New CVEs

CVE-2023-21255: binder: fix UAF caused by faulty buffer cleanup

CVSS v3 score is not provided.

A use-after-free bug was found in binder_transaction_buffer_release().
When a transaction buffer is released without
any objects having been processed, it leads to a use-after-free bug.
This bug was introduced by commit 32e9f56 ("binder: don't detect
sender/target during buffer cleanup") in 5.16-rc1.
This commit fixes 44d8047 ("binder: use standard functions to allocate
fds") in 4.20-rc1. So, commit 32e9f56 isn't backported to 4.x kernels.

Fixed status
mainline: [bdc1c5fac982845a58d28690cdb56db8c88a530d]
stable/5.10: [2218752325a98861dfb10f59a9b0270d6d4abe21]
stable/5.15: [5fd7c1e36b0a500d5fce820ee63c2a5b47b36e85]
stable/5.4: [6c88024cab83c820604db5f6a998ef3ae5682f1c]
stable/6.1: [e1e198eff1fbaf56fd8022c4fbbf59c5324ea320]
stable/6.3: [c9e6aae1f26758f3e87b93cff18d79dfd80f2f25]

CVE-2023-32248: Linux Kernel ksmbd Tree Connection NULL Pointer
Dereference Denial-of-Service Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability, but only
systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of SMB2_TREE_CONNECT and
SMB2_QUERY_INFO commands. The issue results from the lack of proper
validation of a pointer prior to accessing it. An attacker can
leverage this vulnerability to create a denial-of-service condition on
the system.

The ksmbd subsystem was introduced in 5.15, so versions before this are
not affected.

Fixed status
mainline: [3ac00a2ab69b34189942afa9e862d5170cdcb018]
stable/5.15: [227eb2689b44d0d60da3839b146983e73435924c]
stable/6.1: [a70751dd7b60eab025e97e19b6b2477c6eaf2bbb]
stable/6.3: [1636e09779f83e10e6ed57d91ef94abcefdd206b]

CVE-2023-37453: out-of-bounds in read_descriptors in drivers/usb/core/sysfs

CVSS v3 score is 4.4 MEDIUM.

An issue was discovered in the USB subsystem in the Linux kernel
through 6.4.2. There is an out-of-bounds and crash in read_descriptors
in drivers/usb/core/sysfs.c.

Fixed status
Not fixed yet.

CVE-2023-37454: use-after-free in udf_put_super and udf_close_lvid
functions in fs/udf/super.c

CVSS v3 score is 5.5 MEDIUM.

An issue was discovered in the Linux kernel through 6.4.2. A crafted
UDF filesystem image causes a use-after-free write operation in the
udf_put_super and udf_close_lvid functions in fs/udf/super.c.

Fixed status
Not fixed yet.

CVE-2023-3567: use-after-free in vcs_read in drivers/tty/vt/vc_screen.c

CVSS v3 score is not provided.

A use-after-free bug was found in vcs_size() in drivers/tty/vt/vc_screen.c.
It was introduced by commit ac751ef ("console: rename
acquire/release_console_sem() to console_lock/unlock()") in
2.6.38-rc3.

Fixed status
mainline: [226fae124b2dac217ea5436060d623ff3385bc34]
stable/4.19: [6332f52f44b9776568bf3c0b714ddfb0bb175e78]
stable/5.10: [55515d7d8743b71b80bfe68e89eb9d92630626ab]
stable/5.15: [fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18]
stable/5.4: [d0332cbf53dad06a22189cc341391237f4ea6d9f]
stable/6.1: [8506f16aae9daf354e3732bcfd447e2a97f023df]

CVE-2023-3108: crypto: fix af_alg_make_sg() conversion to iov_iter

CVSS v3 score is not provided (NIST).
CVSS v3 score is 6.2 MEDIUM (CNA).

A flaw was found in the subsequent get_user_pages_fast in the Linux
kernel’s interface for symmetric key cipher algorithms in the
skcipher_recvmsg of crypto/algif_skcipher.c function. This flaw allows
a local user to crash the system.

This bug was introduced by commit 1d10eb2 ("crypto: switch
af_alg_make_sg() to iov_iter") in 4.0-rc1 and fixed by commit 9399f0c
("crypto: fix af_alg_make_sg() conversion to iov_iter") in 4.0-rc1.
So, this bug was introduced and fixed during the 4.0-rc1 development
cycle. Therefore, no released kernels are affected.

Fixed status
mainline: [9399f0c51489ae8c16d6559b82a452fdc1895e91]

* Updated CVEs

No update CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-07-06  0:35 Masami Ichikawa
From: Masami Ichikawa @ 2023-07-06  0:35 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 14 new CVEs and 1 updated CVEs.

* New CVEs

CVE-2023-1295: A TOCTOU bug was found in io_uring subsystem.

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 (HIGH).

A time-of-check to time-of-use issue exists in io_uring subsystem's
IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11
(inclusive), which allows a local user to elevate their privileges to
root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched
in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in
788d0824269bef539fe31a785b1517882eafed93.

It was introduced by commit b5dba59 ("io_uring: add support for
IORING_OP_CLOSE") in 5.6-rc1, so kernels before 5.6 are not affected.

Fixed status
mainline: [9eac1904d3364254d622bf2c771c4f85cd435fc2]

CVE-2023-2163: bpf: Fix incorrect verifier pruning due to missing
register precision taints

CVSS v3 score is not provided.

An OOB read/write access was found in the eBPF subsystem.
This bug was introduced by commit b5dc0163d8fd ("bpf: precise
scalar_value tracking") in 5.3-rc1.

Fixed status
mainline: [71b547f561247897a0a14f3082730156c0533fed]
stable/5.10: [b1281d008845ae9a4de9ef7510dcc1667557a67a]
stable/5.15: [e722ea6dae2cc042d1bb7090e2ef8456dd5a0e57]
stable/5.4: [0f0a291cc5208dcc6436974246e8c18106e3c3d2]
stable/6.1: [89603f4c9154e818b9ead1abe08545a053c66ded]

CVE-2023-2860: ipv6: sr: fix out-of-bounds read when setting HMAC data.

CVSS v3 score is not provided.

An OOB read bug was found in the IPv6 subsystem.
This bug was introduced by commit 4f4853d ("ipv6: sr: implement API to
control SR HMAC structure") in 4.10-rc1.

Fixed status
mainline: [84a53580c5d2138c7361c7c3eea5b31827e63b35]
stable/4.14: [dc9dbd65c803af1607484fed5da50d41dc8dd864]
stable/4.19: [f684c16971ed5e77dfa25a9ad25b5297e1f58eab]
stable/5.10: [076f2479fc5a15c4a970ca3b5e57d42ba09a31fa]
stable/5.15: [55195563ec29f80f984237b743de0e2b6ba4d093]
stable/5.4: [3df71e11a4773d775c3633c44319f7acdb89011c]

CVE-2023-33951: Linux Kernel vmwgfx Driver Race Condition Information
Disclosure Vulnerability

CVSS v3 score is not provided.

This vulnerability allows local attackers to disclose sensitive
information on affected installations of Linux Kernel. An attacker
must first obtain the ability to execute high-privileged code on the
target system in order to exploit this vulnerability.
The specific flaw exists within the handling of GEM objects. The issue
results from the lack of proper locking when performing operations on
an object. An attacker can leverage this vulnerability to disclose
information in the context of the kernel.

It was introduced by commit 8afa13a ("drm/vmwgfx: Implement
DRIVER_GEM") in 5.17-rc1.

Fixed status
mainline: [9ef8d83e8e25d5f1811b3a38eb1484f85f64296c]
stable/6.1: [0a127ac972404600c99eb141c8d5b5348e53ee4f]

CVE-2023-33952: Linux Kernel vmwgfx Driver Double Free Local Privilege
Escalation Vulnerability

CVSS v3 score is not provided.

This vulnerability allows local attackers to escalate privileges on
affected installations of Linux Kernel. An attacker must first obtain
the ability to execute high-privileged code on the target system in
order to exploit this vulnerability.
The specific flaw exists within the handling of vmw_buffer_object
objects. The issue results from the lack of validating the existence
of an object prior to performing further free operations on the
object. An attacker can leverage this vulnerability to escalate
privileges and execute code in the context of the kernel.

It was introduced by commit 8afa13a ("drm/vmwgfx: Implement
DRIVER_GEM") in 5.17-rc1.

Fixed status
mainline: [9ef8d83e8e25d5f1811b3a38eb1484f85f64296c]
stable/6.1: [0a127ac972404600c99eb141c8d5b5348e53ee4f]

CVE-2023-3439: A use-after-free bug was found in the MCTP subsystem

CVSS v3 score is not provided.

A flaw was found in the MCTP protocol in the Linux kernel. The
function mctp_unregister() reclaims the device's relevant resource
when a netcard detaches. However, a running routine may be unaware of
this and cause the use-after-free of the mdev->addrs object,
potentially leading to a denial of service.

It was introduced by commit 583be98 ("mctp: Add device handling and
netlink interface") in 5.15-rc1.

Fixed status
mainline: [b561275d633bcd8e0e8055ab86f1a13df75a0269]

CVE-2023-3117: A use-after-free flaw was found in the Netfilter subsystem

CVSS v3 score is not provided.

It is a duplicate of CVE-2023-3390.

CVE-2023-31248: nf_tables UAF when using nft_chain_lookup_byid

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

Linux Kernel nftables Use-After-Free Local Privilege Escalation
Vulnerability; `nft_chain_lookup_byid()` failed to check whether a
chain was active and CAP_NET_ADMIN is in any user or network namespace.

It was introduced by commit 837830a4b439 ("netfilter: nf_tables: add
NFTA_RULE_CHAIN_ID attribute") in 5.9-rc1.
That is not backported to stable kernels. So, 4.4, 4.14, 4.19, 5.4 are
not affected.

Fixed status
The patch is under review on the netfilter-devel mailing list.

CVE-2023-32247: Linux Kernel ksmbd Session Setup Memory Exhaustion
Denial-of-Service Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability, but only
systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of SMB2_SESSION_SETUP
commands. The issue results from the lack of control of resource
consumption. An attacker can leverage this vulnerability to create a
denial-of-service condition on the system.

The ksmbd subsystem was introduced in 5.15, so versions before this are
not affected.

Fixed status
mainline: [ea174a91893956450510945a0c5d1a10b5323656]
stable/6.1: [1fc8a2b14ef5223f8e0b95faba2ee0a6e4d0f99d]
stable/6.3: [6775ee7ef4b37c521aa4cf3730f54554c4875542]

CVE-2023-32252: Linux Kernel ksmbd Session NULL Pointer Dereference
Denial-of-Service Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability, but only
systems with ksmbd enabled are vulnerable.

The specific flaw exists within the handling of SMB2_LOGOFF commands.
The issue results from the lack of proper validation of a pointer
prior to accessing it. An attacker can leverage this vulnerability to
create a denial-of-service condition on the system.

The ksmbd subsystem was introduced in 5.15, so versions before this are
not affected.

Fixed status
mainline: [f5c779b7ddbda30866cf2a27c63e34158f858c73]
stable/6.1: [f623f627ad2b1dc215ab3b0df53fb05cfd3a1c3b]
stable/6.3: [02f41d88f15d6b7d523e52cc3f87488f57e9265b]

CVE-2023-32257: Linux Kernel ksmbd Session Race Condition Remote Code
Execution Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of Linux Kernel. Authentication is not
required to exploit this vulnerability, but only systems with ksmbd
enabled are vulnerable.

The specific flaw exists within the processing of SMB2_SESSION_SETUP
and SMB2_LOGOFF commands. The issue results from the lack of proper
locking when performing operations on an object. An attacker can
leverage this vulnerability to execute code in the context of the
kernel.

The ksmbd subsystem was introduced in 5.15, so versions before this are
not affected.

Fixed status
mainline: [f5c779b7ddbda30866cf2a27c63e34158f858c73]
stable/6.1: [f623f627ad2b1dc215ab3b0df53fb05cfd3a1c3b]
stable/6.3: [02f41d88f15d6b7d523e52cc3f87488f57e9265b]

CVE-2023-32258: Linux Kernel ksmbd Session Race Condition Remote Code
Execution Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of Linux Kernel. Authentication is not
required to exploit this vulnerability, but only systems with ksmbd
enabled are vulnerable.

The specific flaw exists within the processing of SMB2_LOGOFF and
SMB2_CLOSE commands. The issue results from the lack of proper locking
when performing operations on an object. An attacker can leverage this
vulnerability to execute code in the context of the kernel.

The ksmbd subsystem was introduced in 5.15, so versions before this are
not affected.

Fixed status
mainline: [abcc506a9a71976a8b4c9bf3ee6efd13229c1e19]
stable/6.1: [4aba9ab6a007e41182454f84f95c0bddf7d6d7e1]
stable/6.3: [920d5dd2d041484bf001c9713c2e3bcc6de79726]

CVE-2023-3269: StackRot: Linux kernel privilege escalation vulnerability

CVSS v3 score is not provided.

Since Linux 6.1, the VMA tree structure was changed from a red-black tree
to a maple tree (https://lwn.net/Articles/845507/). This vulnerability,
which is called StackRot, allows a user to escalate their privileges via
a use-after-free-by-RCU (UAFBR) bug.

You can read more details on GitHub (https://github.com/lrh2000/StackRot).

The maple tree was introduced in 6.1-rc1 and it is not backported to
stable kernels. Therefore, 4.x and 5.x kernels aren't affected.

Fixed status

CVE-2023-35001: nf_tables nft_byteorder_eval OOB read/write

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability;
nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN
is in any user or network namespace.

Introduced by commit 96518518cc41 ("netfilter: add nftables") in 3.13-rc1.

Fixed status
The patch is under review on the netfilter-devel mailing list.

* Updated CVEs

CVE-2023-1295: A TOCTOU bug was found in io_uring subsystem

Stable 5.10 was fixed.

Fixed status
mainline: [9eac1904d3364254d622bf2c771c4f85cd435fc2]
stable/5.10: [788d0824269bef539fe31a785b1517882eafed93]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-06-29  0:26 Masami Ichikawa
From: Masami Ichikawa @ 2023-06-29  0:26 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 10 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2023-3357: NULL pointer dereference bug was found in the AMD
Sensor Fusion Hub driver

CVSS v3 score is not provided.

It didn't check dma_alloc_coherent()'s return value in
amd_sfh_hid_client_init(). If it returns NULL, a NULL pointer
dereference bug occurs.
This bug was introduced by commit 4b2c53d ("SFH:Transport Driver to
add support of AMD Sensor Fusion Hub (SFH)") in 5.11-rc1, so kernels
before 5.11 aren't affected.

Fixed status
mainline: [53ffa6a9f83b2170c60591da1ead8791d5a42e81]
stable/5.15: [d238f94b2b61c77dd60db820aa683ff6a58c1543]
stable/6.1: [8a37cf11dc78b71a5e0ef18aa33af41415b5ca38]

CVE-2023-3358: NULL pointer dereference bug was found in the
Integrated Sensor Hub driver

CVSS v3 score is not provided.

It didn't check whether dev->ishtp_dma_tx_map is NULL in
ishtp_cl_get_dma_send_buf(). If it is NULL, a NULL pointer dereference
bug will occur.
This bug was introduced by commit 3703f53 ("HID: intel_ish-hid: ISH
Transport layer") in 4.9-rc1, so 4.4 isn't affected.

Fixed status
mainline: [b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8]
stable/4.14: [eaa86c4ae77e9c6c28e3c417539ebbee987be0c9]
stable/4.19: [cc906a3a4432da143ab3d2e894f99ddeff500cd3]
stable/5.10: [7b4516ba56f1fcb13ffc91912f3074e28362228d]
stable/5.15: [c4cb73febe35f92f7a401f4cbc84f94c764732a9]
stable/5.4: [97445814efcd0ba7a347b1463ba86bdf3cdc65aa]
stable/6.1: [9a65e90179ba06eb299badc3e4dc4aa2b1e35af3]

CVE-2023-3359: NULL pointer dereference bug was found in the Broadcom
NVRAM driver

CVSS v3 score is not provided.

It didn't check the kzalloc() return value in brcm_nvram_parse(). If it
returns NULL, a NULL pointer dereference bug will occur.
This bug was introduced by commit 6e977ea ("nvmem: brcm_nvram: parse
NVRAM content into NVMEM cells") in 5.18-rc1, so kernels before 5.18
aren't affected.

Fixed status
mainline: [b0576ade3aaf24b376ea1a4406ae138e2a22b0c0]
stable/6.1: [f5249bbae0e736d612d2095ad79dc1389b3e89b5]

CVE-2023-3338: NULL Pointer Dereference in DECnet

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the DECnet subsystem that
will cause a system crash or privilege escalation.
The DECnet subsystem has been removed in 6.1-rc1 and stable kernels.

Fixed status
mainline: [1202cdd665315c525b5237e96e0bedc76d7e754f]
stable/4.14: [975840f8dec3c1e6a6b28a387bb7cf55a4775e18]
stable/4.19: [3e77bbc87342841db66c18a3afca0441c8c555e4]
stable/5.10: [1c004b379b0327992c1713334198cf5eba29a4ba]
stable/5.15: [2a974abc09761c05fef697fe229d1b85a7ce3918]
stable/5.4: [6b1203ae83c3d07bad90b6f38ebf2e4d5998dd28]

CVE-2023-1206: hash collisions in the IPv6 connection lookup table

CVSS v3 score is not provided.

A hash collision bug was found in the IPv6 connection lookup table. It
will cause a DoS.

Fixed status
Not fixed yet.

CVE-2023-3090: ipvlan:Fix out-of-bounds caused by unclear skb->cb

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan
network driver can be exploited to achieve local privilege escalation.
The out-of-bounds write is caused by missing skb->cb initialization in
the ipvlan network driver. The vulnerability is reachable if
CONFIG_IPVLAN is enabled.
All stable kernels and CIP kernels have been fixed.

Fixed status
mainline: [90cbed5247439a966b645b34eb0a2e037836ea8e]
stable/4.14: [8747ec637300f1212a47a9f15e2340cfe4dcbb9c]
stable/4.19: [b36dcf3ed547c103acef6f52bed000a0ac6c074f]
stable/5.10: [f4a371d3f5a7a71dff1ab48b3122c5cf23cc7ad5]
stable/5.15: [7c8be27727fe194b4625da442ee2b854db76b200]
stable/5.4: [1aa872e967f2017041bb2284479b3c6ce8d121b5]
stable/6.1: [610a433810b277b3b77389733c07d22e8af68de2]
stable/6.3: [3cd16c6a6a6b68bba02fbbc54b9906f44640ffde]

CVE-2023-3355: Missing return value check from kmalloc

CVSS v3 score is not provided.

A NULL pointer dereference flaw was found in the Linux kernel's
drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds
function, which fails because it lacks a check of the return value of
kmalloc(). This issue allows a local user to crash the system.

This bug was introduced by commit 20224d7 ("drm/msm/submit: Move
copy_from_user ahead of locking bos") in 5.11-rc1. Before 5.11 kernels
aren't affected.

Fixed status
mainline: [d839f0811a31322c087a859c2b181e2383daa7be]
stable/5.15: [436fb91cadb82da0b0b114baa4fc3b5ef7e6d557]
stable/6.1: [31c4251a20fd7addc1bf4fe801f95f9ba1b38990]

CVE-2023-3389: io_uring: hold uring mutex around poll removal

CVSS v3 score is not provided (NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

A use-after-free vulnerability in the Linux Kernel io_uring subsystem
can be exploited to achieve local privilege escalation. Racing an
io_uring cancel poll request with a linked timeout can cause a UAF in
a hrtimer.

The io_uring feature was introduced in 5.1, so 4.x kernels are not affected.

Fixed status
mainline: [9ca9fb24d5febccea354089c41f96a8ad0d853f8]
stable/5.10: [4716c73b188566865bdd79c3a6709696a224ac04]

CVE-2023-3390: netfilter: nf_tables: incorrect error path handling
with NFT_MSG_NEWRULE

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability was found in the Linux kernel's
netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error
handling with NFT_MSG_NEWRULE makes it possible to use a dangling
pointer in the same transaction causing a use-after-free
vulnerability. This flaw allows a local attacker with user access to
cause a privilege escalation issue.

Patches for 4.14, 4.19, 5.4, and 5.10 failed.
https://lore.kernel.org/stable/2023061939-sprout-jujitsu-b6a0@gregkh/
https://lore.kernel.org/stable/2023061937-spiritism-reliably-6082@gregkh/
https://lore.kernel.org/stable/2023061935-renewed-granite-7529@gregkh/
https://lore.kernel.org/stable/ZJAT0Ci5+sT+AQfm@calendula/

Fixed status
mainline: [1240eb93f0616b21c675416516ff3d74798fdc97]
stable/5.15: [44ebe988cb38e720b91826f4d7c31692061ca04a]
stable/6.1: [4aaa3b730d16c13cc3feaa127bfca1af201d969d]
stable/6.3: [bdace3b1a51887211d3e49417a18fdbd315a313b]

CVE-2023-3397: fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to
prevent a race condition between txEnd and lmLogClose functions

CVSS v3 score is not provided.

A race condition bug was found between lmLogClose() and txEnd() which
causes a slab use-after-free bug.

Fixed status
A patch is available but it hasn't been merged yet
(https://lore.kernel.org/lkml/20230515095956.17898-1-zyytlz.wz@163.com/).

* Updated CVEs

CVE-2022-1015: OOB access bug in netfilter

Stable 5.10 was fixed.

Fixed status
mainline: [6e1acfa387b9ff82cfc7db8cc3b6959221a95851]
stable/5.10: [9e8d927cfa564e5a00cd287bd66fac6d45f0af39]
stable/5.15: [1bd57dea456149619f3b80d67eee012122325af8]
stable/5.16: [2c8ebdaa7c9755b85d90c07530210e83665bad9a]
stable/5.17: [afdc3f4b81f0ec9f97f0910476af4620a2481a6d]

CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

Stable 5.4 was fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/5.4: [c87439055174b31c51a89f8d66af2600033c664d]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

CVE-2023-34255: xfs: verify buffer contents when we skip log replay

Stable 5.4 was fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/5.4: [c87439055174b31c51a89f8d66af2600033c664d]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-06-21 23:07 Masami Ichikawa
From: Masami Ichikawa @ 2023-06-21 23:07 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 0 updated CVEs.

* New CVEs

CVE-2023-3268: relayfs: fix out-of-bounds access in relay_file_read

CVSS v3 score is not provided.

An out of bounds (OOB) memory access flaw was found in the Linux
kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs.
This flaw could allow a local attacker to crash the system or leak
kernel internal information.

This bug was introduced by commit 8d62fde ("relay file read: start-pos
fix") in 2.6.22-rc7.

Fixed status
mainline: [43ec16f1450f4936025a9bdf1a273affdb9732c1]
stable/4.19: [ed32488417669568308b65ba5d45799418f9ed49]
stable/5.10: [1b0df44753bf9e45eaf5cee34f87597193f862e8]
stable/5.15: [0b46ee654a9dcd330e8183856b88505a9f633f7d]
stable/5.4: [bc0905a76531fa10fd12d661328636453a36f4ce]
stable/6.1: [f6ee841ff2169d7a7d045340ee72b2b9de9f06c5]
stable/6.3: [35ca4fb494c0c9f226fbcfa1c1688e6cc1e5062e]

CVE-2023-35788: net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

CVSS v3 score is not provided.

An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c
in the Linux kernel before 6.3.7. It allows an out-of-bounds write in
the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets.
This may result in denial of service or privilege escalation.

This bug was introduced by commit 0a6e777 ("net/sched: allow flower to
match tunnel options") in 4.19-rc1.
So, 4.14 and 4.4 kernels aren't affected.

Fixed status
mainline: [4d56304e5827c8cc8cc18c75343d283af7c4825c]
stable/4.19: [59a27414bb00e48c4153a8b794fb4e69910a6a1b]
stable/5.10: [7c5c67aa294444b53f697dc3ddce61b33ff8badd]
stable/5.15: [45f47d2cf1142fbfe5d6fc39ad78f4aac058907c]
stable/5.4: [94a00f1142c581fe01d17d7beca314592f85e83a]
stable/6.1: [eac615ed3c6d91f1196f16f0a0599fff479cb220]
stable/6.3: [900fab73a9cd3dd6a3a69f89980f8f3c9a738d5a]

CVE-2023-35823: media: saa7134: fix use after free bug in
saa7134_finidev due to race condition

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.2. A
use-after-free was found in saa7134_finidev in
drivers/media/pci/saa7134/saa7134-core.c.
This bug was introduced by commit 1e7126b ("media: saa7134: Convert
timers to use timer_setup()") in 4.15-rc1. So, 4.14 and 4.4 kernels
aren't affected.

Fixed status
mainline: [30cf57da176cca80f11df0d9b7f71581fe601389]
stable/4.19: [95e684340470a95ff4957cb9a536ec7a0461c75b]
stable/5.10: [7dac96e9cc985328ec1fae92f0c245f559dc0e11]
stable/5.15: [2f48c0a463a37ac76ac089ec7936f673b9a0a448]
stable/5.4: [a4b6ab360f56ccdcde29eab29f493d8c464c3ffb]
stable/6.1: [5a72aea9acfe945353fb3a2f141f4e526a5f3684]
stable/6.3: [3a60e51489a3ec61565f5bc53f726ac9ccc6083c]

CVE-2023-35824: media: dm1105: Fix use after free bug in dm1105_remove
due to race condition

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.2. A
use-after-free was found in dm1105_remove in
drivers/media/pci/dm1105/dm1105.c.
This bug was introduced by commit 34d2f9b ("V4L/DVB: dm1105: use
dm1105_dev & dev instead of dm1105dvb") in 2.6.34-rc1, so 4.4
kernels are affected too.

Fixed status
mainline: [5abda7a16698d4d1f47af1168d8fa2c640116b4a]
stable/4.14: [df01f9c146ce2134de4daf393e29e18d6d5866ec]
stable/4.19: [722c156c6eab40a6e7dda98dfa66724f9d5aeceb]
stable/5.10: [e9d64e90a0ada4d00ac6562e351ef10ae7d9b911]
stable/5.15: [c94388b5b9098db82d6ba4627ef6e41a35870818]
stable/5.4: [cd1583caed7ea879ecb638ed876960e41363b7b6]
stable/6.1: [305262a23c949010a056bd81b6e84051fd72a567]
stable/6.3: [d730bc84064364cafdb20c6ee7fda2cd7416407a]

CVE-2023-35825: Duplicate of CVE-2023-3141

This CVE is a duplicate of CVE-2023-3141, so CVE-2023-35825 has
been rejected.

CVE-2023-35826: media: cedrus: fix use after free bug in cedrus_remove
due to race condition

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.2. A
use-after-free was found in cedrus_remove in
drivers/staging/media/sunxi/cedrus/cedrus.c.
This bug was introduced by commit 7c38a55 ("media: cedrus: Add
watchdog for job completion") in 5.18-rc1, so 5.15, 5.4, 4.19,
4.14, and 4.4 aren't affected.

Fixed status
mainline: [50d0a7aea4809cef87979d4669911276aa23b71f]
stable/6.1: [2cdc8f729d953143b3bbdc56841bb6800752de7f]
stable/6.3: [565c863bd982584aa4393f7bdb345dbccb3ad488]

CVE-2023-35827: net: ravb: Fix possible UAF bug in ravb_remove

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel through 6.3.8. A
use-after-free was found in ravb_remove in
drivers/net/ethernet/renesas/ravb_main.c.
This bug was introduced by commit c156633f1353 ("Renesas Ethernet AVB
driver proper") in 4.2-rc1.

Fixed status
A patch was sent to LKML but it hasn't been merged yet
(https://lore.kernel.org/lkml/cca0b40b-d6f8-54c7-1e46-83cb62d0a2f1@huawei.com/T/).

CVE-2023-35828: usb: gadget: udc: renesas_usb3: Fix use after free bug
in renesas_usb3_remove due to race condition

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.2. A
use-after-free was found in renesas_usb3_remove in
drivers/usb/gadget/udc/renesas_usb3.c.
This bug was introduced by commit 39facfa ("usb: gadget: udc:
renesas_usb3: Add register of usb role switch") in 4.19-rc1, so 4.14
and 4.4 aren't affected.

Fixed status
mainline: [2b947f8769be8b8181dc795fd292d3e7120f5204]
stable/4.19: [ad03fe033a71ed1fd2cb68a067198ae0e342f991]
stable/5.10: [36c237b202a406ba441892eabcf44e60dae7ad73]
stable/5.15: [1e58fb6b1cef4d5e552a0c3038bf946890af6f3b]
stable/5.4: [0fee5030c09401818c17be0786f2684c1cc1e440]
stable/6.1: [df2380520926bdbc264cffab0f45da9a21f304c8]
stable/6.3: [231598b40a070a6bf780c0df1ff5ae3e57102900]

CVE-2023-35829: media: rkvdec: fix use after free bug in rkvdec_remove

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.2. A
use-after-free was found in rkvdec_remove in
drivers/staging/media/rkvdec/rkvdec.c.
This bug was introduced by commit cd33c83 ("media: rkvdec: Add the
rkvdec driver") in 5.8-rc1, so 5.4, 4.19, 4.14, and 4.4 aren't
affected.

Fixed status
mainline: [3228cec23b8b29215e18090c6ba635840190993d]
stable/5.10: [de19d02d734ef29f5dbd2c12fe810fa960ecd83f]
stable/5.15: [cac0f4f36e226c79c83d01dddc049ac59d2de157]
stable/6.1: [6a17add9c61030683b9c1fc86878f00a2d318a95]
stable/6.3: [2115e94838adc9d1e7b75043c9f26abcc910f6fb]

CVE-2023-3312: fix double IO unmap and resource release on exit

CVSS v3 score is not provided.

A vulnerability was found in drivers/cpufreq/qcom-cpufreq-hw.c in the
cpufreq subsystem in the Linux Kernel. This flaw, during device unbind,
will lead to a double release problem leading to denial of service.

This bug was introduced by commit 054a3ef ("cpufreq: qcom-hw: Allocate
qcom_cpufreq_data during probe") in 6.2-rc1. So kernels before 6.2
aren't affected.

Fixed status
mainline: [ba5e770c9698782bc203bbf5cf3b36a77720bdbe]
stable/6.3: [d9bad836cf156ee87d577f0bd1ed01501b31a253]

CVE-2023-3317: wifi: mt76: mt7921: Fix use-after-free in fw features query.

CVSS v3 score is not provided.

A use-after-free bug was found in
drivers/net/wireless/mediatek/mt76/mt7921/init.c. When
mt7921_check_offload_capability() is called after release_firmware()
is called, mt7921_check_offload_capability() accesses freed memory
that will cause a kernel crash.
It was fixed in 6.3-rc6.

The mt7921 has been supported since 5.12-rc1-dontuse, so earlier
versions don't have this driver.
The mt7921_check_offload_capability() was introduced by commit 034ae28
("wifi: mt76: mt7921: introduce remain_on_channel support") in
6.2-rc1. This commit might have introduced the bug.

Fixed status
mainline: [2ceb76f734e37833824b7fab6af17c999eb48d2b]

CVE-2023-3220: Lack of return value check will cause NULL pointer dereference

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel through 6.1-rc8.
dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
lacks a check of the return value of kzalloc(), which will cause a NULL
pointer dereference.

This bug was introduced by commit 25fdd59 ("drm/msm: Add SDM845 DPU
support") in 4.19-rc1. So, Linux 4.4 and 4.14 are not affected.

Fixed status
mainline: [93340e10b9c5fc86730d149636e0aa8b47bb5a34]
stable/4.19: [c746a0b9210cebb29511f01d2becf240408327bf]
stable/5.10: [e9743b3052e125c44b555f07f2876a4bdccfd983]
stable/5.15: [c7ee1772e3c36fff8e13daa5ce1ac61426544a33]
stable/5.4: [dadd30fcc7e3e01561ef3624f6c0e323105ab523]
stable/6.1: [dd49cef313e6a62541b55e739261c5943cb06c47]

* Updated CVEs

No updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-06-14 22:43 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-06-14 22:43 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 7 updated CVEs.

* New CVEs

CVE-2023-3141: memstick: r592: Fix UAF bug in r592_remove due to race condition

CVSS v3 score is 5.9 MEDIUM.

The client side in OpenSSH 5.7 through 8.4 has an Observable
Discrepancy leading to an information leak in the algorithm
negotiation. This allows man-in-the-middle attackers to target initial
connection attempts (where no host key for the server has been cached
by the client).

Fixed status
mainline: [63264422785021704c39b38f65a78ab9e4a186d7]
stable/4.14: [3faa6fe21c516dbcca469c297df77decbc2fed0f]
stable/4.19: [dce890c3dfaf631d0a8ac79c2792911f9fc551fa]
stable/5.10: [5c23f6da62f71ebfeda6ea3960982ccd926ebb09]
stable/5.15: [162a9b321538972a260c7b178638c2368c071f77]
stable/5.4: [a2a5d3a584bf86c9c09017381a8fc63cfaf5a9e6]
stable/6.1: [9a342d4eb9fb8e52f7d1afe088a79513f3f9a9a5]
stable/6.3: [76fec5f01c9c70e11b85fdeb3f2707589c9238ca]

CVE-2023-3159: A use-after-free bug was found in firmware driver code

CVSS v3 score is not provided.

A use after free issue was discovered in driver/firewire in
outbound_phy_packet_callback in the Linux Kernel. In this flaw a local
attacker with special privilege may cause a use after free problem
when queue_event() fails.

It was fixed in 5.18-rc6. All stable kernels and cip kernels were fixed.

Fixed status
mainline: [b7c81f80246fac44077166f3e07103affe6db8ff]
stable/4.14: [1269a6567274edecd04ee7fd7871aa4d0c937f2a]
stable/4.19: [34380b5647f13fecb458fea9a3eb3d8b3a454709]
stable/5.10: [e757ff4bbc893bc030c2d10143091094da73b9ff]
stable/5.15: [e259ba5c08d3791ab269b7775f1de5b36b06388c]
stable/5.4: [34b9b91829111a7e44b593c790a22680c89cd402]

CVE-2023-3161: An OOB access bug was found in fbdev driver

CVSS v3 score is not provided.

A flaw was found in the Framebuffer Console (fbcon) in the Linux
Kernel. When providing font->width and font->height greater than 32 to
fbcon_set_font, since there are no checks in place, a
shift-out-of-bounds occurs leading to undefined behavior and possible
denial of service.

It was fixed in 6.2-rc7. All stable kernels and cip kernels were fixed.

Fixed status
mainline: [2b09d5d364986f724f17001ccfe4126b9b43a0be]
stable/4.14: [7625513267a2b155a5e31e4ac443bf954591b7fa]
stable/4.19: [1c3d4901fad1db6a4e2dcdd6b13ed0ea22f227a1]
stable/5.10: [28d190882ba55cbcee1db8e4ae90c149178dcf64]
stable/5.15: [dccbd062d71657648efc32fdc9919b33763cc68b]
stable/5.4: [4abcd352a0222cc807f6f87d2f58d59aeeb70340]
stable/6.1: [5e7f6e2ade57dfd6d133ff7c643abd2079248943]

CVE-2023-3212: NULL pointer dereference in gfs2_evict_inode() in fs/gfs2/super.c

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the gfs2 file system where
the evict code attempts to reference the freed and NULL-ified journal
descriptor structure (jdesc).
The vulnerability arises from a sequence of events that includes the
freeing of journals and the subsequent reference to the now
freed/zeroed sd_jdesc pointer.

It was fixed in 6.4-rc2.

Fixed status
mainline: [504a10d9e46bc37b23d0a1ae2f28973c8516e636]
stable/5.10: [d03d31d3a206093b9b8759dddf0ba9bd843606ba]
stable/5.15: [fd8b4e28f400a067e6ef84569816967be1f0642b]
stable/6.1: [5ae4a618a1558d2b536fdd5d42e53d3e2d73870c]
stable/6.3: [14c454764a37b194dc916c07488ce7339c82bc4f]

* Updated CVEs

CVE-2022-48425: fs/ntfs3: Validate MFT flags before replaying logs

Stable 6.1 was fixed.

Fixed status
mainline: [98bea253aa28ad8be2ce565a9ca21beb4a9419e5]
stable/5.15: [2a67f26f70ab344ae6ea78638890eebc1191a501]
stable/6.1: [a8eaa9a06addbd9cb0238cb1c729921ecbb6504c]
stable/6.3: [e6f4b1c32d6d6047958d7700d12fed6d91f441e7]

CVE-2023-1838: Fix double fget() in vhost_net_set_backend()

Stable 4.14 was fixed.

Fixed status
mainline: [fb4554c2232e44d595920f4d5c66cf8f7d13f9bc]
stable/4.14: [d1bcb0ab20980c6da663708c9a47c322703f9fc3]
stable/4.19: [6ca70982c646cc32e458150ee7f2530a24369b8c]
stable/5.10: [ec0d801d1a44d9259377142c6218885ecd685e41]
stable/5.15: [42d8a6dc45fc6619b8def1a70b7bd0800bcc4574]
stable/5.4: [3a12b2c413b20c17832ec51cb836a0b713b916ac]

CVE-2023-2007: Linux Kernel DPT I2O Controller Time-Of-Check
Time-Of-Use Information Disclosure Vulnerability

Stable 4.19 and 5.10 were fixed.

Fixed status
mainline: [b04e75a4a8a81887386a0d2dbf605a48e779d2a0]
stable/4.19: [1b88816a9499608c736e192e0f442e65d4b71de1]
stable/5.10: [a2cd7599b558d6c70c01880d470f6eedaf6a8f23]

CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

Stable 6.1 and 6.3 were fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

CVE-2023-31084: BUG: WARNING in dvb_frontend_get_event

All stable kernels were fixed.

Fixed status
mainline: [b8c75e4a1b325ea0a9433fa8834be97b5836b946]
stable/4.14: [72197f21d9a6c47286a57d323f6858fbed1d0f77]
stable/4.19: [f3b5442184a0dab5cee9b2682f947393569e24b2]
stable/5.10: [ca2d171fd1f3ea03198b8775443d2767301dce9b]
stable/5.15: [22fc36d59eab8e0bcc8ef72bba2363285784ac74]
stable/5.4: [66a6d704c251aac864b69ae094a7579e0837eec9]
stable/6.1: [d0088ea444e676a0c75551efe183bee4a3d2cfc8]
stable/6.3: [47dc2e5f5fb45aff7f9c32f10412125ee13cb5ce]

CVE-2023-34255: xfs: verify buffer contents when we skip log replay

Stable 6.1 and 6.3 were fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]
stable/5.10: [0e98a97f772f2ffcee8ced7a49b71e72916e0aa1]
stable/5.15: [6cfe9ddb6aa698464fa16fb77a0233f68c13360c]
stable/6.1: [a2961463d74f5c86a8dda3b41c484c28ccc4c289]
stable/6.3: [69ebe82c73f4f9f4b49ed3b35ce347af20716d0a]

CVE-2023-3111: btrfs: unset reloc control if transaction commit fails
in prepare_to_relocate()

Stable 4.14, 4.19, 5.4, and 5.10 were fixed.

Fixed status
mainline: [85f02d6c856b9f3a0acf5219de6e32f58b9778eb]
stable/4.14: [ff0e8ed8dfb584575cffc1561f17a1d094e8565b]
stable/4.19: [dcb11fe0a0a9cca2b7425191b9bf30dc29f2ad0f]
stable/5.10: [b60e862e133f646f19023ece1d476d630a660de1]
stable/5.15: [78f8c2370e3d33e35f23bdc648653d779aeacb6e]
stable/5.4: [8e546674031fc1576da501e27a8fd165222e5a37]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-06-07 22:19 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-06-07 22:19 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 1 updated CVE.

* New CVEs

CVE-2023-3006: arm64: Add AMPERE1 to the Spectre-BHB affected list

CVSS v3 score is not provided.

A known cache speculation vulnerability, known as Branch History
Injection (BHI) or Spectre-BHB, applies again to the new AmpereOne
hardware. Spectre-BHB is similar to Spectre v2, except that malicious
code uses the shared branch history (stored in the CPU Branch History
Buffer, or BHB) to influence mispredicted branches within the victim's
hardware context. Once that occurs, speculation caused by the
mispredicted branches can cause cache allocation. This issue leads to
obtaining information that should not be accessible.

The arch/arm64/kernel/proton-pack.c was introduced by commit 455697ad
("arm64: Introduce separate file for spectre mitigations and
reporting") in 5.10-rc1. Kernels 5.4, 4.19, and 4.14 have
spectre_bhb_loop_affected() in arch/arm64/kernel/cpu_errata.c, but
4.4 doesn't.

Fixed status
mainline: [0e5d5ae837c8ce04d2ddb874ec5f920118bd9d31]
stable/5.10: [52a43b82006dc88f996bd06da5a3fcfef85220c8]
stable/5.15: [52c2329147cf5d956dcaa3a91c886c550e7bdd39]

CVE-2023-2985: A use-after-free bug was found in the hfsplus file system

CVSS v3 score is 5.5(MEDIUM).

A use after free flaw was found in hfsplus_put_super in
fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local
user to cause a denial of service problem.

Fixed status
mainline: [07db5e247ab5858439b14dd7cc1fe538b9efcf32]
stable/4.14: [a9433406837c211af58a533d9e6f7a8f865b01f3]
stable/4.19: [e226f1fdcee1ca6e68233b132718deb578a84e38]
stable/5.10: [ef7d71d7bd57b8b7fe514e459927696c1c6d1047]
stable/5.15: [05103d88482dc3757db108415342fdd86821a79b]
stable/5.4: [3776ef785e1005355cdd86c751a8e838bac8e2e8]
stable/6.1: [0c80bef0b7d297ea86e5408fe79c45479e504a26]

CVE-2023-3022: ipv6: Use result arg in fib_lookup_arg consistently

CVSS v3 score is not provided.

According to the Red Hat bugzilla, there is a kernel crash bug that
was found in the ipv6 subsystem when some specific local networking
rule is enabled and IPv6 is being used.

This bug was introduced by commit effda4d ("ipv6: Pass fib6_result to
fib lookups") in 5.2-rc1. 4.x kernels are not affected by this issue.

Fixed status
mainline: [a65120bae4b7425a39c5783aa3d4fc29677eef0e]

CVE-2023-3111: btrfs: unset reloc control if transaction commit fails
in prepare_to_relocate()

CVSS v3 score is not provided.

A use after free vulnerability was found in prepare_to_relocate in
fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw
can be triggered by calling btrfs_ioctl_balance() before calling
btrfs_ioctl_defrag().
It was fixed in 6.0-rc2.

Fixed status
mainline: [85f02d6c856b9f3a0acf5219de6e32f58b9778eb]
stable/5.15: [78f8c2370e3d33e35f23bdc648653d779aeacb6e]

* Updated CVEs

CVE-2023-2156: Linux Kernel IPv6 RPL Protocol Reachable Assertion
Denial-of-Service Vulnerability

The mainline, stable 5.10, 5.15, and 6.1 were fixed. It was introduced
by commit 8610c7c ("net: ipv6: add support for rpl sr exthdr") in
5.7-rc1 and fixed in 6.3. Kernels before 5.7 don't contain commit
8610c7c, so they aren't affected.

Fixed status
mainline: [4e006c7a6dac0ead4c1bf606000aa90a372fc253]
stable/5.10: [c972851d3848647f57cd8d5625c48663410c3f96]
stable/5.15: [4eee0d9d3c1117aa4a1c9f4c7f29287107e7c084]
stable/6.1: [9a0b96d03c59ba560b074cdb9b6233493fd5492d]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-05-31 23:54 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-05-31 23:54 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2023-2898: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()

CVSS v3 score is not provided.

There is a null-pointer-dereference flaw found in f2fs_write_end_io in
fs/f2fs/data.c in the Linux kernel. This flaw allows a local
privileged user to cause a denial of service problem.

This bug was introduced by commit b4b10061ef98 ("f2fs: refactor
resize_fs to avoid meta updates in progress") in 5.8-rc1.
5.4, 4.19, 4.14, and 4.4 kernels are not affected by this issue.

Fixed status
Patch available on the f2fs-devel mailing list but it hasn't been merged yet.
https://lore.kernel.org/linux-f2fs-devel/20230522124203.3838360-1-chao@kernel.org/

CVE-2023-2612: A race condition bug was found in shiftfs file system

CVSS v3 score is not provided (NIST).
CVSS v3 score is 4.4 MEDIUM (CNA).

Jean-Baptiste Cayrou discovered that the shiftfs file system in the
Ubuntu Linux kernel contained a race condition when handling inode
locking in some situations. A local attacker could use this to cause a
denial of service (kernel deadlock).

shiftfs is an out-of-tree kernel module, so mainline kernels are not
affected.

Fixed status
Fixed in ubuntu kernels.

CVE-2022-48502: fs/ntfs3: Check fields while reading

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.2. The ntfs3
subsystem does not properly check for correctness during disk reads,
leading to an out-of-bounds read in ntfs_set_ea in fs/ntfs3/xattr.c.

The NTFS3 file system was introduced in 5.15, so kernels before 5.15
aren't affected.

Fixed status
mainline: [0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b]

CVE-2023-34255: xfs: verify buffer contents when we skip log replay

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel through 6.3.5. There is a
use-after-free in xfs_btree_lookup_get_block in
fs/xfs/libxfs/xfs_btree.c because fs/xfs/xfs_buf_item_recover.c does
not perform buffer content verification when log replay is skipped.

The xlog_recover_buf_commit_pass2() was introduced in 5.8-rc1 by
commit 1094d3f1 ("xfs: refactor log recovery buffer item dispatch for
pass2 commit functions"). This commit renamed
xlog_recover_buffer_pass2() to xlog_recover_buf_commit_pass2().
So it looks like kernels before 5.8 need to be patched in
xlog_recover_buffer_pass2().

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]

CVE-2023-34256: ext4: avoid a potential slab-out-of-bounds in
ext4_group_desc_csum

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.3.3. There is an
out-of-bounds read in crc16 in lib/crc16.c when called from
fs/ext4/super.c because ext4_group_desc_csum does not properly check
an offset.

This bug was introduced by commit 717d50e ("Ext4: Uninitialized Block
Groups ") in 2.6.24-rc1.

Fixed status
mainline: [4f04351888a83e595571de672e0a4a8b74f4fb31]
stable/4.14: [64b7487e3769e013fc7edb3804d1a769747f0228]
stable/4.19: [a733c466cedd1013a41fd8908d5810f2c161072f]
stable/5.10: [0dde3141c527b09b96bef1e7eeb18b8127810ce9]
stable/5.15: [6d9a705a653eb146b4991dbd198b258f787c70b1]
stable/5.4: [4f4fd982d972a55dee129f7da517b81fa16c408d]
stable/6.1: [1fffe4750500148f3e744ed77cf233db8342603f]
stable/6.3: [be7b6374a2ee8a59c1ff5addcbe25ebc1b4efd9f]

* Updated CVEs

CVE-2020-36694: A use-after-free bug was found in the netfilter

Commit 7f5c6d4f ("netfilter: get rid of atomic ops in fast path") was
merged in 5.12-rc5.
This commit fixes commit 7f5c6d4 ("netfilter: get rid of atomic ops in
fast path") in 3.0-rc1.

Fixed status
mainline: [175e476b8cdf2a4de7432583b49c871345e4f8a1]
stable/4.14: [f1fd7a174018f1107881150c6c2ce00e49a1e643]
stable/4.19: [81bc258370c6eeb1f41d350325e8a2c8e20fafad]
stable/5.10: [3fdebc2d8e7965f946a3d716ffdd482e66c1f46c]
stable/5.4: [19a5fb4ceada903e692de96b8aa8494179abbf0b]

CVE-2022-39189: KVM instruction emulation doesn't clear
KVM_VCPU_PREEMPTED, breaking guest's TLB flushing

Kernel 5.4 was fixed.

Fixed status
mainline: [6cd88243c7e03845a450795e134b488fc2afb736]
stable/5.10: [529f41f0eb1ef995bfa83c121c3cfe3a0720119a]
stable/5.15: [92343314d34e04da0923cefd3be67521d706fa35]
stable/5.4: [1eb3e32de7b1f6ed927dfff3ab3651ce25f3d516]

CVE-2022-4269: kernel: net: CPU soft lockup in TC mirred
egress-to-ingress action

Kernel 5.10 was fixed.

Fixed status
mainline: [ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640]
stable/5.10: [53245103786312f21fb9785327a4367cf10f0dbb]
stable/5.15: [169a41073993add6b0cfdc44e168e75f92f4834d]
stable/6.1: [4c8fc3fe28e47e2a495444347375f7354c24b018]
stable/6.2: [8c9e553c58a491ad328c622441e08178373442dc]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-05-24 22:50 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-05-24 22:50 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2023-33203: A use-after-free bug was found in the qualcomm emac driver code

CVSS v3 score is not provided.

The Linux kernel before 6.2.9 has a race condition and resultant
use-after-free in drivers/net/ethernet/qualcomm/emac/emac if a
physically proximate attacker unplugs an emac based device.

It was introduced by commit b9b17de ("net: emac: emac gigabit ethernet
controller driver") in 4.9-rc1.
Linux 4.4 is not affected.

Fixed status
mainline: [6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75]
stable/4.14: [aee129c0096e479eae92e2127f96f9d08f16ad8f]
stable/4.19: [4bbc59ec4feb1ea8d5cb3d9d38d4cb1317943ea4]
stable/5.10: [cb5879efde4f9b4de4248b835890df7b6c49ffbc]
stable/5.15: [8c4a180dc12303159592d15e8f077c20deeb1e55]
stable/5.4: [0e5c7d00ec4f2f359234044b809eb23b7032d9b0]
stable/6.1: [5fc2c4e311a9341a2b0e044ab5f33afa37b56226]

CVE-2020-36694: A use-after-free bug was found in the netfilter

CVSS v3 score is not provided.

An issue was discovered in netfilter in the Linux kernel before 5.10.
There can be a use-after-free in the packet processing context,
because the per-CPU sequence count is mishandled during concurrent
iptables rules replacement.
This could be exploited with the CAP_NET_ADMIN capability in an
unprivileged namespace. NOTE: cc00bca was reverted in 5.12.

This bug was introduced by commit 80055da ("netfilter: x_tables: make
xt_replace_table wait until old rules are not used anymore") in
4.15-rc1.
The commit cc00bca ("netfilter: x_tables: Switch synchronization to
RCU") fixes this issue but it has been reverted by commit
d3d40f2 ("Revert "netfilter: x_tables: Switch synchronization to RCU")
in 5.12-rc5 because there was a performance regression.

Fixed status
Not fixed.

CVE-2023-32250: ksmbd: fix racy issue from session setup and logoff

CVSS v3 score is not provided.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of Linux Kernel. Authentication is not
required to exploit this vulnerability,
but only systems with ksmbd enabled are vulnerable.
The specific flaw exists within the processing of SMB2_SESSION_SETUP
commands. The issue results from the lack of proper locking when
performing operations on an object.
An attacker can leverage this vulnerability to execute code in the
context of the kernel.

The ksmbd was introduced in 5.15, so kernels before 5.15 aren't
affected by this issue.

Fixed status
mainline: [f5c779b7ddbda30866cf2a27c63e34158f858c73]
stable/6.1: [f623f627ad2b1dc215ab3b0df53fb05cfd3a1c3b]
stable/6.3: [02f41d88f15d6b7d523e52cc3f87488f57e9265b]

CVE-2023-32254: ksmbd: fix racy issue under cocurrent smb2 tree disconnect

CVSS v3 score is not provided.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of Linux Kernel. Authentication is not
required to exploit this vulnerability,
but only systems with ksmbd enabled are vulnerable.
The specific flaw exists within the processing of SMB2_TREE_DISCONNECT
commands. The issue results from the lack of proper locking when
performing operations on an object.
An attacker can leverage this vulnerability to execute code in the
context of the kernel.

The ksmbd was introduced in 5.15, so kernels before 5.15 aren't
affected by this issue.

Fixed status
mainline: [30210947a343b6b3ca13adc9bfc88e1543e16dd5]
stable/6.1: [bd80d35725a0cf4df9307bfe2f1a3b2cb983d8e6]
stable/6.3: [39366b47a59d46af15ac57beb0996268bf911f6a]

CVE-2023-33250: a use-after-free bug was found in iopt_unmap_iova_range

CVSS v3 score is not provided.

The Linux kernel 6.3 has a use-after-free in iopt_unmap_iova_range in
drivers/iommu/iommufd/io_pagetable.c.

Fixed status
Not fixed.

CVE-2023-33288: power: supply: bq24190: Fix use after free bug in
bq24190_remove due to race condition

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.2.9. A
use-after-free was found in bq24190_remove in
drivers/power/supply/bq24190_charger.c.
It could allow a local attacker to crash the system due to a race condition.

This bug was introduced by commit 9777467 ("power_supply: Initialize
changed_work before calling device_add") in 2.6.39-rc1.

Fixed status
mainline: [47c29d69212911f50bdcdd0564b5999a559010d4]
stable/5.10: [2b346876b93168541a45551d5f9abd1d26102e89]
stable/5.15: [4ca3fd39c72efa250129d2af406c3bb56eec7dd9]
stable/6.1: [84bdb3b76b07f2e62183913a1f5da2d4aa25580a]

* Updated CVEs

CVE-2023-31084: BUG: WARNING in dvb_frontend_get_event

The mainline was fixed.
It looks as if all stable kernels and cip kernels are affected.

Fixed status
mainline: [b8c75e4a1b325ea0a9433fa8834be97b5836b946]

CVE-2022-48425: fs/ntfs3: Validate MFT flags before replaying logs

stable 6.3 and 5.15 were fixed.

Fixed status
mainline: [98bea253aa28ad8be2ce565a9ca21beb4a9419e5]
stable/5.15: [2a67f26f70ab344ae6ea78638890eebc1191a501]
stable/6.3: [e6f4b1c32d6d6047958d7700d12fed6d91f441e7]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


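Several entries in this thread share one shape: a driver's remove() path releases its device state while deferred work that dereferences that state (a watchdog timer, a workqueue item) can still run. CVE-2023-33288 (bq24190_remove) above is one instance; CVE-2023-3141 (r592_remove), CVE-2023-35826 (cedrus_remove), CVE-2023-35827 (ravb_remove), CVE-2023-35828 (renesas_usb3_remove) and CVE-2023-35829 (rkvdec_remove) in the newer reports are titled the same way. The model below is an added example written for this page, not code from any of those drivers or from the kernel; the one-slot workqueue, the DEV_ALIVE/DEV_FREED poison values and the scenario driver are constructed so the race is deterministic and observable, and it assumes deferred work is the mechanism in each case. It shows the buggy ordering (release, then the callback fires) beside the fix pattern (cancel the work synchronously, then release).

```c
/* Single-threaded model of a remove() path racing deferred work.
 * Added example; device, workqueue and poison values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* DEV_ALIVE while the object is valid, DEV_FREED after the simulated
 * kfree(); the poison makes a use-after-free observable without real UB. */
#define DEV_ALIVE 0x600dc0deU
#define DEV_FREED 0xdeadbeefU

struct work_item {
    void (*fn)(void *arg);
    void *arg;
    int pending;
};

struct my_dev {
    uint32_t magic;
    int jobs_completed;
    struct work_item watchdog;  /* deferred work that dereferences this struct */
};

/* One-slot workqueue, drained by flush_workqueue() in place of a kworker. */
static struct work_item *wq_slot;

static void queue_work(struct work_item *w)
{
    w->pending = 1;
    wq_slot = w;
}

/* cancel_work_sync() semantics: once this returns the item will not run. */
static void cancel_work_sync(struct work_item *w)
{
    w->pending = 0;
    if (wq_slot == w)
        wq_slot = NULL;
}

static void flush_workqueue(void)
{
    struct work_item *w = wq_slot;
    wq_slot = NULL;
    if (w && w->pending) {
        w->pending = 0;
        w->fn(w->arg);
    }
}

static int uaf_observed;

static void watchdog_fn(void *arg)
{
    struct my_dev *dev = arg;
    if (dev->magic != DEV_ALIVE) {  /* in the kernel: KASAN UAF report or crash */
        uaf_observed = 1;
        return;
    }
    dev->jobs_completed++;
}

static struct my_dev *dev_probe(void)
{
    struct my_dev *dev = calloc(1, sizeof *dev);
    if (!dev)
        return NULL;
    dev->magic = DEV_ALIVE;
    dev->watchdog.fn = watchdog_fn;
    dev->watchdog.arg = dev;
    queue_work(&dev->watchdog);  /* the job path armed the watchdog before unbind */
    return dev;
}

/* Buggy remove(): releases the object while the watchdog is still queued. */
static void dev_remove_buggy(struct my_dev *dev)
{
    dev->magic = DEV_FREED;  /* stands in for kfree()/devm release */
}

/* Fixed remove(): cancel the deferred work synchronously, then release. */
static void dev_remove_fixed(struct my_dev *dev)
{
    cancel_work_sync(&dev->watchdog);
    dev->magic = DEV_FREED;
}

/* Runs one unbind scenario; returns 1 if the callback touched freed state. */
int run_unbind(int use_fixed_remove)
{
    struct my_dev *dev = dev_probe();
    if (!dev)
        return -1;
    uaf_observed = 0;
    if (use_fixed_remove)
        dev_remove_fixed(dev);
    else
        dev_remove_buggy(dev);
    flush_workqueue();  /* the kworker runs after remove() has returned */
    free(dev);
    return uaf_observed;
}

int main(void)
{
    printf("buggy remove: uaf=%d\n", run_unbind(0));
    printf("fixed remove: uaf=%d\n", run_unbind(1));
    return 0;
}
```

In a real driver the cancel step is the synchronous primitive matching whatever was deferred (cancel_work_sync(), cancel_delayed_work_sync(), del_timer_sync(), and so on), and it has to run before the last put or free of the object the callback uses; cancelling after the release, or not at all, leaves exactly the window this model exposes.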

* New CVE entries this week
@ 2023-05-17 23:10 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-05-17 23:10 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 0 new CVEs and 8 updated CVEs.

* New CVEs

There is no new CVE this week.

* Updated CVEs

CVE-2023-2269: A possible deadlock in dm_get_inactive_table in dm-
ioctl.c leads to dos

stable 4.14, 4.19, 5.10, 5.4, 5.15, 6.1, 6.2, and 6.3 were fixed.

Fixed status
mainline: [3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89]
stable/4.14: [c9dfa8ba3b181e67970f06d80de18aa257d1ecda]
stable/4.19: [b4b94b25c78ed03be0e07fa4e76fe51e64dac533]
stable/5.10: [ea827627a9249154b34b646b1e1007013402afea]
stable/5.15: [e11765cea2050fa25fc3e03da858e83284c5ce79]
stable/5.4: [29a1ef57c3be1d53ecadb749d45b0636e8245a89]
stable/6.1: [9a94ebc74c3540aba5aa2c7b05032da4610a08c9]
stable/6.2: [243093d536fe3cc78b450f1beb8d584505ea3193]
stable/6.3: [a554e6ec3626d4c11f55d7eef8d6aa93fb211c24]

CVE-2023-2598: An OOB access bug was found in the io_uring subsystem

stable 6.3 was fixed.

Fixed status
mainline: [776617db78c6d208780e7c69d4d68d1fa82913de]
stable/6.3: [3a0a9211d7d0138d55aecd209b05e6d4a9eec383]

CVE-2023-32233: netfilter: nf_tables: deactivate anonymous set from
preparation phase

stable 4.19, 5.10, 5.4, 5.15, 6.1, 6.2, and 6.3 were fixed.

Fixed status
mainline: [c1592a89942e9678f7d9c8030efa777c0d57edab]
stable/4.19: [c6989314fd809c5eaf4980d6fa474f19fc653d6c]
stable/5.10: [e044a24447189419c3a7ccc5fa6da7516036dc55]
stable/5.15: [21c2a454486d5e9c1517ecca19266b3be3df73ca]
stable/5.4: [c8b6063f13add68f89540aa5030ceee875f48aa2]
stable/6.1: [4507918cd1f8b80f21a396fa0531d53e372bed66]
stable/6.2: [6b0801dcc1aa4373d28ac8ee396788d2e715c495]
stable/6.3: [f8486683ffa30456e0be4290282a44c4459a3287]

CVE-2023-28410: A potential security vulnerability in some Intel® i915
Graphics drivers for linux may allow escalation of privilege

According to the SUSE bugzilla
(https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-28410), commit
661412e ("drm/i915/gem: add missing boundary check in vm_access") in
5.19-rc1 is fixing this CVE.
This bug was introduced by commit 9f909e2 ("drm/i915: Implement
vm_ops->access for gdb access into mmaps") in 5.8-rc1.

Linux 5.4, 4.19, 4.14, and 4.4 are not affected.

Fixed status
mainline: [661412e301e2ca86799aa4f400d1cf0bd38c57c6]
stable/5.10: [89ddcc81914ab58cc203acc844f27d55ada8ec0e]
stable/5.15: [312d3d4f49e12f97260bcf972c848c3562126a18]

CVE-2022-39189: KVM instruction emulation doesn't clear
KVM_VCPU_PREEMPTED, breaking guest's TLB flushing

stable 5.10 was fixed.

Fixed status
mainline: [6cd88243c7e03845a450795e134b488fc2afb736]
stable/5.10: [529f41f0eb1ef995bfa83c121c3cfe3a0720119a]
stable/5.15: [92343314d34e04da0923cefd3be67521d706fa35]

CVE-2023-1380: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

stable 4.14, 4.19, 5.10, and 5.4 were fixed.

Fixed status
mainline: [0da40e018fd034d87c9460123fa7f897b69fdee7]
stable/4.14: [ac5305e5d227b9af3aae25fa83380d3ff0225b73]
stable/4.19: [39f9bd880abac6068bedb24a4e16e7bd26bf92da]
stable/5.10: [549825602e3e6449927ca1ea1a08fd89868439df]
stable/5.15: [936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8]
stable/5.4: [425eea395f1f5ae349fb55f7fe51d833a5324bfe]
stable/6.1: [e29661611e6e71027159a3140e818ef3b99f32dd]
stable/6.2: [228186629ea970cc78b7d7d5f593f2d32fddf9f6]
stable/6.3: [21bee3e649d87f78fe8aef6ae02edd3d6f310fd0]

CVE-2023-2002: bluetooth: Perform careful capability checks in hci_sock_ioctl()

stable 4.14, 4.19, 5.10, and 5.4 were fixed.

Fixed status
mainline: [25c150ac103a4ebeed0319994c742a90634ddf18]
stable/4.14: [73ddc585228db650bd4ff10d5b59c831924fd9ba]
stable/4.19: [8d59548bae309000442c297bff3e54ab535f0ab7]
stable/5.10: [98cfbad52fc286c2a1a75e04bf47b98d6489db1f]
stable/5.15: [f1e6a14d5ae879d6ab6d90c58d2fde1b5716b389]
stable/5.4: [48cdcb40d589d990ccc1a99fb76843484ce732a0]
stable/6.1: [47e6893a5b0ad14c0b1c25983a1facb1cf667b6e]
stable/6.2: [727b3ea80f3fdda6c686806ce3579face0415c76]
stable/6.3: [dd30f9da333748488d96b7cb3c5a17bbaf86b32d]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2023-05-10 23:47 Masami Ichikawa
From: Masami Ichikawa @ 2023-05-10 23:47 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 9 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2023-21102: arm64: efi: Execute runtime services from a dedicated stack

CVSS v3 score is not provided.

A local privilege escalation bug was found in the EFI code for ARM64
architecture.

The actual security fix is commit ff7a167 ("arm64: efi: Execute runtime
services from a dedicated stack").
Commit 18bba18 adds the missing header file which commit ff7a167 needs.

Fixed status
mainline: [ff7a167961d1b97e0e205f245f806e564d3505e7,
18bba1843fc7f264f58c9345d00827d082f9c558]
stable/5.10: [4012603cbd469223f225637d265a233f034c567a,
d6544bccc1967cd6a883d6abac71fc7d863e8baa]
stable/5.15: [de2af657cab92afc13a4ccd8780370481ed0eb61,
7a993c1be595835acf578d0382bfd8f83475f301]
stable/6.1: [f75a91c82dc805af8f718ff106ec9c090234b37b,
72b0e5faa5149f09c6a7a74e4012f29e33509bab]

CVE-2023-2156: Linux Kernel IPv6 RPL Protocol Reachable Assertion
Denial-of-Service Vulnerability

CVSS v3 score is not provided.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of Linux Kernel.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the RPL protocol. The
issue results from the lack of proper handling of user-supplied data,
which can result in an assertion failure. An attacker can leverage
this vulnerability to create a denial-of-service condition on the
system.

According to the ZDI advisory (ZDI-23-547), "Given the nature of the
vulnerability, the only salient mitigation strategy is to restrict
interaction with the application."

Fixed status
Not fixed yet

CVE-2023-21106: drm/msm/gpu: Fix potential double-free

CVSS v3 score is not provided.

A double free bug was found in the drm/msm/gpu driver.
It was introduced by commit d4726d770068 ("drm/msm: Add a way to
override processes comm/cmdline") in 5.19-rc1.
This commit is not backported to older stable kernels, so kernels before
5.19 aren't affected.

Fixed status
mainline: [a66f1efcf748febea7758c4c3c8b5bc5294949ef]
stable/6.1: [8103d53f25ec7b9aa99c134642c6e840e896be71]

CVE-2023-2483: net: qcom/emac: Fix use after free bug in emac_remove
due to race condition

CVSS v3 score is not provided.

A use-after-free bug was found in drivers/net/ethernet/qualcomm/emac/emac.c.
It was introduced by commit b9b17de ("net: emac: emac gigabit ethernet
controller driver") in 4.9-rc1.
This commit is not present in 4.4, so 4.4 kernels are not affected.

Fixed status
mainline: [6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75]
stable/4.14: [aee129c0096e479eae92e2127f96f9d08f16ad8f]
stable/4.19: [4bbc59ec4feb1ea8d5cb3d9d38d4cb1317943ea4]
stable/5.10: [cb5879efde4f9b4de4248b835890df7b6c49ffbc]
stable/5.15: [8c4a180dc12303159592d15e8f077c20deeb1e55]
stable/5.4: [0e5c7d00ec4f2f359234044b809eb23b7032d9b0]
stable/6.1: [5fc2c4e311a9341a2b0e044ab5f33afa37b56226]
stable/6.2: [514dc3d0f176d280dc2d3cd25e898a7ec329e878]

CVE-2023-2513: ext4: fix use-after-free in ext4_xattr_set_entry

CVSS v3 score is not provided.

A use-after-free vulnerability was found in the Linux kernel's ext4
filesystem in the way it handled the extra inode size for extended
attributes. This flaw could allow a privileged local user to cause a
system crash or other undefined behaviors.
It looks like 4.4 is affected.

Fixed status
mainline: [67d7d8ad99beccd9fe92d585b87f1760dc9018e3]
stable/4.14: [fb8b3aa9dae22b2184d31fd63ed44d3215fcb41f]
stable/4.19: [c3ecf16b410fd88c15eb8353369a1943c3da5101]
stable/5.10: [bb8592efcf8ef2f62947745d3182ea05b5256a15]
stable/5.15: [21f6bd5cbdab8ac7f7e9321de53668e1ef8f22a6]
stable/5.4: [9d1468732118ec402095451e67b2781ac3a39502]

CVE-2023-32233: netfilter: nf_tables: deactivate anonymous set from
preparation phase

CVSS v3 score is not provided.

In the Linux kernel through 6.3.1, a use-after-free in Netfilter
nf_tables when processing batch requests can be abused to perform
arbitrary read and write operations on kernel memory.
Unprivileged local users can obtain root privileges. This occurs
because anonymous sets are mishandled.

Fixed status
mainline: [c1592a89942e9678f7d9c8030efa777c0d57edab]

CVE-2023-32269: A use-after-free bug was found in net/netrom/af_netrom.c

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel before 6.1.11. In
net/netrom/af_netrom.c, there is a use-after-free because accept is
also allowed for a successfully connected AF_NETROM socket.
However, in order for an attacker to exploit this, the system must
have netrom routing configured or the attacker must have the
CAP_NET_ADMIN capability.
It affects 4.4 kernels.

Fixed status
mainline: [611792920925fb088ddccbe2783c7f92fdfb6b64]
stable/4.14: [35d5bb094bc7529c15561289a1ea995f897bf2e6]
stable/4.19: [2c1984d101978e979783bdb2376eb6eca9f8f627]
stable/5.10: [dd6991251a1382a9b4984962a0c7a467e9d71812]
stable/5.15: [c27e0eac568a008cdf04ae7e4ea2d3c18717e627]
stable/5.4: [20355b9569bd1fd5a236898524b6dd4117e660d0]
stable/6.1: [5c2227f3f17782d5262ee0979ad30609b3e01f6e]

CVE-2023-2598: An OOB access bug was found in the io_uring subsystem

CVSS v3 score is not provided.

This vulnerability is in the fixed buffer registration code of io_uring
and allows out-of-bounds access to physical memory beyond the end of
the buffer, enabling complete local privilege escalation.
This bug was introduced by commit 57bebf8 ("io_uring/rsrc: optimise
registered huge pages") in 6.3-rc1, so kernels before 6.3 aren't
affected.

Fixed status
mainline: [776617db78c6d208780e7c69d4d68d1fa82913de]

CVE-2023-28410: A potential security vulnerability in some Intel® i915
Graphics drivers for linux may allow escalation of privilege

CVSS v3 score is not provided (NIST)
CVSS v3 score is 8.8 HIGH (CNA)

Improper restriction of operations within the bounds of a memory
buffer in some Intel(R) i915 Graphics drivers for linux before kernel
version 6.2.10 may allow an authenticated user to potentially enable
escalation of privilege via local access.

Fixed status
The Intel security advisory (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00886.html)
says that "Intel recommends updating Intel® i915 Graphics for linux to
kernel version 6.2.10 or later."

v6.2.10 contains the following commits in drivers/gpu/drm/i915.

8fc3207 ("drm/i915: Move CSC load back into .color_commit_arm() when
PSR is enabled on skl/glk")
278647c ("drm/i915: Split icl_color_commit_noarm() from
skl_color_commit_noarm()")
5624743 ("drm/i915: Disable DC states for all commits")
5390a02 ("drm/i915/dpt: Treat the DPT BO as a framebuffer")
1c9faad ("drm/i915/gem: Flush lmem contents after construction")
1ca9c29 ("drm/i915/perf: Drop wakeref on GuC RC error")
3ee0c45 ("drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state")
3891994 ("drm/i915/pmu: Use functions common with sysfs to read actual freq")

It looks like 5390a02 ("drm/i915/dpt: Treat the DPT BO as a framebuffer")
and 1c9faad ("drm/i915/gem: Flush lmem contents after construction")
fix memory-related bugs, but it is not clear whether one of them, both,
or neither fixes this CVE.

* Updated CVEs

CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

The mainline was fixed.

Fixed status
mainline: [22ed903eee23a5b174e240f1cdfa9acf393a5210]

CVE-2022-48425: fs/ntfs3: Validate MFT flags before replaying logs

The mainline was fixed.

Fixed status
mainline: [98bea253aa28ad8be2ce565a9ca21beb4a9419e5]

CVE-2023-28464: Bluetooth: hci_conn_cleanup function has double free

The mainline, 6.1, and 6.2 were fixed.

Fixed status
mainline: [5dc7d23e167e2882ef118456ceccd57873e876d8]
stable/6.1: [8c4b65f6c707bc07cbcd871667b5056821c5685d]
stable/6.2: [dba0f922d57408fdbd32b9964fcca1d3f1acc9c2]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,


* New CVE entries this week
@ 2023-05-03 22:53 Masami Ichikawa
From: Masami Ichikawa @ 2023-05-03 22:53 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 5 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2023-31436: net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg

CVSS v3 score is not provided.

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before
6.2.13 allows an out-of-bounds write because lmax can exceed
QFQ_MIN_LMAX.

This bug was introduced by commit 3015f3d ("pkt_sched: enable QFQ to
support TSO/GSO") in 3.7-rc5.

Fixed status
mainline: [3037933448f60f9acb705997eae62013ecb81e0d]
stable/4.14: [0616570ce23bbcc1ac842e97fb8e167235f1582d]
stable/4.19: [6ef8120262dfa63d9ec517d724e6f15591473a78]
stable/5.10: [ddcf35deb8f2a1d9addc74b586cf4c5a1f5d6020]
stable/5.15: [1ffc0e8105510cb826cb9d27ed1820a1131c82d4]
stable/5.4: [35dceaeab97c9e5f3fda3b10ce7f8110df0feecd]
stable/6.1: [ce729b06dc33b01f8a6ac84da5ef54154326bf7e]
stable/6.2: [420d014b19ff119e210ecc075ff611fe7844690c]

CVE-2023-2248: net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg

CVSS v3 score is not provided (NVD).
CVSS v3 score is 7.8 HIGH (CNA).

A heap out-of-bounds read/write vulnerability in the Linux Kernel
traffic control (QoS) subsystem can be exploited to achieve local
privilege escalation.
The qfq_change_class function does not properly limit the lmax
variable which can lead to out-of-bounds read/write.
If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is
determined by the MTU value of the network device.
The MTU of the loopback device can be set up to 2^31-1 and as a result,
it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.

It is a duplicate of CVE-2023-31436.

Fixed status
mainline: [3037933448f60f9acb705997eae62013ecb81e0d]
stable/4.14: [0616570ce23bbcc1ac842e97fb8e167235f1582d]
stable/4.19: [6ef8120262dfa63d9ec517d724e6f15591473a78]
stable/5.10: [ddcf35deb8f2a1d9addc74b586cf4c5a1f5d6020]
stable/5.15: [1ffc0e8105510cb826cb9d27ed1820a1131c82d4]
stable/5.4: [35dceaeab97c9e5f3fda3b10ce7f8110df0feecd]
stable/6.1: [ce729b06dc33b01f8a6ac84da5ef54154326bf7e]
stable/6.2: [420d014b19ff119e210ecc075ff611fe7844690c]

CVE-2023-2430: io_uring/msg_ring: fix missing lock on overflow for IOPOLL

CVSS v3 score is not provided.

A vulnerability due to a missing lock on overflow for IOPOLL in
io_cqring_event_overflow() causes a denial of service.
This bug is in the io_uring subsystem, so 4.x kernels aren't affected.

Fixed status
mainline: [e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d]

CVE-2023-2235: A use-after-free bug was found in the perf subsystem

CVSS v3 score is not provided (NVD).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux Kernel Performance Events
system can be exploited to achieve local privilege escalation. The
perf_group_detach function did not check the event's siblings'
attach_state before calling add_event_to_groups(), but remove_on_exec
made it possible to call list_del_event() before detaching from
their group, making it possible to use a dangling pointer causing a
use-after-free vulnerability.

It was introduced by commit 2e498d0 ("perf: Add support for event
removal on exec") in 5.13-rc1.
Kernels before Linux 5.13 aren't affected by this bug.

Fixed status
mainline: [fd0815f632c24878e325821943edccc7fde947a2]
stable/5.15: [de3ef7ba684a25313c4b7405d007ab22912ef95a]
stable/6.1: [529546ea2834ce58aa075837d57918740accf713]
stable/6.2: [2c6d1b32838d8cf0114dfdbbb93f4d808e498760]

CVE-2023-2236: a use-after-free bug was found in the io_uring subsystem

CVSS v3 score is not provided (NVD).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux Kernel io_uring subsystem
can be exploited to achieve local privilege escalation. Both
io_install_fixed_file and its callers call fput in a file in case of
an error, causing a reference underflow which leads to a
use-after-free vulnerability.

This bug was introduced by commit 61c1b44 ("io_uring: fix deadlock on
iowq file slot alloc") in 5.19-rc1.
Kernels before Linux 5.19 aren't affected by this bug.

Fixed status
mainline: [9d94c04c0db024922e886c9fd429659f22f48ea4]

* Updated CVEs

CVE-2023-1281: net/sched: tcindex: imperfect hash filters

stable 4.19 was fixed.

Fixed status
mainline: [ee059170b1f7e94e55fa6cadee544e176a6e59c2]
stable/4.19: [01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b]
stable/5.10: [eb8e9d8572d1d9df17272783ad8a84843ce559d4]
stable/5.15: [becf55394f6acb60dd60634a1c797e73c747f9da]
stable/6.1: [bd662ba56187b5ef8a62a3511371cd38299a507f]

CVE-2023-2002: bluetooth: Perform careful capability checks in hci_sock_ioctl()

Fixed in the mainline, 5.15, 6.1, and 6.2.

Fixed status
mainline: [25c150ac103a4ebeed0319994c742a90634ddf18]
stable/5.15: [f1e6a14d5ae879d6ab6d90c58d2fde1b5716b389]
stable/6.1: [47e6893a5b0ad14c0b1c25983a1facb1cf667b6e]
stable/6.2: [727b3ea80f3fdda6c686806ce3579face0415c76]
stable/6.3: [dd30f9da333748488d96b7cb3c5a17bbaf86b32d]

CVE-2023-1380: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

5.15, 6.1, and 6.2 were fixed.

Fixed status
mainline: [0da40e018fd034d87c9460123fa7f897b69fdee7]
stable/5.15: [936a23293bbb3332bdf4cdb9c1496e80cb0bc2c8]
stable/6.1: [e29661611e6e71027159a3140e818ef3b99f32dd]
stable/6.2: [228186629ea970cc78b7d7d5f593f2d32fddf9f6]
stable/6.3: [21bee3e649d87f78fe8aef6ae02edd3d6f310fd0]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,


* New CVE entries this week
@ 2023-04-26 23:10 Masami Ichikawa
From: Masami Ichikawa @ 2023-04-26 23:10 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 13 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2023-2176: Kernel: Slab-out-of-bound read in compare_netdev_and_ip

CVSS v3 score is not provided.

An out-of-bounds access bug was found in drivers/infiniband/core/cma.c.
This bug will cause a system crash or privilege escalation.

Fixed status
mainline: [8d037973d48c026224ab285e6a06985ccac6f7bf]

CVE-2023-2177: Kernel: NULL pointer dereference problem in
sctp_sched_dequeue_common

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in net/sctp/stream_sched.c.
This bug will cause a system crash or a denial of service.

This bug was introduced by commit 5bbbbe32a431 ("sctp: introduce
stream scheduler foundations") in 4.15-rc1.
Kernel 4.4 and 4.14 are not affected.

Fixed status
mainline: [181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d]
stable/5.10: [6f3505588d66b27220f07d0cab18da380fae2e2d]
stable/5.15: [e796e1fe20ecaf6da419ef6a5841ba181bba7a0c]
stable/5.4: [8d6dab81ee3d0309c09987ff76164a25486c43e0]

CVE-2023-2166: A null pointer dereference issue was found in can protocol

CVSS v3 score is not provided.

A null pointer dereference issue was found in can protocol in
net/can/af_can.c in the Linux before Linux. ml_priv may not be
initialized in the receive path of CAN frames. A local user could use
this flaw to crash the system or potentially cause a denial of
service.

This issue was introduced by commit 4e096a1 ("net: introduce CAN
specific pointer in the struct net_device") in 5.12-rc1-dontuse.
Kernel 4.4, 4.14, and 4.19 are not affected.

Fixed status
mainline: [0acc442309a0a1b01bcdaa135e56e6398a49439c]
stable/5.10: [c42221efb1159d6a3c89e96685ee38acdce86b6f]
stable/5.15: [c142cba37de29f740a3852f01f59876af8ae462a]
stable/5.4: [3982652957e8d79ac32efcb725450580650a8644]

CVE-2023-2194: write in xgene_slimpro_i2c_xfer()

CVSS v3 score is not provided.

An out-of-bounds write vulnerability was found in the Linux kernel's
SLIMpro I2C device driver. The userspace "data->block[0]" variable was
not capped to a number between 0-255 and was used as the size of a
memcpy, possibly writing beyond the end of dma_buffer. This flaw could
allow a local privileged user to crash the system or potentially
achieve code execution.

This issue was introduced by commit f6505fb ("i2c: add SLIMpro I2C
device driver on APM X-Gene platform") in 4.2-rc1.

Fixed status
mainline: [92fbb6d1296f81f41f65effd7f5f8c0f74943d15]
stable/4.14: [b8cb50c68c87f2c4a1d65df9275073e9c94aef5e]
stable/4.19: [5fc2b9485a8722c8350c3379992f5931ccfeaf98]
stable/5.10: [1eaa2b7ae90c5a5e05586df310d804de250747d3]
stable/5.15: [272dc775a52f2b0d0d8e844e77fefa7df8ebc653]
stable/5.4: [f8cbad984b1601435d087125ac760d3cae90213a]
stable/6.1: [7c64e839585eac8048bf67b1c6dcb7a5ca189a2e]
stable/6.2: [cc3c3ee6d035d38f116a6dec88acf7f74598aebd]

CVE-2023-31081: BUG: general protection fault in vidtv_mux_stop_thread

CVSS v3 score is not provided.

An issue was discovered in
drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel
6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In
vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes
vidtv_mux_stop_thread(dvb->mux).

No CIP member enables DVB_TEST_DRIVERS in the cip-kernel-config.

Fixed status
Not fixed yet

CVE-2023-31082: BUG: sleeping function called from invalid context in
__might_resched

CVSS v3 score is not provided.

An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel
6.2. There is a sleeping function called from an invalid context in
gsmld_write, which will block the kernel.

Fixed status
Not fixed yet

CVE-2023-31083: BUG: general protection fault in hci_uart_tty_ioctl

CVSS v3 score is not provided.

An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux
kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between
HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before
hu->proto is set. A NULL pointer dereference may occur.

Fixed status
Not fixed yet

CVE-2023-31084: BUG: WARNING in dvb_frontend_get_event

CVSS v3 score is not provided.

An issue was discovered in drivers/media/dvb-core/dvb_frontend.c in
the Linux kernel 6.2. There is a blocking operation when a task is in
!TASK_RUNNING. In dvb_frontend_get_event, wait_event_interruptible is
called; the condition is dvb_frontend_test_event(fepriv,events). In
dvb_frontend_test_event, down(&fepriv->sem) is called. However,
wait_event_interruptible would put the process to sleep, and
down(&fepriv->sem) may block the process.

Fixed status
Not fixed yet

CVE-2023-31085: BUG: divide error in ubi_attach_mtd_dev

CVSS v3 score is not provided.

An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel
6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize),
used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.

Fixed status
Not fixed yet

CVE-2023-2006: A race condition was found in the RxRPC network protocol

CVSS v3 score is not provided.

A race condition was found in the Linux kernel's RxRPC network
protocol, within the processing of RxRPC bundles. This issue results
from the lack of proper locking when performing operations on an
object. This may allow an attacker to escalate privileges and execute
arbitrary code in the context of the kernel.

It was introduced by commit 245500d ("rxrpc: Rewrite the client
connection manager") in 5.10-rc1.
So kernels before 5.10 are not affected.

Fixed status
mainline: [3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5]
stable/5.10: [3535c632e6d16c98f76e615da8dc0cb2750c66cc]
stable/5.15: [38fe0988bd516f35c614ea9a5ff86c0d29f90c9a]

CVE-2023-2007: Linux Kernel DPT I2O Controller Time-Of-Check
Time-Of-Use Information Disclosure Vulnerability

CVSS v3 score is not provided.

The specific flaw exists within the DPT I2O Controller driver. The
issue results from the lack of proper locking when performing
operations on an object. An attacker can leverage this in conjunction
with other vulnerabilities to escalate privileges and execute
arbitrary code in the context of the kernel.

To fix this issue, the driver has been removed.

The following defconfig files in the cip-kernel-config enable this driver
(the glob is quoted so the shell passes it to find unexpanded):
$ find . -name '*defconfig' | xargs grep -n SCSI_DPT_I2O
./4.9.y-cip/x86/siemens_server_defconfig:165:CONFIG_SCSI_DPT_I2O=m
./4.14.y-cip/x86/siemens_iot2000_defconfig:149:CONFIG_SCSI_DPT_I2O=m
./4.14.y-cip/x86/siemens_server_defconfig:149:CONFIG_SCSI_DPT_I2O=m
./4.19.y-cip/x86/siemens_server_defconfig:153:CONFIG_SCSI_DPT_I2O=m
./4.4.y-cip/x86/siemens_server_defconfig:154:CONFIG_SCSI_DPT_I2O=m

Fixed status
mainline: [b04e75a4a8a81887386a0d2dbf605a48e779d2a0]

CVE-2023-2019: netdevsim: fib: Fix reference count leak on route
deletion failure

CVSS v3 score is not provided.

A flaw was found in the Linux kernel's netdevsim device driver, within
the scheduling of events. This issue results from the improper
management of a reference count. This may allow an attacker to create
a denial of service condition on the system

It was introduced by commit 0ae3eb7 ("netdevsim: fib: Perform the
route programming in a non-atomic context") in 5.12-rc1-dontuse.
This patch is not backported to older stable kernels, so kernels before
5.12 are not affected by this issue.

Fixed status
mainline: [180a6a3ee60a7cb69ed1232388460644f6a21f00]
stable/5.15: [f671cf48f383fccba313346eddb4bd6bcbdb55a4]

CVE-2023-2269: A possible deadlock in dm_get_inactive_table in
dm-ioctl.c leads to DoS

CVSS v3 score is not provided.

A denial of service problem was found, due to a possible recursive
locking scenario, resulting in a deadlock in table_clear in
drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing
sub-component.

Fixed status
mainline: [3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89]

* Updated CVEs

CVE-2021-4037: kernel: security regression for CVE-2018-13405

stable 5.4 was fixed.

Fixed status
mainline: [01ea173e103edd5ec41acec65b9261b87e123fc2]
stable/5.10: [e811a534ec2f7f6c0d27532c0915715427b7cab1]
stable/5.4: [e76bd6da51235ce86f5a8017dd6c056c76da64f9]

CVE-2023-1859: 9p/xen: Fix use after free bug in xen_9pfs_front_remove
due to race condition

stable kernels were fixed.

Fixed status
stable/4.14: [b5664e929e2e19f644ea133ae8d87fbd5654ec5a]
stable/4.19: [c078fcd3f00ea5eadad07da169956d84f65af49b]
stable/5.10: [9266e939d76279d8710196d86215ba2be6345041]
stable/5.15: [e35ae49bc198412c9294115677e5acdef95b1fb5]
stable/5.4: [fcd084e199b9a38490bfedd97885bbaba14475e5]
stable/6.1: [c4002b9d5e837f152a40d1333c56ccb84975147b]
stable/6.2: [e7dcd834af53c79418ca3cd1c42749a314b9f7dc]

CVE-2023-30456: KVM: nVMX: add missing consistency checks for CR0 and CR4

stable 4.19 was fixed.

Fixed status
mainline: [112e66017bff7f2837030f34c2bc19501e9212d5]
stable/4.19: [495adb06518bb10f50e1aa1a1dbd5daa47d118f2]
stable/5.10: [c54974ccaff73525462e278602dfe4069877cfaa]
stable/5.15: [9c2f09add608a505f0e5fb694805f4766801583f]
stable/5.4: [65e4c9a6d0c9a8c81ce75576869d46fff5d7964f]
stable/6.1: [4bba9c8adec804f03d12dc762e50d083ee88b6b0]
stable/6.2: [71d05b9fa0bfc131a6e2250dea045a818ff25550]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,


* New CVE entries this week
@ 2023-04-19 23:49 Masami Ichikawa
From: Masami Ichikawa @ 2023-04-19 23:49 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 8 new CVEs and 2 updated CVEs were reported.

* New CVEs

CVE-2023-1990: nfc: st-nci: Fix use after free bug in ndlc_remove due
to race condition

CVSS v3 score is 4.7 MEDIUM.

A use-after-free flaw was found in ndlc_remove in
drivers/nfc/st-nci/ndlc.c in the Linux Kernel. This flaw could allow
an attacker to crash the system due to a race problem.

This bug was introduced by commit 35630df ("NFC: st21nfcb: Add driver
for STMicroelectronics ST21NFCB NFC chip") in 3.17-rc1.
Kernel 4.4-cip, 4.4-cip-rt, and 4.4-st have been fixed.

Fixed status
mainline: [5000fe6c27827a61d8250a7e4a1d26c3298ef4f6]
stable/4.14: [2156490c4b7cacda9a18ec99929940b8376dc0e3]
stable/4.19: [3405eb641dafcc8b28d174784b203c1622c121bf]
stable/5.10: [43aa468df246175207a7d5d7d6d31b231f15b49c]
stable/5.15: [84dd9cc34014e3a3dcce0eb6d54b8a067e97676b]
stable/5.4: [b0c202a8dc63008205a5d546559736507a9aae66]
stable/6.1: [5e331022b448fbc5e76f24349cd0246844dcad25]
stable/6.2: [f589e5b56c562d99ea74e05b1c3f0eab78aa17a3]

CVE-2023-2002: bluetooth: Perform careful capability checks in hci_sock_ioctl()

CVSS v3 score is not provided.

An insufficient permission check bug was found in the Bluetooth
subsystem. This permission check logic checks whether the task has the
CAP_NET_ADMIN capability but does not check the socket opener's
capability. This insufficient permission check sets HCI sockets as
trusted even if the socket opener doesn't have proper capabilities.

This bug was made exploitable by commit f81f5b2db869 ("Bluetooth: Send
control open and close messages for HCI raw sockets") in 4.9-rc1.
Kernel 4.4 doesn't contain this commit.

Fixed status
A patch is available on the linux-bluetooth mailing list
(https://lore.kernel.org/linux-bluetooth/20230416080251.7717-1-lrh2000@pku.edu.cn/)
but it hasn't been merged yet.

CVE-2023-30772: power: supply: da9150: Fix use after free bug in
da9150_charger_remove due to race condition

CVSS v3 score is not provided.

A use-after-free bug was found in the power subsystem. This bug
happens when removing the module, which calls da9150_charger_remove;
there may be unfinished work, which causes a race condition, and then
the use-after-free occurs.

It was introduced by commit c1a281e ("power: Add support for DA9150
Charger") in 4.1-rc1.

Fixed status
mainline: [06615d11cc78162dfd5116efb71f29eb29502d37]
stable/4.14: [bbf45f079f41efcf1e51bb65a0a45d2b31061bd5]
stable/4.19: [533d915899b4a5a7b5b5a99eec24b2920ccd1f11]
stable/5.10: [75e2144291e847009fbc0350e10ec588ff96e05a]
stable/5.15: [0fdb1cc4fe5255d0198c332b961bc4c1f8787982]
stable/5.4: [6fe078c2864b9defaa632733a5bae969b398b673]
stable/6.1: [47b2e1a67e6da172bb4cf69ef9dafde4458bde5f]
stable/6.2: [a7d686b36aa8021ee96128290ac3b58c4c1f6297]

CVE-2023-2008: Improper validation of array index was found in the
udmabuf device driver

CVSS v3 score is not provided.

A flaw was found in the Linux kernel's udmabuf device driver. The
specific flaw exists within a fault handler. The issue results from
the lack of proper validation of user-supplied data, which can result
in a memory access past the end of an array. An attacker can leverage
this vulnerability to escalate privileges and execute arbitrary code
in the context of the kernel.

This bug was introduced by commit 7b26e4e ("udmabuf: drop WARN_ON()
check.") in 4.20-rc1. This commit is not backported to 4.19, 4.14, and
4.4 so these kernels aren't affected.

Fixed status
mainline: [05b252cccb2e5c3f56119d25de684b4f810ba40a]
stable/5.10: [20119c1e0fff89542ff3272ace87e04cf6ee6bea]
stable/5.15: [5b45535865d62633e3816ee30eb8d3213038dc17]
stable/5.4: [c7bdaad9cbfe17c83e4f56c7bb7a2d87d944f0fb]

CVE-2023-0458: Half Spectre-v1 Gadget prlimit

CVSS v3 score is not provided.

A speculation bug was found in do_prlimit(). This bug will cause
kernel memory to leak to user space.
The CIP kernels and stable kernels were fixed.

Fixed status
mainline: [739790605705ddcf18f21782b9c99ad7d53a8c11]
stable/4.14: [291a0395bb298d0ef0bba21d2186f632e4b30053]
stable/4.19: [d3ee91e50a6b3c5a45398e3dcb912a8a264f575c]
stable/5.10: [9f8e45720e0e7edb661d0082422f662ed243d8d8]
stable/5.15: [f01aefe374d32c4bb1e5fd1e9f931cf77fca621a]
stable/5.4: [96b02125dd68d77e28a29488e6f370a5eac7fb1c]
stable/6.1: [91185568c99d60534bacf38439846103962d1e2c]

CVE-2023-0459: Spectre-v1 Usercopy Hardening

CVSS v3 score is not provided.

Missing speculation barriers cause kernel memory to leak.
The 4.4 kernel _copy_from_user() implementation is different from
4.19 and later, so this patch cannot be applied.
It seems the 4.4 kernel needs a barrier to prevent the speculation bug
in some other way.

Fixed status
stable/4.14: [e0fbff18bbcee4f07d46bee172803fad63f6f4dd]
stable/4.19: [f8e54da1c729cc23d9a7b7bd42379323e7fb7979]
stable/5.10: [3b6ce54cfa2c04f0636fd0c985913af8703b408d]
stable/5.15: [41d8b591d70a7517293b23958a18452baf22588f]
stable/5.4: [6c750ed0367f6bf1b09c0c353a701781ee05dd22]
stable/6.1: [684db631a15779c8f3b2235d507efdfe6bb10278]
stable/6.2: [2c8ee21d78942cf48bc836612ad365fd6f06cfbb]

CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem

CVSS v3 score is not provided.

A slab OOB access bug was found in the XFS subsystem. It can cause a
DoS and potentially privilege escalation.

The vulnerable function xlog_recover_buf_commit_pass2() was introduced
by commit 1094d3f1 ("refactor log recovery buffer item dispatch for
pass2 commit functions") in 5.8-rc1. Before commit 1094d3f1, this
function was called xlog_recover_buffer_pass2().
In 4.4, 4.14, and 4.19, xlog_recover_buffer_pass2() is in
fs/xfs/xfs_log_recover.c.

Fixed status
The patch is in the linux-next tree
(https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/fs/xfs?id=22ed903eee23a5b174e240f1cdfa9acf393a5210).
It hasn't been merged into the mainline yet.

CVE-2023-2162: scsi: iscsi_tcp: Fix UAF during login when accessing
the shost ipaddress

CVSS v3 score is not provided.

A use-after-free bug was found in the scsi driver code. When this bug
occurs, kernel internal information will be leaked to the userspace.
4.4 kernels (-cip, -cip-rt, -st) are already fixed.

Fixed status
mainline: [f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3]
stable/4.14: [496af9d3682ed4c28fb734342a09e6cc0c056ea4]
stable/4.19: [6abd4698f4c8a78e7bbfc421205c060c199554a0]
stable/5.10: [9758ffe1c07b86aefd7ca8e40d9a461293427ca0]
stable/5.15: [0aaabdb900c7415caa2006ef580322f7eac5f6b6]
stable/5.4: [d4d765f4761f9e3a2d62992f825aeee593bcb6b9]
stable/6.1: [61e43ebfd243bcbad11be26bd921723027b77441]

* Updated CVEs

CVE-2023-1859: 9p/xen: Fix use after free bug in xen_9pfs_front_remove
due to race condition

The mainline was fixed.

Fixed status
mainline: [ea4f1009408efb4989a0f139b70fb338e7f687d0]

CVE-2023-1380: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

Fixed in the mainline.

Fixed status
mainline: [0da40e018fd034d87c9460123fa7f897b69fdee7]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread

* New CVE entries this week
@ 2023-04-13  0:19 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-04-13  0:19 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2023-1855: Fix use after free bug in xgene_hwmon_remove due to
race condition

CVSS v3 score is not provided.

A use-after-free flaw was found in xgene_hwmon_remove in
drivers/hwmon/xgene-hwmon.c in the Hardware Monitoring Linux Kernel
Driver (xgene-hwmon).
This flaw could allow a local attacker to crash the system due to a
race problem. This vulnerability could even lead to a kernel
information leak problem.

Introduced by commit 2ca492e ("hwmon: (xgene) Fix crash when alarm
occurs before driver probe") in 4.9-rc1 so 4.4 kernels aren't
affected.

Fixed status
mainline: [cb090e64cf25602b9adaf32d5dfc9c8bec493cd1]
stable/4.14: [c809ed776e190edfc04f8d6b25a62855b1386a0d]
stable/4.19: [e0a37b43cd732038e37b4e7f6c6c0658fe0b6d73]
stable/5.10: [0a73c8b3cc99d214dff83c51805c844240c4f749]
stable/5.15: [7091951c2ca9d3fbec75ef1d677cbd89eeac9793]
stable/5.4: [26c176ce902861a45f8d699e057245ed7e0bcdf2]
stable/6.1: [b2ae1f15cd6fe0cb36e432a179ae7d479ae2e6e0]
stable/6.2: [eacd1f6bb43ac4b9de3bf886083a71c18d5f329f]

CVE-2023-1859: 9p/xen: Fix use after free bug in xen_9pfs_front_remove
due to race condition

CVSS v3 score is not provided.

When a thread calls xen_9pfs_front_remove(), the priv variable is
freed. However, if another thread runs p9_tag_lookup() after the priv
variable was freed, a use-after-free bug occurs.
The xen/9pfs was introduced in 4.12-rc1, so 4.4 kernels aren't affected.

Fixed status
Patch was sent to netdev mailing list, but it hasn't been merged yet.

CVE-2023-30456: KVM: nVMX: add missing consistency checks for CR0 and CR4

An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux
kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0
and CR4.

CVSS v3 score is not provided.

The nested_vmx_check_guest_state() in arch/x86/kvm/vmx/nested.c was
first introduced by commit 55d2375 ("KVM: nVMX: Move nested code to
dedicated files ") in 5.0-rc1. At that time the function name was
check_vmentry_prereqs().
Then check_vmentry_prereqs() was renamed to
nested_vmx_check_vmentry_prereqs() by commit 16322a3 ("KVM: nVMX:
Prepend "nested_vmx_" to check_vmentry_{pre,post}reqs() ").
Finally, the nested_vmx_check_vmentry_prereqs() was renamed to
nested_vmx_check_host_state().

Kernels before 5.0-rc1 do not contain the vulnerable code, so they are
not affected by this issue.

Fixed status
mainline: [112e66017bff7f2837030f34c2bc19501e9212d5]
stable/5.10: [c54974ccaff73525462e278602dfe4069877cfaa]
stable/5.15: [9c2f09add608a505f0e5fb694805f4766801583f]
stable/5.4: [65e4c9a6d0c9a8c81ce75576869d46fff5d7964f]
stable/6.1: [4bba9c8adec804f03d12dc762e50d083ee88b6b0]
stable/6.2: [71d05b9fa0bfc131a6e2250dea045a818ff25550]

CVE-2023-1829: net/sched: Retire tcindex classifier

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux Kernel traffic control
index filter (tcindex) can be exploited to achieve local privilege
escalation.
The tcindex_delete function does not properly deactivate filters in
the case of perfect hashes while deleting the underlying structure,
which can later lead to double freeing the structure.
A local attacker can use this vulnerability to elevate their
privileges to root.

To fix this issue the tcindex_classify (CONFIG_NET_CLS_TCINDEX) has been removed.
This bug affects the kernel 4.4 too.

Fixed status
mainline: [8c710f75256bb3cf05ac7b1672c82b92c43f3d28]
stable/4.14: [53af9c793f644d5841d84d8e0ad83bd7ab47f3e0]
stable/4.19: [01d0d2b8b4e3cf2110baba9371c0c3d04ad5c77b]
stable/5.10: [18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6]
stable/5.15: [7c183dc0af472dec33d2c0786a5e356baa8cad19]
stable/5.4: [7a6fb69bbcb21e9ce13bdf18c008c268874f0480]
stable/6.1: [3abebc503a5148072052c229c6b04b329a420ecd]
stable/6.2: [372ae77cf11d11fb118cbe2d37def9dd5f826abd]

CVE-2023-1872: A use-after-free bug was found in the io_uring

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A use-after-free vulnerability in the Linux Kernel io_uring system can
be exploited to achieve local privilege escalation. The
io_file_get_fixed function lacks the presence of ctx->uring_lock which
can lead to a Use-After-Free vulnerability due to a race condition with
fixed files getting unregistered.

This bug was fixed in the 5.18 development cycle which is not
backported to old stable kernels. Therefore, kernel 5.10 has its own
fix.
Kernel 5.4 does not contain the vulnerable function
io_file_get_fixed() so it will not be affected.

Fixed status
mainline: [5106dd6e74ab6c94daac1c357094f11e6934b36f]
stable/5.10: [08681391b84da27133deefaaddefd0acfa90c2be,
da24142b1ef9fd5d36b76e36bab328a5b27523e8]

CVE-2023-1998: x86/speculation: Allow enabling STIBP with legacy IBRS

CVSS v3 score is not provided.

The vulnerability report said that "The Linux kernel allows userspace
processes to enable mitigations by calling prctl with
PR_SET_SPECULATION_CTRL which disables the speculation feature as well
as by using seccomp. We had noticed that on VMs of at least one major
cloud provider, the kernel still left the victim process exposed to
attacks in some cases even after enabling the spectre-BTI mitigation
with prctl. The same behaviour can be observed on a bare-metal
machine when forcing the mitigation to IBRS on boot command line.
This happened because when plain IBRS was enabled (not enhanced IBRS),
the kernel had some logic that determined that STIBP was not needed.
The IBRS bit implicitly protects against cross-thread branch target
injection. However, with legacy IBRS, the IBRS bit was cleared on
returning to userspace, due to performance reasons, which disabled the
implicit STIBP and left userspace threads vulnerable to cross-thread
branch target injection against which STIBP protects."

This bug was introduced by commit 7c693f5 ("x86/speculation: Add
spectre_v2=ibrs option to support Kernel IBRS") in 5.19-rc7.
This commit is not backported to 4.4 kernels.

Fixed status
mainline: [6921ed9049bc7457f66c1596c5b78aec0dae4a9d]
stable/4.14: [03bc360ce8896ef53ebcef83cccd9f24d9815160]
stable/4.19: [10543fb3c9b019e45e2045f08f46fdf526add593]
stable/5.10: [abfed855f05863d292de2d0ebab4656791bab9c8]
stable/5.15: [e7f1ddebd9f5b12de40bc37db9243957678f1448]
stable/5.4: [34c1b60e7a80404056c03936dd9c2438da2789d4]
stable/6.1: [08d87c87d6461d16827c9b88d84c48c26b6c994a]
stable/6.2: [ead3c8e54d28fa1d5454b1f8a21b96b4a969b1cb]

* Updated CVEs

CVE-2023-26544: KASAN: use-after-free Read in run_unpack

The mainline, 5.15, and 6.1 were fixed.

Fixed status
mainline: [887bfc546097fbe8071dac13b2fef73b77920899]
stable/5.15: [9c8471a17f1f15b18cb7b96cba86e6f9bd6aae1c]
stable/6.1: [d34485d40b6a263d65bc476554299c42b2ec0187]

CVE-2023-1611: Kernel: race between quota disable and quota assign
ioctls in fs/btrfs/ioctl.c

The mainline, 5.10, 5.15, 6.1, and 6.2 were fixed.

Fixed status
mainline: [2f1a6be12ab6c8470d5776e68644726c94257c54]
stable/5.10: [5f6347034341bf45056ca1ec3fa72040152ecf83]
stable/5.15: [c976f9233ef926e090db5614a837824a0bcab3fb]
stable/6.1: [a38ff2024805a30d9b96f52557c6ea0bbc31252a]
stable/6.2: [4caab245b0469ce9258ba099a41e909f5d307b33]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread
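
As an added example (not code from the CIP report, from the vulnerability report it quotes, or from the kernel), the C program below uses the prctl(2) interface that the CVE-2023-1998 entry above refers to: it queries the per-task indirect-branch speculation control, requests PR_SPEC_FORCE_DISABLE when the kernel allows per-task control, and decodes the returned mask. It assumes a Linux host with PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL (available since 4.17); the spec_ctrl_* helper names are this example's own.

```c
/*
 * Added example, not part of the CIP CVE report or of any kernel code:
 * check whether the indirect-branch (STIBP) mitigation that CVE-2023-1998
 * concerns is recorded for the calling task, and request it via prctl(2)
 * when the kernel allows per-task control.
 * Assumes a Linux host; PR_{GET,SET}_SPECULATION_CTRL exist since 4.17.
 * Helper names (spec_ctrl_*) are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallback definitions for older UAPI headers (values from linux/prctl.h). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* 1 if the PR_GET_SPECULATION_CTRL mask says speculation is disabled,
 * i.e. the mitigation is recorded for the task; 0 otherwise. */
int spec_ctrl_is_mitigated(long mask)
{
    if (mask <= 0)
        return 0;
    return (mask & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* 1 if the task may change the setting itself with PR_SET_SPECULATION_CTRL. */
int spec_ctrl_is_task_controllable(long mask)
{
    return mask > 0 && (mask & PR_SPEC_PRCTL) != 0;
}

/* Human-readable summary of a PR_GET_SPECULATION_CTRL result. */
const char *spec_ctrl_describe(long mask)
{
    if (mask < 0)
        return "query failed";
    if (mask == 0)
        return "not affected or not supported";
    if (mask & PR_SPEC_FORCE_DISABLE)
        return "mitigated (force-disabled, cannot be re-enabled)";
    if (mask & PR_SPEC_DISABLE)
        return "mitigated (speculation disabled)";
    if (mask & PR_SPEC_ENABLE)
        return "NOT mitigated (speculation enabled)";
    return "unknown state";
}

/* Query the indirect-branch control for the calling task.
 * Returns the kernel's mask (>= 0) or -errno. */
long spec_ctrl_query(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Force-disable indirect-branch speculation for the calling task, as a
 * hardened service would do for itself. Returns 0 or -errno. */
int spec_ctrl_force_mitigate(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    long before = spec_ctrl_query();
    printf("before: %ld  %s\n", before, spec_ctrl_describe(before));

    if (spec_ctrl_is_task_controllable(before) && !spec_ctrl_is_mitigated(before)) {
        int rc = spec_ctrl_force_mitigate();
        if (rc != 0)
            printf("PR_SET_SPECULATION_CTRL failed: %s\n", strerror(-rc));
    }

    long after = spec_ctrl_query();
    printf("after:  %ld  %s\n", after, spec_ctrl_describe(after));
    /* The mask is what the kernel recorded for the task; the report above
     * describes an unpatched kernel with legacy IBRS recording this state
     * yet leaving STIBP cleared on return to userspace. */
    return spec_ctrl_is_mitigated(after) ? 0 : 1;
}
```

The mask reported by PR_GET_SPECULATION_CTRL only tells you what the kernel has recorded for the task. As the quoted report describes, an unpatched kernel running with legacy IBRS could record the mitigation as requested and still leave STIBP off on return to userspace, so on such hosts the reported state and the effective protection differ until the fix listed above is applied.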

* New CVE entries this week
@ 2023-04-06  0:19 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-04-06  0:19 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 9 updated CVEs.

* New CVEs

CVE-2023-1670: xirc2ps_cs: Fix use after free bug in xirc2ps_detach

CVSS v3 score is not provided.

A use-after-free bug was found in PCMCIA xirc2ps driver.
The patch's Fixes tag is set to commit 1da177e ("Linux-2.6.12-rc2") so it
seems as if all stable kernels are affected.

Fixed status
mainline: [e8d20c3ded59a092532513c9bd030d1ea66f5f44]
stable/5.15: [4ab9e85a5ce0b2ef6e63abf861179898da613d78]
stable/6.1: [9d882229d365f68f74028252261ab14a8de7faed]
stable/6.2: [9c515f3290456bb6850bd7ee29d5bf6652d7f103]

CVE-2022-42432: Kernel information leak bug was found in netfilter subsystem

CVSS v3 score is not provided.

This vulnerability allows local attackers to disclose sensitive
information on affected installations of the Linux Kernel 6.0-rc2. An
attacker must first obtain the ability to execute high-privileged code
on the target system in order to exploit this vulnerability. The
specific flaw exists within the nft_osf_eval function. The issue
results from the lack of proper initialization of memory prior to
accessing it. An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of the
kernel. Was ZDI-CAN-18540.

This bug was introduced by commit 22c7652 ("netfilter: nft_osf: Add
version option support") in 5.2-rc1.
The commit 22c7652 is not backported to 4.19, 4.14, and 4.4 kernels, so
they are not affected.

Fixed status
mainline: [559c36c5a8d730c49ef805a72b213d3bba155cc8]
stable/5.10: [5d75fef3e61e797fab5c3fbba88caa74ab92ad47]
stable/5.15: [816eab147e5c6f6621922b8515ad9010ceb1735e]
stable/5.4: [721ea8ac063d70c2078c4e762212705de6151764]

CVE-2023-1838: Fix double fget() in vhost_net_set_backend()

CVSS v3 score is not provided.

A use-after-free flaw was found in vhost_net_set_backend in
drivers/vhost/net.c in virtio network subcomponent in the Linux kernel
due to a double fget. This flaw could allow a local attacker to crash
the system, and could even lead to a kernel information leak problem.

Fixed status
mainline: [fb4554c2232e44d595920f4d5c66cf8f7d13f9bc]
stable/4.19: [6ca70982c646cc32e458150ee7f2530a24369b8c]
stable/5.10: [ec0d801d1a44d9259377142c6218885ecd685e41]
stable/5.15: [42d8a6dc45fc6619b8def1a70b7bd0800bcc4574]
stable/5.4: [3a12b2c413b20c17832ec51cb836a0b713b916ac]

CVE-2023-20941: Privilege escalation bug was found in usb gadget driver

CVSS v3 score is not provided.

This bug fixes drivers/usb/gadget/function/f_accessory.c which is not
in the mainline kernel.
So this bug is Android kernel specific, and mainline and stable
kernels aren't affected.

* Updated CVEs

CVE-2022-4269: kernel: net: CPU soft lockup in TC mirred
egress-to-ingress action

stable 5.15, 6.1, and 6.2 were fixed.

Fixed status
mainline: [ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640]
stable/5.15: [169a41073993add6b0cfdc44e168e75f92f4834d]
stable/6.1: [4c8fc3fe28e47e2a495444347375f7354c24b018]
stable/6.2: [8c9e553c58a491ad328c622441e08178373442dc]

CVE-2022-4379: NFSD: fix use-after-free in __nfs42_ssc_open()

stable 5.10 and 5.15 were fixed.

Fixed status
mainline: [75333d48f92256a0dec91dbf07835e804fc411c0]
stable/5.10: [01e4c9c03de8a9f8839cb7342bc4bccf9104efe5]
stable/5.15: [ec5b7814353532243e8a9147d232a32549174909]
stable/6.1: [650b69b17cfd79f51476d93c2c63bfb73280a77a]

CVE-2023-1583: kernel: NULL pointer dereference in io_file_bitmap_get
in io_uring/filetable.c

stable 6.1 and 6.2 were fixed.

Fixed status
mainline: [02a4d923e4400a36d340ea12d8058f69ebf3a383]
stable/6.1: [7b100a45dc19ffd708f364ba66601efaca1ccf56]
stable/6.2: [2ff9f7319b915acc42cf8fcf743589f926f4a014]

CVE-2023-28866: Bluetooth: HCI: Fix global-out-of-bounds

stable 6.1 and 6.2 were fixed.

Fixed status
mainline: [bce56405201111807cc8e4f47c6de3e10b17c1ac]
stable/6.1: [b3168abd24245aa0775c5a387dcf94d36ca7e738]
stable/6.2: [8497222b22b591c6b2d106e0e3c1672ffe4e10e0]

CVE-2023-28466: net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

stable 5.10, 5.15, and 5.4 were fixed.

Fixed status
mainline: [49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962]
stable/5.10: [1fde5782f187daa05919d2bebd872df8ebcc00d1]
stable/5.15: [0b54d75aa43a1edebc8a3770901f5c3557ee0daa]
stable/5.4: [754838aa02050ff3d8675bef79d172097218ea71]
stable/6.1: [14c17c673e1bba08032d245d5fb025d1cbfee123]
stable/6.2: [5231fa057bb0e52095591b303cf95ebd17bc62ce]

CVE-2022-4744: tun: avoid double free in tun_free_netdev

stable 4.19 and 5.4 were fixed.

Fixed status
mainline: [158b515f703e75e7d68289bf4d98c664e1d632df]
stable/4.19: [8eb43d635950e27c29f1e9e49a23b31637f37757]
stable/5.10: [a01a4e9f5dc93335c716fa4023b1901956e8c904]
stable/5.15: [3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5]
stable/5.4: [0c0e566f0387490d16f166808c72e9c772027681]

CVE-2023-0590: net: sched: fix race condition in qdisc_graft()

stable 5.4 was fixed.

Fixed status
mainline: [ebda44da44f6f309d302522b049f43d6f829f7aa]
stable/5.10: [7aa3d623c11b9ab60f86b7833666e5d55bac4be9]
stable/5.15: [ce1234573d183db1ebcab524668ca2d85543bf80]
stable/5.4: [0f5c0e0a4c0b081e5f959578a8e56c7921e63a2d]

CVE-2023-1670: xirc2ps_cs: Fix use after free bug in xirc2ps_detach

stable 4.14, 4.19, 5.10, and 5.4 were fixed.

Fixed status
mainline: [e8d20c3ded59a092532513c9bd030d1ea66f5f44]
stable/4.14: [fe7eebebca51d56b900331c3052a6342731f1117]
stable/4.19: [526660c25d3b93b1232a525b75469048388f0928]
stable/5.10: [bfeeb3aaad4ee8eaaefe5d9edd9b2ccb5d9b7505]
stable/5.15: [4ab9e85a5ce0b2ef6e63abf861179898da613d78]
stable/5.4: [a07ec453e86abbd14e2d06d59367b4dd11437358]
stable/6.1: [9d882229d365f68f74028252261ab14a8de7faed]
stable/6.2: [9c515f3290456bb6850bd7ee29d5bf6652d7f103]

CVE-2023-23454: net: sched: cbq: dont intepret cls results when asked to drop

stable 4.14 and 4.19 were fixed.

Fixed status
mainline: [caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12]
stable/4.14: [c4b1e702dc841a79664c5b8000fd99ffe9b3e9c2]
stable/4.19: [8ed4c82571d848d76877c4d70687686e607766e3]
stable/5.10: [b2c917e510e5ddbc7896329c87d20036c8b82952]
stable/5.15: [04dc4003e5df33fb38d3dd85568b763910c479d4]
stable/5.4: [6b17b84634f932f4787f04578f5d030874b9ff32]
stable/6.0: [cde7091efe3fcc0b19f736acd0163499d1fd6d31]
stable/6.1: [dc46e39b727fddc5aacc0272ef83ee872d51be16]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread

* New CVE entries this week
@ 2023-03-29 23:52 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-03-29 23:52 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 12 new CVEs and 0 updated CVEs.

* New CVEs

CVE-2022-4744: tun: avoid double free in tun_free_netdev

CVSS v3 score is not provided.

A double free bug was found in the tun driver in the tun_free_netdev().
This bug will cause system crashes or potentially privilege escalation.
It looks as if 4.14 and 4.19 may be affected. 4.4 may not be affected.

Fixed status
mainline: [158b515f703e75e7d68289bf4d98c664e1d632df]
stable/5.10: [a01a4e9f5dc93335c716fa4023b1901956e8c904]
stable/5.15: [3cb5ae77799e8ed6ec3fec0b6b4cd07f01650cc5]

CVE-2023-0386: ovl: fail on invalid uid/gid mapping at copy up

CVSS v3 score is 7.8 HIGH.

A flaw was found in the Linux kernel, where unauthorized access to the
execution of the setuid file with capabilities was found in the Linux
kernel’s OverlayFS subsystem in how a user copies a capable file from
a nosuid mount into another mount.
This uid mapping bug allows a local user to escalate their privileges
on the system.
This bug was introduced by commit 459c7c5 ("ovl: unprivieged mounts")
in 5.11-rc1, so LTS kernels before 5.11 are not affected.

Fixed status
mainline: [4f11ada10d0ad3fd53e2bd67806351de63a4f9c3]
stable/5.15: [e91308e63710574c4b6a0cadda3e042a3699666e]
stable/6.1: [42fea1c35254c49cce07c600d026cbc00c6d3c81]

CVE-2023-1583: kernel: NULL pointer dereference in io_file_bitmap_get
in io_uring/filetable.c

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in io_file_bitmap_get() in
io_uring subsystem. It allows an unprivileged user to crash the
system.
It was introduced by commit 4278a0d ("io_uring: defer alloc_hint
update to io_file_bitmap_set()") in 5.19-rc1, so LTS kernels before
5.19 aren't affected.

Fixed status
mainline: [02a4d923e4400a36d340ea12d8058f69ebf3a383]

CVE-2020-36691: netlink: limit recursion depth in policy validation

CVSS v3 score is 5.5 MEDIUM.

An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c
allows attackers to cause a denial of service (unbounded recursion)
via a nested Netlink policy with a back reference.

Fixed status
mainline: [7690aa1cdf7c4565ad6b013b324c28b685505e24]

CVE-2023-0160: possibility of deadlock in libbpf function sock_hash_delete_elem

CVSS v3 score is not provided.

There is a possible deadlock bug in sock_hash_delete_elem() in the bpf subsystem.

Fixed status
Not fixed yet.

CVE-2023-28772: A heap overflow bug was found in seq_buf_putmem_hex()

CVSS v3 score is 7.8 HIGH.

An issue was discovered in the Linux kernel before 5.13.3.
lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.
This bug was introduced by commit 5e3ca0e ("ftrace: introduce the
"hex" output method") in 2.6.27-rc1.
So, all stable kernels are affected by this issue.

Fixed status
mainline: [d3b16034a24a112bb83aeb669ac5b9b01f744bb7]
stable/4.14: [50b51460f59acbd403475510ad423bb5ea7a4c97]
stable/4.19: [1f4c6061fccee64b2072b28dfa3e93cf859c4c0a]
stable/5.10: [f9fb4986f4d81182f938d16beb4f983fe71212aa]
stable/5.4: [33ab9138a13e379cf1c4ccd76b97ae2ee8c5421b]

CVE-2023-1582: fs/proc: task_mmu.c: don't read mapcount for migration entry

CVSS v3 score is not provided.

A race condition bug was found in task_mmu.c in procfs. If
PageDoubleMap() was called when this page is not a tail page of THP,
it will cause a system crash.
It was introduced by commit e9b61f1 ("thp: reintroduce
split_huge_page()") in 4.5-rc1 so Linux 4.4 kernels are not affected.

Fixed status
mainline: [24d7275ce2791829953ed4e72f68277ceb2571c6]
stable/5.10: [db3f3636e4aed2cba3e4e7897a053323f7a62249]
stable/5.15: [a8dd0cfa37792863b6c4bf9542975212a6715d49]

CVE-2023-1611: Kernel: race between quota disable and quota assign
ioctls in fs/btrfs/ioctl.c

CVSS v3 score is not provided.

A slab-use-after-free read flaw was found in btrfs_search_slot in
fs/btrfs/ctree.c. This bug allows a user to read kernel information
via ioctl.

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2023-1637: x86/speculation: Restore speculation related MSRs
during S3 resume

CVSS v3 score is not provided.

A flaw that boot CPU could be vulnerable for the speculative execution
behavior kind of attacks in the Linux kernel X86 CPU Power management
options functionality was found in the way user resuming CPU from
suspend-to-RAM. A local user could use this flaw to potentially get
unauthorized access to some memory of the CPU similar to the
speculative execution behavior kind of attacks.

It was introduced by commit 7724397 ("x86/bugs/intel: Set proper CPU
features and setup RDS") in 4.17-rc1. Linux 4.14 and 4.4 contain this
patch so they are affected too.

Fixed status
mainline: [e2a1256b17b16f9b9adf1b6fea56819e7b68e463]
stable/4.14: [7b5f17024f115b6aa42d2a079326dd0ca8e3449b]
stable/4.19: [edc7b755e8fce10009ac85bb234a035557301bc4]
stable/5.10: [fc4bdaed4d4ea4209e65115bd3948a1e4ac51cbb]
stable/5.15: [fab4b79e869a8e1c0f7d931a4eff0285d9b5efa7]
stable/5.4: [17f3e31c860371ff72db7f9b2fb44ab008a133e0]

CVE-2023-28866: HCI: Fix global-out-of-bounds

CVSS v3 score is not provided.

In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allows
out-of-bounds access because amp_init1[] and amp_init2[] are supposed
to have an intentionally invalid element, but do not.
It was introduced by commit d0b1370 ("Bluetooth: hci_sync: Rework init
stages") in 5.17-rc1. This patch is not backported to older stable
kernels so before 5.17 kernels are not affected.

Fixed status
mainline: [bce56405201111807cc8e4f47c6de3e10b17c1ac]

CVE-2023-1652: NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

CVSS v3 score is not provided.

A use-after-free flaw was found in nfsd4_ssc_setup_dul in
fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This
issue could allow a local attacker to crash the system or it may lead
to a kernel information leak problem.
This bug was introduced by commit f4e44b3 ("NFSD: delay unmount
source's export after inter-server copy completed.") in 5.14-rc1, so
kernels before 5.14 aren't affected.

Fixed status
mainline: [e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd]
stable/5.15: [0a27dcd5343026ac0cb168ee63304255372b7a36]
stable/6.1: [32d5eb95f8f0e362e37c393310b13b9e95404560]

CVE-2023-28464: Bluetooth: hci_conn_cleanup function has double free

CVSS v3 score is not provided.

A use-after-free bug was found in hci_conn_hash_flush() in the
Bluetooth subsystem. It may cause a DoS or privilege escalation.
It looks as if all LTS kernels are affected.

Fixed status
Patch is available on lkml
(https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com/).

* Updated CVEs

no updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread

* New CVE entries this week
@ 2023-03-22 23:10 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-03-22 23:10 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2023-28466: net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

CVSS v3 score is 7.0 HIGH.

do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through
6.2.6 lacks a lock_sock call, leading to a race condition (with a
resultant use-after-free or NULL pointer dereference).
This bug was introduced by commit 3c4d755 ("tls: kernel TLS support")
in 4.13-rc1. The 4.4 kernels aren't affected.

Fixed status
mainline: [49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962]
stable/6.1: [14c17c673e1bba08032d245d5fb025d1cbfee123]
stable/6.2: [5231fa057bb0e52095591b303cf95ebd17bc62ce]

CVE-2022-48423: An out-of-bounds write was found in ntfs3 driver

CVSS v3 score is not provided.

In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate
resident attribute names. An out-of-bounds write may occur.
The ntfs3 module was introduced in 5.15-rc1, so kernels before 5.15
aren't affected.

Fixed status
mainline: [54e45702b648b7c0000e90b3e9b890e367e16ea8]
stable/5.15: [3a52f17867727818ae8dbcfd9425033df32f92e0]
stable/6.1: [2f041a19f4eb72bcc851f9e3a15f3cfd1ae1addf]

CVE-2022-48424: An oob memory access bug was found in ntfs3 driver

CVSS v3 score is not provided.

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate
the attribute name offset. An unhandled page fault may occur.
The ntfs3 module was introduced in 5.15-rc1, so kernels before 5.15
aren't affected.

Fixed status
mainline: [4f1dc7d9756e66f3f876839ea174df2e656b7f79]
stable/5.15: [c878a915bcb992c12a97ebae1013e377158f560a]
stable/6.1: [b343c40bb7ff9095430c3f31468a59f8a760dabd]

CVE-2022-48425: fs/ntfs3: Validate MFT flags before replaying logs

CVSS v3 score is not provided.

In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid
kfree because it does not validate MFT flags before replaying logs.
The ntfs3 module was introduced in 5.15-rc1, so kernels before 5.15
aren't affected.

Fixed status
Patch is available in the linux-next tree.

CVE-2023-1281: net/sched: tcindex: imperfect hash filters

CVSS v3 score is not provided (NIST).
CVSS v3 score is 7.8 HIGH (CNA).

A race condition bug will cause a use-after-free in net/sched subsystem.
This bug was introduced by commit 9b0d444 ("net: sched: avoid atomic
swap in tcf_exts_change") in 4.14-rc1 so that 4.4 is not affected.

Fixed status
mainline: [ee059170b1f7e94e55fa6cadee544e176a6e59c2]
stable/5.10: [eb8e9d8572d1d9df17272783ad8a84843ce559d4]
stable/5.15: [becf55394f6acb60dd60634a1c797e73c747f9da]
stable/6.1: [bd662ba56187b5ef8a62a3511371cd38299a507f]

CVE-2023-1513: kvm: initialize all of the kvm_debugregs structure
before sending it to userspace

CVSS v3 score is not provided.

A kernel information leak bug was found when processing
KVM_GET_DEBUGREGS ioctl in kvm_vcpu_ioctl_x86_get_debugregs() in the
kvm subsystem.
It may leak information from an uninitialized kvm_debugregs structure.

Kernel 4.4 might be affected by this issue.

Fixed status
mainline: [2c10b61421a28e95a46ab489fd56c0f442ff6952]
stable/4.14: [1d43de93b35d85981006ec3c52c0cad8af1f2f6a]
stable/4.19: [669c76e55de332fbcbce5b74fccef1b4698a8936]
stable/5.10: [6416c2108ba54d569e4c98d3b62ac78cb12e7107]
stable/5.15: [35351e3060d67eed8af1575d74b71347a87425d8]
stable/5.4: [9f95a161a7deef62d6d2f57b1a69f94e0546d8d8]
stable/6.1: [747ca7c8a0c7bce004709143d1cd6596b79b1deb]

* Updated CVEs

CVE-2022-38457: A use-after-free (UAF) vulnerability in vmxgfx driver

The mainline and stable 6.1 were fixed.
It was introduced by commit e14c02e ("drm/vmwgfx: Look up objects
without taking a reference") in 4.20-rc1, so kernels before 4.20 aren't
affected.

Fixed status
mainline: [a309c7194e8a2f8bd4539b9449917913f6c2cd50]
stable/6.1: [7ac9578e45b20e3f3c0c8eb71f5417a499a7226a]

CVE-2022-40133: A use-after-free (UAF) vulnerability in vmxgfx driver

The mainline and stable 6.1 were fixed.
It was introduced by commit e14c02e ("drm/vmwgfx: Look up objects
without taking a reference") in 4.20-rc1, so kernels before 4.20 aren't
affected.

Fixed status
mainline: [a309c7194e8a2f8bd4539b9449917913f6c2cd50]
stable/6.1: [7ac9578e45b20e3f3c0c8eb71f5417a499a7226a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread

* New CVE entries this week
@ 2023-03-16  0:03 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-03-16  0:03 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 7 updated CVEs.

* New CVEs

CVE-2023-1032: net: avoid double iput when sock_alloc_file fails

CVSS v3 score is not provided.

A double-free bug was found in the io_uring subsystem when handling the
IORING_OP_SOCKET operation.
This bug was introduced by commit da214a4 ("net: add
__sys_socket_file()") in 5.19-rc1. This patch is not backported to
older stable kernels, so kernels before 5.19 are not affected by this
issue.

Fixed status
mainline: [649c15c7691e9b13cbe9bf6c65c365350e056067]
stable/6.1: [7c7570791b15c3b78e3229ae97825e7eb869c7da]
stable/6.2: [cb6aedc1fd9d808d7319db2f953f4886dd46c627]

CVE-2023-1380: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

CVSS v3 score is not provided.

A slab-out-of-bounds read was found in brcmf_get_assoc_ies() in the brcmfmac driver.
It hasn't been fixed in the mainline yet but it has been merged into
wireless-next tree.

It looks like 4.4 will be vulnerable as well.

CVE-2023-1382: Kernel: denial of service in tipc_conn_close

CVSS v3 score is not provided.

A race condition bug was found in net/tipc/topsrv.c. This can result in
a null pointer dereference, and a use-after-free may be triggered.
It was introduced by commit c5fa7b3 ("tipc: introduce new TIPC server
infrastructure") in 3.11-rc1.

Fixed status
mainline: [0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4,
a7b42969d63f47320853a802efd879fbdc4e010e]
stable/4.19: [2c9c64a95d97727c9ada0d35abc90ee5fdbaeff7,
f46826a6fce33c3549332c3eb1fbf615dc79be18]
stable/5.10: [e87a077d09c05985a0edac7c6c49bb307f775d12,
4058e3b74ab3eabe0835cee9a0c6deda79e8a295]
stable/5.15: [4ae907c45fcad4450423b8cdefa5a74bad772068,
33fb115a76ae6683e34f76f7e07f6f0734b2525f]
stable/5.4: [30f91687fa2502abb0b4d79569b63d1381169ccf,
59f9aad22fd743572bdafa37d3e1dd5dc5658e26]

CVE-2023-1390: kernel: remote DoS in TIPC kernel module

CVSS v3 score is not provided.

A null pointer dereference bug was found in the tipc module. If a
remote attacker sends a malicious packet, the system will crash.
It was introduced by commit af9b028 ("tipc: make media xmit call
outside node spinlock context") in 4.3-rc1.

Fixed status
mainline: [b77413446408fdd256599daf00d5be72b5f3e7c6]
stable/4.14: [3ed0b5bb8cf71b4b9f995d4b3763648674fa032a]
stable/4.19: [4d1d3dddcb3f26000e66cd0a9b8b16f7c2eb41bb]
stable/5.10: [60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd]
stable/5.4: [56e8947bcf814d195eb4954b4821868803d3dd67]

CVE-2023-28327: kernel: denial of service problem in net/unix/diag.c

CVSS v3 score is not provided.

A null pointer dereference issue was found in the unix protocol in
net/unix/diag.c. It allows a local user to crash the system.
Introduced by commit cae9910 ("net: Add UNIX_DIAG_UID to Netlink UNIX
socket diagnostics.") in 5.3-rc1. Kernels before 5.3 aren't affected.

Fixed status
mainline: [b3abe42e94900bdd045c472f9c9be620ba5ce553]
stable/5.10: [575a6266f63dbb3b8eb1da03671451f0d81b8034]
stable/5.15: [5c014eb0ed6c8c57f483e94cc6e90f34ce426d91]
stable/5.4: [c66d78aee55dab72c92020ebfbebc464d4f5dd2a]

CVE-2023-28328: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()

CVSS v3 score is not provided.

A null pointer dereference bug was found in the dvb-usb driver.
Introduced by commit 76f9a82 ("V4L/DVB: AZ6027: Initial import of the
driver") in 2.6.34-rc1.

Fixed status
mainline: [0ed554fd769a19ea8464bb83e9ac201002ef74ad]
stable/4.14: [c712d1ccbfb787620422b437a5b8fac0802547bd]
stable/4.19: [7abfe467cd685f5da7ecb415441e45e3e4e2baa8]
stable/5.10: [559891d430e3f3a178040c4371ed419edbfa7d65]
stable/5.15: [210fcf64be4db82c0e190e74b5111e4eef661a7a]
stable/5.4: [8b256d23361c51aa4b7fdb71176c1ca50966fb39]
stable/6.1: [6b60cf73a931af34b7a0a3f467a79d9fe0df2d70]

* Updated CVEs

CVE-2023-1076: tap: tap_open(): correctly initialize socket uid

stable 5.10, 5.15, 5.4, 6.1, and 6.2 were fixed.

Fixed status
mainline: [66b2c338adce580dfce2199591e65e2bab889cff,
a096ccca6e503a5c575717ff8a36ace27510ab0a]
stable/5.10: [4a9272a864cbf6dacc3f4b35213108dd01691d31,
9a31af61f397500ccae49d56d809b2217d1e2178]
stable/5.15: [db6efde0ab809d68c0db9284aae8224317367206,
67f9f02928a34aad0a2c11dab5eea269f5ecf427]
stable/5.4: [522d319cda951d5c7464490dfdd341e8b73eb7f8,
d92d87000eda9884d49f1acec1c1fccd63cd9b11]
stable/6.1: [035a80733ec47ed81aa159e16e56d2de106d3335,
b4ada752eaf1341f47bfa3d8ada377eca75a8d44]
stable/6.2: [fce60a29cc0cf888687e2686538a23d1a0db0468,
4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6]

CVE-2023-1077: sched/rt: pick_next_rt_entity(): check list_entry

stable 5.10, 5.15, 5.4, 6.1, and 6.2 were fixed.

Fixed status
mainline: [7c4a5b89a0b5a57a64b601775b296abf77a9fe97]
stable/5.10: [80a1751730b302d8ab63a084b2fa52c820ad0273]
stable/5.15: [2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7]
stable/5.4: [084cd75643b61fb924f70cba98a71dea14942938]
stable/6.1: [6b4fcc4e8a3016e85766c161daf0732fca16c3a3]
stable/6.2: [1099004ae1664703ec573fc4c61ffb24144bcb63]

CVE-2023-1079: Use-After-Free in asus_kbd_backlight_set()

stable 4.14, 4.19, 5.10, 5.15, 5.4, 6.1, and 6.2 were fixed.

Fixed status
mainline: [4ab3a086d10eeec1424f2e8a968827a6336203df]
stable/4.14: [df0fad94ca3787727b9cdd76797aaacf46fe93ed]
stable/4.19: [74b78391a9b6f67de90b13f5a85e329e3b3f5a72]
stable/5.10: [21a2eec4a440060a6eb294dc890eaf553101ba09]
stable/5.15: [3959316f8ceb17866646abc6be4a332655407138]
stable/5.4: [dd08e68d04d08d2f42b09162c939a0b0841216cc]
stable/6.1: [ee907829b36949c452c6f89485cb2a58e97c048e]
stable/6.2: [b08bcfb4c97d7bd41b362cff44b2c537ce9e8540]

CVE-2023-1118: kernel: use-after-free in drivers/media/rc/ene_ir.c due
to race condition

stable 4.14, 4.19, 5.10, 5.15, 5.4, 6.1, and 6.2 were fixed.

Fixed status
mainline: [29b0589a865b6f66d141d79b2dd1373e4e50fe17]
stable/4.14: [0987f836bc1a258cb8fb51669a5afb67bb01c31b]
stable/4.19: [52bde2754d76fc97390f097fba763413607f157a]
stable/5.10: [78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c]
stable/5.15: [29962c478e8b2e6a6154d8d84b8806dbe36f9c28]
stable/5.4: [d120334278b370b6a1623a75ebe53b0c76cb247c]
stable/6.1: [029c1410e345ce579db5c007276340d072aac54a]
stable/6.2: [182ea492aae5b64067277e60a4ea5995c4628555]

CVE-2023-25012: HID: bigben_remove: manually unregister leds

stable 5.10, 5.15, 5.4, 6.1, and 6.2 were fixed.

Fixed status
mainline: [76ca8da989c7d97a7f76c75d475fe95a584439d7]
stable/5.10: [fddde36316da8acb45a3cca2e5fda102f5215877]
stable/5.15: [0fd9998052926ed24cfb30ab1a294cfeda4d0a8f]
stable/5.4: [25e14bf0c894f9003247e3475372f33d9be1e424]
stable/6.1: [f2bf592ebd5077661e00aa11e12e054c4c8f6dd0]
stable/6.2: [90289e71514e9533a9c44d694e2b492be9ed2b77]

CVE-2023-23004: malidp: Fix NULL vs IS_ERR() checking

stable 5.10 and 5.15 were fixed.

Fixed status
mainline: [15342f930ebebcfe36f2415049736a77d7d2e045]
stable/5.10: [a5bbea50d622b8f49ab8ee3b0eb283107febcf1a]
stable/5.15: [1c7988d5c79f72287177bb774cde15fde69f3c97]

CVE-2023-26606: KASAN: use-after-free Read in ntfs_trim_fs

The mainline, 5.15, and 6.1 were fixed.

Fixed status
mainline: [557d19675a470bb0a98beccec38c5dc3735c20fa]
stable/5.15: [ab53749c32db90eeb4495227c998d21dc07ad8c1]
stable/6.1: [f2e58e95273ce072ca95a2afa1f274825a1e1772]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


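CVE-2023-1077 above ("check list_entry") is one of several entries in these reports whose fix is a list_entry() check. As an added example, not code from the report, from CIP, or from the kernel tree, here is the bug class in plain C: the list macros are re-created in the shape of include/linux/list.h, and struct item, struct queue and the pick_next_*() functions are hypothetical stand-ins for the run-queue structure and pick_next_rt_entity() named in the entry.

```c
/*
 * Added example (not from the report or the kernel tree): the list_entry()
 * bug class behind CVE-2023-1077.  The list helpers mirror the shape of
 * include/linux/list.h; struct item, struct queue and pick_next_*() are
 * hypothetical stand-ins for the scheduler's run queue and
 * pick_next_rt_entity().
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
/* The fix for CVE-2023-1077 uses this form, which yields NULL on an empty list. */
#define list_first_entry_or_null(head, type, member) \
	((head)->next != (head) ? list_first_entry(head, type, member) : NULL)

static inline void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static inline int list_empty(const struct list_head *h) { return h->next == h; }
static inline void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static inline void list_del(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}

struct item  { int id; struct list_head node; };               /* hypothetical */
struct queue { unsigned long bitmap; struct list_head head; }; /* hypothetical */

/* Buggy pattern: the caller tests the result for NULL, but list_first_entry()
 * can never return NULL.  On an empty list head->next == head, so the macro
 * subtracts offsetof(struct item, node) from &q->head and hands back a
 * pointer into struct queue itself, which is then used as a struct item. */
static struct item *pick_next_buggy(struct queue *q)
{
	return list_first_entry(&q->head, struct item, node);
}

/* Fixed pattern: an empty list is reported as NULL, so the caller's NULL
 * check actually means something. */
static struct item *pick_next_fixed(struct queue *q)
{
	return list_first_entry_or_null(&q->head, struct item, node);
}

/* Observation helper: does the returned "item" pointer lie inside the queue? */
static int points_into_queue(const struct queue *q, const struct item *it)
{
	uintptr_t p = (uintptr_t)it, b = (uintptr_t)q;
	return p >= b && p < b + sizeof(*q);
}

int main(void)
{
	struct queue q = { .bitmap = 0x41414141UL };
	struct item a = { .id = 7 };
	struct item *it;

	INIT_LIST_HEAD(&q.head);
	it = pick_next_buggy(&q);
	printf("empty list: buggy pick %p (inside queue: %d), fixed pick %p\n",
	       (void *)it, points_into_queue(&q, it), (void *)pick_next_fixed(&q));
	/* it->id here would read bytes of q.bitmap, not a real item: type confusion */

	list_add_tail(&a.node, &q.head);
	printf("one item: buggy id %d, fixed id %d\n",
	       pick_next_buggy(&q)->id, pick_next_fixed(&q)->id);
	list_del(&a.node);
	return 0;
}
```

The buggy pointer is not wild memory; it is a valid address inside the enclosing object, which is why such bugs survive NULL checks and show up as type confusion rather than an immediate fault.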

* New CVE entries this week
@ 2023-03-08 23:53 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-03-08 23:53 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2023-23002: Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check
in qca_serdev_probe

CVSS v3 score is not provided.

In the Linux kernel before 5.16.3, drivers/bluetooth/hci_qca.c
misinterprets the devm_gpiod_get_index_optional return
value (expects it to be NULL in the error case, whereas it is actually
an error pointer).

Introduced by commit 77131df ("Bluetooth: hci_qca: Replace
devm_gpiod_get() with devm_gpiod_get_optional()") in 5.7-rc1,
so kernels before 5.7 aren't affected by this issue.

Fixed status
mainline: [6845667146a28c09b5dfc401c1ad112374087944]
stable/5.10: [4579954bf4cc0bdfc4a42c88b16fe596f1e7f82d]
stable/5.15: [9186e6ba52af11ba7b5f432aa2321f36e00ad721]

CVE-2023-23003: perf expr: Fix missing check for return value of hashmap__new()

CVSS v3 score is not provided.

In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check
for the hashmap__new return value.
Introduced by commit cb94a02 ("perf metric: Restructure struct
expr_parse_ctx.") in 5.16-rc1, so kernels before 5.16 aren't affected
by this issue.

Fixed status
mainline: [0a515a06c5ebfa46fee3ac519e418f801e718da4]

CVE-2023-23004: malidp: Fix NULL vs IS_ERR() checking

CVSS v3 score is not provided.

In the Linux kernel before 5.19, drivers/gpu/drm/arm/malidp_planes.c
misinterprets the get_sg_table return value (expects it to be NULL in
the error case, whereas it is actually an error pointer).

Introduced by commit 1f23a56 ("drm/malidp: Enable MMU prefetch on
Mali-DP650") in 4.20-rc1, so kernels before 4.20 aren't
affected by this issue.

Fixed status
mainline: [15342f930ebebcfe36f2415049736a77d7d2e045]

CVE-2023-23005: mm/demotion: fix NULL vs IS_ERR checking in memory_tier_init

CVSS v3 score is not provided.

** DISPUTED ** In the Linux kernel before 6.2, mm/memory-tiers.c
misinterprets the alloc_memory_type return value (expects it to be
NULL in the error case, whereas it is actually an error pointer).
NOTE: this is disputed by third parties because there are no realistic
cases in which a user can cause the alloc_memory_type error case to be
reached.

Introduced by commit 7b88bda ("mm/demotion/dax/kmem: set node's
abstract distance to MEMTIER_DEFAULT_DAX_ADISTANCE") in 6.1-rc1,
so kernels before 6.1 are not affected by this issue.

Fixed status
mainline: [4a625ceee8a0ab0273534cb6b432ce6b331db5ee]

CVE-2023-23006: net/mlx5: DR, Fix NULL vs IS_ERR checking in
dr_domain_init_resources

CVSS v3 score is not provided.

In the Linux kernel before 5.15.13,
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
misinterprets the mlx5_get_uars_page return value (expects it to be
NULL in the error case, whereas it is actually an error pointer).

Introduced by commit 4ec9e7b ("net/mlx5: DR, Expose steering domain
functionality") in 5.4-rc1, so kernels before 5.4 aren't affected
by this issue.

Fixed status
mainline: [6b8b42585886c59a008015083282aae434349094]
stable/5.10: [4cd1da02f0c39606e3378c9255f17d6f85d106c7]
stable/5.15: [4595dffccfa5b9360162c72cc0f6a33477d871cf]
stable/5.4: [db484d35a9482d21a7f36da4dfc7a68aa2e9e1d6]

CVE-2023-1192: use-after-free in smb2_is_status_io_timeout()

CVSS v3 score is not provided.

A use-after-free bug was found in smb2_is_status_io_timeout() in the cifs subsystem.

This bug was introduced by commit a848c4f ("cifsd: add Kconfig and
Makefile") in 5.15-rc1.

Fixed status
Not fixed yet

CVE-2023-1193: use-after-free in setup_async_work()

CVSS v3 score is not provided.

A use-after-free bug was found in setup_async_work() in the cifs subsystem.
This bug was introduced by commit a848c4f ("cifsd: add Kconfig and
Makefile") in 5.15-rc1.
Stable 5.10, 5.4, and 4.x kernels are not affected by this issue.

Fixed status
Not fixed yet

CVE-2023-1194: use-after-free in parse_lease_state()

CVSS v3 score is not provided.

A use-after-free bug was found in parse_lease_state() in cifsd.
This bug was introduced by commit a848c4f ("cifsd: add Kconfig and
Makefile") in 5.15-rc1.
Stable 5.10, 5.4, and 4.x kernels are not affected by this issue.

Fixed status
Not fixed yet

CVE-2023-1195: use-after-free caused by invalid pointer `hostname`

A use-after-free bug was found in cifs subsystem.
Introduced by commit 7be3248 ("cifs: To match file servers, make sure
the server hostname matches") in 5.16-rc1.
This commit was backported to 5.15, so 5.15 is affected by this issue.
However, kernels before 5.15 do not contain commit 7be3248,
so they are not affected.

Fixed status
mainline: [153695d36ead0ccc4d0256953c751cabf673e621]
stable/5.15: [ee2536830b161d16859b2771effdde6b819c253f]

CVE-2023-1249: coredump: Use the vma snapshot in fill_files_note

CVSS v3 score is not provided.

A use-after-free bug was found in the coredump feature. A missing
mmap_lock in fill_files_note() could possibly lead to a use-after-free
bug.

This commit's Fixes tags address the following commits.
- a07279c ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot") in 5.10-rc1
- 2aa362c ("coredump: extend core dump note section to contain file
names of mapped files") in 3.7-rc1

Fixed status
mainline: [390031c942116d4733310f0684beb8db19885fe6]
stable/5.10: [558564db44755dfb3e48b0d64de327d20981e950]
stable/5.15: [39fd0cc079c98dafcf355997ada7b5e67f0bb10a]

CVE-2023-1252: kernel: ovl: fix use after free in struct ovl_aio_req

CVSS v3 score is not provided.

A use-after-free bug was found in overlayfs. If an ext4 file system is
used by ovlfs, a use-after-free could happen as a result of a race
condition.
This bug was introduced by commit 2406a30 ("ovl: implement async IO
routines") in 5.16-rc1. This patch was backported to 5.10 and 5.15 so
that both are affected.

Fixed status
mainline: [9a254403760041528bc8f69fe2f5e1ef86950991]
stable/5.10: [4fd9f0509a1452b45e89c668e2bab854cb05cd25]
stable/5.15: [2f372e38f5724301056e005353c8beecc3f8d257]

* Updated CVEs

CVE-2022-4269: kernel: net: CPU soft lockup in TC mirred
egress-to-ingress action

The mainline was fixed.

Fixed status
mainline: [ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640]

CVE-2023-22998: drm/virtio: Fix NULL vs IS_ERR checking in
virtio_gpu_object_shmem_init

Stable 5.10 was fixed.

Fixed status
mainline: [c24968734abfed81c8f93dc5f44a7b7a9aecadfa,
64b88afbd92fbf434759d1896a7cf705e1c00e79]
stable/5.10: [0a4181b23acf53e9c95b351df6a7891116b98f9b,
87c647def389354c95263d6635c62ca0de7d12ca]
stable/5.15: [72893aadc0017f0f2998b33e7fa5e6b3a3a72d02,
60630834fad38252369bf4a351a03b75b76786e3]

CVE-2023-26605: KASAN: use-after-free Read in inode_cgwb_move_to_attached

The mainline and stable 5.15 were fixed.

Fixed status
mainline: [4e3c51f4e805291b057d12f5dda5aeb50a538dc4]
stable/5.15: [8ce9b1c97fcec906c3386277a33da19e240c3624]

CVE-2023-26607: KASAN: slab-out-of-bounds Read in ntfs_attr_find

This bug was fixed by commit 36a4d82 ("ntfs: fix out-of-bounds read in
ntfs_attr_find()") in 6.1-rc1, so the mainline and all stable kernels
are fixed.

The mainline, 4.1
Fixed status
mainline: [36a4d82dddbbd421d2b8e79e1cab68c8126d5075]
stable/4.14: [801906eea32d9781725905271a1d4ab275743fc9]
stable/4.19: [4301aa833a734257ad3715f607cbde17402eda94]
stable/5.10: [6322dda483344abe47d17335809f7bbb730bd88b]
stable/5.15: [ab6a1bb17e3c2f6670020d7edeea2fbfe6466690]
stable/5.4: [0e2ce0954b39c8d60928f61217b72f352722a2cf]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


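Five of the new entries in the report above (CVE-2023-23002, -23004, -23005 and -23006, with more of the same shape in the 2023-03-02 report further down) are one bug: a caller tests a return value against NULL while the callee signals failure with an error pointer. As an added example, not code from the report or from the kernel tree, the block below re-creates the ERR_PTR convention of include/linux/err.h in userspace C and shows the buggy check beside the fixed one. struct resource, acquire_resource*() and decide_*() are hypothetical stand-ins for the provider/caller pairs named in the entries; the optional variant models the three-state contract of devm_gpiod_get_index_optional() from CVE-2023-23002.

```c
/*
 * Added example (not from the report or the kernel tree): the "NULL vs
 * IS_ERR" bug class.  ERR_PTR/IS_ERR/PTR_ERR mirror include/linux/err.h;
 * struct resource, acquire_resource*() and decide_*() are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
/* An error pointer is a -errno value living in the top 4095 bytes of the
 * address space, so it is never NULL and never a valid object address. */
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }
static inline int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR_VALUE(ptr); }

struct resource { int id; };

/* Provider following the ERR_PTR convention: on failure it returns an
 * encoded -errno, never NULL. */
static struct resource *acquire_resource(int id)
{
	struct resource *r;

	if (id < 0)
		return ERR_PTR(-EINVAL);
	r = malloc(sizeof(*r));
	if (!r)
		return ERR_PTR(-ENOMEM);
	r->id = id;
	return r;
}

/* "Optional" provider with three outcomes: NULL (absent, carry on without
 * it), an error pointer (real failure), or a valid pointer. */
static struct resource *acquire_resource_optional(int id, int present)
{
	return present ? acquire_resource(id) : NULL;
}

enum outcome { USE_IT, SKIP_IT, FAIL };

/* Buggy caller: tests for NULL only.  An error pointer is "not NULL", so it
 * falls through to USE_IT and real code would dereference 0xffff...ffea. */
static enum outcome decide_buggy(struct resource *r)
{
	if (!r)
		return SKIP_IT;
	return USE_IT;
}

/* Fixed caller: test IS_ERR first and extract the errno with PTR_ERR, then
 * treat NULL as the optional-absent case.  Where only "usable or not"
 * matters, IS_ERR_OR_NULL() collapses the first two tests. */
static enum outcome decide_fixed(struct resource *r, long *err)
{
	*err = 0;
	if (IS_ERR(r)) {
		*err = PTR_ERR(r);
		return FAIL;
	}
	if (!r)
		return SKIP_IT;
	return USE_IT;
}

int main(void)
{
	long err;
	enum outcome o;
	struct resource *bad = acquire_resource_optional(-1, 1);
	struct resource *absent = acquire_resource_optional(3, 0);
	struct resource *good = acquire_resource_optional(3, 1);

	printf("error pointer %p: NULL-only check says USE_IT? %d\n",
	       (void *)bad, decide_buggy(bad) == USE_IT);
	o = decide_fixed(bad, &err);
	printf("IS_ERR check says FAIL? %d, errno %ld (EINVAL is %d)\n",
	       o == FAIL, err, EINVAL);
	o = decide_fixed(absent, &err);
	printf("absent resource: SKIP_IT? %d\n", o == SKIP_IT);
	if (!IS_ERR_OR_NULL(good)) {
		o = decide_fixed(good, &err);
		printf("good resource: USE_IT? %d, id %d\n", o == USE_IT, good->id);
		free(good);
	}
	return 0;
}
```

When reviewing a caller, read the callee's failure contract first: a function that can return both NULL and ERR_PTR needs both checks, in the order shown, and a NULL-only check against an ERR_PTR-only function is always wrong.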

* Re: New CVE entries this week
  2023-01-19  0:14 Masami Ichikawa
@ 2023-03-03 14:08 ` Dan Carpenter
  0 siblings, 0 replies; 93+ messages in thread
From: Dan Carpenter @ 2023-03-03 14:08 UTC (permalink / raw)
  To: Masami Ichikawa; +Cc: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1525 bytes --]

On Thu, Jan 19, 2023 at 09:14:53AM +0900, Masami Ichikawa wrote:
> CVE-2023-23559: rndis_wlan: Prevent buffer overflow in rndis_query_oid
> 
> CVSS v3 score is not provided
> 
> In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux
> kernel through 6.1.5, there is an integer overflow in an addition.
> 
> This bug was introduced by 80f8c5b434f9 ("rndis_wlan: copy only useful
> data from rndis_command respond") in 2.6.35-rc1.
> 
> Fixed status
> Patch is in the patchwork but not merged into the mainline yet.

I have a Smatch check for this kind of bug.  It's crap code that I never
pushed.  There are two reasons why it didn't warn for this bug:

1) For some reason it was only looking at bounds checks to a known limit
   instead of to a variable limit.
2) It only generated a warning when an underflowed variable was assigned
   to something or passed to a function.  Here the underflowed variable
   was used for math.

Both these issues are easily addressed.  Here are the slightly cleaned
up warnings.  It's mostly false positives (obviously I have been looking
at the results for the past ten years and fixing the underflow bugs
which were not false positives).  The warnings in drivers/md/md.c and
fs/ksmbd/vfs.c are new and thus not false positives.  I will send bug
reports for these.

The bug list would probably have been longer but I've been re-writing
the taint handling code for marking variables as user controlled.

The line numbers are from yesterday's linux-next.

regards,
dan carpenter

[-- Attachment #2: check_no_lowerbound_test.c --]
[-- Type: text/x-csrc, Size: 2802 bytes --]

/*
 * Copyright (C) 2013 Oracle.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

/*
 * This is another integer underflow test.  I look at situations where:
 * 1) We have user data.
 * 2) We cap the upper bound but not the lower bound.
 * 3) We assign the data to something else either through an assignment or by
 *    passing it as a parameter.
 *
 * Hooking binops (match_binop) also catches case 3 when the value is only
 * used in arithmetic.
 */

#include "smatch.h"
#include "smatch_extra.h"

static int my_id;

STATE(upper_capped);

/*
 * On "x > limit" / "x >= limit" the false branch leaves x capped from
 * above.  Comparisons against a literal 0 are skipped because "x > 0"
 * already rules out negative values.  Only expressions that can currently
 * be negative are tracked.
 */
static void match_condition(struct expression *expr)
{
	struct range_list *rl;
	sval_t sval;

	if (expr->type != EXPR_COMPARE)
		return;
	if (expr->op != '>' && expr->op != SPECIAL_GTE)
		return;
	/* "x > 0" style checks do bound the value from below */
	if (get_implied_value(expr->right, &sval) &&
	    sval.value == 0)
		return;
	get_absolute_rl(expr->left, &rl);
//	if (!get_user_rl(expr->left, &rl))
//		return;
	if (!sval_is_negative(rl_min(rl)))
		return;
	/* true branch: unchanged; false branch: expr->left is upper_capped */
	set_true_false_states_expr(my_id, expr->left, NULL, &upper_capped);
}

/*
 * Warn when an upper-capped expression reaches a sink while its user
 * controlled range still starts at the type minimum, i.e. nothing ever
 * checked for negative values.
 */
static void XXX_check_for_lower_bound(struct expression *expr)
{
	struct range_list *rl;
	char *name;

	if (get_state_expr(my_id, expr) != &upper_capped)
		return;
	if (!get_user_rl(expr, &rl))
		return;
	/* always negative: not the kind of underflow we are after */
	if (sval_is_negative(rl_max(rl)))
		return;
	/* a lower bound exists unless the min is still the type minimum */
	if (!sval_is_min(rl_min(rl)) ||
	    !sval_is_negative(rl_min(rl)))
		return;

	name = expr_to_str(expr);
	sm_msg("warn: no lower bound on '%s'", name);
	free_string(name);
}

static void check_for_lower_bound(struct expression *expr)
{
	// This skips a lot of unnecessary stuff
	if (expr->type == EXPR_CALL)
		return;

	XXX_check_for_lower_bound(expr);
}

static void match_assign(struct expression *expr)
{
	check_for_lower_bound(expr->right);
}

static void match_call(struct expression *expr)
{
	struct expression *arg;

	FOR_EACH_PTR(expr->args, arg) {
		check_for_lower_bound(arg);
	} END_FOR_EACH_PTR(arg);
}

static void match_binop(struct expression *expr)
{
	check_for_lower_bound(expr->left);
	check_for_lower_bound(expr->right);
}

void check_no_lowerbound_test(int id)
{
	my_id = id;

	add_hook(&match_condition, CONDITION_HOOK);
	add_hook(&match_assign, ASSIGNMENT_HOOK);
	add_hook(&match_call, FUNCTION_CALL_HOOK);
	add_hook(&match_binop, BINOP_HOOK);
}

[-- Attachment #3: err-list --]
[-- Type: text/plain, Size: 997 bytes --]

drivers/staging/gdm724x/netlink_k.c:103 netlink_send() warn: no lower bound on 'group'
drivers/acpi/nfit/core.c:484 acpi_nfit_ctl() warn: no lower bound on 'family'
drivers/md/md.c:3170 slot_store() warn: no lower bound on 'slot'
drivers/scsi/myrs.c:1508 disable_enclosure_messages_store() warn: no lower bound on 'value'
drivers/video/fbdev/matrox/matroxfb_g450.c:184 g450_set_ctrl() warn: no lower bound on 'p->value'
drivers/net/wireless/ath/carl9170/debug.c:570 carl9170_debugfs_hw_ioread32_write() warn: no lower bound on 'n'
drivers/net/ethernet/smsc/smc91x.c:1726 smc_ethtool_seteeprom() warn: no lower bound on 'offset'
security/smack/smackfs.c:903 smk_set_cipso() warn: no lower bound on 'catlen'
fs/ksmbd/vfs.c:1040 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'length'
fs/ksmbd/vfs.c:1041 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'start'
fs/ksmbd/smb2pdu.c:7759 smb2_ioctl() warn: no lower bound on 'off'
net/core/skbuff.c:2694 skb_copy_bits() warn: no lower bound on 'offset'


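As an added example, not part of Dan's mail and not Smatch code, the block below shows in userspace C the shape his check reports as "no lower bound": a signed, attacker-chosen offset that is bounded only from above, passes the check when negative, and is then used in pointer arithmetic. The fixed version sits beside it. The arena layout, DATA_LEN and the read_window_*() functions are constructed for this illustration.

```c
/*
 * Added example (not from the thread, not Smatch): a signed offset capped
 * only from above, used in pointer arithmetic.  The arena layout, DATA_LEN
 * and read_window_*() are hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout: 8 bytes that must not be disclosed, followed by
 * the 16-byte region the caller is allowed to read. */
static const unsigned char arena[] = "SECRET!!0123456789abcdef";
static const unsigned char *const data = arena + 8;
#define DATA_LEN 16

/* Buggy: 'offset' is checked only against an upper limit.  offset = -4
 * makes "offset > DATA_LEN - len" false, so the copy starts 4 bytes before
 * 'data' and discloses the tail of the secret.  This is the pattern the
 * Smatch check flags as "no lower bound on 'offset'". */
static int read_window_buggy(int offset, int len, unsigned char *out)
{
	if (len < 0 || len > DATA_LEN)
		return -EINVAL;
	if (offset > DATA_LEN - len)
		return -EINVAL;
	memcpy(out, data + offset, (size_t)len);
	return len;
}

/* Fixed: reject negatives explicitly.  The comparison stays in subtraction
 * form (offset > DATA_LEN - len) rather than "offset + len > DATA_LEN",
 * because with both operands large that addition is the kind the
 * CVE-2023-23559 entry quoted above describes as overflowing. */
static int read_window_fixed(int offset, int len, unsigned char *out)
{
	if (offset < 0 || len < 0 || len > DATA_LEN || offset > DATA_LEN - len)
		return -EINVAL;
	memcpy(out, data + offset, (size_t)len);
	return len;
}

int main(void)
{
	unsigned char out[DATA_LEN + 1] = { 0 };
	int n;

	n = read_window_buggy(-4, 4, out);
	printf("buggy(-4, 4) -> %d bytes: \"%.*s\"\n", n, n > 0 ? n : 0, (const char *)out);
	n = read_window_fixed(-4, 4, out);
	printf("fixed(-4, 4) -> %d (EINVAL is %d)\n", n, EINVAL);
	n = read_window_fixed(12, 4, out);
	printf("fixed(12, 4) -> %d bytes: \"%.*s\"\n", n, n > 0 ? n : 0, (const char *)out);
	return 0;
}
```

An alternative fix is to take the offset and length as unsigned types, which turns a negative input into a huge value that the upper-bound check already rejects; the explicit "< 0" test is the form that is easiest to audit and the one a checker like the above can see.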

* New CVE entries this week
@ 2023-03-02  1:40 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-03-02  1:40 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 22 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2023-23039: drivers: tty: vcc: Fix use-after-free in vcc_open()

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel through 6.2.0-rc2.
drivers/tty/vcc.c has a race condition and resultant use-after-free if
a physically proximate attacker removes a VCC device while calling
open(), aka a race condition between vcc_open() and vcc_remove().

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2023-26544: KASAN: use-after-free Read in run_unpack

CVSS v3 score is not provided.

In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in
fs/ntfs3/run.c, related to a difference between NTFS sector size and
media sector size.

The NTFS3 driver was introduced in 5.15, so kernels before 5.15 are
not affected by this issue.

Fixed status
Not fixed yet.

CVE-2023-26545: net: mpls: fix stale pointer if allocation fails
during device rename

CVSS v3 score is not provided.

In the Linux kernel before 6.1.13, there is a double free in
net/mpls/af_mpls.c upon an allocation failure (for registering the
sysctl table under a new location) during the renaming of a device.

It was introduced by commit 0fae3bf ("mpls: handle device renames for
per-device sysctls") in 4.1-rc8.

Fixed status
mainline: [fda6c89fe3d9aca073495a664e1d5aea28cd4377]
stable/4.14: [b89824a9b2398d78a32ea75343e5472a0fd4986e]
stable/4.19: [aa07c86e43ed8780d610ecfb2ce13da326729201]
stable/5.10: [7ff0fdba82298d1f456c685e24930da89703c0fb]
stable/5.15: [59a74da8da75bdfb464cbdb399e87ba4f7500e96]
stable/5.4: [df099e65564aa47478eb1cacf81ba69024fb5c69]
stable/6.1: [c376227845eef8f2e62e2c29c3cf2140d35dd8e8]

CVE-2023-26605: KASAN: use-after-free Read in inode_cgwb_move_to_attached

CVSS v3 score is not provided.

In the Linux kernel 6.0.8, there is a use-after-free in
inode_cgwb_move_to_attached in fs/fs-writeback.c, related to
__list_del_entry_valid.

Fixed status
Not fixed yet.

CVE-2023-26606: KASAN: use-after-free Read in ntfs_trim_fs

CVSS v3 score is not provided.

In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs
in fs/ntfs3/bitmap.c.

The NTFS3 driver was introduced in 5.15, so kernels before 5.15 are
not affected by this issue.

Fixed status
Not fixed yet.

CVE-2023-26607: KASAN: slab-out-of-bounds Read in ntfs_attr_find

CVSS v3 score is not provided.

In the Linux kernel 6.0.8, there is an out-of-bounds read in
ntfs_attr_find in fs/ntfs/attrib.c.

Fixed status
Not fixed yet.

CVE-2023-1073: HID: check empty report_list in hid_validate_values()

CVSS v3 score is not provided.

There was an insufficient check for whether the list is empty in
hid_validate_values(), which results in a list_head object being
treated as valid data.
Drivers relied on the assumption that the device must have a valid
report_list. However, malicious devices can violate the assumption. In
this case, the kernel is vulnerable.
According to the report
(https://www.openwall.com/lists/oss-security/2023/01/17/3) this
vulnerability is not exploitable.

This bug was introduced by commit 1b15d2e ("HID: core: fix validation
of report id 0") in 3.16-rc1.

Fixed status
mainline: [b12fece4c64857e5fab4290bf01b2e0317a88456]
stable/4.14: [614dd3d1725d329bf10a7ae974ebdfe101150791]
stable/4.19: [f958da03d9a71808548b2e5418d95482b106eb9a]
stable/5.10: [5dc3469a1170dd1344d262a332b26994214eeb58]
stable/5.15: [2b49568254365c9c247beb0eabbaa15d0e279d64]
stable/5.4: [89e7fe3999e057c91f157b6ba663264f4cdfcb55]
stable/6.1: [cdcdc0531a51659527fea4b4d064af343452062d]

CVE-2023-1074: sctp: fail if no bound addresses can be used for a given scope

CVSS v3 score is not provided.

A type confusion bug was found in inet_diag_msg_sctpasoc_fill() that
causes information leak to userspace.
This bug was introduced in the Linux 2.6 era.

Fixed status
mainline: [458e279f861d3f61796894cd158b780765a1569f]
stable/4.14: [97ca098d8f1a8119b6675c823706cd6231ba6d9b]
stable/4.19: [26436553aabfd9b40e1daa537a099bf5bb13fb55]
stable/5.10: [6ef652f35dcfaa1ab2b2cf6c1694718595148eee]
stable/5.15: [3391bd42351be0beb14f438c7556912b9f96cb32]
stable/5.4: [a7585028ac0a5836f39139c11594d79ede97d975]
stable/6.1: [9f08bb650078dca24a13fea1c375358ed6292df3]

CVE-2023-1075: net/tls: tls_is_tx_ready() checked list_entry

CVSS v3 score is not provided.

A type confusion bug was found in tls_is_tx_ready().
This bug was introduced by commit a42055e ("net/tls: Add support for
async encryption of records for performance") in 4.20-rc1, so kernels
before version 4.20 are not affected.

Fixed status
mainline: [ffe2a22562444720b05bdfeb999c03e810d84cbb]
stable/6.1: [37c0cdf7e4919e5f76381ac60817b67bcbdacb50]

CVE-2023-1076: tap: tap_open(): correctly initialize socket uid

CVSS v3 score is not provided.

A type confusion bug was found in tun and tap drivers.
This bug was introduced by commit 86741ec ("net: core: Add a UID field
to struct sock.") in 4.10-rc1 so Linux 4.4 is not affected.

Fixed status
mainline: [66b2c338adce580dfce2199591e65e2bab889cff,
a096ccca6e503a5c575717ff8a36ace27510ab0a]

CVE-2023-1077: sched/rt: pick_next_rt_entity(): check list_entry

CVSS v3 score is not provided.

There is an insufficient list-empty check in pick_next_rt_entity().
_pick_next_task_rt() checks whether pick_next_rt_entity() returns NULL,
but pick_next_rt_entity() never returns NULL. So, even if the list is
empty, _pick_next_task_rt() continues its processing.

This bug was introduced by commit 326587b ("sched: fix goto retry in
pick_next_task_rt()") in 2.6.25-rc1.

Fixed status
mainline: [7c4a5b89a0b5a57a64b601775b296abf77a9fe97]

CVE-2023-22995: usb: dwc3: dwc3-qcom: Add missing
platform_device_put() in dwc3_qcom_acpi_register_core

CVSS v3 score is not provided.

In the Linux kernel before 5.17, an error path in
dwc3_qcom_acpi_register_core in drivers/usb/dwc3/dwc3-qcom.c lacks
certain platform_device_put and kfree calls.
This bug was fixed in 5.17-rc1. It looks like this bug was introduced
by commit 2bc02355 ("usb: dwc3: qcom: Add support for booting with
ACPI") in 5.3-rc1. So, 4.14, 4.19, and 4.4 are not affected.

Fixed status
mainline: [fa0ef93868a6062babe1144df2807a8b1d4924d2]

CVE-2023-1078: rds: rds_rm_zerocopy_callback() use list_first_entry()

CVSS v3 score is not provided.

A type confusion bug was found in rds_rm_zerocopy_callback(). It
causes a kind of memory corruption bug.

It was introduced by commit 9426bbc ("rds: use list structure to track
information for zerocopy completion notification") in 4.17-rc1.
So, 4.4 and 4.14 are not affected.

Fixed status
mainline: [f753a68980cf4b59a80fe677619da2b1804f526d]
stable/4.19: [909d5eef5ce792bb76d7b5a9b7a6852b813d8cac]
stable/5.10: [c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca]
stable/5.15: [528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba]
stable/5.4: [ba38eacade35dd2316d77b37494e6e0c01bab595]
stable/6.1: [1d52bbfd469af69fbcae88c67f160ce1b968e7f3]

CVE-2023-1079: Use-After-Free in asus_kbd_backlight_set()

CVSS v3 score is not provided.

A use-after-free bug was found in asus_kbd_backlight_set(). An
attacker plugs in a malicious USB device which advertises itself as
an ASUS device.
The device uses a worker, `asus_worker`, scheduled by
asus_kbd_backlight_set() to communicate with the hardware.
When this happens concurrently with device removal, the LED
controller's asus_kbd_backlight_set() may schedule a worker whose use
would result in a use-after-free.

Introduced by commit af22a61 ("HID: asus: support backlight on USB
keyboards") in 4.12-rc1. So, 4.4 is not affected.

Fixed status
mainline: [4ab3a086d10eeec1424f2e8a968827a6336203df]

CVE-2023-1095: A NULL pointer dereference bug in netfilter subsystem

CVSS v3 score is not provided.

In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object.
nft_trans_destroy() calls list_del(), but the transaction was never
placed on a list -- the list head is all zeroes, this results in a
NULL pointer dereference.

Introduced by commit 55dd6f9 ("netfilter: nf_tables: use new
transaction infrastructure to handle table") in 3.16-rc1.

Fixed status
mainline: [580077855a40741cf511766129702d97ff02f4d9]
stable/4.14: [49d57fb1fd44b9d3422f096d3b1b6415685d7364]
stable/4.19: [d3f409c375490a86d342eae1d0f6271d12dc19d0]
stable/5.10: [80977126bc20309f7f7bae6d8621356b393e8b41]
stable/5.15: [8a2df34b5bf652566f2889d9fa321f3b398547ef]
stable/5.4: [a452bc3deb23bf93f8a13d3e24611b7ef39645dc]

CVE-2023-1118: kernel: use-after-free in drivers/media/rc/ene_ir.c due
to race condition

CVSS v3 score is not provided.

When detaching the ene device, ene_remove() will be called, but
ene_remove() doesn't cancel tx_sim_timer.
If the timer handler ene_tx_irqsim() is called, it could cause a use-after-free bug.

Introduced by commit 9ea53b7 ("V4L/DVB: STAGING: remove lirc_ene0100
driver") in 2.6.36-rc1.

Fixed status
mainline: [29b0589a865b6f66d141d79b2dd1373e4e50fe17]

CVE-2023-22996: use-after-free bug in drivers/soc/qcom/qcom_aoss.c

CVSS v3 score is not provided.

In the Linux kernel before 5.17.2, drivers/soc/qcom/qcom_aoss.c does
not release an of_find_device_by_node reference after use, e.g., with
put_device.

Introduced by commit 8c75d58 ("soc: qcom: aoss: Expose send for
generic usecase") in 5.16-rc1 so before 5.16 kernels are not affected
by this issue.

CVE-2023-22997: module: Fix NULL vs IS_ERR checking for module_get_next_page

CVSS v3 score is not provided.

In the Linux kernel before 6.1.2, kernel/module/decompress.c
misinterprets the module_get_next_page return value (expects it to be
NULL in the error case, whereas it is actually an error pointer).

Introduced by commit b1ae6dc ("module: add in-kernel support for
decompressing") in 5.17-rc1, so kernels before 5.17 are not affected
by this issue.

Fixed status
mainline: [45af1d7aae7d5520d2858f8517a1342646f015db]
stable/6.1: [7a779e84b3c451ce4713456a413d3300143747a7]

CVE-2023-22998: drm/virtio: Fix NULL vs IS_ERR checking in
virtio_gpu_object_shmem_init

CVSS v3 score is not provided.

In the Linux kernel before 6.0.3,
drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the
drm_gem_shmem_get_sg_table return value (expects it to be NULL in the
error case, whereas it is actually an error pointer).

This bug was introduced by commit 2f2aa13 ("drm/virtio: move
virtio_gpu_mem_entry initialization to new function") in 5.7-rc1 so
before 5.7 kernels are not affected by this issue.

Commit c249687 ("drm/virtio: Fix NULL vs IS_ERR checking in
virtio_gpu_object_shmem_init") changes the return value from -EINVAL to
PTR_ERR(shmem->pages), but it also needed to set shmem->pages to NULL.
Commit 64b88af ("drm/virtio: Correct drm_gem_shmem_get_sg_table()
error handling") does that.

Fixed status
mainline: [c24968734abfed81c8f93dc5f44a7b7a9aecadfa,
64b88afbd92fbf434759d1896a7cf705e1c00e79]
stable/5.15: [72893aadc0017f0f2998b33e7fa5e6b3a3a72d02,
60630834fad38252369bf4a351a03b75b76786e3]

CVE-2023-22999: usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe

CVSS v3 score is not provided.

In the Linux kernel before 5.16.3, drivers/usb/dwc3/dwc3-qcom.c
misinterprets the dwc3_qcom_create_urs_usb_platdev return value
(expects it to be NULL in the error case, whereas it is actually an
error pointer).

Introduced by commit c25c210 ("usb: dwc3: qcom: add URS Host support
for sdm845 ACPI boot") in 5.12-rc1dontuse.
This commit was backported to 5.10 so 5.10 was affected.

Fixed status
mainline: [b52fe2dbb3e655eb1483000adfab68a219549e13]
stable/5.10: [94177fcecc35e9e9d3aecaa5813556c6b5aed7b6]
stable/5.15: [5157828d3975768b53a51cdf569203b953184022]

CVE-2023-23000: phy: tegra: xusb: Fix return value of
tegra_xusb_find_port_node function

CVSS v3 score is not provided.

In the Linux kernel before 5.17, drivers/phy/tegra/xusb.c mishandles
the tegra_xusb_find_port_node return value. Callers expect NULL in the
error case, but an error pointer is used.

Introduced by commit 0460467 ("phy: tegra: fix device-tree node
lookups") in 4.15-rc6.
Linux 4.4 isn't affected by this issue.

Fixed status
mainline: [045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f]
stable/4.14: [f3f5fa872d09109edfd7c10c57865301fee396d4]

CVE-2023-23001: scsi: ufs: ufs-mediatek: Fix error checking in
ufs_mtk_init_va09_pwr_ctrl()

CVSS v3 score is not provided.

In the Linux kernel before 5.16.3, drivers/scsi/ufs/ufs-mediatek.c
misinterprets the regulator_get return value (expects it to be NULL in
the error case, whereas it is actually an error pointer).

Introduced by commit cf137b3 ("scsi: ufs-mediatek: Support VA09
regulator operations") in 5.11-rc1. So, before 5.11 kernels are not
affected by this issue.

Fixed status
mainline: [3ba880a12df5aa4488c18281701b5b1bc3d4531a]
stable/5.15: [0dc4db8abccf266390b81b72064191f876e55876]

* Updated CVEs

CVE-2022-2196: KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

Stable kernels 5.10, 5.15, 5.4, and 6.1 were fixed.

Fixed status
mainline: [2e7eab81425ad6c875f2ed47c0ce01e78afc38a5]
stable/5.10: [1b0cafaae8884726c597caded50af185ffc13349]
stable/5.15: [6b539a7dbb49250f92515c2ba60aea239efc9e35]
stable/5.4: [f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b]
stable/6.1: [63fada296062e91ad9f871970d4e7f19e21a6a15]

CVE-2022-3707: Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed

Stable kernels 4.19, 5.10, 5.15, and 5.4 were fixed.

Fixed status
mainline: [4a61648af68f5ba4884f0e3b494ee1cabc4b6620]
stable/4.19: [c5245a6cf83ca5c4b68d643f8b31ed0eb127126e]
stable/5.10: [3d743415c6fb092167df6c23e9c7e9f6df7db625]
stable/5.15: [0d3d5099a50badadad6837edda00e42149b2f657]
stable/5.4: [787ef0db014085df8691e5aeb58ab0bb081e5ff0]
stable/6.0: [bb84f2e119accfc65d5fa6ebe31751cdc3bca9fb]
stable/6.1: [1022519da69d99d455c58ca181a6c499c562c70e]

CVE-2023-20938: Privilege escalation bug was found in android binder driver

Stable 5.15 was fixed.

Fixed status
mainline: [9a0a930fe2535a76ad70d3f43caeccf0d86a3009,
09184ae9b5756cc469db6fd1d1cfdcffbf627c2d,
656e01f3ab54afe71bed066996fc2640881e1220,
6d98eb95b450a75adb4516a1d33652dc78d2b20c,
ef38de9217a04c9077629a24652689d8fdb4c6c6,
2d1746e3fda0c3612143d7c06f8e1d1830c13e23]
stable/5.10: [2e3c27f24173c6f3d799080da82126fa044a2f5e,
c9d3f25a7f4e3aab3dfd91885e3d428bccdcb0e1,
5204296fc76623552d53f042e2dc411b49c151f2,
23e9d815fad84c1bee3742a8de4bd39510435362,
ae9e0cc973fb7499ea1b1a8dfd0795f728b84faf,
017de842533f4334d646f1d480f591f4ca9f5c7a]
stable/5.15: [b345b22002889b943c50db25cd7f37c93def722a,
c194fc351fecb419e7f3a33ed7e9b273b427d263,
d107b4352284aff85e9dae0b13d4b05e17a1520c,
7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde,
d518ca02542fda332b34c2a3db9164363ac3f58e,
367d0456c79264d8fe743a4ab2961c772db4d495]
stable/5.4: [15e098ab1d3c8d6b2521b7cc4bc6da80936e9af6,
74e7f1828ab4205ebacf7c92b700279113dd075d,
7b31ab0d9efb032ac1a8f25d419f7b9df1b1cfe3,
c056a6ba35e00ae943e377eb09abd77a6915b31a,

CVE-2023-25012: HID: bigben_remove: manually unregister leds

The mainline kernel was fixed.

Fixed status
mainline: [76ca8da989c7d97a7f76c75d475fe95a584439d7]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-02-22 23:33 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-02-22 23:33 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 0 updated CVEs.

* New CVEs

CVE-2022-36397: Incorrect default permissions cause an Escalation of
Privilege bug in Intel® QuickAssist Technology (QAT) drivers

CVSS v3 score is not provided (NVD)
CVSS v3 score is 7.3 HIGH (CNA)

Incorrect default permissions in the software installer for some
Intel(R) QAT drivers for Linux before version 4.17 (which means QAT
driver version 4.17 not Linux kernel 4.17) may allow an authenticated
user to potentially enable escalation of privilege via local access.

This bug is in the Intel QAT driver before version 4.17, so it is not a
Linux kernel bug.

Fixed status
Not a kernel bug

CVE-2023-23586: memory leak/use-after-free bug is found in io_uring
subsystem in linux 5.10.y

CVSS v3 score is not provided (NVD)
CVSS v3 score is 5.5 MEDIUM (CNA)

Due to a vulnerability in the io_uring subsystem, it is possible to
leak kernel memory information to the user process. timens_install
calls current_is_single_threaded to determine if the current process
is single-threaded, but this call does not consider io_uring's
io_worker threads, thus it is possible to insert a time namespace's
vvar page to process's memory space via a page fault. When this time
namespace is destroyed, the vvar page is also freed, but not removed
from the process' memory, and a next page allocated by the kernel will
be still available from the user-space process and can leak memory
contents via this (read-only) use-after-free vulnerability. We
recommend upgrading past version 5.10.161 or commit
788d0824269bef539fe31a785b1517882eafed93
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring

This bug is in kernel 5.10.y. Its fix is the same as for CVE-2023-0240,
which backports the io_uring codebase from 5.15.

Fixed status
stable/5.10: [788d0824269bef539fe31a785b1517882eafed93]

CVE-2023-26242: fpga: dfl-afu-region: Add overflow checks for region
size and offset

CVSS v3 score is not provided

afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the
Linux kernel through 6.1.12 has an integer overflow.
According to the comment
(https://patchwork.kernel.org/project/linux-fpga/patch/20230206054326.89323-1-k1rh4.lee@gmail.com/),
it might be false positive.

No CIP member enables CONFIG_FPGA_DFL_AFU.

Fixed status
Not fixed yet

CVE-2023-0461: A use-after-free bug was found in the Upper Level
Protocol (ULP) subsystem

CVSS v3 score is not provided

A use-after-free bug was found in the Upper Level Protocol (ULP)
subsystem, which will cause a system crash or arbitrary code execution.
It was introduced by commit 734942c ("tcp: ULP infrastructure") in
4.13-rc1, so 4.4.y kernels are not affected by this issue.

Fixed status
mainline: [2c02d41d71f90a5168391b6a5f2954112ba2307c]
stable/4.14: [b689125d04949841337dfa730d48dd91ada9ce3a]
stable/4.19: [755193f2523ce5157c2f844a4b6d16b95593f830]
stable/5.10: [f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0]
stable/5.15: [dadd0dcaa67d27f550131de95c8e182643d2c9d6]
stable/5.4: [c6d29a5ffdbc362314853462a0e24e63330a654d]
stable/6.1: [7d242f4a0c8319821548c7176c09a6e0e71f223c]

* Updated CVEs

No update this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-02-15 23:19 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-02-15 23:19 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and no updated CVEs.

* New CVEs

CVE-2022-27672: Cross-Thread Return Address Predictions

CVSS v3 score is not provided

When SMT is enabled, certain AMD processors may speculatively execute
instructions using a target from the sibling thread after an SMT mode
switch potentially resulting in information disclosure.

It affects certain AMD processors only. The affected CPUs are listed on
AMD's security advisory page
(https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045).

Fixed status
mainline: [be8de49bea505e7777a69ef63d60e02ac1712683,
6f0f2d5ef895d66a3f2b32dd05189ec34afa5a55,
493a2c2d23ca91afba96ac32b6cbafb54382c2a3]
stable/5.15: [8f12dcab90e886d0169a9cd372a8bb35339cfc19,
5122e0e44363e3d837592b78bc04222b9d289868,
17170acdc7c8b8585501bb443b4f196168ae9890]
stable/6.1: [cc95b5d240b631e42e2863e1dcb6ad83920cc449,
40c4fdfc942e0c93054884546bf785fe24c6831e,
da1ae884562cc22e2705113cc39712477e37ab4e]

CVE-2023-20937: Privilege escalation bug was found in Android kernel

CVSS v3 score is not provided

This bug is in the Android Common Kernel, so it doesn't affect
mainline/stable/cip kernels.

* Updated CVEs

No updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-02-08 23:44 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-02-08 23:44 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2023-0615: multiple issues for the Video for Linux version 2 test driver

CVSS v3 score is not provided

A memory leak flaw and a potential divide by zero and integer overflow
were found in the Linux kernel V4L2 and vivid test code functionality.
This issue occurs when a user triggers ioctls, such as the
VIDIOC_S_DV_TIMINGS ioctl. This could allow a local user to crash the
system if the vivid test code is enabled.

Config files in cip-kernel-config do not enable vivid's test driver.

Fixed status
mainline: [94a7ad9283464b75b12516c5512541d467cefcf8]
stable/4.14: [5edc3604151919da8da0fb092b71d7dce07d848a]
stable/4.19: [9c7fba9503b826f0c061d136f8f0c9f953ed18b9]
stable/5.10: [f9d19f3a044ca651b0be52a4bf951ffe74259b9f]
stable/5.15: [ab54081a2843aefb837812fac5488cc8f1696142]
stable/5.4: [54f259906039dbfe46c550011409fa16f72370f6]
stable/6.1: [2f558c5208b0f70c8140e08ce09fcc84da48e789]

CVE-2023-25012: HID: bigben_remove: manually unregister leds

CVSS v3 score is not provided

The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove
in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED
controllers remain registered for too long.

This bug was introduced by commit 4eb1b01de5b9 ("HID: hid-bigbenff:
fix race condition for scheduled work during removal") in 5.6-rc4.
This patch was backported to 5.4, so Linux 5.4 is affected as well.

Fixed status
Patch is available
(https://lore.kernel.org/all/20230125-hid-unregister-leds-v1-1-9a5192dcef16@diag.uniroma1.it/)
but it hasn't been merged yet.

CVE-2023-0045: Bypassing Spectre-BTI User Space Mitigations

CVSS v3 score is not provided

An attacker can bypass Spectre-BTI user space mitigations. The kernel
doesn't issue an IBPB immediately during the syscall so there is no
mitigation in a short period of time.
The impact is low. It would only affect applications that immediately
load secrets after the prctl() call.

Fixed status
mainline: [a664ec9158eeddd75121d39c9a0758016097fa96]
stable/4.14: [e1feec3bd63b7e526f92464def38a5fbe437dc99]
stable/4.19: [940ede60d74d2fc7291b96cb38072d705333c8e0]
stable/5.10: [67e39c4f4cb318cfbbf8982ab016c649ed97edaf]
stable/5.15: [cb42aa7b5f726e3fddc8656b8f5c723537d654f1]
stable/5.4: [8cbd7f26438738238c245a9c0aaf7ebf43283fba]
stable/6.1: [e8377f0456fb6738a4668d4df16c13d7599925fd]

CVE-2023-20938: Privilege escalation bug was found in android binder driver

CVSS v3 score is not provided

A privilege escalation bug was found in the Android binder driver. There
are no details about this vulnerability.
No CIP member enables CONFIG_ANDROID_BINDER_IPC.

Fixed status
mainline: [9a0a930fe2535a76ad70d3f43caeccf0d86a3009,
09184ae9b5756cc469db6fd1d1cfdcffbf627c2d,
656e01f3ab54afe71bed066996fc2640881e1220,
6d98eb95b450a75adb4516a1d33652dc78d2b20c,
ef38de9217a04c9077629a24652689d8fdb4c6c6,
2d1746e3fda0c3612143d7c06f8e1d1830c13e23]
stable/5.10: [2e3c27f24173c6f3d799080da82126fa044a2f5e,
c9d3f25a7f4e3aab3dfd91885e3d428bccdcb0e1,
5204296fc76623552d53f042e2dc411b49c151f2,
23e9d815fad84c1bee3742a8de4bd39510435362,
ae9e0cc973fb7499ea1b1a8dfd0795f728b84faf,
017de842533f4334d646f1d480f591f4ca9f5c7a]
stable/5.4: [15e098ab1d3c8d6b2521b7cc4bc6da80936e9af6,
74e7f1828ab4205ebacf7c92b700279113dd075d,
7b31ab0d9efb032ac1a8f25d419f7b9df1b1cfe3,
c056a6ba35e00ae943e377eb09abd77a6915b31a,
4741b00cac23d5fe7d6f74858dff1968eeb1b63a,
4e682ce5601a617b105b7f801f67511dfbd04079]

* Updated CVEs

CVE-2022-4129: l2tp: missing lock when clearing sk_user_data can lead
to NULL pointer

5.4 was fixed.

Fixed status
mainline: [b68777d54fac21fc833ec26ea1a2a84f975ab035,
af295e854a4e3813ffbdef26dbb6a4d6226c3ea1]
stable/5.10: [e34a965f771f1977f172593c73e373036c765724,
5b209b8c99d487a1c32983981bf3552980fda591]
stable/5.15: [87d9205d9a57dfc1f39f840b32e38475c3f523f6,
22c7d45ca3d7672f0b209783726d7559a2343f21]
stable/5.4: [7188c37f3c2527086aa46cbb37060fa73b144c65,
4fd6a6b1019e56ece1886d854a87051ffc86957f]

CVE-2023-23559: rndis_wlan: Prevent buffer overflow in rndis_query_oid

4.14, 4.19, and 5.4 were fixed.

Fixed status
mainline: [b870e73a56c4cccbec33224233eaf295839f228c]
stable/4.14: [8a97563bf04358f035a0b98142ae48f1ef095b61]
stable/4.19: [b4cc9d7ae9bed976de5463958afea2983b4ca57f]
stable/5.10: [802fd7623e9ed19ee809b503e93fccc1e3f37bd6]
stable/5.15: [8cbf932c5c40b0c20597fa623c308d5bde0848b5]
stable/5.4: [9042a9a3f29c942387e6d6036551d90c9ae6ce4f]
stable/6.1: [7794efa358bca8b8a2a80070c6e088a74945f018]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-02-02  0:55 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-02-02  0:55 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2023-0469: A use-after-free flaw was found in io_uring/filetable.c

CVSS v3 score is not provided

A use-after-free flaw was found in io_uring/filetable.c in
io_install_fixed_file in the io_uring subcomponent in the Linux Kernel
during call cleanup. This flaw may lead to a denial of service.

This bug was introduced by commit 61c1b44 ("io_uring: fix deadlock on
iowq file slot alloc") in 5.19-rc1.
It fixes 1339f24 ("io_uring: allow allocated fixed files for
openat/openat2") in 510-rc1.
This bug was fixed by commit 9d94c04 ("io_uring/filetable: fix file
reference underflow") in 6.1-rc7.
The commit 1339f24 is not backported to older stable kernels.

Fixed status
mainline: [9d94c04c0db024922e886c9fd429659f22f48ea4]

CVE-2023-0240: Privilege escalation bug in io_uring

CVSS v3 score is not provided (NIST)
CVSS v3 score is 7.8 HIGH (CNA)

There is a logic error in io_uring's implementation which can be used
to trigger a use-after-free vulnerability leading to privilege
escalation. In the io_prep_async_work function the assumption that the
last io_grab_identity call cannot return false is not true, and in
this case the function will use the init_cred or the previous linked
requests identity to do operations instead of using the current
identity. This can lead to reference counting issues causing
use-after-free.

It looks like it only affects 5.10.

Fixed status
mainline: [4379bf8bd70b5de6bba7d53015b0c36c57a634ee]
stable/5.10: [788d0824269bef539fe31a785b1517882eafed93]

CVE-2023-0590: net: sched: fix race condition in qdisc_graft()

CVSS v3 score is not provided.

A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c
in the Linux Kernel due to a race problem leading to a
denial-of-service problem.

It was introduced by commit af356af ("net_sched: reintroduce
dev->qdisc for use by sch_api") in 2.6.32-rc1 and fixed in 6.1-rc2.

Fixed status
mainline: [ebda44da44f6f309d302522b049f43d6f829f7aa]
stable/5.10: [7aa3d623c11b9ab60f86b7833666e5d55bac4be9]
stable/5.15: [ce1234573d183db1ebcab524668ca2d85543bf80]

CVE-2023-0597: kernel: x86/mm: Randomize per-cpu entry area

CVSS v3 score is not provided.

A new side-channel attack was found in prefetch instructions. It allows
an unprivileged attacker to obtain address information.
The details are published in the paper "Prefetch Side-Channel
Attacks: Bypassing SMAP and Kernel ASLR"
(https://gruss.cc/files/prefetch.pdf).

Fixed status
mainline: [97e3d26b5e5f371b3ee223d94dd123e6c442ba80]

* Updated CVEs

CVE-2023-23559: rndis_wlan: Prevent buffer overflow in rndis_query_oid

Mainline, 5.10, 5.15, and 6.1 were fixed.

Fixed status
mainline: [b870e73a56c4cccbec33224233eaf295839f228c]
stable/5.10: [802fd7623e9ed19ee809b503e93fccc1e3f37bd6]
stable/5.15: [8cbf932c5c40b0c20597fa623c308d5bde0848b5]
stable/6.1: [7794efa358bca8b8a2a80070c6e088a74945f018]

CVE-2022-4129: l2tp: missing lock when clearing sk_user_data can lead
to NULL pointer dereference

Stable 5.10 and 5.15 were fixed.

Fixed status
mainline: [b68777d54fac21fc833ec26ea1a2a84f975ab035,
af295e854a4e3813ffbdef26dbb6a4d6226c3ea1]
stable/5.10: [e34a965f771f1977f172593c73e373036c765724,
5b209b8c99d487a1c32983981bf3552980fda591]
stable/5.15: [87d9205d9a57dfc1f39f840b32e38475c3f523f6,
22c7d45ca3d7672f0b209783726d7559a2343f21]

CVE-2022-4382: usb: A use-after-free Write in put_dev

Mainline, 5.10, 5.15, 5.4, and 6.1 were fixed.
This vulnerability was introduced by commit e5d82a7360d1 ("vfs:
Convert gadgetfs to use the new mount API") in 5.3-rc1, so 4.x are not
affected.

Fixed status
mainline: [d18dcfe9860e842f394e37ba01ca9440ab2178f4]
stable/5.10: [856e4b5e53f21edbd15d275dde62228dd94fb2b4]
stable/5.15: [a2e075f40122d8daf587db126c562a67abd69cf9]
stable/5.4: [9a39f4626b361ee7aa10fd990401c37ec3b466ae]
stable/6.1: [616fd34d017000ecf9097368b13d8a266f4920b3]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: New CVE entries this week
  2023-02-01  8:09 ` Dan Carpenter
@ 2023-02-01 13:59   ` Dan Carpenter
  0 siblings, 0 replies; 93+ messages in thread
From: Dan Carpenter @ 2023-02-01 13:59 UTC (permalink / raw)
  To: Masami Ichikawa, Jason Wang; +Cc: cip-dev


It turned out fairly easy to write this check.  There are now just 48
warnings so that's not too bad.  I'm attaching the list and the code
to generate it.  I'm trying to involve more people in analyzing Smatch
warnings so I'm going to explain how I read these in depth below.

This is the most interesting warning.  I've added Jason Wang to the
CC list because he knows the code better than I would.

drivers/net/tap.c:1227 tap_sendmsg() warn: uncapped user loop index 'i'
  1216  static int tap_sendmsg(struct socket *sock, struct msghdr *m,
  1217                         size_t total_len)
  1218  {
  1219          struct tap_queue *q = container_of(sock, struct tap_queue, sock);
  1220          struct tun_msg_ctl *ctl = m->msg_control;
  1221          struct xdp_buff *xdp;
  1222          int i;
  1223  
  1224          if (m->msg_controllen == sizeof(struct tun_msg_ctl) &&
  1225              ctl && ctl->type == TUN_MSG_PTR) {
  1226                  for (i = 0; i < ctl->num; i++) {
  1227                          xdp = &((struct xdp_buff *)ctl->ptr)[i];
  1228                          tap_get_user_xdp(q, xdp);
  1229                  }
  1230                  return 0;
  1231          }
  1232  
  1233          return tap_get_user(q, ctl ? ctl->ptr : NULL, &m->msg_iter,
  1234                              m->msg_flags & MSG_DONTWAIT);
  1235  }
Here Smatch thinks m->msg_control is controlled by the user because of
this code from ____sys_sendmsg():
net/socket.c
  2479                  if (copy_from_user(ctl_buf, msg_sys->msg_control_user, ctl_len))
  2480                          goto out_freectl;
  2481                  msg_sys->msg_control = ctl_buf;
                        ^^^^^^^^^^^^^^^^^^^^
Of course this would be a very serious bug if it's real, but I don't
have the expertise to evaluate it properly.

drivers/char/agp/generic.c:271 agp_allocate_memory() warn: uncapped user loop index 'i'
   248          scratch_pages = (page_count + ENTRIES_PER_PAGE - 1) / ENTRIES_PER_PAGE;
   249  
   250          new = agp_create_memory(scratch_pages);
	...
   264          for (i = 0; i < page_count; i++) {
	...
   271                  new->pages[i] = page;

In this code, we allocate "scratch_pages" number of pages.  Smatch does
not properly track the relationship between page_count and
scratch_pages or the relationship between scratch_pages and
new->pages.  Two things which should be fixed.

drivers/dma/qcom/hidma_mgmt.c:101 hidma_mgmt_setup() warn: uncapped user loop index 'i'
This is the first real bug, but it's root only so it's not a security
issue.  I have reported it.

drivers/comedi/comedi_fops.c:1445 parse_insn() warn: uncapped user loop index 'i'
If you look at do_insn_ioctl() the size of the "data" array is "n_data"
and "n_data" is more than "insn->n".  Smatch tries to track when a
variable *is* the array size, but I don't think we will track that the
variable is less than the array size across function boundaries.

drivers/net/can/sun4i_can.c:458 sun4ican_start_xmit() warn: uncapped user loop index 'i'
CAN is problematic for Smatch because when it receives a packet it takes
skb->data (which is a buffer of u8) and then checks it and then stuffs
it back into the buffer of u8.  When the buffer gets stuffed back into
skb->data then the details about how it was checked are lost.  Probably
it's safe to ignore all 8 drivers/net/can/ warnings.

drivers/net/wireless/ath/ath10k/htt_rx.c:2988 ath10k_htt_rx_tx_compl_ind() warn: uncapped user loop index 'i'
Smatch assumes that every skb->data holds untrusted data.  One place
where this assumption fails is on the sending path.  I notice that this
function has both RX and TX in the name, so it might be a send path.
I do not know if this is a real bug or not.

drivers/net/wireless/ath/ath6kl/wmi.c:1304 ath6kl_wmi_neighbor_report_event_rx() warn: uncapped user loop index 'i'
  1287  static int ath6kl_wmi_neighbor_report_event_rx(struct wmi *wmi, u8 *datap,
  1288                                                 int len, struct ath6kl_vif *vif)
  1289  {
  1290          struct wmi_neighbor_report_event *ev;
  1291          u8 i;
  1292  
  1293          if (len < sizeof(*ev))
  1294                  return -EINVAL;
  1295          ev = (struct wmi_neighbor_report_event *) datap;
  1296          if (struct_size(ev, neighbor, ev->num_neighbors) > len) {
                                              ^^^^^^^^^^^^^^^^^
Smatch needs to be fixed to recognize that "ev->num_neighbors" is checked
here.  Fixable.

  1297                  ath6kl_dbg(ATH6KL_DBG_WMI,
  1298                             "truncated neighbor event (num=%d len=%d)\n",
  1299                             ev->num_neighbors, len);
  1300                  return -EINVAL;
  1301          }
  1302          for (i = 0; i < ev->num_neighbors; i++) {
  1303                  ath6kl_dbg(ATH6KL_DBG_WMI, "neighbor %d/%d - %pM 0x%x\n",
  1304                             i + 1, ev->num_neighbors, ev->neighbor[i].bssid,
  1305                             ev->neighbor[i].bss_flags);
  1306                  cfg80211_pmksa_candidate_notify(vif->ndev, i,
  1307                                                  ev->neighbor[i].bssid,
  1308                                                  !!(ev->neighbor[i].bss_flags &
  1309                                                     WMI_PREAUTH_CAPABLE_BSS),
  1310                                                  GFP_ATOMIC);
  1311          }
  1312  
  1313          return 0;
  1314  }

drivers/net/wireless/quantenna/qtnfmac/commands.c:1100 qtnf_parse_variable_mac_info() warn: uncapped user loop index 'i'
  1079                          rec_len = sizeof(*rec) + rec->n_limits * sizeof(*lim);
  1080  
  1081                          if (unlikely(tlv_value_len != rec_len)) {
Another false positive.  This bounds checking on "rec->n_limits" was too
complicated for Smatch.

drivers/net/ethernet/mediatek/mtk_wed_mcu.c:82 mtk_wed_update_rx_stats() warn: uncapped user loop index 'i'
    64  static void
    65  mtk_wed_update_rx_stats(struct mtk_wed_device *wed, struct sk_buff *skb)
    66  {
    67          u32 count = get_unaligned_le32(skb->data);
    68          struct mtk_wed_wo_rx_stats *stats;
    69          int i;
    70  
    71          if (count * sizeof(*stats) > skb->len - sizeof(u32))
    72                  return;
    73  
    74          stats = (struct mtk_wed_wo_rx_stats *)(skb->data + sizeof(u32));
    75          for (i = 0 ; i < count ; i++)
    76                  wed->wlan.update_wo_rx_stats(wed, &stats[i]);
    77  }
The bounds checking is too complicated for Smatch, but also this code
is buggy.  Bug 1: There is no check to ensure that skb->len >= sizeof(u32).
Bug 2: On a 32 bit system the "count * sizeof(*stats)" multiplication
can lead to an integer overflow.  I have reported these bugs.

regards,
dan carpenter

[-- Attachment #2: err-list --]
[-- Type: text/plain, Size: 4210 bytes --]

drivers/char/agp/generic.c:271 agp_allocate_memory() warn: uncapped user loop index 'i'
drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_events.c:948 kfd_wait_on_events() warn: uncapped user loop index 'i'
drivers/gpu/drm/msm/msm_gem_submit.c:966 msm_ioctl_gem_submit() warn: uncapped user loop index 'i'
drivers/gpu/drm/msm/msm_gem_submit.c:974 msm_ioctl_gem_submit() warn: uncapped user loop index 'i'
drivers/dma/qcom/hidma_mgmt.c:101 hidma_mgmt_setup() warn: uncapped user loop index 'i'
drivers/comedi/comedi_fops.c:1445 parse_insn() warn: uncapped user loop index 'i'
drivers/net/can/sun4i_can.c:458 sun4ican_start_xmit() warn: uncapped user loop index 'i'
drivers/net/can/usb/esd_usb.c:769 esd_usb_start_xmit() warn: uncapped user loop index 'i'
drivers/net/can/usb/ems_usb.c:780 ems_usb_start_xmit() warn: uncapped user loop index 'i'
drivers/net/can/cc770/cc770.c:419 cc770_tx() warn: uncapped user loop index 'i'
drivers/net/can/slcan/slcan-core.c:521 slcan_encaps() warn: uncapped user loop index 'i'
drivers/net/can/rcar/rcar_can.c:605 rcar_can_start_xmit() warn: uncapped user loop index 'i'
drivers/net/can/sja1000/sja1000.c:321 sja1000_start_xmit() warn: uncapped user loop index 'i'
drivers/net/wireless/ath/ath10k/htt_rx.c:2988 ath10k_htt_rx_tx_compl_ind() warn: uncapped user loop index 'i'
drivers/net/wireless/ath/ath10k/htt_rx.c:3427 ath10k_htt_rx_tx_fetch_ind() warn: uncapped user loop index 'i'
drivers/net/wireless/ath/ath6kl/wmi.c:1304 ath6kl_wmi_neighbor_report_event_rx() warn: uncapped user loop index 'i'
drivers/net/wireless/quantenna/qtnfmac/commands.c:1100 qtnf_parse_variable_mac_info() warn: uncapped user loop index 'i'
drivers/net/ethernet/mediatek/mtk_wed_mcu.c:82 mtk_wed_update_rx_stats() warn: uncapped user loop index 'i'
drivers/net/tap.c:1227 tap_sendmsg() warn: uncapped user loop index 'i'
drivers/net/amt.c:1417 amt_add_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1420 amt_add_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1505 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1508 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1528 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1531 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1549 amt_lookup_act_srcs() warn: uncapped user loop index 'j'
drivers/net/amt.c:1552 amt_lookup_act_srcs() warn: uncapped user loop index 'j'
drivers/net/amt.c:1570 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/net/amt.c:1573 amt_lookup_act_srcs() warn: uncapped user loop index 'i'
drivers/xen/gntalloc.c:152 add_grefs() warn: uncapped user loop index 'i'
drivers/xen/gntdev.c:974 gntdev_ioctl_grant_copy() warn: uncapped user loop index 'i'
fs/btrfs/send.c:7998 flush_delalloc_roots() warn: uncapped user loop index 'i'
fs/nfs/dir.c:226 nfs_readdir_clear_array() warn: uncapped user loop index 'i'
fs/nfs/dir.c:547 nfs_readdir_search_for_cookie() warn: uncapped user loop index 'i'
fs/nfsd/export.c:326 nfsd4_fslocs_free() warn: uncapped user loop index 'i'
fs/remap_range.c:533 vfs_dedupe_file_range() warn: uncapped user loop index 'i'
arch/x86/kvm/svm/sev.c:545 sev_launch_update_data() warn: uncapped user loop index 'i'
net/can/isotp.c:345 check_pad() warn: uncapped user loop index 'i'
net/wireless/nl80211.c:5637 nl80211_check_ap_rate_selectors() warn: uncapped user loop index 'i'
net/sctp/outqueue.c:1236 sctp_sack_update_unack_data() warn: uncapped user loop index 'i'
net/sctp/outqueue.c:1796 sctp_acked() warn: uncapped user loop index 'i'
net/rxrpc/call_event.c:149 rxrpc_resend() warn: uncapped user loop index 'i'
net/bluetooth/hci_codec.c:158 hci_read_supported_codecs() warn: uncapped user loop index 'i'
net/bluetooth/hci_codec.c:178 hci_read_supported_codecs() warn: uncapped user loop index 'i'
net/bluetooth/hci_codec.c:227 hci_read_supported_codecs_v2() warn: uncapped user loop index 'i'
net/bluetooth/hci_codec.c:245 hci_read_supported_codecs_v2() warn: uncapped user loop index 'i'
net/bluetooth/mgmt.c:5375 parse_adv_monitor_pattern() warn: uncapped user loop index 'i'
net/ncsi/ncsi-rsp.c:938 ncsi_rsp_handler_gp() warn: uncapped user loop index 'i'

[-- Attachment #3: check_user_loop_out_of_bounds.c --]
[-- Type: text/x-csrc, Size: 3013 bytes --]

/*
 * Copyright (C) 2019 Oracle.
 * Copyright (C) 2023 Dan Carpenter.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"

static int my_id;

STATE(uncapped);

/*
 * For a statement of the form "for (i = 0; i < n; i++)" return the
 * expression "i", i.e. the left hand side of the assignment in the
 * iterator's pre statement.  Returns NULL for anything else.
 */
static struct expression *get_iterator(struct statement *stmt)
{
	struct expression *expr;

	if (!stmt ||
	    stmt->type != STMT_ITERATOR ||
	    !stmt->iterator_pre_statement ||
	    stmt->iterator_pre_statement->type != STMT_EXPRESSION)
		return NULL;

	expr = strip_expr(stmt->iterator_pre_statement->expression);
	if (!expr || expr->type != EXPR_ASSIGNMENT)
		return NULL;

	return strip_expr(expr->left);
}

/*
 * Runs on every condition.  When the condition is the loop test of a for
 * statement, and the right hand side is user controlled, has no known
 * upper bound (whole range) and is not capped elsewhere, mark the loop
 * iterator as "uncapped" on the true path into the loop body.
 */
static void match_condition(struct expression *expr)
{
	struct expression *iterator;
	struct statement *parent;
	struct range_list *rl;

	if (!__in_pre_condition || expr->type != EXPR_COMPARE)
		return;

	parent = expr_get_parent_stmt(expr);
	if (!parent)
		return;

	iterator = get_iterator(parent);
	if (!iterator)
		return;

	if (!get_user_rl(expr->right, &rl))
		return;

	if (!is_whole_rl(rl) || user_rl_capped(expr->right))
		return;

	set_true_false_states_expr(my_id, iterator, &uncapped, NULL);
}

/*
 * Walk up to ten levels of parent expressions looking for a
 * copy_from_user() call in which this array access is the source
 * argument.  Reading user memory through an uncapped index is not the
 * kernel out of bounds access this check is after.
 */
static bool is_copy_from_user_src(struct expression *expr)
{
	struct expression *parent;
	struct expression *src;
	int cnt = 0;

	while (cnt++ < 10) {
		parent = expr_get_parent_expr(expr);
		if (!parent)
			return false;
		if (parent->type != EXPR_CALL ||
		    !sym_name_is("copy_from_user", parent->fn)) {
			expr = parent;
			continue;
		}
		src = get_argument_from_call_expr(parent->args, 1);
		src = strip_expr(src);
		expr = strip_expr(expr);
		return src == expr;
	}
	return false;
}

/*
 * Runs on every array dereference.  Warn when the index is an uncapped
 * user loop iterator, the access is not already known to be in bounds,
 * and the index's absolute range reaches the array size.  The state is
 * cleared after warning once so one loop does not produce duplicates.
 */
static void array_check(struct expression *expr)
{
	struct expression *array_expr, *idx;
	struct range_list *rl;
	int array_size;
	char *name;

	idx = get_array_offset(expr);
	if (get_state_expr(my_id, idx) != &uncapped)
		return;

	if (buf_comparison_index_ok(expr))
		return;

	get_absolute_rl(idx, &rl);

	array_expr = get_array_base(expr);
	array_size = get_array_size(array_expr);
	if (rl_max(rl).uvalue < array_size)
		return;

	if (is_copy_from_user_src(expr))
		return;

	name = expr_to_str(idx);
	sm_warning("uncapped user loop index '%s'", name);
	free_string(name);

	set_state_expr(my_id, idx, &undefined);
}

void check_user_loop_out_of_bounds(int id)
{
	my_id = id;

	add_hook(&match_condition, CONDITION_HOOK);
	add_hook(&array_check, OP_HOOK);
}


* Re: New CVE entries this week
  2022-12-21 22:58 Masami Ichikawa
@ 2023-02-01  8:09 ` Dan Carpenter
  2023-02-01 13:59   ` Dan Carpenter
  0 siblings, 1 reply; 93+ messages in thread
From: Dan Carpenter @ 2023-02-01  8:09 UTC (permalink / raw)
  To: Masami Ichikawa; +Cc: cip-dev

[ Still going through old stuff from the holiday season ]

On Thu, Dec 22, 2022 at 07:58:48AM +0900, Masami Ichikawa wrote:
> CVE-2022-47518: wifi: wilc1000: validate number of channels
> 
> CVSS v3 score is not provided
> 
> An issue was discovered in the Linux kernel before 6.0.11. Missing
> validation of the number of channels in
> drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000
> wireless driver can trigger a heap-based buffer overflow when copying
> the list of operating channels from Wi-Fi management frames.
> 
> It looks like the vulnerable function is not present in 4.4 and 4.9.
> That function is present in 5.4 and 4.19; however, this driver was a
> staging driver at that time.
> Also, the implementation of wilc_wfi_cfg_parse_ch_attr() in 5.4 and 4.19
> is different from the newer code. It seems as if they are not affected.
> 
> Fixed status
> mainline: [0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0]
> stable/5.10: [3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800]
> stable/5.15: [7aed1dd5d221dabe3fe258f13ecf5fc7df393cbb]
> stable/6.0: [6195b4838e10a557859862c4e7840dc0eafdd1cd]
> 
> CVE-2022-47519: wifi: wilc1000: validate length of
> IEEE80211_P2P_ATTR_OPER_CHANNEL attribute

This is probably something which could have been caught with static
analysis.  The first problem was that cfg80211_find_vendor_ie() takes
a struct and casts it to a char *.  Smatch correctly marks some of the
struct members as user data, but loses that information when the cast
happens.

It is easy to hard code cfg80211_find_vendor_ie() as returning user data
so we avoid this bug in the future.

diff --git a/smatch_points_to_user_data.c b/smatch_points_to_user_data.c
index 4267b85b53a7..f632d8c84452 100644
--- a/smatch_points_to_user_data.c
+++ b/smatch_points_to_user_data.c
@@ -49,7 +49,7 @@ STATE(user_data_set);
 static const char *returns_pointer_to_user_data[] = {
 	"nlmsg_data", "nla_data", "memdup_user", "kmap_atomic", "skb_network_header",
 	"cfg80211_find_elem_match", "ieee80211_bss_get_elem", "cfg80211_find_elem",
-	"ieee80211_bss_get_ie",
+	"ieee80211_bss_get_ie", "cfg80211_find_vendor_ie",
 };
 
 bool is_skb_data(struct expression *expr)
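Review bot: the existing cfg80211 entries in returns_pointer_to_user_data[] come in pairs (cfg80211_find_elem_match / cfg80211_find_elem, ieee80211_bss_get_elem / ieee80211_bss_get_ie), but this hunk adds only cfg80211_find_vendor_ie; its elem-returning sibling cfg80211_find_vendor_elem, which the ie variant wraps, is not listed, so call sites that use the elem form would still lose the user-data marking. Consider adding `"cfg80211_find_vendor_elem",` on the same line. A one-line comment above the array stating that every name here returns a pointer into attacker-controlled data would also help whoever extends the list after the next CVE.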

Then from there, I actually have an unpublished static checker warning
which would have triggered.

drivers/net/wireless/microchip/wilc1000/cfg80211.c:991 wilc_wfi_cfg_parse_ch_attr() warn: uncapped user loop: 'attr_size'

Currently it prints 178 warnings.  It warns for things like:

        for (i = 0; i < user_controlled_value; i++)

But it's kind of useless.  There are too many times where the loop is
uncapped but it doesn't result in an out of bounds access.  For example,
the user_controlled_value could be number of seconds instead of array
offsets.  I need to add to the check and cut down on the false
positives.  I will do that today.

Update on my employment situation:  I have been lazy about looking for
Smatch funding.  But a lot of the things I'm looking at are a
subscription model where people get the warnings instead of the source
code.  These emails are intended to help the Kernel security community
to understand better how to continue the work after I have moved on.
Please email me if you have questions, because right now I have time and
I want to help people take on this work.

regards,
dan carpenter


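The two loop shapes described in the message above, as an added example that is not part of this thread or of the wilc1000 driver: a count-prefixed channel list (a constructed layout, not the real IEEE80211_P2P_ATTR_OPER_CHANNEL encoding) is copied once with the peer-supplied count as the raw loop bound, the pattern the "uncapped user loop" warning targets, and once with the count checked against both the destination array and the bytes actually received. MAX_CHANNELS, the function names and the sample frames are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size destination, standing in for the driver's array. */
#define MAX_CHANNELS 8
#define CANARY 0xA5

/*
 * Constructed attribute layout (not the real 802.11 encoding):
 *   attr[0]     number of channels the peer claims to list
 *   attr[1..n]  one byte per channel
 */

/* Vulnerable pattern: the loop bound is the peer-supplied count.  The copy
 * stays inside the received frame, but nothing relates n to the size of
 * dst, so a count above MAX_CHANNELS writes past the destination. */
static size_t copy_channels_uncapped(uint8_t *dst, const uint8_t *attr,
				     size_t attr_len)
{
	size_t n, i;

	if (attr_len < 1)
		return 0;
	n = attr[0];				/* user controlled, never capped */
	for (i = 0; i < n && 1 + i < attr_len; i++)
		dst[i] = attr[1 + i];
	return i;
}

/* Hardened version: the count is checked against the destination capacity
 * and against the bytes present in the frame before the loop runs. */
static int copy_channels_capped(uint8_t dst[MAX_CHANNELS], size_t *out_n,
				const uint8_t *attr, size_t attr_len)
{
	size_t n, i;

	if (attr_len < 1)
		return -1;
	n = attr[0];
	if (n > MAX_CHANNELS)			/* cap against the destination */
		return -1;
	if (attr_len < 1 + n)			/* cap against the source */
		return -1;
	for (i = 0; i < n; i++)
		dst[i] = attr[1 + i];
	*out_n = n;
	return 0;
}

/* Runs the uncapped copy into a scratch buffer deliberately larger than the
 * logical MAX_CHANNELS array, so the overrun is observable rather than
 * undefined behaviour.  Returns how many canary bytes beyond the logical
 * array were clobbered (12 for a claimed count of 20). */
size_t demo_overrun(void)
{
	uint8_t scratch[64];
	uint8_t attr[1 + 20];			/* constructed frame: 20 channels */
	size_t i, clobbered = 0;

	memset(scratch, CANARY, sizeof(scratch));
	attr[0] = 20;
	for (i = 0; i < 20; i++)
		attr[1 + i] = (uint8_t)(36 + 4 * i);	/* 5 GHz channel numbers */
	copy_channels_uncapped(scratch, attr, sizeof(attr));
	for (i = MAX_CHANNELS; i < sizeof(scratch); i++)
		if (scratch[i] != CANARY)
			clobbered++;
	return clobbered;
}

/* Exercises the capped copy on a valid, an oversized and a truncated frame.
 * Returns 0 when every case is handled, or the number of the failing case. */
int demo_capped(void)
{
	uint8_t dst[MAX_CHANNELS];
	size_t n = 0;
	const uint8_t good[] = { 3, 36, 40, 44 };	/* claims 3, sends 3 */
	const uint8_t oversized[] = { 20, 36, 40, 44 };	/* claims 20, sends 3 */
	const uint8_t truncated[] = { 3, 36 };		/* claims 3, sends 1 */

	if (copy_channels_capped(dst, &n, good, sizeof(good)) != 0 ||
	    n != 3 || dst[2] != 44)
		return 1;
	if (copy_channels_capped(dst, &n, oversized, sizeof(oversized)) == 0)
		return 2;
	if (copy_channels_capped(dst, &n, truncated, sizeof(truncated)) == 0)
		return 3;
	return 0;
}

int main(void)
{
	printf("uncapped copy clobbered %zu bytes past the array\n", demo_overrun());
	printf("capped copy: %s\n", demo_capped() == 0 ? "all cases handled" : "FAILED");
	return 0;
}
```

The uncapped loop is exactly what Smatch sees: the bound is user data with a whole range, and no comparison relates it to the array. The hardened version gives the analyser two capping comparisons, one per thing the count must not exceed; checking only one of them leaves either a write past dst or a read past the frame.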

* New CVE entries this week
@ 2023-01-25 23:59 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-01-25 23:59 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 1 new CVE and 2 updated CVEs.

Project Zero recently published a technique for exploiting a NULL
pointer dereference on a modern kernel
(https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html).
The article recommends the oops_limit feature to prevent this
exploitation technique. The oops_limit feature has been backported to
6.1.y (https://lore.kernel.org/stable/202301191532.AEEC765@keescook/T/#u).
The oops_limit patches are available for 5.10
(https://lore.kernel.org/stable/20230124193004.206841-1-ebiggers@kernel.org/)
and 5.15 (https://lore.kernel.org/stable/20230124185110.143857-1-ebiggers@kernel.org/).

* New CVEs

CVE-2023-0468: use-after-free in io_uring poll events due to race condition

CVSS v3 score is not provided

A use-after-free flaw was found in io_uring/poll.c in
io_poll_check_events in the io_uring subcomponent in the Linux Kernel
due to a race condition of poll_refs.
This flaw may cause a NULL pointer dereference.

This bug was introduced by commit aa43477 ("io_uring: poll rework") in 5.17-rc1.
This commit was backported to 5.15, so 5.15 is affected. It wasn't
backported to 5.4 or 5.10.

Fixed status
mainline: [12ad3d2d6c5b0131a6052de91360849e3e154846,
a26a35e9019fd70bf3cf647dcfdae87abc7bacea]
stable/5.15: [df4b177b48516da64b988722a22d93d257dcda9a,
4b702b7d11ce1b9d26fc6d7c5a7ef4ac1d455048]

* Updated CVEs

CVE-2023-0179: netfilter: nft_payload: incorrect arithmetics when
fetching VLAN header bits

Fixed status
mainline: [696e1a48b1a1b01edad542a1ef293665864a4dd0]
stable/5.10: [550efeff989b041f3746118c0ddd863c39ddc1aa]
stable/5.15: [a8acfe2c6fb99f9375a9325807a179cd8c32e6e3]
stable/6.1: [76ef74d4a379faa451003621a84e3498044e7aa3]

CVE-2022-4842: fs/ntfs3: Fix attr_punch_hole() null pointer dereference

5.15 and 6.1 were fixed.

Fixed status
mainline: [6d5c9e79b726cc473d40e9cb60976dbe8e669624]
stable/5.15: [9cca110cf8bb0653b423dba7a7c4cc23ccf91b28]
stable/6.1: [ff3b1a624380c14b81f4e51c48e404a45f047aab]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: New CVE entries this week
  2023-01-19 13:56   ` Masami Ichikawa
@ 2023-01-19 15:24     ` Dan Carpenter
  0 siblings, 0 replies; 93+ messages in thread
From: Dan Carpenter @ 2023-01-19 15:24 UTC (permalink / raw)
  To: Masami Ichikawa; +Cc: cip-dev, Harshit Mogalapalli

So I went through the list again and those two were the only real bugs I
spotted.

The point is not really about this specific list of warnings, it's just
the process of thinking about and asking how we improve going forward.  This was
only one of the action items.  Another was why was Smatch not warning
about missing checks for kmalloc() failure?  I have fixed this, but
I forget what the fix was.  Also apparently I didn't publish the fix and
the released code still does not warn.

Another question was that the Smatch check for this is very old and it
assumes that everything with a gfp_t flag is an allocation, which is
fine.  But alloc_workqueue() doesn't take a gfp_t flag and it also needs
to be checked for NULL, so stuff like that needs to be added as well.

regards,
dan carpenter



* Re: New CVE entries this week
  2023-01-19  7:51 ` Dan Carpenter
@ 2023-01-19 13:56   ` Masami Ichikawa
  2023-01-19 15:24     ` Dan Carpenter
  0 siblings, 1 reply; 93+ messages in thread
From: Masami Ichikawa @ 2023-01-19 13:56 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: cip-dev, Harshit Mogalapalli

Hi.

On Thu, Jan 19, 2023 at 4:51 PM Dan Carpenter <error27@gmail.com> wrote:
>
> On Thu, Dec 15, 2022 at 12:25:18PM +0900, Masami Ichikawa wrote:
> > CVE-2022-4378: Linux kernel stack-based buffer overflow in __do_proc_dointvec
> >
> > CVSS v3 score is not provided
> >
> > A stack overflow bug was found in __do_proc_dointvec() which missed
> > checking on user input.
> > This bug affected all stable kernels. It seems as if 4.4 is affected too.
> >
> > Fixed status
> > mainline: [bce9332220bd677d83b19d21502776ad555a0e73,
> > e6cfaf34be9fcd1a8285a294e18986bfc41a409c]
>
> One thing that we used to do at Oracle was a bi-weekly meeting where we
> would go through these lists and try to be a bit proactive about
> preventing future bugs.  For me I'm trying to use Smatch for static
> analysis.
>
> There are some bugs which Smatch can't identify like race conditions or
> if there is an issue with the spec.  But a lot of bugs can be
> prevented.  So it's often an issue of 1) There isn't a Smatch check for
> that.  2) The Smatch check exists but isn't working correctly.  3) The
> Smatch check prints a warning but there are too many warning for that
> check so I can't go through them all.
>
> First of all, why wasn't *size marked as user controlled?  It turned out
> that it comes from iov_iter_count() and that wasn't marked as user
> controlled.  Fix that:
> https://github.com/error27/smatch/commit/70ee7aa1ae8cc07767096e16fa2de68a62507a3e
>
> Once that was fixed, it turned out that I did have an unpublished check
> which printed a warning.
> kernel/sysctl.c:358 proc_get_long() warn: check 'tmp[len]' for negative offsets 'len' = s32min.  extra = 's32min-21'
>
> But it turns out that warning was because of a bug.  The check was
> asking whether "*size" can be user controlled and whether the minimum
> possible value is negative, but it should have been asking if the
> minimum user controlled value is negative.
>
> Fixing the check to ask about user controlled values silenced the
> warning.  The issue with that is:
>
>         left -= proc_skip_spaces(&p);
>
> Subtractions are very hard to handle correctly because you need to keep
> track of the relationships between multiple variables.  Smatch
> deliberately assumes that this subtraction cannot underflow.  Otherwise
> you end up with too many false positives...
>
> I've been sitting on this check for the past ten years without
> publishing it.  May as well attach it now and also the results.  I don't
> know why the check has __per_cpu_offset stuff or why it ignores ntohl().
> I should probably delete that and see what happens.  Going through the
> results, a bunch of false positives are caused by subtraction (which is
> complicated).  Or because Smatch doesn't understand about
> array_index_nospec() (I should fix that).
>
> Anyway, even though I wasn't able to generate a warning for this bug,
> it was still useful to have the discussion and improve Smatch.
>

Thank you for the information about Smatch. It's really helpful. I
think it is important to learn from reported bugs and then prevent
future bugs, as you did.
I'll try to use Smatch.

> regards,
> dan carpenter
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: New CVE entries this week
  2022-12-15  3:25 Masami Ichikawa
@ 2023-01-19  7:51 ` Dan Carpenter
  2023-01-19 13:56   ` Masami Ichikawa
  0 siblings, 1 reply; 93+ messages in thread
From: Dan Carpenter @ 2023-01-19  7:51 UTC (permalink / raw)
  To: Masami Ichikawa; +Cc: cip-dev, Harshit Mogalapalli

[-- Attachment #1: Type: text/plain, Size: 2769 bytes --]

On Thu, Dec 15, 2022 at 12:25:18PM +0900, Masami Ichikawa wrote:
> CVE-2022-4378: Linux kernel stack-based buffer overflow in __do_proc_dointvec
> 
> CVSS v3 score is not provided
> 
> A stack overflow bug was found in __do_proc_dointvec() which missed
> checking on user input.
> This bug affected all stable kernels. It seems as if 4.4 is affected too.
> 
> Fixed status
> mainline: [bce9332220bd677d83b19d21502776ad555a0e73,
> e6cfaf34be9fcd1a8285a294e18986bfc41a409c]

One thing that we used to do at Oracle was a bi-weekly meeting where we
would go through these lists and try to be a bit proactive about
preventing future bugs.  For me I'm trying to use Smatch for static
analysis.

There are some bugs which Smatch can't identify like race conditions or
if there is an issue with the spec.  But a lot of bugs can be
prevented.  So it's often an issue of 1) There isn't a Smatch check for
that.  2) The Smatch check exists but isn't working correctly.  3) The
Smatch check prints a warning but there are too many warning for that
check so I can't go through them all.

First of all, why wasn't *size marked as user controlled?  It turned out
that it comes from iov_iter_count() and that wasn't marked as user
controlled.  Fix that:
https://github.com/error27/smatch/commit/70ee7aa1ae8cc07767096e16fa2de68a62507a3e

Once that was fixed, it turned out that I did have an unpublished check
which printed a warning.
kernel/sysctl.c:358 proc_get_long() warn: check 'tmp[len]' for negative offsets 'len' = s32min.  extra = 's32min-21'

But it turns out that warning was because of a bug.  The check was
asking whether "*size" can be user controlled and whether the minimum
possible value is negative, but it should have been asking if the
minimum user controlled value is negative.

Fixing the check to ask about user controlled values silenced the
warning.  The issue with that is:

	left -= proc_skip_spaces(&p);

Subtractions are very hard to handle correctly because you need to keep
track of the relationships between multiple variables.  Smatch
deliberately assumes that this subtraction cannot underflow.  Otherwise
you end up with too many false positives...

I've been sitting on this check for the past ten years without
publishing it.  May as well attach it now and also the results.  I don't
know why the check has __per_cpu_offset stuff or why it ignores ntohl().
I should probably delete that and see what happens.  Going through the
results, a bunch of false positives are caused by subtraction (which is
complicated).  Or because Smatch doesn't understand about
array_index_nospec() (I should fix that).

Anyway, even though I wasn't able to generate a warning for this bug,
it was still useful to have the discussion and improve Smatch.

regards,
dan carpenter


[-- Attachment #2: check_underflow.c --]
[-- Type: text/x-csrc, Size: 2073 bytes --]

/*
 * Copyright (C) 2013 Oracle.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"

static int my_id;

/*
 * Skip offsets produced by the ntohl()/ntohs() macros.  A byte swapped
 * value from the network is user controlled, but when Smatch cannot
 * narrow its range at all the warning is just noise.
 */
static int is_user_macro(struct expression *expr)
{
	char *macro;
	struct range_list *rl;

	macro = get_macro_name(expr->pos);

	if (!macro)
		return 0;
	if (get_implied_rl(expr, &rl) && !is_whole_rl(rl))
		return 0;
	if (strcmp(macro, "ntohl") == 0)
		return 1;
	if (strcmp(macro, "ntohs") == 0)
		return 1;
	return 0;
}

/*
 * Runs on every array dereference.  Warn when the offset is user
 * controlled and the minimum user controlled value is negative, i.e. the
 * access can land before the start of the array.
 */
static void array_check(struct expression *expr)
{
	struct expression *offset;
	struct smatch_state *state;
	struct range_list *rl;
	sval_t min;
	char *name, *offset_name;

	expr = strip_expr(expr);
	if (!is_array(expr))
		return;
	if (is_user_macro(expr))
		return;

	offset = get_array_offset(expr);

	/* Only user controlled offsets with a negative minimum are interesting. */
	if (!get_user_rl(offset, &rl))
		return;
	min = rl_min(rl);
	if (!sval_is_negative(min))
		return;

	/* An empty implied range means this path is unreachable. */
	state = get_state_expr(SMATCH_EXTRA, offset);
	if (state && !estate_rl(state))
		return;

	name = expr_to_str(expr);
	if (option_project == PROJ_KERNEL &&
	    name &&
	    strncmp("__per_cpu_offset", name, strlen("__per_cpu_offset")) == 0)
		goto free_name;
	offset_name = expr_to_str(offset);
	sm_msg("warn: check '%s' for negative offsets '%s' = %s.  extra = '%s'", name, offset_name, sval_to_str(min), state ? state->name : "unknown");
	free_string(offset_name);
free_name:
	free_string(name);
}

void check_underflow(int id)
{
	my_id = id;

	add_hook(&array_check, OP_HOOK);
}

[-- Attachment #3: err-list --]
[-- Type: text/plain, Size: 8232 bytes --]

drivers/accessibility/speakup/varhandlers.c:248 spk_set_num_var() warn: check 'var_data->u.n.out_str[val]' for negative offsets 'val' = 140405757965328.  extra = 's32min-s32max'
drivers/acpi/nfit/core.c:488 acpi_nfit_ctl() warn: check 'acpi_desc->family_dsm_mask[family]' for negative offsets 'family' = 139892171397136.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:658 set_proto_ctx_engines_parallel_submit() warn: check 'ext->engines[n]' for negative offsets 'n' = 140477319050128.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:663 set_proto_ctx_engines_parallel_submit() warn: check 'siblings[n]' for negative offsets 'n' = 140477317644816.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:666 set_proto_ctx_engines_parallel_submit() warn: check 'siblings[n]' for negative offsets 'n' = 140477317652624.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:678 set_proto_ctx_engines_parallel_submit() warn: check 'siblings[n]' for negative offsets 'n' = 140477316505488.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:679 set_proto_ctx_engines_parallel_submit() warn: check 'siblings[n]' for negative offsets 'n' = 140477316429968.  extra = 's32min-s32max'
drivers/gpu/drm/i915/gem/i915_gem_context.c:697 set_proto_ctx_engines_parallel_submit() warn: check 'siblings[n]' for negative offsets 'n' = 140477314564112.  extra = 's32min-s32max'
drivers/net/ethernet/atheros/atl1e/atl1e_ethtool.c:283 atl1e_set_eeprom() warn: check 'eeprom_buff[last_dword - first_dword]' for negative offsets 'last_dword - first_dword' = 140418698139664.  extra = 'unknown'
drivers/net/ethernet/atheros/atl1e/atl1e_ethtool.c:283 atl1e_set_eeprom() warn: check 'eeprom_buff[last_dword - first_dword]' for negative offsets 'last_dword - first_dword' = 140418698146704.  extra = 'unknown'
drivers/net/ethernet/atheros/atlx/atl2.c:1958 atl2_set_eeprom() warn: check 'eeprom_buff[last_dword - first_dword]' for negative offsets 'last_dword - first_dword' = 139632960086160.  extra = 'unknown'
drivers/net/ethernet/atheros/atlx/atl2.c:1958 atl2_set_eeprom() warn: check 'eeprom_buff[last_dword - first_dword]' for negative offsets 'last_dword - first_dword' = 139632960093968.  extra = 'unknown'
drivers/net/ethernet/emulex/benet/be_ethtool.c:1311 be_set_rxfh() warn: check 'adapter->rx_obj[j]' for negative offsets 'j' = 140694977039248.  extra = 's32min-s32max'
drivers/net/ethernet/intel/e1000/e1000_ethtool.c:506 e1000_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140658616621712.  extra = 'unknown'
drivers/net/ethernet/intel/e1000e/ethtool.c:610 e1000_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140551373387920.  extra = 'unknown'
drivers/net/ethernet/intel/igb/igb_ethtool.c:824 igb_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140138690652048.  extra = 'unknown'
drivers/net/ethernet/intel/igc/igc_ethtool.c:547 igc_ethtool_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 139829128802320.  extra = 'unknown'
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c:1077 ixgbe_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140353874581776.  extra = 'unknown'
drivers/net/ethernet/intel/ixgb/ixgb_ethtool.c:437 ixgb_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140135473156368.  extra = 'unknown'
drivers/net/usb/asix_common.c:709 asix_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140650219544976.  extra = 'unknown'
drivers/net/usb/ax88179_178a.c:601 ax88179_set_eeprom() warn: check 'eeprom_buff[last_word - first_word]' for negative offsets 'last_word - first_word' = 140521901784592.  extra = 'unknown'
drivers/net/wireless/ath/wcn36xx/smd.c:1988 wcn36xx_smd_send_beacon() warn: check 'msg_body.beacon[tim_off + 5 + pvm_len + pad]' for negative offsets 'tim_off + 5 + pvm_len + pad' = 140733510315840.  extra = 'unknown'
drivers/net/wireless/ath/wcn36xx/smd.c:1988 wcn36xx_smd_send_beacon() warn: check 'msg_body.beacon[tim_off + 5 + pvm_len + pad]' for negative offsets 'tim_off + 5 + pvm_len + pad' = 140733510315840.  extra = 'unknown'
drivers/net/wireless/ath/wcn36xx/smd.c:1988 wcn36xx_smd_send_beacon() warn: check 'msg_body.beacon[tim_off + 5 + pvm_len + pad]' for negative offsets 'tim_off + 5 + pvm_len + pad' = 140733510315840.  extra = 'unknown'
drivers/pci/endpoint/functions/pci-epf-ntb.c:2022 epf_ntb_mw1_store() warn: check 'ntb->mws_size[win_no - 1]' for negative offsets 'win_no - 1' = 140731588284720.  extra = 'unknown'
drivers/pci/endpoint/functions/pci-epf-ntb.c:2024 epf_ntb_mw2_store() warn: check 'ntb->mws_size[win_no - 1]' for negative offsets 'win_no - 1' = 140731588284720.  extra = 'unknown'
drivers/pci/endpoint/functions/pci-epf-ntb.c:2026 epf_ntb_mw3_store() warn: check 'ntb->mws_size[win_no - 1]' for negative offsets 'win_no - 1' = 140731588284720.  extra = 'unknown'
drivers/pci/endpoint/functions/pci-epf-ntb.c:2028 epf_ntb_mw4_store() warn: check 'ntb->mws_size[win_no - 1]' for negative offsets 'win_no - 1' = 140731588284720.  extra = 'unknown'
drivers/staging/rtl8192e/rtllib_rx.c:2158 rtllib_parse_info_param() warn: check 'info_element->data[3 + offset]' for negative offsets '3 + offset' = 140007844424848.  extra = 'unknown'
drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c:1658 ieee80211_parse_info_param() warn: check 'info_element->data[3 + offset]' for negative offsets '3 + offset' = 140178157514768.  extra = 'unknown'
fs/btrfs/send.c:8260 btrfs_ioctl_send() warn: check 'sctx->clone_roots[sctx->clone_roots_cnt++]' for negative offsets 'sctx->clone_roots_cnt' = 140002303789072.  extra = 's32min-s32max'
fs/btrfs/send.c:8260 btrfs_ioctl_send() warn: check 'sctx->clone_roots[sctx->clone_roots_cnt++]' for negative offsets 'sctx->clone_roots_cnt' = 140002303859088.  extra = 's32min-s32max'
net/ipv4/ip_options.c:547 ip_forward_options() warn: check 'optptr[optptr[2] - 5]' for negative offsets 'optptr[2] - 5' = 140729597154752.  extra = 'unknown'
net/ipv4/ip_options.c:561 ip_forward_options() warn: check 'optptr[srrptr - 1]' for negative offsets 'srrptr - 1' = 139857025290384.  extra = 'unknown'
net/ipv4/ip_options.c:567 ip_forward_options() warn: check 'optptr[srrptr - 1]' for negative offsets 'srrptr - 1' = 139857023710736.  extra = 'unknown'
net/ipv4/ip_options.c:575 ip_forward_options() warn: check 'optptr[optptr[2] - 9]' for negative offsets 'optptr[2] - 9' = 139857021970448.  extra = 'unknown'
net/ipv4/ip_options.c:616 ip_options_rcv_srr() warn: check 'optptr[srrptr - 1]' for negative offsets 'srrptr - 1' = 139857024107536.  extra = 'unknown'
net/ipv4/ip_options.c:616 ip_options_rcv_srr() warn: check 'optptr[srrptr - 1]' for negative offsets 'srrptr - 1' = 139857023562768.  extra = 'unknown'
net/ipv4/ip_options.c:616 ip_options_rcv_srr() warn: check 'optptr[srrptr - 1]' for negative offsets 'srrptr - 1' = 139857020230032.  extra = 'unknown'
net/sctp/socket.c:7430 sctp_getsockopt_pr_assocstatus() warn: check 'asoc->abandoned_unsent[((policy >> 4) - 1)]' for negative offsets '(policy >> 4) - 1' = 139875963263760.  extra = 'unknown'
net/sctp/socket.c:7432 sctp_getsockopt_pr_assocstatus() warn: check 'asoc->abandoned_sent[((policy >> 4) - 1)]' for negative offsets '(policy >> 4) - 1' = 139875962396944.  extra = 'unknown'
net/sctp/socket.c:7499 sctp_getsockopt_pr_streamstatus() warn: check 'streamoute->abandoned_unsent[((policy >> 4) - 1)]' for negative offsets '(policy >> 4) - 1' = 139875959726736.  extra = 'unknown'
net/sctp/socket.c:7501 sctp_getsockopt_pr_streamstatus() warn: check 'streamoute->abandoned_sent[((policy >> 4) - 1)]' for negative offsets '(policy >> 4) - 1' = 139875958368400.  extra = 'unknown'
sound/soc/sof/ipc4-mtrace.c:374 sof_ipc4_priority_mask_dfs_write() warn: check 'priv->state_info.logs_priorities_mask[id]' for negative offsets 'id' = 139930792399632.  extra = 's32min-15'

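The subtraction and negative-offset pattern discussed in the message above, as an added example that is not part of this thread or of kernel/sysctl.c: a proc_get_long style parser over a buffer that is not NUL-terminated, once with a size_t length narrowed to int before the bounds test (so a length that has already wrapped becomes a negative index that passes the "too big" check), and once keeping the length unsigned with a space skip bounded by the remaining length, so the subtraction the analyser assumes cannot underflow really cannot. TMPBUFLEN, the function names and the inputs are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stack buffer size, standing in for the parser's tmp[]. */
#define TMPBUFLEN 8

/* Skip leading spaces without ever reading past *left.  Because n can
 * never exceed *left, the subtraction below cannot wrap around. */
static size_t consume_spaces(const char **p, size_t *left)
{
	size_t n = 0;

	while (n < *left && (*p)[n] == ' ')
		n++;
	*p += n;
	*left -= n;
	return n;
}

/* Vulnerable shape.  'left' is a size_t that may already have wrapped,
 * e.g. after subtracting a space count computed on a C string rather than
 * on the 'left' bytes that are really there.  It is narrowed to int before
 * the bounds test, so a huge value becomes a negative len, passes the
 * "too big" check, and is then used as an array index.  This function
 * stops short of the out-of-bounds store and returns the index it would
 * have used, so the confusion is observable. */
int vuln_terminator_index(size_t left)
{
	char tmp[TMPBUFLEN];
	int len = (int)left;		/* size_t -> int: the type confusion */

	if (len > TMPBUFLEN - 1)
		len = TMPBUFLEN - 1;	/* a negative len sails through */
	if (len < 0)
		return len;		/* the unfixed code would do tmp[len] = 0 here */
	memset(tmp, 0, sizeof(tmp));
	tmp[len] = '\0';
	return len;
}

/* Hardened parser: the length stays unsigned, is clamped before the copy,
 * and only what consume_spaces() really consumed is subtracted.  Parses
 * optional spaces then decimal digits from a buffer that is not NUL
 * terminated.  Returns 0 and stores the value, or -1 on bad input. */
int parse_decimal(const char *buf, size_t left, long *out)
{
	char tmp[TMPBUFLEN];
	size_t len, i;
	long val = 0;

	consume_spaces(&buf, &left);
	len = left;
	if (len > TMPBUFLEN - 1)
		len = TMPBUFLEN - 1;	/* index below is always in [0, TMPBUFLEN-1] */
	memcpy(tmp, buf, len);
	tmp[len] = '\0';
	if (len == 0)
		return -1;
	for (i = 0; i < len; i++) {
		if (tmp[i] < '0' || tmp[i] > '9')
			return -1;
		val = val * 10 + (tmp[i] - '0');
	}
	*out = val;
	return 0;
}

/* Runs the hardened parser over constructed, non NUL-terminated input.
 * Returns the parsed value (42), or -1 if any case misbehaves. */
long demo_parse(void)
{
	const char ok[] = { ' ', ' ', '4', '2' };	/* constructed input */
	const char bad[] = { '4', 'x' };
	const char empty[] = { ' ', ' ' };
	long v = 0;

	if (parse_decimal(bad, sizeof(bad), &v) != -1)
		return -1;
	if (parse_decimal(empty, sizeof(empty), &v) != -1)
		return -1;
	if (parse_decimal(ok, sizeof(ok), &v) != 0)
		return -1;
	return v;
}

int main(void)
{
	printf("wrapped length would index tmp[%d]\n",
	       vuln_terminator_index((size_t)0 - 3));
	printf("hardened parse gives %ld\n", demo_parse());
	return 0;
}
```

The point of keeping the length unsigned is that the only comparison needed is "too big", which Smatch can reason about; once the value is signed, the check also has to rule out "negative", and that is exactly the case a wrapped subtraction feeds it.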

* New CVE entries this week
@ 2023-01-19  0:14 Masami Ichikawa
  2023-03-03 14:08 ` Dan Carpenter
  0 siblings, 1 reply; 93+ messages in thread
From: Masami Ichikawa @ 2023-01-19  0:14 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 7 new CVEs and 8 updated CVEs.

* New CVEs

CVE-2023-23454: net: sched: cbq: dont intepret cls results when asked to drop

CVSS v3 score is not provided

atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through
6.1.4 allows attackers to cause a denial of service because of type
confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT
condition rather than valid classification results).

This bug was introduced in 2.6.12-rc2 or before, so 4.4 is affected by
this issue as well.
Applying this fix to 4.4 requires modifying the patch.

Fixed status
mainline: [caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12]
stable/5.10: [b2c917e510e5ddbc7896329c87d20036c8b82952]
stable/5.15: [04dc4003e5df33fb38d3dd85568b763910c479d4]
stable/5.4: [6b17b84634f932f4787f04578f5d030874b9ff32]
stable/6.0: [cde7091efe3fcc0b19f736acd0163499d1fd6d31]
stable/6.1: [dc46e39b727fddc5aacc0272ef83ee872d51be16]

CVE-2023-23455: net: sched: atm: dont intepret cls results when asked to drop

CVSS v3 score is not provided

This bug was introduced by commit b0188d4 ("[NET_SCHED]: sch_atm:
Lindent") in 2.6.23-rc1.

Fixed status
mainline: [a2965c7be0522eaa18808684b7b82b248515511b]
stable/4.14: [db49adc5aff0c84ef0439a666f494a0d57c98bc7]
stable/4.19: [5374c455ebe6102e3d5f1842c6d8ff72b3ca659f]
stable/5.10: [5f65f48516bfeebaab1ccc52c8fad698ddf21282]
stable/5.15: [f02327a4877a06cbc8277e22d4834cb189565187]
stable/5.4: [63e469cb54a87df53edcfd85bb5bcdd84327ae4a]
stable/6.0: [bbb870c88576239842602b0f7cc58c361dc8e061]
stable/6.1: [85655c63877aeafdc23226510ea268a9fa0af807]

CVE-2023-0179: netfilter: nft_payload: incorrect arithmetics when
fetching VLAN header bits

CVSS v3 score is not provided

The vulnerability consists of a stack buffer overflow due to an integer
underflow vulnerability inside the nft_payload_copy_vlan function, which is
invoked with nft_payload expressions as long as a VLAN tag is present in
the current skb.

This bug was introduced by commit f6ae9f1 ("netfilter: nft_payload:
add C-VLAN support") in 5.5-rc1

Fixed status
mainline: fixed in netfilter-next tree but not merged into the mainline yet.
stable/5.10: [550efeff989b041f3746118c0ddd863c39ddc1aa]
stable/5.15: [a8acfe2c6fb99f9375a9325807a179cd8c32e6e3]
stable/6.1: [76ef74d4a379faa451003621a84e3498044e7aa3]

CVE-2023-0266: ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to
prevent UAF

CVSS v3 score is not provided

A use-after-free bug was found in the ALSA subsystem. Taking rwsem
lock in snd_ctl_elem_read_user will cause a use-after-free bug.

This bug was introduced by commit 1fa4445 ("ALSA: control - introduce
snd_ctl_notify_one() helper")
in 5.13-rc1.

Fixed status
mainline: [56b88b50565cd8b946a2d00b0c83927b7ebb055e]
stable/4.19: [5b2ea7e91352165054c5b3f8e5442cd31c3e73f9]
stable/5.10: [df02234e6b87d2a9a82acd3198e44bdeff8488c6]
stable/5.15: [26350c21bc5e97a805af878e092eb8125843fe2c]
stable/6.1: [d6ad4bd1d896ae1daffd7628cd50f124280fb8b1]

CVE-2023-23559: rndis_wlan: Prevent buffer overflow in rndis_query_oid

CVSS v3 score is not provided

In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux
kernel through 6.1.5, there is an integer overflow in an addition.

This bug was introduced by 80f8c5b434f9 ("rndis_wlan: copy only useful
data from rndis_command respond") in 2.6.35-rc1.

Fixed status
Patch is in the patchwork but not merged into the mainline yet.

CVE-2022-47929: Null pointer dereference bug in traffic control subsystem.

CVSS v3 score is not provided

In the Linux kernel before 6.1.6, a NULL pointer dereference bug in
the traffic control subsystem allows an unprivileged user to trigger a
denial of service (system crash) via a crafted traffic control
configuration that is set up with "tc qdisc" and "tc class" commands.
This affects qdisc_graft in net/sched/sch_api.c.

The fix uses the NL_SET_ERR_MSG macro, which was merged in 4.12-rc1,
to create an error message. Kernel 4.4 doesn't have this macro.

Fixed status
mainline: [96398560f26aa07e8f2969d73c8197e6a6d10407]
stable/4.14: [4574e32cbf652d7efcaa6076558752f770b01757]
stable/4.19: [0195d5ad539382a83e1bfaab51b93b8685f0b7c7]
stable/5.10: [9f7bc28a6b8afc2274e25650511555e93f45470f]
stable/5.15: [04941c1d5bb59d64165e09813de2947bdf6f4f28]
stable/5.4: [9b83ec63d0de7b1f379daa1571e128bc7b9570f8]
stable/6.1: [e8988e878af693ac13b0fa80ba2e72d22d68f2dd]

CVE-2023-0394: ipv6: raw: Deduct extension header length in
rawv6_push_pending_frames

CVSS v3 score is not provided

A NULL pointer dereference bug was found in
rawv6_push_pending_frames() in net/ipv6/raw.c.
It was introduced by commit 357b40a ("[IPV6]: IPV6_CHECKSUM socket
option can corrupt kernel memory") in 2.6.12-rc3.

The patch can be applied to 4.4 with git am using the -3 option.

Fixed status
mainline: [cb3e9864cdbe35ff6378966660edbcbac955fe17]
stable/4.14: [35ed8ba485544a31a4ab9b92a1c68e406ab66a47]
stable/4.19: [f487d636e49bc1fdfbd8105bc1ab159164e2d8bd]
stable/5.10: [6c9e2c11c33c35563d34d12b343d43b5c12200b5]
stable/5.15: [456e3794e08a0b59b259da666e31d0884b376bcf]
stable/5.4: [3998dba0f78a59922b0ef333ccfeb58d9410cd3d]
stable/6.1: [0afa5f0736584411771299074bbeca8c1f9706d4]

* Updated CVEs

CVE-2022-36280: An out-of-bounds(OOB) memory access vulnerability was
found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c

4.14, 4.19, 5.4, 5.10 and 5.15 were fixed.

Fixed status
mainline: [4cf949c7fafe21e085a4ee386bb2dade9067316e]
stable/4.14: [50d177f90b63ea4138560e500d92be5e4c928186]
stable/4.19: [6b4e70a428b5a11f56db94047b68e144529fe512]
stable/5.10: [439cbbc1519547f9a7b483f0de33b556ebfec901]
stable/5.15: [6948e570f54f2044dd4da444b10471373a047eeb]
stable/5.4: [94b283341f9f3f0ed56a360533766377a01540e0]
stable/6.0: [4d54d11b49860686331c58a00f733b16a93edfc4]
stable/6.1: [622d527decaac0eb65512acada935a0fdc1d0202]

CVE-2022-3707: Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed

6.0 and 6.1 were fixed.

Fixed status
mainline: [4a61648af68f5ba4884f0e3b494ee1cabc4b6620]
stable/6.0: [bb84f2e119accfc65d5fa6ebe31751cdc3bca9fb]
stable/6.1: [1022519da69d99d455c58ca181a6c499c562c70e]

CVE-2022-41218: media: dvb-core: Fix UAF due to refcount races at releasing

4.14, 4.19, 5.4, 5.10, and 5.15 were fixed.

Fixed status
mainline: [fd3d91ab1c6ab0628fe642dd570b56302c30a792]
stable/4.14: [8d904e99c10e2e443c6c7c418541880513eb9790]
stable/4.19: [8f537a1282cd877f132643ef8f9e9d6032f90025]
stable/5.10: [3df07728abde249e2d3f47cf22f134cb4d4f5fb1]
stable/5.15: [8b45a3b19a2e909e830d09a90a7e1ec8601927d9]
stable/5.4: [a29d6213098816ed4574824b6adae94fb1c0457d]
stable/6.0: [55870fc9e45faa9a65860bcd6b0f8ca8c99afe44]
stable/6.1: [530ca64b44625f7d39eb1d5efb6f9ff21da991e2]

CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
ksmbd_decode_ntlmssp_auth_blob

5.15, 6.0, and 6.1 were fixed.

Fixed status
mainline: [797805d81baa814f76cf7bdab35f86408a79d707]
stable/5.15: [e32f867b37da7902685c9a106bef819506aa1a92]
stable/6.0: [1e7ed525c60d8d51daf2700777071cd0dfb6f807]
stable/6.1: [5e7d97dbae25ab4cb0ac1b1b98aebc4915689a86]

CVE-2022-2873: an out-of-bounds vulnerability in i2c-ismt driver

4.19 and 5.10 were fixed.

Fixed status
mainline: [690b2549b19563ec5ad53e5c82f6a944d910086e]
stable/4.19: [bfe41d966c860a8ad4c735639d616da270c92735]
stable/5.10: [9ac541a0898e8ec187a3fa7024b9701cffae6bf2]
stable/5.15: [24c6fc6e7453f64cf6cbb4218c62aafdecc16ee1]

CVE-2022-3424: misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os

4.14, 4.19, 5.4, and 5.10 were fixed.

Fixed status
mainline: [643a16a0eb1d6ac23744bb6e90a00fc21148a9dc]
stable/4.14: [3eec37e223fabedaf90191e8a0cc61d46a96ab8d]
stable/4.19: [bcda4624e87d6b922e94f5c0fd0bd5f027b8b226]
stable/5.10: [0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c]
stable/5.15: [d5c8f9003a289ee2a9b564d109e021fc4d05d106]
stable/5.4: [0078dd8758561540ed30b2c5daa1cb647e758977]
stable/6.0: [dbc1bb8c8ea930f188b7ce45db162807b3f4b66a]
stable/6.1: [4e947fc71bec7c7da791f8562d5da233b235ba5e]

CVE-2022-3545: nfp: fix use-after-free in area_cache_get()

4.14 and 4.19 were fixed.

Fixed status
mainline: [02e1a114fdb71e59ee6770294166c30d437bf86a]
stable/4.14: [60537e23e40f7ca9e07679fec28af79d43d9e8f6]
stable/4.19: [6ff23e9b9a04b833388862246838bb38ac0c46b6]
stable/5.10: [eb6313c12955c58c3d3d40f086c22e44ca1c9a1b]
stable/5.15: [9d933af8fef33c32799b9f2d3ff6bf58a63d7f24]
stable/5.4: [3c837460f920a63165961d2b88b425703f59affb]

CVE-2022-45934: Bluetooth: L2CAP: Fix u8 overflow

4.14, 4.19, and 5.4 were fixed.

Fixed status
mainline: [bcd70260ef56e0aee8a4fc6cd214a419900b0765]
stable/4.14: [95f1847a361c7b4bf7d74c06ecb6968455082c1a]
stable/4.19: [ad528fde0702903208d0a79d88d5a42ae3fc235b]
stable/5.10: [f3fe6817156a2ad4b06f01afab04638a34d7c9a6]
stable/5.15: [19a78143961a197de8502f4f29c453b913dc3c29]
stable/5.4: [9fdc79b571434af7bc742da40a3405f038b637a7]
stable/6.0: [5550bbf709c323194881737fd290c4bada9e6ead]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


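The weekly reports above all follow one plain-text layout: a "CVE-...:" title line, free-form notes, and a "Fixed status" list of "mainline:" and "stable/X.Y:" entries whose bracketed hash lists may wrap across lines. The following is an added example, not code from the mail or from the CIP project: a small parser for that layout that records the fix commits per branch, reports which branches of interest still have no fix hash listed, and checks a local kernel tree for the listed commits with "git merge-base --is-ancestor". The branch list is an assumption (a CIP-style set of long-term trees), and the embedded report excerpt is constructed with placeholder CVE ids and hashes, not real entries.

```python
"""
Parser for the weekly cip-dev CVE report format, plus a check that a
kernel tree actually contains the fix commits a report lists.
Added example, not code from the original mail or the CIP project.
The report excerpt below is constructed to mirror the layout of the
mails on this page; its CVE ids and hashes are placeholders.
"""
import re
import subprocess
from typing import Callable, Dict, List, Set

# Branches a downstream maintainer wants fixes for (assumption: a
# CIP-style set of long-term kernels; adjust to your own trees).
BRANCHES_OF_INTEREST = ("4.4", "4.19", "5.10", "6.1")

CVE_LINE = re.compile(r"^(CVE-\d{4}-\d{4,7}):\s*(.*)$")
FIX_LINE = re.compile(r"^(mainline|stable/\d+\.\d+):\s*(.*)$")
SHA40 = re.compile(r"\b[0-9a-f]{40}\b")

# Constructed sample: wrapped hash lists, a "fixed in a maintainer
# tree" line with no hash, and an entry with no fix information.
SAMPLE_REPORT = """\
* New CVEs

CVE-2099-0001: example: fix use-after-free in foo_release()

Fixed status
mainline: [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]
stable/4.19: [bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,
cccccccccccccccccccccccccccccccccccccccc]
stable/5.10: [dddddddddddddddddddddddddddddddddddddddd]

CVE-2099-0002: example: validate length in bar_parse()

Fixed status
mainline: fixed in the maintainer tree but not merged into the mainline yet.

Currently tracking CVEs

CVE-2099-0003: example: no fix information
"""


def parse_report(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {cve: {branch: {sha, ...}}} for every CVE in the report.
    A branch present with an empty set means the report names the
    branch without a commit hash, i.e. the fix is not in that tree yet.
    """
    fixes: Dict[str, Dict[str, Set[str]]] = {}
    cve = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = CVE_LINE.match(line)
        if m:
            cve = m.group(1)
            fixes.setdefault(cve, {})
        else:
            m = FIX_LINE.match(line)
            if m and cve is not None:
                branch, rest = m.group(1), m.group(2)
                # A bracketed hash list may wrap onto following lines.
                while "[" in rest and "]" not in rest and i + 1 < len(lines):
                    i += 1
                    rest += " " + lines[i].strip()
                fixes[cve].setdefault(branch, set()).update(SHA40.findall(rest))
        i += 1
    return fixes


def missing_fixes(fixes: Dict[str, Dict[str, Set[str]]],
                  branches=BRANCHES_OF_INTEREST) -> Dict[str, List[str]]:
    """Per CVE, the branches of interest with no fix hash recorded.
    "No hash recorded" is not the same as "affected": a branch may
    predate the bug, which the reports state in prose, not in the list.
    """
    gaps = {}
    for cve, by_branch in fixes.items():
        todo = [b for b in branches if not by_branch.get("stable/" + b)]
        if todo:
            gaps[cve] = todo
    return gaps


def git_is_ancestor(sha: str, ref: str, repo: str = ".") -> bool:
    """True when `sha` is reachable from `ref` in `repo`; `git merge-base
    --is-ancestor` exits 0 exactly in that case."""
    proc = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", sha, ref],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def check_tree(fixes: Dict[str, Dict[str, Set[str]]], branch: str,
               is_ancestor: Callable[[str, str], bool] = git_is_ancestor,
               ref: str = "HEAD") -> Dict[str, bool]:
    """For each CVE with stable/<branch> fixes listed, say whether every
    listed hash is already contained in `ref`.  The ancestry test is
    injectable so the logic can be exercised without a repository."""
    result = {}
    for cve, by_branch in fixes.items():
        shas = by_branch.get("stable/" + branch, set())
        if shas:
            result[cve] = all(is_ancestor(s, ref) for s in shas)
    return result


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for cve, todo in missing_fixes(parsed).items():
        print(f"{cve}: no fix recorded for {', '.join(todo)}")
```

Run it against a saved mail with the real branch set and a checkout of your tree: a CVE that missing_fixes() leaves out of its output has a hash for every branch you care about, and check_tree() then confirms those hashes are really in the tree rather than only in the report. Stable backport hashes differ from the mainline hash, so check the stable/X.Y hash against an X.Y-based tree, not the mainline one.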

* New CVE entries this week
@ 2023-01-12  0:21 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-01-12  0:21 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2023-0047: Out of memory in local cgroup's memory may cause denial
of service outside its area

CVSS v3 score is not provided

According to the Red Hat bugzilla, "A Linux Kernel flaw found in
memory management. If allocation failure happens in
pagefault_out_of_memory with VM_FAULT_OOM, then it can lead to memory
overflow when many tasks trigger this. An issue may cause multi-tenant
denial of service (memory overflow). It was reported that a malicious
workload may be allowed to OOM-kill random other workloads on the same
node."

Kernel 4.4 looks to be affected by this vulnerability.

Fixed status
mainline: [60e2793d440a3ec95abb5d6d4fc034a4b480472d]
stable/4.14: [bed55513692e0dc720f02ad7da3e528c55e0b663]
stable/4.19: [d508b70eaa8d6d994c289b757c0ca0355d4dbe29]
stable/4.9: [973b61a5f3ba6690624d109a68cca35d0348b91f]
stable/5.10: [1d457987366f7a92d03e03df80f9a63040133233]
stable/5.15: [c15aeead2488b3b28db6863f9f2ba2338e3c9838]
stable/5.4: [66938ba1285778634276a4b4028de367d7f1e8c2]

CVE-2023-0122: NVME driver: null pointer dereference in
drivers/nvme/target/auth.c

CVSS v3 score is not provided

A NULL pointer dereference was found in nvmet_setup_auth. This bug was
introduced by commit db1312dd ("nvmet: implement basic In-Band
Authentication") in 6.0-rc1.
4.x and 5.x kernels are not affected by this vulnerability.

Fixed status
mainline: [da0342a3aa0357795224e6283df86444e1117168]

CVE-2022-4696: io_uring: add missing item types for splice request

CVSS v3 score is not provided (NIST)
CVSS v3 score is 7.8 (CNA)

There exists a use-after-free vulnerability in the Linux kernel
through io_uring and the IORING_OP_SPLICE operation.
IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals
that the operation won't use current->nsproxy, so its reference
counter is not increased. This assumption is not always true, as
calling io_splice on specific files will call the get_uts function,
which will use current->nsproxy, leading to invalidly decreasing its
reference counter later and causing the use-after-free vulnerability.

fs/io_wq.[hc] are not present in 5.4.

Fixed status
mainline: [44526bedc2ff8fcd58552e3c5bae928524b6f13c]
stable/5.10: [75454b4bbfc7e6a4dd8338556f36ea9107ddf61a]

CVE-2023-0210: ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
ksmbd_decode_ntlmssp_auth_blob

CVSS v3 score is not provided

There is a heap overflow bug in ksmbd_decode_ntlmssp_auth_blob in
which nt_len can be less than CIFS_ENCPWD_SIZE.

This vulnerability was introduced by commit e2f3448 ("cifsd: add
server-side procedures for SMB3") in 5.15-rc1.
Kernels older than 5.15 are not affected by this issue.

Fixed status
mainline: [797805d81baa814f76cf7bdab35f86408a79d707]

* Updated CVEs

CVE-2022-36280: An out-of-bounds(OOB) memory access vulnerability was
found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c

stable 6.0 and 6.1 were fixed.

Fixed status
mainline: [4cf949c7fafe21e085a4ee386bb2dade9067316e]
stable/6.0: [4d54d11b49860686331c58a00f733b16a93edfc4]
stable/6.1: [622d527decaac0eb65512acada935a0fdc1d0202]

CVE-2022-41218: media: dvb-core: Fix UAF due to refcount races at releasing

stable 6.0 and 6.1 were fixed.

Fixed status
mainline: [fd3d91ab1c6ab0628fe642dd570b56302c30a792]
stable/6.0: [55870fc9e45faa9a65860bcd6b0f8ca8c99afe44]
stable/6.1: [530ca64b44625f7d39eb1d5efb6f9ff21da991e2]

CVE-2022-3707: Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed

This bug was introduced by commit b901b252 ("drm/i915/gvt: Add 2M huge
gtt support") in 4.19-rc1.

Fixed status
mainline: [4a61648af68f5ba4884f0e3b494ee1cabc4b6620]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2023-01-05  1:04 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2023-01-05  1:04 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs and 6 updated CVEs.

* New CVEs

CVE-2022-4842: fs/ntfs3: Fix attr_punch_hole() null pointer dereference

CVSS v3 score is not provided

A NULL pointer dereference bug was found in attr_punch_hole() in the
ntfs3 driver.
It was introduced by commit be71b5c ("fs/ntfs3: Add attrib
operations") in 5.15-rc1.
The ntfs3 driver was added in 5.15, so kernels older than 5.15
aren't affected by this issue.
It was fixed in 6.2-rc1.

Fixed status
mainline: [6d5c9e79b726cc473d40e9cb60976dbe8e669624]

CVE-2023-0030: drm/nouveau/mmu: add more general vmm free/node
handling functions

CVSS v3 score is not provided

A use-after-free bug was found in nvkm_vmm_pfn_map. This bug can crash
the system or potentially allow escalating privileges on the system.
Commit 729eba3 ("drm/nouveau/mmu: add more general vmm free/node
handling functions") was merged in 5.0-rc1.
nvkm_vmm_pfn_map() was introduced by commit a5ff307
("drm/nouveau/mmu: add a privileged method to directly manage PTEs")
in 5.1-rc1.

This bug happens when nvkm_vma_tail returns NULL, which means kzalloc
returned NULL.

Fixed status
The Debian security tracker said that it was fixed in 5.2.6, but I
couldn't find a related commit in the change log
(https://lore.kernel.org/stable/20190804101415.GA27152@kroah.com/).

CVE-2023-20928: android: binder: stop saving a pointer to the VMA

CVSS v3 score is not provided

A use-after-free bug was found in the Android binder driver.
According to the Android commit
(https://android.googlesource.com/kernel/common/+/201d5f4a3ec1), "Note
this patch is specific to stable branches 5.4 and 5.10. Since in newer
kernel releases binder no longer caches a pointer to the vma.
Instead, it has been refactored to use vma_lookup() which avoids the
issue described here. This switch was introduced in commit
a43cfc87caaf ("android: binder: stop saving a pointer to the VMA")."

binder_alloc.[ch] are not present in 4.4 and 4.9.

Fixed status
mainline: [a43cfc87caaf46710c8027a8c23b8a55f1078f19]
stable/5.10: [015ac18be7de25d17d6e5f1643cb3b60bfbe859e]
stable/5.15: [622ef885a89ad04cfb76ee478fb44f051125d1f1]

* Updated CVEs

CVE-2022-3424: misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os

stable 5.15, 6.0, and 6.1 were fixed.

Fixed status
mainline: [643a16a0eb1d6ac23744bb6e90a00fc21148a9dc]
stable/5.15: [d5c8f9003a289ee2a9b564d109e021fc4d05d106]
stable/6.0: [dbc1bb8c8ea930f188b7ce45db162807b3f4b66a]
stable/6.1: [4e947fc71bec7c7da791f8562d5da233b235ba5e]

CVE-2022-3531: selftest/bpf: Fix memory leak in kprobe_multi_test

stable 6.0 and 6.1 were fixed.

Fixed status
mainline: [6d2e21dc4db3933db65293552ecc1ede26febeca]
stable/6.0: [78b772629cc5adec02ab4182b62abe916f2254a0]
stable/6.1: [661e952bc9ef798d1d33ba67f2950a3e0bea455f]

CVE-2022-3532: selftests/bpf: Fix memory leak caused by not destroying skeleton

stable 6.0 was fixed.

Fixed status
mainline: [0ef6740e97777bbe04aeacd32239ccb1732098d7,
1642a3945e223a922312fab2401ecdf58b3825b9]
stable/6.0: [0ef6740e97777bbe04aeacd32239ccb1732098d7,
cd7bccc8887787f47d0d82528c4c98e209b442b7]

CVE-2022-3595: A double free bug was found in cifs subsystem

stable 6.0 was fixed.

Fixed status
mainline: [b854b4ee66437e6e1622fda90529c814978cb4ca]
stable/6.0: [983ec6379b9bab7bf790aa7df5dc3a461ebad72a]

CVE-2022-4379: NFSD: fix use-after-free in __nfs42_ssc_open()

Fixed in mainline and 6.1.

Fixed status
mainline: [75333d48f92256a0dec91dbf07835e804fc411c0]
stable/6.1: [650b69b17cfd79f51476d93c2c63bfb73280a77a]

CVE-2022-45888: char: xillybus: Fix use-after-free in xillyusb_open()

Fixed in mainline.

Fixed status
mainline: [282a4b71816b6076029017a7bab3a9dcee12a920]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-12-29  0:00 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-12-29  0:00 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 8 new CVEs and 0 updated CVEs.
The ksmbd subsystem got several CVEs, including an RCE bug. These
vulnerabilities affect kernels since 5.15.

* New CVEs

CVE-2022-4662: Nested device-reset call will cause deadlock in USB
core subsystem

CVSS v3 score is not provided

A flaw of incorrect access control in the Linux kernel USB core
subsystem was found in the way a user attaches a USB device. A local
user could use this flaw to crash the system.

Stable and CIP kernels are fixed.

Fixed status
mainline: [9c6d778800b921bde3bff3cff5003d1650f942d1]
stable/4.14: [1b29498669914c7f9afb619722421418a753d372]
stable/4.19: [cc9a12e12808af178c600cc485338bac2e37d2a8]
stable/4.9: [d90419b8b8322b6924f6da9da952647f2dadc21b]
stable/5.10: [abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8]
stable/5.15: [c548b99e1c37db6f7df86ecfe9a1f895d6c5966e]
stable/5.4: [df1875084898b15cbc42f712e93d7f113ae6271b]

CVE-2022-47938: Linux Kernel ksmbd Out-Of-Bounds Read
Denial-of-Service Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel before 5.19.2.
fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for
SMB2_TREE_CONNECT.

The specific flaw exists within the handling of SMB2_TREE_CONNECT
commands. The issue results from the lack of proper validation of
user-supplied data, which can result in a read past the end of an
allocated buffer. An attacker can leverage this vulnerability to
create a denial-of-service condition on the system.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [824d4f64c20093275f72fc8101394d75ff6a249e]
stable/5.15: [577619605556a90e64abc759ca3ad9d86bf51176]

CVE-2022-47939: Linux Kernel ksmbd Use-After-Free Remote Code
Execution Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel before 5.19.2.
fs/ksmbd/smb2pdu.c has a use-after-free and OOPS for
SMB2_TREE_DISCONNECT.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of the Linux kernel.
Authentication is not required to exploit this vulnerability, but only
systems with ksmbd enabled are vulnerable.

The specific flaw exists within the processing of SMB2_TREE_DISCONNECT
commands. The issue results from the lack of validating the existence
of an object prior to performing operations on the object.
An attacker can leverage this vulnerability to execute code in the
context of the kernel.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [cf6531d98190fa2cf92a6d8bbc8af0a4740a223c]
stable/5.15: [a54c509c32adba9d136f2b9d6a075e8cae1b6d27]

CVE-2022-47940: Linux Kernel ksmbd Out-Of-Bounds Read Information
Disclosure Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18
before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the
non-padding case in smb2_write.

This vulnerability allows remote attackers to disclose sensitive
information on affected installations of the Linux kernel.
Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2_WRITE commands.
The issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of the
kernel.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [158a66b245739e15858de42c0ba60fcf3de9b8e6]

CVE-2022-47941: Linux Kernel ksmbd Memory Exhaustion Denial-of-Service
Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19
before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain
smb2_handle_negotiate error conditions, aka a memory leak.

This vulnerability allows remote attackers to create a
denial-of-service condition on affected installations of the Linux
kernel. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2_NEGOTIATE
commands. The issue results from the lack of memory release after its
effective lifetime. An attacker can leverage this vulnerability to
create a denial-of-service condition on the system.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [aa7253c2393f6dcd6a1468b0792f6da76edad917]
stable/5.15: [dd4e4c811898410e6a3ae3b63207b7c542860907]

CVE-2022-47942: Linux Kernel ksmbd Heap-based Buffer Overflow Remote
Code Execution Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19
before 5.19.2.
There is a heap-based buffer overflow in set_ntacl_dacl, related to
use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of the Linux kernel.
Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of file attributes.
The issue results from the lack of proper validation of the length of
user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the kernel.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [8f0541186e9ad1b62accc9519cc2b7a7240272a7]
stable/5.15: [cb69d4d6f709f87c94afa28ae64c501576692171]

CVE-2022-47943: Linux Kernel ksmbd Out-Of-Bounds Read Information
Disclosure Vulnerability

CVSS v3 score is not provided

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19
before 5.19.2.
There is an out-of-bounds read and OOPS for SMB2_WRITE when there is
a large length in the zero DataOffset case.

This vulnerability allows remote attackers to disclose sensitive
information on affected installations of the Linux kernel.
Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2_WRITE commands.
The issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of the
kernel.

This bug was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") in 5.15-rc1.
Kernel versions older than 5.15 aren't affected.

Fixed status
mainline: [ac60778b87e45576d7bfdbd6f53df902654e6f09]
stable/5.15: [c76b216753c9eb2950a091037c9976f389e73529]

CVE-2022-47946: A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c

CVSS v3 score is not provided

An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A
use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an
attacker to crash the kernel, resulting in denial of service.
finish_wait can be skipped. An attack can occur in some situations by
forking a process and then quickly terminating it. NOTE: later kernel
versions, such as the 5.15 longterm series, substantially changed the
implementation of io_sqpoll_wait_sq.

Commit 0f54435 ("io_uring: kill goto error handling in
io_sqpoll_wait_sq()") is based on mainline's commit 70aacfe
("io_uring: kill sqo_dead and sqo submission halting") in 5.12-rc2.

The 5.4 kernel doesn't contain io_sqpoll_wait_sq().

Fixed status
stable/5.10: [0f544353fec8e717d37724d95b92538e1de79e86]

* Updated CVEs

No update this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com


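Several entries in the mail above reduce the affected-version question to two facts: the release in which the introducing commit landed ("commit e2f3448 ... in 5.15-rc1") and, once a fix exists, the mainline release that carries it; the branches that already list a backport are then subtracted. The following is an added example, not code from the mail or from the CIP project, that encodes exactly that reasoning. The branch list is an assumption (a CIP-style set of stable trees), and the sample inputs in the main block are constructed to match the shape of the ksmbd entries rather than the real version data for those CVEs. One caveat the routine cannot see on its own: if the introducing commit was itself backported to an older stable tree, that tree is affected too, so the result is a first-pass filter to be confirmed in the tree with git.

```python
"""
Affected-branch reasoning from the facts the weekly reports state:
"introduced by commit X in A.B-rcN" and "fixed in C.D-rcM", minus the
branches that already carry a backport.
Added example, not code from the original mail or the CIP project.
BRANCHES is an assumption; the sample inputs at the bottom are
constructed, not the real data for any CVE on this page.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

BRANCHES = ("4.4", "4.19", "5.4", "5.10", "5.15", "6.0", "6.1")

VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def branch_key(version: str) -> Tuple[int, ...]:
    """Comparable key for the stable branch a version belongs to.

    An -rcN tag is folded into the release it precedes: 5.15-rc1 is
    first contained in v5.15, so the 5.15 branch has it.  A point
    release such as 5.10.155 is reduced to its branch, 5.10.  In the
    2.6.x series the third component is the branch (2.6.35-rc1 maps
    to (2, 6, 35)), and tuple comparison orders it below any 3.x+.
    """
    m = VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, _rc = m.groups()
    if int(major) >= 3:
        return (int(major), int(minor))
    return (int(major), int(minor), int(patch or 0))


def affected_branches(introduced: str, fixed_mainline: Optional[str],
                      branches: Iterable[str] = BRANCHES) -> List[str]:
    """Branches whose base release is at or after the release that
    introduced the bug and before the mainline release carrying the
    fix.  fixed_mainline=None means no mainline fix yet, so every
    later branch stays in.

    First-pass filter only: a stable backport of the introducing
    commit would put an older branch in scope as well, which is why
    the reports check that case by hand.
    """
    lo = branch_key(introduced)
    hi = branch_key(fixed_mainline) if fixed_mainline else None
    return [b for b in branches
            if branch_key(b) >= lo and (hi is None or branch_key(b) < hi)]


def needs_backport(introduced: str, fixed_mainline: Optional[str],
                   fixed_branches: Set[str],
                   branches: Iterable[str] = BRANCHES) -> List[str]:
    """Affected branches that do not yet list a fix commit."""
    return [b for b in affected_branches(introduced, fixed_mainline, branches)
            if b not in fixed_branches]


if __name__ == "__main__":
    # Constructed: bug introduced in 5.15-rc1, fix merged for a
    # hypothetical v6.1, 5.15 backport already listed.
    print(needs_backport("5.15-rc1", "6.1-rc1", {"5.15"}))  # ['6.0']
    # Constructed: an old bug from 2.6.35-rc1 with no fix anywhere yet.
    print(needs_backport("2.6.35-rc1", None, set()))
```

Feed it the "introduced by ... in X" version, the mainline release of the fix (None while a fix is only in a maintainer tree or patchwork) and the set of stable branches already listed under "Fixed status"; what comes back is the backport queue for your own trees. Because "mainline fixed" is recorded by commit hash rather than by release in these reports, look the release up with git describe --contains on the fix hash before passing it in.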

* New CVE entries this week
@ 2022-12-21 22:58 Masami Ichikawa
  2023-02-01  8:09 ` Dan Carpenter
  0 siblings, 1 reply; 93+ messages in thread
From: Masami Ichikawa @ 2022-12-21 22:58 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 10 updated CVEs.

* New CVEs

CVE-2022-2196: KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

CVSS v3 score is not provided

Introduced by commit 5c911be ("KVM: nVMX: Skip IBPB when switching
between vmcs01 and vmcs02") in 5.8-rc1.
This commit fixes commit 15d4507 ("KVM/x86: Add IBPB support") in 4.16-rc1.
Commit 5c911be is not backported to 4.x kernels.

Fixed status
mainline: [2e7eab81425ad6c875f2ed47c0ce01e78afc38a5]

CVE-2022-4543: KASLR Leakage Achievable even with KPTI through
Prefetch Side-Channel

CVSS v3 score is not provided

A user can get the KASLR base address on Intel and AMD CPU based
systems even if the kernel enables KPTI.

Fixed status
Not fixed yet

CVE-2022-47518: wifi: wilc1000: validate number of channels

CVSS v3 score is not provided

An issue was discovered in the Linux kernel before 6.0.11. Missing
validation of the number of channels in
drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000
wireless driver can trigger a heap-based buffer overflow when copying
the list of operating channels from Wi-Fi management frames.

It looks like the vulnerable function is not present in 4.4 and 4.9.
That function is present in 5.4 and 4.19; however, this driver was a
staging driver at that time.
Also, the implementation of wilc_wfi_cfg_parse_ch_attr() in 5.4 and
4.19 is different from the newer code. It seems as if they are not
affected.

Fixed status
mainline: [0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0]
stable/5.10: [3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800]
stable/5.15: [7aed1dd5d221dabe3fe258f13ecf5fc7df393cbb]
stable/6.0: [6195b4838e10a557859862c4e7840dc0eafdd1cd]

CVE-2022-47519: wifi: wilc1000: validate length of
IEEE80211_P2P_ATTR_OPER_CHANNEL attribute

CVSS v3 score is not provided

An issue was discovered in the Linux kernel before 6.0.11. Missing
validation of IEEE80211_P2P_ATTR_OPER_CHANNEL in
drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000
wireless driver can trigger an out-of-bounds write when parsing the
channel list attribute from Wi-Fi management frames.

It looks like the vulnerable function is not present in 4.4 and 4.9.
That function is present in 5.4 and 4.19; however, this driver was a
staging driver at that time.
Also, the implementation of wilc_wfi_cfg_parse_ch_attr() in 5.4 and
4.19 is different from the newer code. It seems as if they are not
affected.

Fixed status
mainline: [051ae669e4505abbe05165bebf6be7922de11f41]
stable/5.10: [905f886eae4b065656a575e8a02544045cbaadcf]
stable/5.15: [143232cb5a4c96d69a7d90b643568665463c6191]
stable/6.0: [c4b629c29a51344a99f279e0bc0caffd25897725]

CVE-2022-47520: wifi: wilc1000: validate pairwise and authentication
suite offsets

CVSS v3 score is not provided

It looks like the vulnerable function is not present in 4.x kernels.
That function is present in 5.4; however, this driver was a staging
driver at that time.

Fixed status
mainline: [cd21d99e595ec1d8721e1058dcdd4f1f7de1d793]
stable/5.10: [7c6535fb4d67ea37c98a1d1d24ca33dd5ec42693]
stable/5.15: [cd9c4869710bb6e38cfae4478c23e64e91438442]
stable/6.0: [b3ac275fe82fb2e52085dace26ab65c91b3434b8]

CVE-2022-47521: wifi: wilc1000: validate length of
IEEE80211_P2P_ATTR_CHANNEL_LIST attribute

CVSS v3 score is not provided

An issue was discovered in the Linux kernel before 6.0.11. Missing
validation of IEEE80211_P2P_ATTR_CHANNEL_LIST in
drivers/net/wireless/microchip/wilc1000/cfg80211.c in the WILC1000
wireless driver can trigger a heap-based buffer overflow when parsing
the operating channel attribute from Wi-Fi management frames.

It looks like the vulnerable function is not present in 4.4 and 4.9.
That function is present in 5.4 and 4.19; however, this driver was a
staging driver at that time. Also, the implementation of
wilc_wfi_cfg_parse_ch_attr() in 5.4 and 4.19 is different from the
newer code. It seems as if they are not affected.

Fixed status
mainline: [f9b62f9843c7b0afdaecabbcebf1dbba18599408]
stable/5.10: [5a068535c0073c8402aa0755e8ef259fb98a33c5]
stable/5.15: [e9de501cf70d2b508b2793ed3e7d5d5ceabd7a74]
stable/6.0: [0269a353bb4bf49902c702e0b55dcab0d470f5aa]

* Updated CVEs

CVE-2022-3344: KVM: SVM: nested shutdown interception could lead to host crash

Added 917401f ("KVM: x86: nSVM: leave nested mode on vCPU free") and
f9697df2 ("KVM: x86: add kvm_leave_nested") to mainline.

Fixed status
mainline: [16ae56d7e0528559bf8dc9070e3bfd8ba3de80df,
ed129ec9057f89d615ba0c81a4984a90345a1684,
917401f26a6af5756d89b550a8e1bd50cf42b07e,
f9697df251438b0798780900e8b43bdb12a56d64]
stable/5.15: [3e87cb0caa25d667a9ca2fe15fef889e43ab8f95,
6425c590d0cc6914658a630a40b7f8226aa028c3]
stable/6.0: [5ca2721b7d3ed4d3da6323a2ea7339f745866d83,
d40ef0a511676bd65ca9acb295430c07af59ab85]

CVE-2022-3424: misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os

The mainline was fixed.

Fixed status
mainline: [643a16a0eb1d6ac23744bb6e90a00fc21148a9dc]

CVE-2022-36280: An out-of-bounds(OOB) memory access vulnerability was
found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c

Fixed in the mainline. This bug was introduced by commit 2ac8637
("vmwgfx: Snoop DMA transfers with non-covering sizes") in 3.2-rc1.

Fixed status
mainline: [4cf949c7fafe21e085a4ee386bb2dade9067316e]

CVE-2022-41218: media: dvb-core: Fix UAF due to refcount races at releasing

Fixed in the mainline.

Fixed status
mainline: [fd3d91ab1c6ab0628fe642dd570b56302c30a792]

CVE-2022-4129: l2tp: missing lock when clearing sk_user_data can lead
to NULL pointer dereference

Added commit af295e8 ("l2tp: Don't sleep and disable BH under
writer-side sk_callback_lock") to mainline.

Fixed status
mainline: [b68777d54fac21fc833ec26ea1a2a84f975ab035,
af295e854a4e3813ffbdef26dbb6a4d6226c3ea1]

CVE-2022-3545: nfp: fix use-after-free in area_cache_get()

Patch was backported to 5.10, 5.15, and 5.4.

Fixed status
mainline: [02e1a114fdb71e59ee6770294166c30d437bf86a]
stable/5.10: [eb6313c12955c58c3d3d40f086c22e44ca1c9a1b]
stable/5.15: [9d933af8fef33c32799b9f2d3ff6bf58a63d7f24]
stable/5.4: [3c837460f920a63165961d2b88b425703f59affb]

CVE-2022-3623: mm/hugetlb: fix races when looking up a CONT-PTE/PMD
size hugetlb page

Patch was backported to 5.4.

Fixed status
mainline: [fac35ba763ed07ba93154c95ffc0c4a55023707f]
stable/5.10: [fccee93eb20d72f5390432ecea7f8c16af88c850]
stable/5.15: [3a44ae4afaa5318baed3c6e2959f24454e0ae4ff]
stable/5.19: [86a913d55c89dd13ba070a87f61a493563e94b54]
stable/5.4: [176ba4c19d1bb153aa6baaa61d586e785b7d736c]
stable/6.0: [7c7c79dd5a388758f8dfa3de89b131d5d84f25fd]

CVE-2022-3643: xen/netback: Ensure protocol headers don't fall in the
non-linear area

Commit 7dfa764 ("xen/netback: fix build warning") was added to the
mainline and was backported to 5.10 and 5.4.

Fixed status
mainline: [ad7f402ae4f466647c3a669b8a6f3e5d4271c84a,
7dfa764e0223a324366a2a1fc056d4d9d4e95491]
stable/4.14: [e173cefc814dec81e9836ecc866cdba154e693cd]
stable/4.19: [44dfdecc288b8d5932e09f5e6a597a089d5a82b2,
5215a8c7a72c0c9d49de9450ad92464832e981af]
stable/4.9: [1a1d9be7b36ee6cbdeb9d160038834d707256e88]
stable/5.10: [49e07c0768dbebff672ee1834eff9680fc6277bf,
a00444e25bbc3ff90314ebc72e9b4952b12211d9]
stable/5.15: [0fe29bd92594a747a2561589bd452c259451929e]
stable/5.4: [8fe1bf6f32cd5b96ddcd2a38110603fe34753e52]
stable/6.0: [e8851d841fe4f29b613a00de45f39c80dbfdb975]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

Commit f937b75 ("Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm") was
added to the mainline.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4,
f937b758a188d6fd328a81367087eddbb2fce50f]
stable/4.14: [9f4624c42db9dd854870ccb212ddd405d8c59041]
stable/4.19: [a2045d57e844864605d39e6cfd2237861d800f13]
stable/4.9: [c834df40af8ec156e8c3c388a08ff7381cd90d80]
stable/5.10: [6b6f94fb9a74dd2891f11de4e638c6202bc89476]
stable/5.15: [81035e1201e26d57d9733ac59140a3e29befbc5a]
stable/5.4: [0d87bb6070361e5d1d9cb391ba7ee73413bc109b]
stable/6.0: [d7efeb93213becae13c6a12e4150ce1e07bd2c49]

CVE-2022-45934: Bluetooth: L2CAP: Fix u8 overflow

Patch was backported to 5.10, 5.15, and 6.0.

Fixed status
mainline: [bcd70260ef56e0aee8a4fc6cd214a419900b0765]
stable/5.10: [f3fe6817156a2ad4b06f01afab04638a34d7c9a6]
stable/5.15: [19a78143961a197de8502f4f29c453b913dc3c29]
stable/6.0: [5550bbf709c323194881737fd290c4bada9e6ead]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-12-15  3:25 Masami Ichikawa
  2023-01-19  7:51 ` Dan Carpenter
  0 siblings, 1 reply; 93+ messages in thread
From: Masami Ichikawa @ 2022-12-15  3:25 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 17 new CVEs and 11 updated CVEs.

* New CVEs

CVE-2022-4378: Linux kernel stack-based buffer overflow in __do_proc_dointvec

CVSS v3 score is not provided

A stack overflow bug was found in __do_proc_dointvec() which missed
checking on user input.
This bug affected all stable kernels. It seems as if 4.4 is affected too.

Fixed status
mainline: [bce9332220bd677d83b19d21502776ad555a0e73,
e6cfaf34be9fcd1a8285a294e18986bfc41a409c]
stable/4.14: [dad6ca557f640b032ed5de9c0136e5628fba1253,
4f4ff21bbcaeda6c061a25c8c2dfac3f27a1fb34]
stable/4.19: [a9c309fb49ffe3203f948973fd27b8f64f7f30c4,
fe84d7f0cb66d150de094fba461f0cb5d5b12c85]
stable/4.9: [6e3644aca0bcb572e461ace04d7045beeebb4aaa,
32646215df00b5dbc79bbeb4df69189fc2a0b234]
stable/5.10: [9ba389863ac63032d4b6ffad2c90a62cd78082ee,
4aa32aaef6c1b5e39ae2508ec596bd7b67871043]
stable/5.15: [48642f94311b0cf9667aa6833f9f5e3a87d2a0ce,
3eb9213f66127fbccd56dd4d36c4b47f3302dbf7]
stable/5.4: [0390da0565ade35f9c2bedcb57ab64c61b40045b,
dd3124a051a1c0397e82bc240f4db9987ef52b3d]
stable/6.0: [fdf2c95f28bf197bfab421d21e8c697d4f149ea1,
e04220518841708f68e7746232e3e54daef464a3]

CVE-2022-25836: Bluetooth SIG Statement Regarding the "Pairing Mode
Confusion in BLE Passkey Entry" Vulnerability

CVSS v3 score is 7.5 HIGH

Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0
through v5.3 may permit an unauthenticated man-in-the-middle (MITM) to
acquire credentials with two pairing devices via adjacent access when
the MITM negotiates Legacy Passkey Pairing with the pairing Initiator
and Secure Connections Passkey Pairing with the pairing Responder and
brute forces the Passkey entered by the user into the Initiator. The
MITM attacker can use the identified Passkey value to complete
authentication with the Responder via Bluetooth pairing method
confusion.

Fixed status
The Bluetooth SIG recommends that implementations enforce Secure
Connections Only Mode.

CVE-2022-25837: Bluetooth SIG Statement Regarding the “Pairing Mode
Confusion in BR/EDR” Vulnerability

CVSS v3 score is 7.5 HIGH

Bluetooth® Pairing in Bluetooth Core Specification v1.0B through v5.3
may permit an unauthenticated man-in-the-middle (MITM) to acquire
credentials with two pairing devices via adjacent access when at least
one device supports BR/EDR Secure Connections pairing and the other
BR/EDR Legacy PIN code pairing if the MITM negotiates BR/EDR Secure
Simple Pairing in Secure Connections mode using the Passkey
association model with the pairing Initiator and BR/EDR Legacy PIN
code pairing with the pairing Responder and brute forces the Passkey
entered by the user into the Responder as a 6-digit PIN code. The MITM
attacker can use the identified PIN code value as the Passkey value to
complete authentication with the Initiator via Bluetooth pairing
method confusion.

Fixed status
The Bluetooth SIG recommends that implementations enforce Secure
Connections Only Mode.

CVE-2022-26047:

CVSS v3 score is 6.5 MEDIUM

Improper input validation for some Intel(R) PROSet/Wireless WiFi,
Intel vPro(R) CSME WiFi and Killer(TM) WiFi products may allow
unauthenticated user to potentially enable denial of service via local
access.

Following products are affected.
- Intel® Wi-Fi 6E AX411
- Intel® Wi-Fi 6E AX211
- Intel® Wi-Fi 6E AX210
- Intel® Wi-Fi 6 AX201
- Intel® Wi-Fi 6 AX200

Fixed status
Intel advisory said that "Intel® PROSet/Wireless WiFi drivers to
mitigate this vulnerability will be up streamed by November 08, 2022.
Consult the regular open-source channels to obtain this update."

CVE-2022-3104: Kernel: kmalloc's return value not checked, leading to
null pointer dereference

CVSS v3 score is not provided

This bug was introduced by commit ae2e1aa ("drivers/misc/lkdtm/bugs.c:
add arithmetic overflow and array bounds checks") in 5.7-rc1.
This commit isn't backported to 5.4 and 4.19. The
drivers/misc/lkdtm/bugs.c is not present in 4.4, 4.9, and 4.14.

Fixed status
mainline: [4a9800c81d2f34afb66b4b42e0330ae8298019a2]
stable/5.10: [56ac04f35fc5dc8b5b67a1fa2f7204282aa887d5]
stable/5.15: [1aeeca2b8397e3805c16a4ff26bf3cc8485f9853]

CVE-2022-3105: uapi_finalize's return value not checked leading to
null pointer dereference

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of
kmalloc_array().
This bug was introduced by commit 6884c6c ("RDMA/verbs: Store the
write/write_ex uapi entry points in the uverbs_api") in 5.0-rc1.
This patch is not backported to 4.19.
The drivers/infiniband/core/uverbs_uapi.c is not present in 4.14, 4.9, and 4.4.

Fixed status
mainline: [7694a7de22c53a312ea98960fcafc6ec62046531]
stable/5.10: [16e5cad6eca1e506c38c39dc256298643fa1852a]
stable/5.15: [0ea8bb0811ba0ec22903cbb48ff2cd872382e8d4]
stable/5.4: [7646a340b25bb68cfb6d2e087a608802346d0f7b]

CVE-2022-3106: kmalloc's return value not checked, leading to null
pointer dereference

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check
of the return value of kmalloc().

This bug was introduced by commit b593b6f ("sfc_ef100: statistics
gathering") in 5.9-rc1. This driver was introduced in 5.9, so kernels
older than 5.9 aren't affected by this issue.

Fixed status
mainline: [407ecd1bd726f240123f704620d46e285ff30dd9]
stable/5.10: [734a3f3106053ee41cecae2a995b3d4d0c246764]
stable/5.15: [9a77c02d1d2147a76bd187af1bf5a34242662d12]

CVE-2022-3107: Kernel: Unchecked kvmalloc_array return leads to null
pointer dereference.

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks
check of the return value of kvmalloc_array() and will cause the null
pointer dereference.

This bug was introduced by commit 6ae7467 ("hv_netvsc: Add per-cpu
ethtool stats for netvsc") in 4.19-rc1. This commit is not backported
to 4.4, 4.14, and 4.9.

Fixed status
mainline: [886e44c9298a6b428ae046e2fa092ca52e822e6a]
stable/4.19: [a30c7c81db60f7f7ad52f75a4f7de5f628063df4]
stable/5.10: [9b763ceda6f8963cc99df5772540c54ba46ba37c]
stable/5.15: [ab0ab176183191cffc69fe9dd8ac6c8db23f60d3]
stable/5.4: [b01e2df5fbf68719dfb8e766c1ca6089234144c2]

CVE-2022-3108: Kernel: kmemdup's return value not checked

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c
lacks check of the return value of kmemdup().

This bug was introduced by commit 3a87177 ("drm/amdkfd: Add topology
support for dGPUs") in 4.16-rc1. The
drivers/gpu/drm/amd/amdkfd/kfd_crat.c is not present in 4.4, 4.9, and
4.14.

Fixed status
mainline: [abfaf0eee97925905e742aa3b0b72e04a918fa9e]
stable/5.15: [5609b7803947eea1711516dd8659c7ed39f5a868]

CVE-2022-3110: Unchecked rtw_alloc_hwxmits return leads to null
pointer dereference.

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
_rtw_init_xmit_priv in drivers/staging/r8188eu/core/rtw_xmit.c lacks
check of the return value of rtw_alloc_hwxmits() and will cause the
null pointer dereference.

This bug was introduced by commit 1586512 ("staging: r8188eu:
introduce new core dir for RTL8188eu driver") in 5.15-rc1. This driver
was introduced in 5.15-rc1, so kernels older than 5.15 aren't affected
by this issue.

Fixed status
mainline: [f94b47c6bde624d6c07f43054087607c52054a95]
stable/5.15: [029983ea88e59f4c7dc0d56ade2b16d6b869bf94]

CVE-2022-3111: Unchecked WM8350_IRQ_CHG_FAST_RDY free leads to null
pointer dereference

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
free_charger_irq() in drivers/power/supply/wm8350_power.c lacks free
of WM8350_IRQ_CHG_FAST_RDY, which is registered in
wm8350_init_charger().

This bug was introduced by commit 14431aa ("power_supply: Add support
for WM8350 PMU") in 2.6.29-rc1.

Fixed status
mainline: [6dee930f6f6776d1e5a7edf542c6863b47d9f078]
stable/4.14: [ae64b838bececea902b819a69731cb80cca8f31a]
stable/4.19: [60dd1082322966f192f42fe2a6605dfa08eef41f]
stable/4.9: [a6a3ec1626846fba62609330673a2dd5007d6a53]
stable/5.10: [48d23ef90116c8c702bfa4cad93744e4e5588d7d]
stable/5.15: [4124966fbd95eeecca26d52433f393e2b9649a33]
stable/5.4: [90bec38f6a4c81814775c7f3dfc9acf281d5dcfa]

CVE-2022-3112: Kernel: kzalloc's return value not checked leading to
null pointer dereference

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
amvdec_set_canvases in drivers/staging/media/meson/vdec/vdec_helpers.c
lacks check of the return value of kzalloc() and will cause the null
pointer dereference.

This bug was introduced by commit 876f123 ("media: meson: vdec: bring
up to compliance") in 5.7-rc1. This patch is not backported to 5.4.
drivers/staging/media/meson is not present in 4.4, 4.14, and 4.19.

Fixed status
mainline: [c8c80c996182239ff9b05eda4db50184cf3b2e99]
stable/5.10: [032b141a91a82a5f0107ce664a35b201e60c5ce1]
stable/5.15: [b0b890dd8df3b9a2fe726826980b1cffe17b9679]

CVE-2022-3113: Kernel: devm_kzalloc return value not checked, null
pointer dereference

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
mtk_vcodec_fw_vpu_init in
drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c lacks check of
the return value of devm_kzalloc() and will cause the null pointer
dereference.

This bug was introduced by commit 46233e9 ("media: mtk-vcodec: move
firmware implementations into their own files") in 5.10-rc6. This
commit fixes bf1d556 ("media: mtk-vcodec: abstract firmware
interface") in 5.10-rc1.
The mtk_vcodec_fw_vpu_init() is not found in 4.4, 4.14, 4.19, and 5.4.

Fixed status
mainline: [e25a89f743b18c029bfbe5e1663ae0c7190912b0]
stable/5.10: [bc2573abc691a269b54a6c14a2660f26d88876a5]
stable/5.15: [0022dc8cafa5fcd156da8ae7bfc9ca99497bdffc]

CVE-2022-3114: Kernel: Unchecked kcalloc return leads to null pointer
dereference.

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
imx_register_uart_clocks in drivers/clk/imx/clk.c lacks check of the
return value of kcalloc() and will cause the null pointer dereference.

This bug was introduced by commit 379c9a2 ("clk: imx: Fix reparenting
of UARTs not associated with stdout") in 5.13-rc1. This commit fixes
9461f7b ("clk: fix CLK_SET_RATE_GATE with clock rate protection") in
4.19-rc1.
Commit 379c9a2 is not backported to 4.19, 4.14, 4.9, and 4.4.

Fixed status
mainline: [ed713e2bc093239ccd380c2ce8ae9e4162f5c037]
stable/5.10: [9e33e261b4d62a33616a16b6fda57123b1ee9c4d]

CVE-2022-3115: Kernel: Unchecked kzalloc return leads to null pointer
dereference.

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16-rc6.
malidp_crtc_reset in drivers/gpu/drm/arm/malidp_crtc.c lacks check of
the return value of kzalloc() and will cause the null pointer
dereference.

This bug was introduced by commit 99665d0 ("drm: mali-dp: add
malidp_crtc_state struct") in 4.12-rc1. This commit is not backported
to 4.9. This driver is not present in 4.4.

Fixed status
mainline: [73c3ed7495c67b8fbdc31cf58e6ca8757df31a33]
stable/5.10: [b4c7dd0037e6aeecad9b947b30f0d9eaeda11762]
stable/5.15: [4cb37f715f601cee5b026c6f9091a466266b5ba5]
stable/5.4: [fa0d7ba25a53ac2e4bb24ef31aec49ff3578b44f]

CVE-2022-4379: NFSD: fix use-after-free in __nfs42_ssc_open()

CVSS v3 score is not provided

A use-after-free vulnerability was found in __nfs42_ssc_open() in the NFS
subsystem of Linux through v6.1, which allows an attacker to trigger
remote denial of service.

Patch removes calling nfsd4_interssc_disconnect() in nfs42_ssc_open()
and nfsd4_copy(). It also removes nfsd4_interssc_disconnect(). The
nfsd4_interssc_disconnect() was added by commit ce0887ac ("NFSD add nfs4
inter ssc to nfsd4_copy") in 5.6-rc1. So, it looks like kernels older
than 5.6 aren't affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2022-4382: usb: A use-after-free Write in put_dev

CVSS v3 score is not provided

This use-after-free violation is caused by a race among the superblock
operations in the gadgetfs driver. The vulnerability may not be a big
deal, because the normal user can't execute umount.
It could be triggered by yanking out a device that is running the gadgetfs side.

It looks like all stable kernels, including 4.4, are affected.

Fixed status
Patch is available but it hasn't been merged yet.

* Updated CVEs

CVE-2022-3169: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET
may cause a DOS

5.4 was fixed.

Fixed status
mainline: [1e866afd4bcdd01a70a5eddb4371158d3035ce03]
stable/5.10: [023435a095d22bcbbaeea7e3a8c534b5c57d0d82]
stable/5.15: [b1a27b2aad936746e6ef64c8a24bcb6dce6f926a]
stable/5.4: [99c59256ea00ff7fab4914bb38e10a84850de514]
stable/6.0: [0c2b1c56252bf19d3412137073c2c07e86f40ba1]

CVE-2022-3435: ipv4: Handle attempt to delete multipath route when
fib_info contains an nh reference

5.10, 5.15, 5.4, and 6.0 were fixed.

Fixed status
mainline: [61b91eb33a69c3be11b259c5ea484505cd79f883]
stable/5.10: [0b5394229ebae09afc07aabccb5ffd705ffd250e]
stable/5.15: [25174d91e4a32a24204060d283bd5fa6d0ddf133]
stable/5.4: [cc3cd130ecfb8b0ae52e235e487bae3f16a24a32]
stable/6.0: [bb20a2ae241be846bc3c11ea4b3a3c69e41d51f2]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

4.14, 4.19, and 4.9 were fixed.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
stable/4.14: [205c1e9ac56a5cd1a7d0bc457d8b38871f5b37ed]
stable/4.19: [bbfbdca680b0cbea0e57be597b5e2cae19747052]
stable/4.9: [d2c9e2ebafa14a564b28e237db8d90ab7bdbd061]
stable/5.10: [818c36b988b82f31e4be8ad8415e1be902b8e5f8]
stable/5.15: [1401e9336bebaa6dd5a320f83bddc17619d4e3a6]
stable/5.4: [92aaa5e8fe90a008828a1207e66a30444bcb1cbd]
stable/6.0: [0c5d628f1e1d049c33595693fab1b6e9baf25795]

CVE-2022-4139: drm/i915: fix TLB invalidation for Gen12 video and
compute engines

5.4 was fixed.

Fixed status
mainline: [04aa64375f48a5d430b5550d9271f8428883e550]
stable/5.10: [86f0082fb9470904b15546726417f28077088fee]
stable/5.15: [ee2d04f23bbb16208045c3de545c6127aaa1ed0e]
stable/5.4: [3659e33c1e4f8cfc62c6c15aca5d797010c277a4]
stable/6.0: [aef39675ad33317c8badc0165ea882e172a633e6]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

4.14, 4.19, 4.9, and 5.4 were fixed.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4]
stable/4.14: [9f4624c42db9dd854870ccb212ddd405d8c59041]
stable/4.19: [a2045d57e844864605d39e6cfd2237861d800f13]
stable/4.9: [c834df40af8ec156e8c3c388a08ff7381cd90d80]
stable/5.10: [6b6f94fb9a74dd2891f11de4e638c6202bc89476]
stable/5.15: [81035e1201e26d57d9733ac59140a3e29befbc5a]
stable/5.4: [0d87bb6070361e5d1d9cb391ba7ee73413bc109b]
stable/6.0: [d7efeb93213becae13c6a12e4150ce1e07bd2c49]

CVE-2022-45869: KVM: x86/mmu: Fix race condition in direct_page_fault

5.15 was fixed.

Fixed status
mainline: [47b0c2e4c220f2251fd8dcfbb44479819c715e15]
stable/5.15: [f88a6977f8b981bfb5fddd18fbaa75e57e8af293]
stable/6.0: [34ced1da74eb975abdf7ef823512c7719f67601b]

CVE-2022-45934: Bluetooth: L2CAP: Fix u8 overflow

The mainline was fixed.

Fixed status
mainline: [bcd70260ef56e0aee8a4fc6cd214a419900b0765]

CVE-2022-3623: mm/hugetlb: fix races when looking up a CONT-PTE/PMD
size hugetlb page

5.10 was fixed.

Fixed status
mainline: [fac35ba763ed07ba93154c95ffc0c4a55023707f]
stable/5.10: [fccee93eb20d72f5390432ecea7f8c16af88c850]
stable/5.15: [3a44ae4afaa5318baed3c6e2959f24454e0ae4ff]
stable/5.19: [86a913d55c89dd13ba070a87f61a493563e94b54]
stable/6.0: [7c7c79dd5a388758f8dfa3de89b131d5d84f25fd]

CVE-2022-3643: xen/netback: Ensure protocol headers don't fall in the
non-linear area

Stable kernels were fixed.

Fixed status
mainline: [ad7f402ae4f466647c3a669b8a6f3e5d4271c84a]
stable/4.14: [e173cefc814dec81e9836ecc866cdba154e693cd]
stable/4.19: [44dfdecc288b8d5932e09f5e6a597a089d5a82b2]
stable/4.9: [1a1d9be7b36ee6cbdeb9d160038834d707256e88]
stable/5.10: [49e07c0768dbebff672ee1834eff9680fc6277bf]
stable/5.15: [0fe29bd92594a747a2561589bd452c259451929e]
stable/5.4: [8fe1bf6f32cd5b96ddcd2a38110603fe34753e52]
stable/6.0: [e8851d841fe4f29b613a00de45f39c80dbfdb975]

CVE-2022-42328: xen/netback: don't call kfree_skb() with interrupts disabled

stable kernels were fixed.

Fixed status
mainline: [74e7e1efdad45580cc3839f2a155174cf158f9b5]
stable/4.14: [2b81c566ab5724976de59ad7787e204f7938ae27]
stable/4.19: [d3e1b6151d5d40bedabea129f5873a83b9390b62]
stable/4.9: [b41eab5790ac8ceed2b940f7acc5b3698c824644]
stable/5.10: [83632fc41449c480f2d0193683ec202caaa186c9]
stable/5.15: [5d0fa6fc8899fe842329c0109f8ddd01144b1ed8]
stable/5.4: [50e1ab7e638f1009d953658af8f6b2d7813a7883]
stable/6.0: [3fb02db125bbcf8163e9e30d2824b4adf13f06cb]

CVE-2022-42329: xen/netback: don't call kfree_skb() with interrupts disabled

stable kernels were fixed.

Fixed status
mainline: [74e7e1efdad45580cc3839f2a155174cf158f9b5]
stable/4.14: [2b81c566ab5724976de59ad7787e204f7938ae27]
stable/4.19: [d3e1b6151d5d40bedabea129f5873a83b9390b62]
stable/4.9: [b41eab5790ac8ceed2b940f7acc5b3698c824644]
stable/5.10: [83632fc41449c480f2d0193683ec202caaa186c9]
stable/5.15: [5d0fa6fc8899fe842329c0109f8ddd01144b1ed8]
stable/5.4: [50e1ab7e638f1009d953658af8f6b2d7813a7883]
stable/6.0: [3fb02db125bbcf8163e9e30d2824b4adf13f06cb]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


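As an added example (not code from the report or from the CIP project; the regular expressions, function names and sample text are my own), the following Python parses the "Fixed status" blocks of a report written in the format above into a map of CVE id to branch to fix-commit hashes. It handles commit lists that wrap over several lines, as the CVE-2022-4378 entry's do, and lists the CVEs that name no fix commit on a given branch, which is the question a CIP member tracking a stable series wants answered. The sample input is constructed from three entries of the report above.

```python
"""Parse the 'Fixed status' blocks of a weekly CIP CVE report.

Result shape: {cve_id: {branch: [sha, ...]}}. A CVE that lists no
branch at all (e.g. 'Patch is available but it hasn't been merged yet')
maps to an empty dict, so callers can tell 'unfixed' from 'absent'.
"""
import re

# Constructed sample: three entries copied from the report above.
# CVE-2022-4378 is included because its commit lists wrap over two lines.
SAMPLE_REPORT = """\
* New CVEs

CVE-2022-4378: Linux kernel stack-based buffer overflow in __do_proc_dointvec

CVSS v3 score is not provided

Fixed status
mainline: [bce9332220bd677d83b19d21502776ad555a0e73,
e6cfaf34be9fcd1a8285a294e18986bfc41a409c]
stable/4.19: [a9c309fb49ffe3203f948973fd27b8f64f7f30c4,
fe84d7f0cb66d150de094fba461f0cb5d5b12c85]
stable/5.10: [9ba389863ac63032d4b6ffad2c90a62cd78082ee,
4aa32aaef6c1b5e39ae2508ec596bd7b67871043]

CVE-2022-3104: Kernel: kmalloc's return value not checked, leading to
null pointer dereference

Fixed status
mainline: [4a9800c81d2f34afb66b4b42e0330ae8298019a2]
stable/5.10: [56ac04f35fc5dc8b5b67a1fa2f7204282aa887d5]
stable/5.15: [1aeeca2b8397e3805c16a4ff26bf3cc8485f9853]

CVE-2022-4379: NFSD: fix use-after-free in __nfs42_ssc_open()

Fixed status
Patch is available but it hasn't been merged yet.
"""

# An entry heading is a CVE id followed by a colon at the start of a line.
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):")
# A branch line opens a bracketed commit list; the list may not close here.
BRANCH_RE = re.compile(r"^(mainline|stable/\d+\.\d+):\s*\[(.*)$")
# Abbreviated (7 hex chars) or full (40 hex chars) commit ids.
SHA_RE = re.compile(r"\b[0-9a-f]{7,40}\b")


def parse_fixed_status(text):
    """Return {cve_id: {branch: [sha, ...]}} for every CVE heading in text."""
    result = {}
    current = None       # CVE id of the entry being read
    open_branch = None   # branch whose commit list has not seen ']' yet
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            open_branch = None
            continue
        if current is None:
            continue
        m = BRANCH_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
            result[current][name] = SHA_RE.findall(rest)
            open_branch = None if "]" in rest else name
        elif open_branch is not None:
            # continuation of a list that wrapped onto this line
            result[current][open_branch].extend(SHA_RE.findall(line))
            if "]" in line:
                open_branch = None
    return result


def unfixed_on(report, branch):
    """CVE ids in the report that list no fix commit for the given branch."""
    return [cve for cve, fixes in report.items() if branch not in fixes]


if __name__ == "__main__":
    parsed = parse_fixed_status(SAMPLE_REPORT)
    for cve, fixes in parsed.items():
        print(cve, {b: len(s) for b, s in fixes.items()})
    print("no fix listed on stable/5.15:", unfixed_on(parsed, "stable/5.15"))
```

The parser keys on the exact `mainline:` / `stable/X.Y:` prefixes, so a typo such as a missing leading "s" in a branch name would make that line invisible to it; that is deliberate, since silently accepting near-matches would be worse for a tracking tool than a missing entry that a reviewer notices.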

* New CVE entries this week
@ 2022-12-07 23:25 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-12-07 23:25 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 9 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2022-4269: kernel: net: CPU soft lockup in TC mirred
egress-to-ingress action

CVSS v3 score is 5.5 MEDIUM.

A deadlock bug was found in the Linux kernel traffic control (TC)
subsystem. When configuring redirecting egress packets to ingress
using the TC action "mirred", a local user could trigger a deadlock.
This issue was introduced by commit 53592b364001 ("net/sched:
act_mirred: Implement ingress actions") in 4.10-rc1.

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-20565: HID: core: Correctly handle ReportSize being zero

CVSS v3 score is not provided.

If ReportSize is 0, which is a legal value, calculating the total size in
bytes will be wrong. When the wrong value is passed to memset() it will
access an invalid memory area.
This bug was fixed in 5.9-rc4. cip/4.4 kernels contain backport commit 12b27c4.

Fixed status
mainline: [bce1305c0ece3dc549663605e567655dd701752c]
stable/4.14: [9e5894b7e2229e6d89319864fb08304571fd44f7]
stable/4.19: [abae259fdccc5e41ff302dd80a2b944ce385c970]
stable/4.9: [cf7797ea60e3e721e3ae5090edbc2ec72d715436]
stable/5.4: [667514df10a08e4a65cb88f5fd5ffeccd027c4af]

CVE-2022-20566: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put

CVSS v3 score is not provided.

A use-after-free bug was found in the Bluetooth subsystem.
When hci_rx_work() starts up after the final channel reference has
been put during sock_clone() and this channel has been destroyed
before starting hci_rx_work(), it will lead to a UAF bug.
cip/4.4 kernels contain backport commit 46e77e0.

This bug was fixed in 5.19.

Fixed status
mainline: [d0be8347c623e0ac4202a1d4e0373882821f56b0]
stable/4.14: [5bb395334392891dffae5a0e8f37dbe1d70496c9]
stable/4.19: [bbd1fdb0e1adf827997a93bf108f20ede038e56e]
stable/4.9: [d255c861e268ba342e855244639a15f12d7a0bf2]
stable/5.10: [de5d4654ac6c22b1be756fdf7db18471e7df01ea]
stable/5.15: [f32d5615a78a1256c4f557ccc6543866e75d03f4]
stable/5.4: [098e07ef0059296e710a801cdbd74b59016e6624]

CVE-2022-20567: l2tp: fix race in pppol2tp_release with session object destroy

CVSS v3 score is not provided.

A race condition bug was found in l2tp subsystem. When
pppol2tp_release() puts the final reference on its socket by call_rcu,
while pppol2tp_put_sk() is running, pppol2tp_release() may release an
already freed socket.

This bug was introduced by commit ee40fb2 ("l2tp: protect sock pointer
of struct pppol2tp_session with RCU") in 4.15-rc1 and fixed in
4.16-rc5.
cip/4.4 kernels contain backport commit b241b0c.

Fixed status
mainline: [d02ba2a6110c530a32926af8ad441111774d2893]
stable/4.14: [1819c764fe0f851942c2b3cf5dae516e7bbe69d8]
stable/4.9: [267b8fa3f5bf8ca6458670298a02f7438855bd80]

CVE-2022-20568: io_uring: always grab file table for deferred statx

CVSS v3 score is not provided.

A use-after-free bug was found in io_uring.
This bug was only in the 5.10.y stable kernel series. The commit log
says that "This issues doesn't exist upstream since the native workers
got introduced with 5.12."

Fixed status
stable/5.10: [3c48558be571e01f67e65edcf03193484eeb2b79]

CVE-2022-3643: xen/netback: Ensure protocol headers don't fall in the
non-linear area

CVSS v3 score is not provided.

A xen guest can reset/abort/crash NIC interface by sending certain
kinds of packets.
This bug was introduced by commit 7e5d775 ("xen-netback: remove
unconditional __pskb_pull_tail() in guest Tx path") in 3.19-rc1 so all
stable kernels are affected by this issue.

Fixed status
mainline: [ad7f402ae4f466647c3a669b8a6f3e5d4271c84a]

CVE-2022-42328: xen/netback: don't call kfree_skb() with interrupts disabled
CVE-2022-42329: xen/netback: don't call kfree_skb() with interrupts disabled

CVSS v3 score is not provided.

CVE-2022-42328 and CVE-2022-42329 have the same root cause and are
also fixed by the same commit.

Introduced by commit be81992 ("xen/netback: don't queue unlimited
number of packages") in v5.16-rc7. This commit fixes f48da8b
("xen-netback: fix unlimited guest Rx internal queue and carrier
flapping") in 3.18-rc3.
Commit be81992 is not backported to 4.4 kernel because
drivers/net/xen-netback/rx.c isn't present in 4.4.
However, 4.9, 4.19, 5.4, 5.10, 5.15 are affected.

Fixed status
mainline: [74e7e1efdad45580cc3839f2a155174cf158f9b5]

CVE-2022-20572: dm verity: set DM_TARGET_IMMUTABLE feature flag

CVSS v3 score is not provided.

The dm-verity target doesn't set its feature as immutable, so it allows a
user to change its target type.

Introduced by commit a4ffc15 ("dm: add verity target") in 3.4-rc1.
In kernel 4.4, verity_target variable is defined in drivers/md/dm-verity.c.

Fixed status
mainline: [4caae58406f8ceb741603eee460d79bacca9b1b5]
stable/4.14: [388bc1e69663956f8cee43af3bd02bd3061d222d]
stable/4.19: [6bff6107d1364c95109609c3fd680e6c8d7fa503]
stable/4.9: [27798cca4e54fe9c390396c4cc655480f827bbd5]
stable/5.10: [8df42bcd364cc3b41105215d841792aea787b133]
stable/5.15: [69712b170237ec5979f168149cd31e851a465853]
stable/5.4: [fd2f7e9984850a0162bfb6948b98ffac9fb5fa58]

* Updated CVEs

CVE-2022-3344: KVM: SVM: nested shutdown interception could lead to host crash

5.15 and 6.0 were fixed.

Fixed status
mainline: [16ae56d7e0528559bf8dc9070e3bfd8ba3de80df,
ed129ec9057f89d615ba0c81a4984a90345a1684]
stable/5.15: [3e87cb0caa25d667a9ca2fe15fef889e43ab8f95,
6425c590d0cc6914658a630a40b7f8226aa028c3]
stable/6.0: [5ca2721b7d3ed4d3da6323a2ea7339f745866d83,
d40ef0a511676bd65ca9acb295430c07af59ab85]

CVE-2022-4139: drm/i915: fix TLB invalidation for Gen12 video and
compute engines

5.10, 5.15, and 6.0 were fixed.

Fixed status
mainline: [04aa64375f48a5d430b5550d9271f8428883e550]
stable/5.10: [86f0082fb9470904b15546726417f28077088fee]
stable/5.15: [ee2d04f23bbb16208045c3de545c6127aaa1ed0e]
stable/6.0: [aef39675ad33317c8badc0165ea882e172a633e6]

CVE-2022-45869: KVM: x86/mmu: Fix race condition in direct_page_fault

6.0 was fixed.

Fixed status
mainline: [47b0c2e4c220f2251fd8dcfbb44479819c715e15]
stable/6.0: [34ced1da74eb975abdf7ef823512c7719f67601b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-11-30 23:26 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-11-30 23:26 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 3 updated CVEs.
CVE-2022-45884, CVE-2022-45885, CVE-2022-45886, CVE-2022-45887 are
fixed in the same patch series.

* New CVEs

CVE-2022-4129: l2tp: missing lock when clearing sk_user_data can lead
to NULL pointer dereference

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the l2tp module.

Introduced by commit b68777d54fac ("l2tp: Serialize access to
sk_user_data with sk_callback_lock") in 6.1-rc6.
It fixes commit 3557baa ("[L2TP]: PPP over L2TP driver core") in 2.6.23-rc1.
Commit b68777d54fac is not backported to stable kernels so these
kernels aren't affected by this issue.

Fixed status
Patch is available (https://lore.kernel.org/netdev/20221119130317.39158-1-jakub@cloudflare.com/)
but not merged yet.

CVE-2022-28667: Out-of-bounds write for some Intel(R) PROSet/Wireless
WiFi software

CVSS v3 score is 6.5 MEDIUM.

Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software
before version 22.140 may allow an unauthenticated user to potentially
enable denial of service via adjacent access.

The Intel security advisory INTEL-SA-00687 says that
"Intel® PROSet/Wireless WiFi drivers to mitigate this vulnerability
will be up streamed by November 08, 2022." so the mainline kernel
seems affected by this issue.

Fixed status
Not fixed yet

CVE-2022-45884: A use-after-free bug was found in
drivers/media/dvb-core/dvbdev.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvbdev.c has a use-after-free, related to
dvb_register_device dynamically allocating fops.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45885: A use-after-free bug was found in
drivers/media/dvb-core/dvb_frontend.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvb_frontend.c has a race condition that can
cause a use-after-free when a device is disconnected.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45886: A use-after-free bug was found in
drivers/media/dvb-core/dvb_net.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvb_net.c has a .disconnect versus
dvb_device_open race condition that leads to a use-after-free.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45887: media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb()

CVSS v3 score is 4.7 MEDIUM.

An issue was discovered in the Linux kernel.
drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of
the lack of a dvb_frontend_detach call.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45888: char: xillybus: Fix use-after-free in xillyusb_open()

CVSS v3 score is 6.4 MEDIUM.

An issue was discovered in the Linux kernel.
drivers/char/xillybus/xillyusb.c has a race condition and
use-after-free during physical removal of a USB device.

The XILLYUSB driver was added by a53d120 ("char: xillybus: Add driver for
XillyUSB (Xillybus variant for USB)") in 5.14-rc1. So, kernels before 5.14
are not affected.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/all/20221022175404.GA375335@ubuntu/

CVE-2022-45919: media: dvb-core: Fix use-after-free due to race
condition occurring in dvb_ca_en50221

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel. In
drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if
there is a disconnect after an open, because of the lack of a
wait_event.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Patch is available but it hasn't been merged yet.
https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu/T/#u

CVE-2022-45934: Bluetooth: L2CAP: Fix u8 overflow

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel. l2cap_config_req in
net/bluetooth/l2cap_core.c has an integer wraparound via
L2CAP_CONF_REQ packets.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
fixed in the bluetooth-next tree.
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d

CVE-2022-45869: KVM: x86/mmu: Fix race condition in direct_page_fault

CVSS v3 score is not provided.

A race condition bug was found in direct_page_fault() which will lead to
a system crash.
Introduced by commit a2855af ("KVM: x86/mmu: Allow parallel page
faults for the TDP MMU") in v5.12-rc1-dontuse. It is not backported to
stable kernels, so kernels older than 5.12 are not affected by this issue.

Fixed status
mainline: [47b0c2e4c220f2251fd8dcfbb44479819c715e15]

CVE-2022-4139: drm/i915: fix TLB invalidation for Gen12 video and
compute engines

CVSS v3 score is not provided.

A random memory corruption or data leak problem in the Intel i915
graphics driver because of an incorrect GPU TLB flush.
This bug was introduced by commit 7938d61 ("drm/i915: Flush TLBs
before releasing backing store") which was backported to all stable
kernels.

Fixed status
mainline: [04aa64375f48a5d430b5550d9271f8428883e550]

* Updated CVEs

CVE-2022-3169: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET
may cause a DOS

Stable kernels were fixed this week.

Fixed status
mainline: [1e866afd4bcdd01a70a5eddb4371158d3035ce03]
stable/5.10: [023435a095d22bcbbaeea7e3a8c534b5c57d0d82]
stable/5.15: [b1a27b2aad936746e6ef64c8a24bcb6dce6f926a]
stable/6.0: [0c2b1c56252bf19d3412137073c2c07e86f40ba1]

CVE-2022-3521: kcm: avoid potential race in kcm_tx_work

Stable kernels were fixed this week. Kernel 4.4 is not affected by this issue.

Fixed status
mainline: [ec7eede369fe5b0d085ac51fdbb95184f87bfc6c]
stable/4.14: [381b6cb3f3e66b84db77028ac7d84f18d80f1153]
stable/4.19: [23a0a5869749c7833772330313ae7aec6581ec60]
stable/4.9: [fe3f79701fdaf8a087bc7043839e7f8b2e61b6fe]
stable/5.10: [7deb7a9d33e4941c5ff190108146d3a56bf69e9d]
stable/5.15: [27d706b0d394a907ff8c4f83ffef9d3e5817fa84]
stable/5.4: [ad39d09190a545d0f05ae0a82900eee96c5facea]
stable/6.0: [2526ac6b0f5a9b38e7e9073e37141cf78408078d]

CVE-2022-3344: KVM: SVM: nested shutdown interception could lead to host crash

The mainline was fixed this week.

Fixed status
mainline: [16ae56d7e0528559bf8dc9070e3bfd8ba3de80df,
ed129ec9057f89d615ba0c81a4984a90345a1684]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-11-24  1:24 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-11-24  1:24 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 3 updated CVEs.

* New CVEs

CVE-2022-3910: Improper update of reference count in io_uring leads to
use-after-free

CVSS v3 score is not provided(NIST).
CVSS v3 score is 7.8 HIGH(CNA).

A use-after-free bug was found in the io_uring subsystem. An improper
update of a reference count in io_uring leads to use-after-free and
local privilege escalation. When io_msg_ring was invoked with a fixed
file, it called io_fput_file() which improperly decreased its
reference count (leading to use-after-free and local privilege
escalation).

Introduced by aa184e8 ("io_uring: don't attempt to IOPOLL for MSG_RING
requests") which fixes 3f1d52a ("io_uring: defer msg-ring file
validity check until command issue").
Commit 3f1d52a was merged in 5.18-rc1 and is not backported to stable
kernels. This vulnerability was fixed in v6.0-rc6.

Fixed status
mainline: [fc7222c3a9f56271fba02aabbfbae999042f1679]

CVE-2022-4095: A Use-after-Free/Double-Free bug in rtl8712

CVSS v3 score is not provided.

A use-after-free/double-free bug was found in the rtl8712 staging
driver. This vulnerability leads to DoS or local privilege escalation.
This bug was introduced in 2.6.37-rc1.

Fixed status
mainline: [e230a4455ac3e9b112f0367d1b8e255e141afae0]
stable/4.14: [376e15487fec837301d888068a3fcc82efb6171a]
stable/4.19: [9fd6170c5e2d0ccd027abe26f6f5ffc528e1bb27]
stable/4.9: [7dce6b0ee7d78667d6c831ced957a08769973063]
stable/5.10: [19e3f69d19801940abc2ac37c169882769ed9770]
stable/5.15: [dc02aaf950015850e7589696521c7fca767cea77]
stable/5.4: [d0aac7146e96bf39e79c65087d21dfa02ef8db38]

CVE-2022-4127: io_uring: NULL pointer dereference in
io_files_update_with_index_alloc

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in
io_files_update_with_index_alloc() in the io_uring subsystem. It will
lead to a system crash.

This bug was introduced by commit a7c41b4 ("io_uring: let
IORING_OP_FILES_UPDATE support choosing fixed file slots") in
5.19-rc1.
Kernel versions older than 5.19 aren't affected by this issue.

Fixed status
mainline: [d785a773bed966a75ca1f11d108ae1897189975b]

CVE-2022-4128: mptcp: NULL pointer dereference in subflow traversal at
disconnect time

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the mptcp module. This bug
will lead to a system crash.
This issue was introduced by commit b29fcfb ("mptcp: full disconnect
implementation") in 5.17-rc1.
Kernel versions older than 5.17 aren't affected by this issue.

Fixed status
mainline: [5c835bb142d4013c2ab24bff5ae9f6709a39cbcf]

CVE-2022-41858: kernel: null-ptr-deref vulnerabilities in
sl_tx_timeout in drivers/net/slip

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the slip module. This bug
will lead to a system crash.
CIP 4.4 kernels are already fixed.

Fixed status
mainline: [ec4eb8a86ade4d22633e1da2a7d85a846b7d1798]
stable/4.14: [3fdb033f8f8c978489c7702a4a44494b7ae63424]
stable/4.19: [753b9d220a7d36dac70e7c6d05492d10d6f9dd36]
stable/4.9: [113284fe48770841e157e338bf3a2e9f197a8b50]
stable/5.10: [ca24c5e8f0ac3d43ec0cff29e1c861be73aff165]
stable/5.15: [efb020924a71391fc12e6f204eaf25694cc116a1]
stable/5.4: [d05cd68ed8460cb158cc62c41ffe39fe0ca16169]

* Updated CVEs

CVE-2022-23816: Mis-trained branch predictions for return instructions may allow
arbitrary speculative code execution under certain
microarchitecture-dependent conditions on some AMD processors
CVE-2022-29900: Information leak through mispredicted returns on AMD processors
CVE-2022-29901: Information leak through mispredicted returns on Intel
processors

4.19 finally fixed the Retbleed vulnerability (CVE-2022-23816,
CVE-2022-29900 and CVE-2022-29901).

Fixed status
stable/4.19: [67b137bf0d9d096f86c8bfa175ca5ab3629369c9,
8627f766f42beefcce9979e6db44541cc651d521,
c150c96152aa0ca3d59ecc71c0c4a8864abca42a,
e6bfe7967f1a06ff906a1d8d73696c750f833e74,
78c9a72da30a2a6e30c190f431d03a3b06bdcdc0,
0ff64957bae869ab7163d4b6c930f8ecfc6ae7cf,
12db59370889ce1a5e3deb50507d4141910c4341,
7c9a1a329b6273b5fe1c47f78a8efb15197937d5,
bd2b18f6d226de17b42b1f1ff15daf800a4f0c52,
c79ea34ffbb9af46a3e97f2a4550f83d0151a2e3,
4b74a4f69682058fa79ccc9643ea69a0f1b955ee,
310aee6c371b076f86b61f764fe77de0e2913edd,
9e03416b022e83c73bbbdc275f1df1c3e88e3155,
f1b4cf5ce43f28503ef24d30fdbb9247d141765d,
c1493b60fd131c0c1558a8f71192fbebe7ed998f,
6cc8bd7dd3f33c39469899b2045870b62dd1ef4d,
9dc813c5fe403345e3edf1e52ee1ee2ecfe0d46d,
d2c10ea360a307f520c22e56b77f9a40db79e253,
9f3330d4930e034d84ee6561fbfb098433ff0ab9,
ca47b5c598c2772aadd6bd5626ac531e640cd477,
93f951062040f132968103bb5a070aaafde2865c,
8bafec7f0eaa0d4f260fe74de49d9aaa0451bc3d,
1ec1aceda390df12ad85525521f3ce2c7d837934,
24344e2bee186d54e0fdfbae70e67ec39473a9ae,
e6ac9561776a1fa80e245993f94c8f63fa15632b,
6451e3ce91f70398dd5e0f9feada255f19d5b2b7,
f744b88dfc201bf8092833ec70b23c720188b527,
9f88c3b0a2bcf18b3ec7e551958723a1061c9b99,
1bce094085ff639bbe370821f2ab99e996a0e108,
745cd50cc41a4ca529d20a889699b829e739dddd,
48eb8d6ac7df51a6408d629306335449826fc3a8,
0019a40f27e98bac177d3ec3a006df3c177d9181,
7eb3e2a80fe6b41ead0eb08d6772f2604acc1899,
56cf3753a1ef6d269fe24872db53b7b135ca011a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-11-17  0:11 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-11-17  0:11 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 15 updated CVEs.

* New CVEs

CVE-2022-3903: An invalid pipe direction in the mceusb driver causes
the kernel to DOS

CVSS v3 score is not provided.

When the mceusb driver sends an invalid read request on endpoint 0
without setting the USB_DIR bit in the bRequestType field, it will lead
to an invalid pipe direction warning in the driver.

Commit 41fd1cb ("media: mceusb: Use new usb_control_msg_*() routines")
requires usb_control_msg_recv() and usb_control_msg_send(); both
functions were introduced by commit 719b8f2 ("USB: add
usb_control_msg_send() and usb_control_msg_recv()") in 5.10-rc1.

Fixed status
mainline: [41fd1cb6151439b205ac7611883d85ae14250172]
stable/5.10: [587f793c64d99d92be8ef01c4c69d885a3f2edb6]

CVE-2022-3977: A use-after-free bug that was found in the
mctp_sk_unhash in the Linux kernel's net/mctp/af_mctp.c

CVSS v3 score is not provided.

There was a race between the DROPTAG ioctl and socket close that leads
to removing a key from lists twice, performing an unref for each
removal operation. This causes a use-after-free bug. It allows an
attacker local privilege escalation.

This bug was introduced by 63ed1aa ("mctp: Add SIOCMCTP{ALLOC,DROP}TAG
ioctls for tag control") in 5.18-rc1.
The MCTP module was added by commit bc49d81 ("mctp: Add MCTP base") in 5.15-rc1.

Fixed status
mainline: [3a732b46736cd8a29092e4b0b1a9ba83e672bf89]
stable/6.0: [3c7c84319833259b0bb8c879928700c9e42d6562]

* Updated CVEs

CVE-2021-3759: memcg: charge semaphores and sem_undo objects

5.10 and 5.4 were fixed.

Fixed status
mainline: [18319498fdd4cdf8c1c2c48cd432863b1f915d6f]
stable/5.10: [836686e1a01d7e2fda6a5a18252243ff30a6e196]
stable/5.4: [bad83d55134e647a739ebef2082541963f2cbc92]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

5.10 and 5.4 were fixed.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
stable/5.10: [818c36b988b82f31e4be8ad8415e1be902b8e5f8]
stable/5.15: [1401e9336bebaa6dd5a320f83bddc17619d4e3a6]
stable/5.4: [92aaa5e8fe90a008828a1207e66a30444bcb1cbd]
stable/6.0: [0c5d628f1e1d049c33595693fab1b6e9baf25795]

CVE-2022-3543: af_unix: Fix memory leaks of the whole sk due to OOB skb.

5.15 was fixed.

Fixed status
mainline: [7a62ed61367b8fd01bae1e18e30602c25060d824]
stable/5.15: [3975affcf55f93814a8ae14333d7fc7f183e60a4]
stable/5.19: [e2e49822a0a16d306bf6fe0009fe3136a3318f36]
stable/6.0: [2f415ad33bc1a729fb1050141921b5a9ec4e062c]

CVE-2022-3623: mm/hugetlb: fix races when looking up a CONT-PTE/PMD
size hugetlb page

5.15 was fixed.

Fixed status
mainline: [fac35ba763ed07ba93154c95ffc0c4a55023707f]
stable/5.15: [3a44ae4afaa5318baed3c6e2959f24454e0ae4ff]
stable/5.19: [86a913d55c89dd13ba070a87f61a493563e94b54]
stable/6.0: [7c7c79dd5a388758f8dfa3de89b131d5d84f25fd]

CVE-2022-3628: wifi: Fix potential buffer overflow in
'brcmf_fweh_event_worker'

4.14, 4.19, 4.9, 5.10, 5.15, 5.4, and 6.0 were fixed.

Fixed status
mainline: [6788ba8aed4e28e90f72d68a9d794e34eac17295]
stable/4.14: [b23665bbd39224e15aab89df4a4b60c0ab2ad09d]
stable/4.19: [5e7d546917431400b7d6e5e38f588e0bd13083c9]
stable/4.9: [b1477d95e967bf626b8c5e3838bb885c47381b24]
stable/5.10: [c6678c8f4f3f8383fe2dff3455de3d504382638f]
stable/5.15: [7038af4ce95105146d22e461eaa450829f28eeaf]
stable/5.4: [a16415c8f156bec5399ef0345715ee4b90e5bb83]
stable/6.0: [631f73deedeb0fbc92ca5037d5a71c9fcae7974d]

CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory

4.14, 4.19, 4.9, 5.10, 5.15, 5.4, and 6.0 were fixed.

Fixed status
mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]
stable/4.14: [999d99c8de09537bd4f4a4a7db2be6b55c6ed817]
stable/4.19: [36919a82f335784d86b4def308739559bb47943d]
stable/4.9: [63e3d75298fac7fa50906454603dd5bb4ef22a23]
stable/5.10: [26ca2ac091b49281d73df86111d16e5a76e43bd7]
stable/5.15: [3e4697ffdfbb38a2755012c4e571546c89ab6422]
stable/5.4: [6949400ec9feca7f88c0f6ca5cb5fdbcef419c89]
stable/6.0: [e1aada9b71493b2e11c2a239ece99a97e3f13431]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

5.10, 5.15, and 6.0 were fixed.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4]
stable/5.10: [6b6f94fb9a74dd2891f11de4e638c6202bc89476]
stable/5.15: [81035e1201e26d57d9733ac59140a3e29befbc5a]
stable/6.0: [d7efeb93213becae13c6a12e4150ce1e07bd2c49]

CVE-2022-2978: fs: fix UAF/GPF bug in nilfs_mdt_destroy

The mainline and stable kernels were fixed.
Patch can be applied to 4.4-st.

Fixed status
mainline: [2e488f13755ffbb60f307e991b27024716a33b29]
stable/4.14: [c0aa76b0f17f59dd9c9d3463550a2986a1d592e4]
stable/4.19: [ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48]
stable/4.9: [d1ff475d7c83289d0a7faef346ea3bbf90818bad]
stable/5.10: [1e555c3ed1fce4b278aaebe18a64a934cece57d8]
stable/5.15: [64b79e632869ad3ef6c098a4731d559381da1115]
stable/5.4: [70e4f70d54e0225f91814e8610477d65f33cefe4]
stable/6.0: [2a96b532098284ecf8e4849b8b9e5fc7a28bdee9]

CVE-2022-3169: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET
may cause a DOS

The mainline was fixed.

Fixed status
mainline: [1e866afd4bcdd01a70a5eddb4371158d3035ce03]

CVE-2022-3435: ipv4: Handle attempt to delete multipath route when
fib_info contains an nh reference

The mainline was fixed.
Kernels older than 5.3 aren't affected by this CVE.

Fixed status
mainline: [61b91eb33a69c3be11b259c5ea484505cd79f883]

CVE-2022-3564: Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_reassemble_sdu

The mainline and stable kernels were fixed.
Backporting this fix to 4.4 requires fixing a merge conflict.

Fixed status
mainline: [3aff8aaca4e36dc8b17eaa011684881a80238966]
stable/4.14: [03af22e23b96fb7ef75fb7885407ef457e8b403d]
stable/4.19: [6c7407bfbeafc80a04e6eaedcf34d378532a04f2]
stable/4.9: [dc30e05bb18852303084430c03ca76e69257d9ea]
stable/5.10: [cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569]
stable/5.15: [8278a87bb1eeea94350d675ef961ee5a03341fde]
stable/5.4: [4cd094fd5d872862ca278e15b9b51b07e915ef3f]
stable/6.0: [9a04161244603f502c6e453913e51edd59cb70c1]

CVE-2022-3619: Bluetooth: L2CAP: Fix memory leak in vhci_write

The mainline, 5.15, and 6.0 were fixed.
Kernels older than 5.15 aren't affected by this CVE.

Fixed status
mainline: [7c9524d929648935bac2bbb4c20437df8f9c3f42]
stable/5.15: [aa16cac06b752e5f609c106735bd7838f444784c]
stable/6.0: [5b4f039a2f487c5edae681d763fe1af505f84c13]

CVE-2022-3640: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

4.19 and 5.10 were fixed. 4.4 is not affected by this CVE.

Fixed status
mainline: [42cf46dea905a80f6de218e837ba4d4cc33d6979]
stable/4.19: [7f7bfdd9a9af3b12c33d9da9a012e7f4d5c91f4b]
stable/5.10: [d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd]

CVE-2022-41849: video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

The mainline and stable kernels were fixed.
Patch can be applied to 4.4-st.

Fixed status
mainline: [5610bcfe8693c02e2e4c8b31427f1bdbdecc839c]
stable/4.14: [fa008859983d9231b9241a4b9eac7aabfbb45155]
stable/4.19: [6d8dbefc4de96d35d68c723e2e75b5a23173c08c]
stable/4.9: [347a969b130c2a496f471f14b354119b82664f0a]
stable/5.10: [e50472949604f385e09ce3fa4e74dce9f44fb19b]
stable/5.15: [2b0897e33682a332167b7d355eec28693b62119e]
stable/5.4: [3742e9fd552e6c4193ebc5eb3d2cd02d429cad9c]
stable/6.0: [e2e5264dcf5796559869750a2d6943ac88fe3918]

CVE-2022-41850: HID: roccat: Fix Use-After-Free in roccat_read

The mainline and stable kernels were fixed.
Patch can be applied to 4.4-st.

Fixed status
mainline: [cacdb14b1c8d3804a3a7d31773bc7569837b71a4]
stable/4.14: [fb8b43b7721786f551ec95542e07cf9a909f3e56]
stable/4.19: [13de81c7ea0fd68efb48a2d2957e349237905923]
stable/4.9: [84607bd3a8542b84b450d19a3579172f96c2bb47]
stable/5.10: [dbcca76435a606a352c794956e6df62eedd3a353]
stable/5.15: [c61786dc727d1850336d12c85a032c9a36ae396d]
stable/5.4: [e30c3a9a88818e5cf3df3fda6ab8388bef3bc6cd]
stable/6.0: [8a251549ab577d64ece210a11c404354479bd635]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-11-09 23:02 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-11-09 23:02 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory

CVSS v3 score is not provided.

An uninitialized variable access bug was found in
l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c.
The efs variable is on the stack. It is initialized when the type
variable is L2CAP_CONF_EFS.
So, if type isn't L2CAP_CONF_EFS and rfc.mode is L2CAP_MODE_ERTM, an
uninitialized variable access occurs.

It looks like 4.4 is affected by this issue too.

Fixed status
mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

CVSS v3 score is not provided.

There was no valid range check for SPSM. Therefore, it will accept
connections with an invalid SPSM value.

It looks like 4.4 is affected by this issue too.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4]

CVE-2022-43945: A buffer overflow bug was found in nfsd

CVSS v3 score is 7.5 HIGH.

The Linux kernel NFSD implementation prior to versions 5.19.17 and
6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of
pages held by each NFSD thread by combining the receive and send
buffers of a remote procedure call (RPC) into a single array of pages.
A client can force the send buffer to shrink by sending an RPC message
over TCP with garbage data added at the end of the message. The RPC
message with garbage data is still correctly formed according to the
specification and is passed forward to handlers. Vulnerable code in
NFSD is not expecting the oversized request and writes beyond the
allocated buffer space.

nfsd3_proc_read() and nfsd_proc_read() were changed to set the
argp->count value by adding an extra min_t() macro.
nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages() changed the
process of setting the buf->buflen value.
However, 4.4, 4.19, and 5.10 use different ways to set these values. So,
even if these kernels are vulnerable, a different way is needed to fix
them.

Fixed status
mainline: [00b4492686e0497fdb924a9d4c8f6f99377e176c,
640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991,
401bc1f90874280a80b93f23be33a0e7e2d1f912,
fa6be9cc6e80ec79892ddf08a8c10cabab9baf38]
stable/5.15: [dc7f225090c29a5f3b9419b1af32846a201555e7,
071a076fd1b763aa6fe478efa047e0a549ba9c22,
2be9331ca6061bc6ea32247266f45b8b21030244,
75d9de25a6f833dd0701ca546ac926cabff2b5af]
stable/6.0: [f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d,
279274e31270c28b86feffe5e166d4088f22317b,
1868332032eccbab8c1878a0d918193058c0a905,
309f29361b6bfae96936317376f1114568c5de19]

* Updated CVEs

CVE-2022-20369: media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP
buffers across ioctls

4.14 and 4.19 were fixed this week.

Fixed status
mainline: [8310ca94075e784bbb06593cd6c068ee6b6e4ca6]
stable/4.14: [7339b6bdf9e084f9e83c084ccc8879b6ae80b75a]
stable/4.19: [95c4751705f7eef0f16a245e121259857f867c4a]
stable/5.10: [8a83731a09a5954b85b1ce49c01ff5c2a3465cb7]
stable/5.15: [48d00e24822e4384edcee3aae03d54c1b7982eba]
stable/5.4: [54e1abbe856020522a7952140c26a4426f01dab6]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

5.15 and 6.0 were fixed this week.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
stable/5.15: [1401e9336bebaa6dd5a320f83bddc17619d4e3a6]
stable/6.0: [0c5d628f1e1d049c33595693fab1b6e9baf25795]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


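Added illustration (not part of this report and not the kernel's code): a constructed C model of the CVE-2022-42895 pattern summarized in the message above, in which an efs structure on the stack is written only by the EFS option branch but read by the ERTM branch. The vulnerable shape sits beside a hardened one that consults a remote_efs flag before using efs. The option type numbers, structure layouts, function names and sample requests are all assumptions made for this example, not the kernel's definitions or captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Option types, modes and layouts are assumptions made for this example; they
 * borrow the spirit of the L2CAP_CONF_EFS / L2CAP_MODE_ERTM names in the
 * report but are not the kernel's definitions. */
enum { OPT_RFC = 0x04, OPT_EFS = 0x06, MODE_ERTM = 0x03 };

struct rfc_opt { uint8_t mode, txwin, max_tx; };
struct efs_opt { uint8_t id, stype; uint16_t msdu; uint32_t sdu_itime; };
struct ertm_params { bool have_efs; uint16_t msdu; };  /* what the channel adopts */

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | ((uint32_t)get_le16(p + 2) << 16); }

/* Walk the type/length/value options of a config request. *efs is written only
 * when an EFS option is present and *remote_efs records that, which is the
 * shape the report describes. Returns 0, or -1 when an option overruns the
 * buffer or is shorter than its fixed layout. */
static int parse_opts(const uint8_t *buf, size_t len, struct rfc_opt *rfc,
                      struct efs_opt *efs, bool *remote_efs)
{
    for (size_t off = 0; off + 2 <= len;) {
        uint8_t type = buf[off], olen = buf[off + 1];
        const uint8_t *v = buf + off + 2;

        if (off + 2 + olen > len)
            return -1;
        if (type == OPT_RFC) {
            if (olen < 3)
                return -1;
            rfc->mode = v[0]; rfc->txwin = v[1]; rfc->max_tx = v[2];
        } else if (type == OPT_EFS) {
            if (olen < 8)
                return -1;
            efs->id = v[0]; efs->stype = v[1];
            efs->msdu = get_le16(v + 2); efs->sdu_itime = get_le32(v + 4);
            *remote_efs = true;
        }                                /* unknown options are skipped */
        off += 2 + (size_t)olen;
    }
    return 0;
}

/* Vulnerable shape: efs is a stack local that only the EFS branch writes, yet
 * the ERTM branch consumes it unconditionally. The 0xAA fill stands in for
 * whatever was left on the stack so the run stays deterministic; the real
 * bug reads undefined contents. */
static int conf_req_vulnerable(const uint8_t *buf, size_t len, struct ertm_params *p)
{
    struct rfc_opt rfc = {0};
    struct efs_opt efs;
    bool remote_efs = false;

    memset(&efs, 0xAA, sizeof efs);
    if (parse_opts(buf, len, &rfc, &efs, &remote_efs) < 0)
        return -1;
    p->have_efs = false;
    p->msdu = 0;
    if (rfc.mode == MODE_ERTM) {         /* remote_efs is never consulted */
        p->have_efs = true;
        p->msdu = efs.msdu;              /* unwritten efs when no EFS option was sent */
    }
    return 0;
}

/* Hardened shape: efs has defined contents from the start, and the ERTM branch
 * uses it only if the parser actually saw an EFS option. */
static int conf_req_fixed(const uint8_t *buf, size_t len, struct ertm_params *p)
{
    struct rfc_opt rfc = {0};
    struct efs_opt efs = {0};
    bool remote_efs = false;

    if (parse_opts(buf, len, &rfc, &efs, &remote_efs) < 0)
        return -1;
    p->have_efs = rfc.mode == MODE_ERTM && remote_efs;
    p->msdu = p->have_efs ? efs.msdu : 0;
    return 0;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t REQ_ERTM_NO_EFS[] = { OPT_RFC, 3, MODE_ERTM, 0x20, 0x03 };
static const uint8_t REQ_ERTM_WITH_EFS[] = {
    OPT_RFC, 3, MODE_ERTM, 0x20, 0x03,
    OPT_EFS, 8, 0x01, 0x02, 0x34, 0x12, 0x10, 0x27, 0x00, 0x00,
};
static const uint8_t REQ_TRUNCATED[] = { OPT_RFC, 0x10, MODE_ERTM };
```

Calling conf_req_vulnerable() on REQ_ERTM_NO_EFS yields have_efs=1 with msdu=0xAAAA (the stand-in stack contents), while conf_req_fixed() yields have_efs=0; with REQ_ERTM_WITH_EFS both return msdu=0x1234, and REQ_TRUNCATED is rejected by the length check before either branch runs. The point of the two-line difference is that "was this option ever parsed" must be tracked explicitly; zero-initializing the local removes the undefined read, and the flag check removes the logic bug that trusted an option the peer never sent.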

* New CVE entries this week
@ 2022-11-02 23:20 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-11-02 23:20 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 3 updated CVEs.

CVE-2022-44034, CVE-2022-44032, and CVE-2022-44033 are related issues.

* New CVEs

CVE-2022-3544: A memory leak bug was found in damon_sysfs_add_target()
in mm/damon/sysfs.c.

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 MEDIUM(CNA).

This bug was introduced by commit a61ea56 ("mm/damon/sysfs: link DAMON
for virtual address spaces monitoring") in 5.18-rc1.
The mm/damon/sysfs.c file was introduced by commit c951cd3 ("mm/damon:
implement a minimal stub for sysfs-based DAMON interface") in
5.18-rc1.

Fixed status
mainline: [1c8e2349f2d033f634d046063b704b2ca6c46972]

CVE-2022-3628: wifi: Fix potential buffer overflow in 'brcmf_fweh_event_worker'

CVSS v3 score is not provided.

An intra-object buffer overflow was found in brcmfmac (Broadcom's
upstream USB Wi-Fi driver), which can be triggered by a malicious
USB device. This bug will cause privilege escalation or DoS.
However, it requires an attacker to attach a malicious USB device to
the target system.

Fixed status
Patch is available but not merged yet
(https://lore.kernel.org/linux-wireless/10230673-8dbe-bf67-ba76-9f8cdc35faf3@gmail.com/T/#u).

CVE-2022-44034: char: pcmcia: scr24x_cs: Fix use-after-free in scr24x_fops

CVSS v3 score is 6.4 MEDIUM.

An issue was discovered in the Linux kernel through 6.0.6.
drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant
use-after-free if a physically proximate attacker removes a PCMCIA
device while calling open(), aka a race condition between
scr24x_open() and scr24x_remove().

Fixed status
Patch is available but it hasn't been merged yet
(https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/).

CVE-2022-44032: char: pcmcia: cm4000_cs: Fix use-after-free in cm4000_fops

CVSS v3 score is 6.4 MEDIUM.

An issue was discovered in the Linux kernel through 6.0.6.
drivers/char/pcmcia/cm4000_cs.c has a race condition and resultant
use-after-free if a physically proximate attacker removes a PCMCIA
device while calling open(), aka a race condition between cmm_open()
and cm4000_detach().

Fixed status
Patch is available but it hasn't been merged yet
(https://lore.kernel.org/lkml/20220919040701.GA302806@ubuntu/).

CVE-2022-44033: char: pcmcia: cm4040_cs: Fix use-after-free in reader_fops

CVSS v3 score is 6.4 MEDIUM.

An issue was discovered in the Linux kernel through 6.0.6.
drivers/char/pcmcia/cm4040_cs.c has a race condition and resultant
use-after-free if a physically proximate attacker removes a PCMCIA
device while calling open(), aka a race condition between
cm4040_open() and reader_detach().

Fixed status
Patch is available but it hasn't been merged yet
(https://lore.kernel.org/lkml/20220919040457.GA302681@ubuntu/).

CVE-2022-3707: Double-free in split_2MB_gtt_entry when function
intel_gvt_dma_map_guest_page failed

CVSS v3 score is not provided.

A double free bug was found in the Intel GVT-g graphics driver in
drivers/gpu/drm/i915/gvt/gtt.c.
If intel_gvt_dma_map_guest_page() fails, it will call
ppgtt_invalidate_spt() to free the spt value, but the caller doesn't
notice that and will free the spt value again in the error path. It
will cause a system crash.

Intel GVT-g graphics driver was introduced in 4.8-rc1. Kernel 4.4
doesn't contain it.

Fixed status
Patch is available but it hasn't been merged yet
(https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz@163.com/).

* Updated CVEs

CVE-2022-3531: selftest/bpf: Fix memory leak in kprobe_multi_test

Fixed in the mainline.

Fixed status
mainline: [6d2e21dc4db3933db65293552ecc1ede26febeca]

CVE-2022-26373: Post-Barrier Return Stack Buffer Predictions (PBRSB)

4.14 was fixed this week.

Fixed status
stable/4.14: [7a4d2cba68731673c3ec89a1a5eee3a9af35ffa7,
48bfe6ca381525bd3b7e4d360a4695792ace4c55]
stable/4.19: [b6c5011934a15762cd694e36fe74f2f2f93eac9b,
b1c9f470fb724d3cfd6cf8fe4a70c2ec4de2e9f4]
stable/5.10: [509c2c9fe75ea7493eebbb6bb2f711f37530ae19,
1bea03b44ea2267988cce064f5887b01d421b28c]
stable/5.15: [7fcd99e889c0634f8275ae7a6b06aec4a22c8715,
5c5c77746ce1108833d1fda005598a749eaef2cb]
stable/5.18: [0abdbbd9ae9c81615836278d787a8c8dcd576c36,
fd2128cd778f46f5444967ed203b91120ebdda72]
stable/5.19: [f826d0412d80348aa22274ec9884cab0950a350b,
f6664a403f11c97929ebde920da1ec1c10438428]
stable/5.4: [f2f41ef0352db9679bfae250d7a44b3113f3a3cc,
b58882c69f6633dcebd66bdb38658f688aa52ec9]

CVE-2019-19338: Kernel: KVM: export MSR_IA32_TSX_CTRL to guest -
incomplete fix for TAA (CVE-2019-11135)

I added CVE-2019-19338.yml which hasn't been tracked on cip-kernel-sec.

This issue was introduced by commit e1d38b63acd8 ("kvm/x86: Export
MDS_NO=0 to guests when TSX is enabled") in 5.4-rc8.

Fixed status
mainline: [cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b,
c11f83e0626bdc2b6c550fc8b9b6eeefbd8cefaa,
b07a5c53d42a8c87b208614129e947dd2338ff9c]
stable/4.19: [6a10f818a9adbe394eb36d223814e207e5121236]
stable/4.9: [0bc72dbb9dbc2dfa0f975f4b519ae91fa338aec8]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


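Added illustration (not part of this report and not the i915/GVT-g code): a constructed C model of the error-path ownership problem summarized in the message above for CVE-2022-3707. The callee fails part way through mapping guest pages; in the vulnerable shape it tears down and frees the spt it was handed, and the caller, which still believes it owns the object, frees it again. The fixed shape undoes only the callee's own mappings and leaves freeing to the caller. The names, the simulated mapping call and the counters are assumptions made for this example; a counter replaces the real free so the double free shows up as a number instead of a crash.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a shadow page table (spt). Not the driver's type. */
struct spt {
    int mapped;   /* guest pages currently DMA-mapped through this spt */
    int frees;    /* times the object has been released; 2 means double free */
};

struct outcome { int ret; int frees; int mapped; };

/* Simulated DMA mapping that fails for page index fail_at (-1 = never fail). */
static int map_guest_page(struct spt *s, int idx, int fail_at)
{
    if (idx == fail_at)
        return -1;
    s->mapped++;
    return 0;
}

static void unmap_guest_page(struct spt *s) { s->mapped--; }

static void spt_free(struct spt *s) { s->frees++; }

/* Unmap everything and release the spt: a whole-object teardown helper. */
static void spt_invalidate(struct spt *s)
{
    s->mapped = 0;
    spt_free(s);
}

/* Vulnerable shape: on a mapping failure the callee tears down (frees) the
 * spt it was handed, silently taking ownership away from the caller, which
 * cannot tell from the -1 return value that this happened. */
static int split_entry_vulnerable(struct spt *s, int npages, int fail_at)
{
    for (int i = 0; i < npages; i++) {
        if (map_guest_page(s, i, fail_at) < 0) {
            spt_invalidate(s);
            return -1;
        }
    }
    return 0;
}

/* Fixed shape: the callee undoes only the mappings it created and leaves the
 * spt alive, so the caller stays the single owner responsible for freeing it. */
static int split_entry_fixed(struct spt *s, int npages, int fail_at)
{
    for (int i = 0; i < npages; i++) {
        if (map_guest_page(s, i, fail_at) < 0) {
            for (int j = 0; j < i; j++)
                unmap_guest_page(s);
            return -1;
        }
    }
    return 0;
}

/* The caller's view: it owns s, so on any error it frees s exactly once. With
 * the vulnerable callee that single free is in fact the second one. */
struct outcome run_split(bool use_fixed, int npages, int fail_at)
{
    struct spt s = { 0, 0 };
    int ret = use_fixed ? split_entry_fixed(&s, npages, fail_at)
                        : split_entry_vulnerable(&s, npages, fail_at);

    if (ret < 0)
        spt_free(&s);
    return (struct outcome){ ret, s.frees, s.mapped };
}

int main(void)
{
    struct outcome o = run_split(false, 4, 2);
    printf("vulnerable: ret=%d frees=%d mapped=%d\n", o.ret, o.frees, o.mapped);
    o = run_split(true, 4, 2);
    printf("fixed:      ret=%d frees=%d mapped=%d\n", o.ret, o.frees, o.mapped);
    return 0;
}
```

With four pages and a failure on the third, run_split(false, 4, 2) reports frees=2 (the double free) while run_split(true, 4, 2) reports frees=1 with mapped=0, and a run with no failure leaves all four mappings in place and nothing freed. The rule the fix encodes is the one worth carrying into review: a function that did not allocate an object must not free it on its own error path, because the caller's cleanup code has no way to learn that ownership changed.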

* New CVE entries this week
@ 2022-10-27  0:55 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-10-27  0:55 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 20 new CVEs and 8 updated CVEs.
Some of the CVEs' NIST CVSS v3 scores are HIGH, but their exploitability
scores are low, so I think there are no real critical issues this
week.

For example, CVE-2022-3649's CVSS v3 score is 9.8 (exploitability
is 3.9) by NIST but the CNA's score is 3.1 (exploitability is 1.6).

* New CVEs

CVE-2022-3344: KVM: SVM: nested shutdown interception could lead to host crash

CVSS v3 score is not assigned yet.

A flaw was found in the KVM's AMD nested virtualization (SVM). A
malicious L1 guest could purposely fail to intercept the shutdown of a
cooperative nested guest (L2), possibly leading to a page fault and
kernel panic in the host (L0).

Fixed status
Patch is available
(https://lore.kernel.org/lkml/20221020093055.224317-5-mlevitsk@redhat.com/T/)
but not merged into the mainline yet.

CVE-2022-3619: Bluetooth: L2CAP: Fix memory leak in vhci_write

CVSS v3 score is 4.3 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(CNA).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function
l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c of the
component Bluetooth. The manipulation leads to memory leak.

This issue was introduced by commit 4d7ea8ee90e4 ("Bluetooth: L2CAP:
Fix handling fragmented length") in 5.12-rc1-dontuse.
So, kernels up to 5.12 are not affected by this issue.

Fixed status
Patch has been merged into bluetooth-next tree but not merged in the
mainline yet.

CVE-2022-3621: nilfs2: fix NULL pointer dereference at
nilfs_bmap_lookup_at_level()

CVSS v3 score is 7.5(NIST).
CVSS v3 score is 4.3 MEDIUM(CNA).

If the i_mode field in the inode of metadata files is corrupted on
disk, the bmap structure initialization process will not be called,
which will cause a NULL pointer dereference bug in
nilfs_bmap_lookup_at_level().

kernel 4.4 may be affected by this issue.

Fixed status
mainline: [21a87d88c2253350e115029f14fe2a10a7e6c856]
stable/4.14: [1ce68de30b663b79073251162123e57cbed2dc84]
stable/4.19: [fe8015680f383ea1dadec76972894dfabf8aefaa]
stable/4.9: [bb63454b66f4a73d4b267fd5061aaf3a5657172c]
stable/5.10: [3f840480e31495ce674db4a69912882b5ac083f2]
stable/5.15: [1e512c65b4adcdbdf7aead052f2162b079cc7f55]
stable/5.19: [caf2c6b580433b3d3e413a3d54b8414a94725dcd]
stable/5.4: [792211333ad77fcea50a44bb7f695783159fc63c]
stable/6.0: [037e760a4a009e9545a51e87c98c22d9aaf32df7]

CVE-2022-3623: mm/hugetlb: fix races when looking up a CONT-PTE/PMD
size hugetlb page

CVSS v3 score is 7.5 HIGH(NIST).
CVSS v3 score is 5.0 MEDIUM(CNA).

A race condition issue was found in the arm64 hugepage table feature.
This issue was introduced by commit 5480280 ("arm64/mm: enable HugeTLB
migration for contiguous bit HugeTLB pages") in 5.1-rc1.
So, kernel 4.x series are not affected by this issue.

NIST's CVSS score is high but its exploitability is 1.6, so I think
it's not as critical as NIST's score says.

Fixed status
mainline: [fac35ba763ed07ba93154c95ffc0c4a55023707f]
stable/5.19: [86a913d55c89dd13ba070a87f61a493563e94b54]
stable/6.0: [7c7c79dd5a388758f8dfa3de89b131d5d84f25fd]

CVE-2022-3640: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

CVSS v3 score is 8.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM(CNA).

A vulnerability, which was classified as critical, was found in Linux
Kernel. Affected is the function l2cap_conn_del of the file
net/bluetooth/l2cap_core.c of the component Bluetooth. The
manipulation leads to use after free.

NIST's CVSS score is high but its exploitability is 2.8, so I think
it's not as critical as NIST's score says.

This issue was introduced by commit d0be8347c623 ("Bluetooth: L2CAP:
Fix use-after-free caused by l2cap_chan_put") in 5.19. This commit was
backported to stable kernels. CIP 4.4 kernels don't have this patch.

Fixed status
mainline: [d0be8347c623e0ac4202a1d4e0373882821f56b0]
stable/4.14: [5bb395334392891dffae5a0e8f37dbe1d70496c9]
stable/4.19: [bbd1fdb0e1adf827997a93bf108f20ede038e56e]
stable/4.9: [d255c861e268ba342e855244639a15f12d7a0bf2]
stable/5.10: [de5d4654ac6c22b1be756fdf7db18471e7df01ea]
stable/5.15: [f32d5615a78a1256c4f557ccc6543866e75d03f4]
stable/5.4: [098e07ef0059296e710a801cdbd74b59016e6624]

CVE-2022-3646: nilfs2: fix leak of nilfs_root in case of writer thread
creation failure

CVSS v3 score is 5.3 MEDIUM(NIST).
CVSS v3 score is 3.1 LOW(CNA).

A memory leak bug was found in the nilfs2 subsystem. If
nilfs_attach_log_writer() fails to create the log writer thread, some data
is not freed by the cleanup process.
This issue was introduced by commit e912a5b ("nilfs2: use root object
to get ifile") in v2.6.37-rc1, so all stable kernels are affected by
this issue.

Fixed status
mainline: [d0d51a97063db4704a5ef6bc978dddab1636a306]
stable/4.14: [a832de79d82ac8c9f445f99069e11b17c5d2224a]
stable/4.19: [4b748ef0f2afadd31c914623daa610f26385a4dc]
stable/4.9: [81fe58e4e7f61a1f5200898e7cd4c9748f83051f]
stable/5.10: [aad4c997857f1d4b6c1e296c07e4729d3f8058ee]
stable/5.15: [44b1ee304bac03f1b879be5afe920e3a844e40fc]
stable/5.19: [4755fcd844240857b525f6e8d8b65ee140fe9570]
stable/5.4: [b7e409d11db9ce9f8bc05fcdfa24d143f60cd393]
stable/6.0: [9dc48a360e7b6bb16c48625f8f80ab7665bc9648]

CVE-2022-3649: nilfs2: fix use-after-free bug of struct nilfs_root

CVSS v3 score is 9.8 CRITICAL(NIST).
CVSS v3 score is 3.1 LOW(CNA).

A use-after-free bug was found in the nilfs2 subsystem. If the inode bitmap
area is corrupted on disk, subsequent calls to nilfs_clear_inode()
will use a freed object, which causes a use-after-free bug.

NIST's CVSS score is high but its exploitability is 3.9, so I think
it's not as critical as NIST's score says.

Fixed status
mainline: [d325dc6eb763c10f591c239550b8c7e5466a5d09]
stable/4.14: [26b9b66610d6f8f3333cb6f52e97745da875fee1]
stable/4.19: [bfc82a26545b5f61a64d51ca2179773706fb028f]
stable/4.9: [a9043a24c6e340d45b204d294a25044726fd2770]
stable/5.10: [21ee3cffed8fbabb669435facfd576ba18ac8652]
stable/5.15: [cb602c2b654e26763226d8bd27a702f79cff4006]
stable/5.19: [394b2571e9a74ddaed55aa9c4d0f5772f81c21e4]
stable/5.4: [d1c2d820a2cd73867b7d352e89e92fb3ac29e926]
stable/6.0: [6251c9c0430d70cc221d0bb907b278bd99d7b066]

CVE-2022-3238: ntfs3 local privilege escalation if NTFS character set
and remount and umount called simultaneously

CVSS v3 score is not assigned yet.

A double free bug was found in the ntfs3 file system. When a character
set is set for an ntfs3 file system at mount time, remount and unmount
will release the character set string twice, which causes a system
crash or privilege escalation.
To exploit this bug, an attacker must have permission to mount a file
system (CAP_SYS_ADMIN).

The ntfs3 driver was introduced in 5.15, so versions before 5.15 are
not affected by this issue.

Fixed status
Not fixed yet.

CVE-2022-3577: An out-of-bounds memory write flaw was found in the
Linux kernel’s Kid-friendly Wired Controller driver

CVSS v3 score is 7.8 HIGH.

An out-of-bounds memory write flaw was found in the Linux kernel's
Kid-friendly Wired Controller driver. This flaw allows a local user to
crash or potentially escalate their privileges on the system. It is in
bigben_probe of drivers/hid/hid-bigbenff.c. The reason is an incorrect
assumption that bigben devices all have inputs. However, malicious
devices can break this assumption, leading to an out-of-bounds write.

NIST's CVSS score is high but its exploitability is 1.8, so I think
it's not as critical as NIST's score says.

Commit fc4ef9d ("HID: bigben: fix slab-out-of-bounds Write in
bigben_probe") is the main fix for the out-of-bounds memory write bug.
Commits 945a9a8 ("media: pvrusb2: fix memory leak in pvr_probe") and
9d64d24 ("binderfs: rework superblock destruction") fix the memory leak
issue that is also reported in CVE-2022-3577.

The slab-out-of-bounds in drivers/hid/hid-bigbenff.c was introduced by
commit 256a90e ("HID: hid-bigbenff: driver for BigBen Interactive
PS3OFMINIPAD gamepad") in 4.20-rc1. 4.4, 4.9, 4.14, and 4.19 are not
affected by this issue.

Fixed status
mainline: [fc4ef9d5724973193bfa5ebed181dba6de3a56db,
945a9a8e448b65bec055d37eba58f711b39f66f0,
           9d64d2405f7d30d49818f6682acd0392348f0fdb]
stable/4.14: [ba7dd8a9686a61a34b3a7b922ce721378d4740d0,
ba7dd8a9686a61a34b3a7b922ce721378d4740d0]
stable/4.19: [491762b3250fb06a0c97b5198656ea48359eaeed]
stable/4.9: [2fe46195d2f0d5d09ea65433aefe47a4d0d0ff4d]
stable/5.10: [296f8ca0f73f5268cd9b85cf72ff783596b2264e,
bacb37bdc2a21c8f7fdc83dcc0dea2f4ca1341fb]
stable/5.15: [22e0b0b84c538b60bdf8eeceee7ab3cebf4a1a09,
f2f6e67522916f53ad8ccd4dbe68dcf76e9776e5]
stable/5.4: [00771de7cc28e405f5ae19ca46facd83a534bb8f,
466b67c0543b2ae67814d053f6e29b39be6b33bb]

CVE-2022-3586: A use-after-free bug was found in net/sched/sch_sfb.c

CVSS v3 score is 5.5 MEDIUM.

A flaw was found in the Linux kernel’s networking code. A
use-after-free was found in the way the sch_sfb enqueue function used
the socket buffer (SKB) cb field after the same SKB had been enqueued
(and freed) into a child qdisc. This flaw allows a local, unprivileged
user to crash the system, causing a denial of service.

This issue was introduced by commit e13e02a ("net_sched: SFB flow
scheduler") in v2.6.39-rc1 so kernel 4.4 will be affected too.

Fixed status
mainline: [9efd23297cca530bb35e1848665805d3fcdd7889]
stable/4.14: [a7af71bb5ee6e887d49f098e212ef4f2f7cfbaf6]
stable/4.19: [9245ed20950afe225bc6d1c4b9d28d55aa152e25]
stable/4.9: [b5aa83141aa97f81c8e06051e4bd925bfb5474fb]
stable/5.10: [2ee85ac1b29dbd2ebd2d8e5ac1dd5793235d516b]
stable/5.15: [1a889da60afc017050e1f517b3b976b462846668]
stable/5.4: [279c7668e354fa151d5fd2e8c42b5153a1de3135]

CVE-2022-3595: A double free bug was found in cifs subsystem

CVSS v3 score is 5.5 MEDIUM (NIST).
CVSS v3 score is 3.5 LOW (CNA).

A vulnerability was found in Linux Kernel. It has been rated as
problematic. Affected by this issue is the function sess_free_buffer
of the file fs/cifs/sess.c of the component CIFS Handler. The
manipulation leads to double free. It is recommended to apply a patch
to fix this issue. The identifier of this vulnerability is VDB-211364.

This issue was introduced by a4e430c ("cifs: replace kfree() with
kfree_sensitive() for sensitive data") in 6.1-rc1 and fixed by commit
b854b4e ("cifs: fix double-fault crash during ntlmssp") in 6.1-rc1. No
released kernels are affected by this issue.

Fixed status
mainline: [b854b4ee66437e6e1622fda90529c814978cb4ca]

CVE-2022-3624: A memory leak bug was found in drivers/net/bonding/bond_alb.c

CVSS v3 score is 3.3 LOW (NIST).
CVSS v3 score is 3.5 LOW (CNA).

A vulnerability was found in Linux Kernel and classified as
problematic. Affected by this issue is the function rlb_arp_xmit of
the file drivers/net/bonding/bond_alb.c of the component IPsec. The
manipulation leads to memory leak. It is recommended to apply a patch
to fix this issue. The identifier of this vulnerability is VDB-211928.

Commit d5410ac ("net:bonding:support balance-alb interface with vlan
to bridge") is not backported to stable kernels so they are not
affected by this issue.

Fixed status
mainline: [4f5d33f4f798b1c6d92b613f0087f639d9836971]

CVE-2022-3625: A use-after-free bug was found in  net/core/devlink.c

CVSS v3 score is 7.8 HIGH (NIST).
CVSS v3 score is 3.5 LOW (CNA).

A vulnerability was found in Linux Kernel. It has been classified as
critical. This affects the function
devlink_param_set/devlink_param_get of the file net/core/devlink.c of
the component IPsec. The manipulation leads to use after free. It is
recommended to apply a patch to fix this issue. The identifier
VDB-211929 was assigned to this vulnerability.

NIST's CVSS score is high but its exploitability is 1.8, so I think
it's not as critical as NIST's score says.

This issue was introduced by commit 98bbf70c1c41 ("mlxsw: spectrum: add
"acl_region_rehash_interval" devlink param") in 5.1-rc1.
This commit is not backported to 4.x kernels, so these kernels aren't
affected by this issue.

Fixed status
mainline: [6b4db2e528f650c7fb712961aac36455468d5902]
stable/5.10: [0e28678a770df7989108327cfe86f835d8760c33]
stable/5.15: [c4d09fd1e18bac11c2f7cf736048112568687301]
stable/5.4: [1ad4ba9341f15412cf86dc6addbb73871a10212f]

CVE-2022-3629: A memory leak bug was found in net/vmw_vsock/af_vsock.c

CVSS v3 score is 3.3 LOW (NIST).
CVSS v3 score is 2.6 LOW (CNA).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. This vulnerability affects the function vsock_connect of
the file net/vmw_vsock/af_vsock.c of the component IPsec. The
manipulation leads to memory leak. It is recommended to apply a patch
to fix this issue. VDB-211930 is the identifier assigned to this
vulnerability.

This issue was introduced by commit d021c34 ("VSOCK: Introduce VM
Sockets") in 3.9-rc1, so 4.4 is affected too.

Fixed status
mainline: [7e97cfed9929eaabc41829c395eb0d1350fccb9d]
stable/4.14: [ec0a5b730cc053202df6b6e6dd6c860977990646]
stable/4.19: [2fc2a7767f661e6083f69588718cdf6f07cb9330]
stable/4.9: [09fc7ffdf11d20049f3748ccdef57c9a49403214]
stable/5.10: [38ddccbda5e8b762c8ee06670bb1f64f1be5ee50]
stable/5.15: [e4c0428f8a6fc8c218d7fd72bddd163f05b29795]
stable/5.4: [f82f1e2042b397277cd39f16349950f5abade58d]

CVE-2022-3630: A memory leak bug was found in fs/fscache/cookie.c

CVSS v3 score is 5.5 MEDIUM (NIST).
CVSS v3 score is 3.1 LOW (CNA).

A vulnerability was found in Linux Kernel. It has been rated as
problematic. This issue affects some unknown processing of the file
fs/fscache/cookie.c of the component IPsec. The manipulation leads to
memory leak. It is recommended to apply a patch to fix this issue. The
associated identifier of this vulnerability is VDB-211931.

This issue was introduced by commit 85e4ea1 ("fscache: Fix
invalidation/lookup race") in 5.19-rc6. This commit is not backported
to stable kernels, so they are not affected by this issue.
The commit 85e4ea1 fixes d24af13 ("fscache: Implement cookie
invalidation") in 5.17-rc1. The commit d24af13 is not backported to
stable kernels either.

Fixed status
mainline: [fb24771faf72a2fd62b3b6287af3c610c3ec9cf1]

CVE-2022-3633: A memory leak bug was found in net/can/j1939/transport.c

CVSS v3 score is 3.3 LOW (NIST).
CVSS v3 score is 3.5 LOW (CNA).

A vulnerability classified as problematic has been found in Linux
Kernel. Affected is the function j1939_session_destroy of the file
net/can/j1939/transport.c of the component IPsec. The manipulation
leads to memory leak. It is recommended to apply a patch to fix this
issue. The identifier of this vulnerability is VDB-211932.

This issue was introduced by commit 9d71dd0 ("can: add support of SAE
J1939 protocol") in 5.4-rc1 which is not backported to older stable
kernels.

Fixed status
mainline: [8c21c54a53ab21842f5050fa090f26b03c0313d6]
stable/5.10: [a220ff343396bae8d3b6abee72ab51f1f34b3027]
stable/5.15: [98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2]
stable/5.4: [04e41b6bacf474f5431491f92e981096e8cc8e93]

CVE-2022-3635: A use-after-free bug was found in drivers/atm/idt77252.c

CVSS v3 score is 7.0 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

A vulnerability, which was classified as critical, has been found in
Linux Kernel. Affected by this issue is the function tst_timer of the
file drivers/atm/idt77252.c of the component IPsec. The manipulation
leads to use after free. It is recommended to apply a patch to fix
this issue. VDB-211934 is the identifier assigned to this
vulnerability.

NIST's CVSS score is high but its exploitability is 1.0, so I think
it's not as critical as NIST's score says.

Kernel 4.4 is affected by this issue.

Fixed status
mainline: [3f4093e2bf4673f218c0bf17d8362337c400e77b]
stable/4.14: [3db3f3bf05a88635beb7391fca235fb0e5213e6f]
stable/4.19: [52fddbd9754b249546c89315787075b7247b029d]
stable/4.9: [acf173d9e27877ac1f4b0fc6614bf7f19ac90894]
stable/5.10: [a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e]
stable/5.15: [a5d7ce086fe942c5ab422fd2c034968a152be4c4]
stable/5.4: [9a6cbaa50f263b12df18a051b37f3f42f9fb5253]

CVE-2022-3636: A use-after-free bug was found in
drivers/net/ethernet/mediatek/mtk_ppe.c

CVSS v3 score is 7.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM (CNA).

A vulnerability, which was classified as critical, was found in Linux
Kernel. This affects the function __mtk_ppe_check_skb of the file
drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet
Handler. The manipulation leads to use after free. It is recommended
to apply a patch to fix this issue. The associated identifier of this
vulnerability is VDB-211935.

This issue was introduced by commit 33fc42d ("net: ethernet:
mtk_eth_soc: support creating mac address based offload entries") in
5.19-rc1 and fixed in 5.19-rc1, so released kernels aren't affected by
this issue.

NIST's CVSS score is high but its exploitability is 1.8, so I think
it's not as critical as NIST's score says.

Fixed status
mainline: [17a5f6a78dc7b8db385de346092d7d9f9dc24df6]

CVE-2022-3642: Using uninitialized data in rtl8188f_spur_calibration()
in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW (CNA).

A vulnerability classified as problematic has been found in Linux
Kernel. This affects the function rtl8188f_spur_calibration of the
file drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8188f.c of the
component Wireless. The manipulation of the argument
hw_ctrl_s1/sw_ctrl_s1 leads to use of uninitialized variable. It is
recommended to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-211959.

This issue was found in the wireless-next tree[0] and fixed in the
wireless-next tree[1]. This code hasn't been merged into mainline yet,
so mainline and stable kernels aren't affected.

0: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=80e5acb6dd72b25a6e6527443b9e9c1c3a7bcef6
1: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git/commit/?id=c888183b21f36a247bb166ca9365705611bea847

Fixed status
Fixed in the wireless-next tree. mainline and stable kernels aren't affected.

CVE-2022-43750: usb: mon: make mmapped memory read only

CVSS v3 score is not provided.

When a user space application writes data via mmap(2) to /dev/usbmon,
it can corrupt the USB monitor's internal memory.
The result can be a system crash, use-after-free, etc.
Commit a659daf ("usb: mon: make mmapped memory read only") disallows
mapping /dev/usbmon devices with VM_WRITE. Therefore, it will break an
existing user application if it uses mmap(2) with the VM_WRITE flag.
This issue was introduced by commit 6f23ee1 ("USB: add binary API to
usbmon") in 2.6.21-rc1, so 4.4 is affected.

Fixed status
mainline: [a659daf63d16aa883be42f3f34ff84235c302198]
stable/4.14: [b29f76fcf2db6615b416d98e28c7d81eff4c89a2]
stable/4.19: [bf7e2cee3899ede4c7c6548f28159ee3775fb67f]
stable/4.9: [1b5ad3786a2f2cdbfed34071aa467f80e4903a0b]
stable/5.10: [1b257f97fec43d7a8a4c9ada8538d14421861b0a]
stable/5.15: [5ff80339cdc3143b89eee2ad91ae44b4dbf65ad1]
stable/5.4: [21446ad9cb9844b90d7d8e73d8fff03160e51ebc]
stable/6.0: [08e2c70e549b77f5f3af9c76da00779d5756f997]

* Updated CVEs

CVE-2022-2602: io_uring/af_unix: defer registered files gc to io_uring release

5.10, 5.15, 5.4, 5.19 and 6.0 were fixed.

Fixed status
mainline: [0091bfc81741b8d3aeb3b7ab8636f911b2de6e80]
stable/5.10: [c378c479c5175833bb22ff71974cda47d7b05401]
stable/5.15: [813d8fe5d30388f73a21d3a2bf46b0a1fd72498c]
stable/5.19: [b4293c01ee0d0ecdd3cb5801e13f62271144667a]
stable/5.4: [04df9719df1865f6770af9bc7880874af0e594b2]
stable/6.0: [75e94c7e8859e58aadc15a98cc9704edff47d4f2]

CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak

4.19, 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed.

Fixed status
mainline: [0152dfee235e87660f52a117fc9f70dc55956bb4]
stable/4.19: [84e2394b0be397f7198986aa9a28207f70b29bd4]
stable/5.10: [29f50bcf0f8b9e49c3c9b0e08fcae2ec3a88cc9f]
stable/5.15: [a624161ebe0c678c10c4c82b574fed6c04d552d8]
stable/5.19: [169aa2664639de359a7c723ba55023ef57c0dc15]
stable/5.4: [72c0d361940aec02d114d6f8f351147b85190464]
stable/6.0: [218dbb2ef8597b837c1a8f248ad176c5f3f5b464]

CVE-2022-3541: eth: sp7021: fix use after free bug in
spl2sw_nvmem_get_mac_address

5.19 and 6.0 were fixed.

Fixed status
mainline: [12aece8b01507a2d357a1861f470e83621fbb6f2]
stable/5.19: [b47bc8202b31a2677a344322b3c4b7f8750c5e66]
stable/6.0: [99e229c7fe30a1661f9f306b3df06eaf1db064aa]

CVE-2022-3542: bnx2x: fix potential memory leak in bnx2x_tpa_stop()

4.14, 4.19, 4.9, 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed.

Fixed status
mainline: [b43f9acbb8942b05252be83ac25a81cec70cc192]
stable/4.14: [f63e896e78c247d0be8165d99d543a28ca0be360]
stable/4.19: [70421f9708d4cf14c2bd15de58862a3d22e00bbe]
stable/4.9: [9ec3f783f08b57a861700fdf4d3d8f3cfb68f471]
stable/5.10: [6cc0e2afc6a137d45b9523f61a1b1b16a68c9dc0]
stable/5.15: [0b6516a4e3eb0e2dc88a538458f3f732940f44fd]
stable/5.19: [96c0c14135f5803f9e94e6da2ee9c4b012fdcb20]
stable/5.4: [71e0ab5b7598d88001762fddbfeb331543c62841]
stable/6.0: [a712737af79b4a9a75f9abbf812279062da75777]

CVE-2022-3543: af_unix: Fix memory leaks of the whole sk due to OOB skb.

5.19 and 6.0 were fixed.

Fixed status
mainline: [7a62ed61367b8fd01bae1e18e30602c25060d824]
stable/5.19: [e2e49822a0a16d306bf6fe0009fe3136a3318f36]
stable/6.0: [2f415ad33bc1a729fb1050141921b5a9ec4e062c]

CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers

4.14, 4.19, 4.9, 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed.

Fixed status
mainline: [2568a7e0832ee30b0a351016d03062ab4e0e0a3f]
stable/4.14: [cbd342376a4e7ea481891181910e9e995390eb24]
stable/4.19: [27f74a47d5b1cf52d48af15993bb1caa31ad8f5b]
stable/4.9: [1ba21168faf881c23c270605834d01af260cbb72]
stable/5.10: [2a1d0363208528a3bacbc2c37264d60182efd482]
stable/5.15: [7bfa18b05f381162c9d38192bbf0179f1142dd38]
stable/5.19: [1f76323ac43fe0b00677794c930dee9f66ea2999]
stable/5.4: [466ed722f205c2cf8caba5982f3cd9729e767903]
stable/6.0: [5c9422e2d8563a3efe064493ff7ebbc2948441ea]

CVE-2022-3594: r8152: Rate limit overflow messages

4.14, 4.19, 4.9, 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed.

Fixed status
mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907]
stable/4.14: [f5d6c938d51217d6f0f534f1ee606d9c5eb22fdc]
stable/4.19: [88d2a93972c369eb812952aa15a25c1385506c1d]
stable/4.9: [3723658c287a98875f43cffc3245d0bf1d3ee076]
stable/5.10: [484400d433ca1903a87268c55f019e932297538a]
stable/5.15: [b3179865cf7e892b26eedab3d6c54b4747c774a2]
stable/5.19: [2e896abccf99fef76691d8e1019bd44105a12e1f]
stable/5.4: [61fd56b0a1a3e923aced4455071177778dd59e88]
stable/6.0: [21f2532974115026fdab1205aab275d6181fb89f]

CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure

4.14, 4.19, and 4.9 were fixed.

Fixed status
mainline: [6022f210461fef67e6e676fd8544ca02d1bcfa7a]
stable/4.14: [5c8395d775ca9044b361af4a19b2ff223485be35]
stable/4.19: [a99c5e38dc6c3dc3da28489b78db09a4b9ffc8c3]
stable/4.9: [35db0282da84ad200054ad5af0fd6c2f693b17f8]
stable/5.10: [36b33c63515a93246487691046d18dd37a9f589b]
stable/5.15: [76efb4897bc38b2f16176bae27ae801037ebf49a]
stable/5.19: [6ae8aa5dcf0d7ada07964c8638e55d3af5896a86]
stable/5.4: [20a5bde605979af270f94b9151f753ec2caf8b05]
stable/6.0: [b9b7369d89924a366b20045dc26dc4dc6b0567a4]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


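The report lists fix commits per stable branch, but a maintainer still has to confirm that a given tree actually carries them. The following script is an added example, not part of the CIP CVE report or of CIP's own tooling: it parses a "Fixed status" block in the format used above and checks each hash against the matching branch of a local linux-stable clone with git merge-base --is-ancestor. It assumes the clone path is given on the command line, that report labels map to the kernel.org branch names (stable/5.10 -> linux-5.10.y, mainline -> master), and that the hashes are full 40-character SHA-1s as they are here; the embedded sample block is constructed from the CVE-2022-3577 entry above for a self-test of the parser.

```shell
#!/bin/sh
# Added example, not part of the CIP CVE report or of CIP's own tooling.
# Parses a "Fixed status" block in the format used by these reports and checks
# whether a local linux-stable clone actually contains each listed fix commit.
# Assumptions: the clone path is passed as $1; report labels map to the
# kernel.org stable branch names (stable/5.10 -> linux-5.10.y) and "mainline"
# to master; hashes in the report are full 40-character SHA-1s.

# Map a report label to a git ref.  Returns 1 for anything else ("Not fixed yet.").
stable_ref() {
    case "$1" in
        mainline) echo master ;;
        stable/*) echo "linux-${1#stable/}.y" ;;
        *)        return 1 ;;
    esac
}

# Read a Fixed status block on stdin and print one "<label> <sha>" line per
# fix commit.  Entries may be "[sha]" or "[sha1,\nsha2,\n   sha3]" wrapped
# across lines, as in the CVE-2022-3577 entry; the label persists until the
# next "label:" line, and lines without a 40-hex token produce nothing.
parse_fixed_status() {
    awk '
        { gsub(/[][,]/, " ") }   # brackets and commas become separators
        $1 ~ /^(mainline|stable\/[0-9.]+):$/ { label = substr($1, 1, length($1) - 1) }
        {
            for (i = 1; i <= NF; i++)
                if (label != "" && length($i) == 40 && $i ~ /^[0-9a-f]+$/)
                    print label, $i
        }'
}

# Print present/missing/unknown for SHA on REF in REPO.  "unknown" means the
# clone lacks the ref or the object (e.g. a branch that was never fetched).
fix_state() {
    _repo=$1; _ref=$2; _sha=$3
    git -C "$_repo" rev-parse --verify --quiet "$_sha^{commit}" >/dev/null || { echo unknown; return 0; }
    git -C "$_repo" rev-parse --verify --quiet "$_ref" >/dev/null || { echo unknown; return 0; }
    if git -C "$_repo" merge-base --is-ancestor "$_sha" "$_ref"; then
        echo present
    else
        echo missing
    fi
}

# Read a Fixed status block on stdin and report each fix against its branch in REPO ($1).
check_tree() {
    parse_fixed_status | while read -r label sha; do
        ref=$(stable_ref "$label") || continue
        printf '%-12s %-14s %s %s\n' "$label" "$ref" "$sha" "$(fix_state "$1" "$ref" "$sha")"
    done
}

# Constructed sample: the CVE-2022-3577 block from the report above plus a
# "Not fixed yet." line, used for a self-test of the parser.
SAMPLE_FIXED_STATUS='Fixed status
mainline: [fc4ef9d5724973193bfa5ebed181dba6de3a56db,
945a9a8e448b65bec055d37eba58f711b39f66f0,
           9d64d2405f7d30d49818f6682acd0392348f0fdb]
stable/5.10: [296f8ca0f73f5268cd9b85cf72ff783596b2264e,
bacb37bdc2a21c8f7fdc83dcc0dea2f4ca1341fb]
Not fixed yet.'

# Parse the embedded sample; yields five "<label> <sha>" lines.
parse_sample() {
    printf '%s\n' "$SAMPLE_FIXED_STATUS" | parse_fixed_status
}

# Usage: sh fixcheck.sh /path/to/linux-stable < report.txt
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    check_tree "$1"
fi
```

Because lines without a "label:" prefix and a 40-hex token are ignored, the whole mail can be piped in rather than one block at a time; the one caveat is that a full hash quoted in prose after a "Fixed status" line would be attributed to the preceding label, so grep the output for the CVE you care about rather than trusting counts. "unknown" rather than "missing" is printed when the clone has never fetched the branch or the object, which is the usual reason a check against a 4.x branch comes back empty.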

* New CVE entries this week
@ 2022-10-20  0:48 Masami Ichikawa
From: Masami Ichikawa @ 2022-10-20  0:48 UTC
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 23 new CVEs and 2 updated CVEs.
CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are remote code
execution vulnerabilities. These CVEs are already fixed.

* New CVEs

CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans

CVSS v3 score is 8.1 HIGH.

There is a buffer overflow bug in cfg80211_update_notlisted_nontrans()
which causes 2 bytes to be overwritten.
This overflow leads to remote code execution.

This bug was introduced by commit 0b8fb82 ("cfg80211: Parsing of
Multiple BSSID information in scanning") in 5.1-rc1.
This commit isn't backported to 4.x kernels so 4.x kernels aren't
affected by this vulnerability.

Fixed status
mainline: [aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d]
stable/5.10: [a6408e0b694c1bdd8ae7dd0464a86b98518145ec]
stable/5.15: [9a8ef2030510a9d6ce86fd535b8d10720230811f]
stable/5.19: [42ea11a81ac853c3e870c70d61ab435d0b09b851]
stable/5.4: [020402c7dd587a8a4725d32bbd172a5f7ecc5f8f]
stable/6.0: [fc1ed6d0c9898a68da7f1f7843560dfda57683e2]

CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free

CVSS v3 score is 8.8 HIGH.

There is a use-after-free bug in the mac80211 subsystem. The result
will cause a remote code execution.

This vulnerability was introduced by commit 5023b14 ("mac80211:
support profile split between elements") in 5.2-rc1.
Commit 5023b14cf4df is not backported to 4.x kernels, so they
aren't affected by this vulnerability.

Fixed status
mainline: [ff05d4b45dd89b922578dac497dcabf57cf771c6]
stable/5.10: [31ce5da48a845bac48930bbde1d45e7449591728]
stable/5.15: [de124365a7d2deed22cf706583930f28d537ff0f]
stable/5.19: [e6d77ac0132da7e73fdcc4a38dd4c40ac0226466]
stable/6.0: [4afcb8886800131f8dd58d82754ee0c508303d46]

CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs

CVSS v3 score is 7.8 HIGH.

There is a use-after-free bug in cfg80211 subsystem. The result will
cause a remote code execution.

Introduced by commit a3584f5 ("cfg80211: Properly track transmitting
and non-transmitting BSS"), which is not backported to 4.x kernels, so
they aren't affected by this vulnerability.

Fixed status
mainline: [0b7808818cb9df6680f98996b8e9a439fa7bcc2f]
stable/5.10: [6b944845031356f3e0c0f6695f9252a8ddc8b02f]
stable/5.15: [bfe29873454f38eb1a511a76144ad1a4848ca176]
stable/5.19: [46b23a9559580a72d8cc5811b1bce8db099806d6]
stable/5.4: [785eaabfe3103e8bfa36aebacff6e8f69f092ed7]
stable/6.0: [e97a5d7091e6d2df05f8378a518a9bbf81688b77]

CVE-2022-42721: wifi: cfg80211: avoid non transmitted BSS list corruption

CVSS v3 score is 5.5 MEDIUM.

If there is an invalid BSS (Basic Service Set), the cfg80211 subsystem
will loop over the data forever. That results in a DoS.

Introduced by commit 0b8fb82 ("cfg80211: Parsing of Multiple BSSID
information in scanning"), which is not backported to 4.x kernels, so
they aren't affected by this vulnerability.

Fixed status
mainline: [bcca852027e5878aec911a347407ecc88d6fff7f]
stable/5.10: [b0e5c5deb7880be5b8a459d584e13e1f9879d307]
stable/5.15: [0a8ee682e4f992eccce226b012bba600bb2251e2]
stable/5.19: [1d73c990e9bafc2754b1ced71345f73f5beb1781]
stable/5.4: [77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc]
stable/6.0: [377cb1ce85878c197904ca8383e6b41886e3994d]

CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device

CVSS v3 score is 5.5 MEDIUM.

There is a NULL pointer dereference bug in ieee80211_rx_h_decrypt()
and ieee80211_rx_h_decrypt() when processing beacon protection for
P2P-device. This bug leads to DoS attacks.

This bug was introduced by commit 9eaf183 ("mac80211: Report beacon
protection failures to user space"), which is not backported to 5.4 and
4.x kernels, so they aren't affected by this vulnerability.

Fixed status
mainline: [b2d03cabe2b2e150ff5a381731ea0355459be09f]
stable/5.10: [58c0306d0bcd5f541714bea8765d23111c9af68a]
stable/5.15: [93a3a32554079432b49cf87f326607b2a2fab4f2]
stable/5.19: [fa63b5f6f8853ace755d9a23fb75817d5ba20df5]
stable/6.0: [8ed62f2df8ebcf79c185f1bc3e4f346ea0905da6]

CVE-2022-3521: kcm: avoid potential race in kcm_tx_work

CVSS v3 score is 2.5 LOW(NIST).
CVSS v3 score is 2.6 LOW(VulDB).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function kcm_tx_work of
the file net/kcm/kcmsock.c of the component kcm. The manipulation
leads to race conditions.

This bug was introduced by ab7ac4e ("kcm: Kernel Connection
Multiplexor module") in 4.6-rc1.
The kcm was introduced in 4.6 so 4.4 kernel is not affected by this issue.

Fixed status
mainline: [ec7eede369fe5b0d085ac51fdbb95184f87bfc6c]

CVE-2022-3522: mm/hugetlb: use hugetlb_pte_stable in migration race check

CVSS v3 score is 7.0 HIGH(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel and classified as
problematic. This issue affects the function hugetlb_no_page of the
file mm/hugetlb.c. The manipulation leads to race conditions.

Commit 2ea7ff1 ("mm/hugetlb: fix race condition of uffd missing/minor
handling") in 6.1-rc1 added a new function called
hugetlb_pte_stable(). Commit f9bf6c0 ("mm/hugetlb: use
hugetlb_pte_stable in migration race check") uses the function so
applying this patch requires commit 2ea7ff1.

Fixed status
mainline: [f9bf6c03eca1077cae8de0e6d86427656fa42a9b]

CVE-2022-3523: mm/memory.c: fix race when faulting a device private page

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel. It has been classified as
problematic. Affected is an unknown function of the file mm/memory.c
of the component Driver Handler. The manipulation leads to use after
free.

The commit log says:

```
When the CPU tries to access a device private page the migrate_to_ram()
callback associated with the pgmap for the page is called.  However no
reference is taken on the faulting page.  Therefore a concurrent migration
of the device private page can free the page and possibly the underlying
pgmap.  This results in a race which can crash the kernel due to the
migrate_to_ram() function pointer becoming invalid.  It also means drivers
can't reliably read the zone_device_data field because the page may have
been freed with memunmap_pages().
```

According to the above commit log, accessing an invalid migrate_to_ram
pointer will cause a bug.
This migrate_to_ram pointer was added by commit 897e636 ("memremap:
add a migrate_to_ram method to struct dev_pagemap_ops") in 5.3-rc1.
Therefore, kernel versions from 5.3-rc1 to 6.1-rc1 are affected by
this vulnerability.

This fix is based on the memory folios feature, so it cannot be applied
to older kernels directly.

- mm/migrate_device.c was introduced by commit 76cbbea ("mm: move the
migrate_vma_* device migration code into its own file") in 5.18-rc1.
- migrate_folio() was added into include/linux/migrate.h by commit
5418465 ("mm/migrate: Convert migrate_page() to migrate_folio()") in
6.0-rc1.
- Memory folios feature was introduced in 5.16.

Fixed status
mainline: [16ce101db85db694a91380aa4c89b25530871d33]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function
ipv6_renew_options of the component IPv6 Handler. The manipulation
leads to memory leak. The attack can be launched remotely.

CVSS v3 score is 7.5 HIGH(NIST).
CVSS v3 score is 4.3 MEDIUM(VulDB).

Kernel 4.4 is also affected by this issue. Applying this fix requires
modifying the patch.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]

CVE-2022-3526: macvlan: Fix leaking skb in source mode with nodst option

CVSS v3 score is 7.5 HIGH(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
This vulnerability affects the function macvlan_handle_frame of the
file drivers/net/macvlan.c of the component skb. The manipulation
leads to memory leak. The attack can be initiated remotely.

Introduced by 427f0c8 ("macvlan: Add nodst option to macvlan type
source") in 5.13-rc1.
Kernels before 5.13-rc1 are not affected.

Fixed status
mainline: [e16b859872b87650bb55b12cca5a5fcdc49c1442]
stable/5.15: [8f79ce226ad2e9b2ec598de2b9560863b7549d1b]

CVE-2022-3531: selftest/bpf: Fix memory leak in kprobe_multi_test

CVSS v3 score is 5.7 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability was found in Linux Kernel. It has been classified as
problematic. This affects the function get_syms of the file
tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c of the
component BPF. The manipulation leads to memory leak.

Introduced by commit 5b6c7e5c4434 ("selftests/bpf: Add attach bench
test") in 5.19-rc1. It isn't backported to older kernels.
By the way, users shouldn't run kselftest in their production environment anyway.

Fixed status
Fixed in bpf-next tree as of 2022-10-18.

CVE-2022-3532: selftests/bpf: Fix memory leak caused by not destroying skeleton

CVSS v3 score is 5.7 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. This vulnerability affects the function
test_map_kptr_success/test_fentry of the component BPF. The
manipulation leads to memory leak.

Introduced by commit 0ef6740e9777 ("selftests/bpf: Add tests for
kptr_ref refcounting") in 5.19-rc1 and 1642a3945e22 ("selftests/bpf:
Add struct argument tests with fentry/fexit programs.") in 6.1-rc1.
These commits are not backported to stable kernels.
Users shouldn't run kselftest on their production environment, anyway.

4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue.

Fixed status
Fixed in bpf-next tree as of 2022-10-18.

CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak

CVSS v3 score is not provided(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
Affected by this vulnerability is the function mvpp2_dbgfs_port_init
of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the
component mvpp2. The manipulation leads to memory leak.

Introduced by commit 21da57a ("net: mvpp2: add a debugfs interface for
the Header Parser") in 4.19-rc1.
4.4, 4.9, 4.10, and 4.19 kernels are not affected by this issue.

Fixed status
mainline: [0152dfee235e87660f52a117fc9f70dc55956bb4]

CVE-2022-3543: af_unix: Fix memory leaks of the whole sk due to OOB skb.

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability, which was classified as problematic, has been found
in Linux Kernel. This issue affects the function
unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c
of the component BPF. The manipulation leads to memory leak.

Introduced by commit 314001f ("af_unix: Add OOB support") in 5.15-rc1.
This commit is not backported to older kernels.
4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue.

Fixed status.
mainline: [7a62ed61367b8fd01bae1e18e30602c25060d824]

CVE-2022-3564: Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_reassemble_sdu

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability classified as critical was found in Linux Kernel.
Affected by this vulnerability is the function l2cap_reassemble_sdu of
the file net/bluetooth/l2cap_core.c of the component Bluetooth. The
manipulation leads to use after free. I

Introduced by commit d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive
state machine") in 3.6-rc1 and 4b51dae96731 ("Bluetooth: Add streaming
mode receive and incoming packet classifier") in 3.6-rc1.

Fixed status
fixed in bluetooth-next tree as of 2022-10-18

CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability, which was classified as critical, has been found in
Linux Kernel. Affected by this issue is the function del_timer of the
file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The
manipulation leads to use after free.

Fixed status
mainline: [2568a7e0832ee30b0a351016d03062ab4e0e0a3f]

CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability, which was classified as problematic, was found in
Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt
of the component TCP Handler. The manipulation leads to race
conditions.

Fixed status
mainline: [f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57]

CVE-2022-3567: ipv6: Fix data races around sk->sk_prot.

CVSS v3 score is not provided(NIST).
CVSS v3 score is 4.6 MEDIUM(VulDB).

A vulnerability has been found in Linux Kernel and classified as
problematic. This vulnerability affects the function
inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The
manipulation leads to race conditions.

According to the commit log, commit 086d490 ("ipv6: annotate some
data-races around sk->sk_prot") fixes a race condition bug but it was
not enough.
Therefore it seems that both commits 086d490 and 364f997 are needed to fix this issue.

Fixed status
mainline: [364f997b5cfe1db0d63a390fe7c801fa2b3115f6]

CVE-2022-2602: io_uring/af_unix: defer registered files gc to io_uring release

CVSS v3 score is not provided.

A use-after-free bug was found in the io_uring subsystem. When
io_uring releases registered fds, the Unix socket garbage collection
process is used. If the Unix GC runs before io_uring has released the
fds, a use-after-free happens. That results in a local privilege
escalation vulnerability.

Fixed status
mainline: [0091bfc81741b8d3aeb3b7ab8636f911b2de6e80]

CVE-2022-3542: bnx2x: fix potential memory leak in bnx2x_tpa_stop()

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 3.5 LOW(VulDB).

A vulnerability classified as problematic was found in Linux Kernel.
This vulnerability affects the function bnx2x_tpa_stop of the file
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF.
The manipulation leads to memory leak.

This bug was in a driver for Broadcom NetXtremeII 10 gigabit Ethernet
cards (CONFIG_BNX2X).

Fixed status
mainline: [b43f9acbb8942b05252be83ac25a81cec70cc192]

CVE-2022-3545: nfp: fix use-after-free in area_cache_get()

CVSS v3 score is 7.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability has been found in Linux Kernel and classified as
critical. Affected by this vulnerability is the function
area_cache_get of the file
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the
component IPsec. The manipulation leads to use after free.

The nfp/nfpcore was added by 4cb584e0 ("nfp: add CPP access core") in
4.11-rc1. So, 4.4 and 4.9 are not affected.

Fixed status
mainline: [02e1a114fdb71e59ee6770294166c30d437bf86a]

CVE-2022-3541: eth: sp7021: fix use after free bug in
spl2sw_nvmem_get_mac_address

CVSS v3 score is 7.8 HIGH(NIST).
CVSS v3 score is 5.5 MEDIUM(VulDB).

A vulnerability classified as critical has been found in Linux Kernel.
This affects the function spl2sw_nvmem_get_mac_address of the file
drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The
manipulation leads to use after free.

This issue was introduced by commit fd3040b ("net: ethernet: Add
driver for Sunplus SP7021") in 5.19-rc1.
Therefore, 4.x, 5.10, and 5.15 kernels are not affected by this issue.

Fixed status
mainline: [12aece8b01507a2d357a1861f470e83621fbb6f2]

CVE-2022-3594: r8152: Rate limit overflow messages

CVSS v3 score is not provided(NIST).
CVSS v3 score is 5.3 MEDIUM(VulDB).

A vulnerability was found in Linux Kernel. It has been declared as
problematic. Affected by this vulnerability is the function
intr_callback of the file drivers/net/usb/r8152.c of the component
BPF. The manipulation leads to logging of excessive data. The attack
can be launched remotely.

Fixed status
mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907]

* Updated CVEs

CVE-2022-3303: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

5.10 was fixed this week.

Fixed status
mainline: [8423f0b6d513b259fdab9c9bf4aaa6188d054c2d]
stable/5.10: [fce793a056c604b41a298317cf704dae255f1b36]
stable/5.15: [8015ef9e8a0ee5cecfd0cb6805834d007ab26f86]
stable/5.19: [723ac5ab2891b6c10dd6cc78ef5456af593490eb]
stable/5.4: [4051324a6dafd7053c74c475e80b3ba10ae672b0]

CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure

stable 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed this week.

Fixed status
mainline: [6022f210461fef67e6e676fd8544ca02d1bcfa7a]
stable/5.10: [36b33c63515a93246487691046d18dd37a9f589b]
stable/5.15: [76efb4897bc38b2f16176bae27ae801037ebf49a]
stable/5.19: [6ae8aa5dcf0d7ada07964c8638e55d3af5896a86]
stable/5.4: [20a5bde605979af270f94b9151f753ec2caf8b05]
stable/6.0: [b9b7369d89924a366b20045dc26dc4dc6b0567a4]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


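The r8152 entry above (CVE-2022-3594) is fixed by rate limiting a log message that a remote peer can trigger at will. The C block below is an added example, not the driver's or the kernel's code: a constructed per-call-site limiter in the spirit of the kernel's ratelimit helper, allowing at most `burst` messages per `interval_ms` and counting the rest instead of logging them. The struct, the function names and the injected `now_ms` clock are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed per-call-site limiter (example only, not kernel code):
 * at most `burst` messages in any window of `interval_ms`; further
 * messages in that window are counted in `missed`, not logged. */
struct ratelimit {
    uint64_t interval_ms;
    unsigned burst;
    uint64_t window_start_ms;
    unsigned printed;      /* messages allowed in the current window */
    unsigned missed;       /* messages suppressed in the current window */
};

void ratelimit_init(struct ratelimit *rl, uint64_t interval_ms, unsigned burst)
{
    memset(rl, 0, sizeof(*rl));
    rl->interval_ms = interval_ms;
    rl->burst = burst;
}

/* Returns true if the caller may emit its message now.  now_ms is a
 * monotonic timestamp injected by the caller so the example is
 * deterministic; a driver would read the kernel's monotonic clock. */
bool ratelimit_allow(struct ratelimit *rl, uint64_t now_ms)
{
    if (rl->interval_ms == 0)
        return true;                        /* limiter disabled */

    /* Window expired: open a new one and forget the old counters. */
    if (now_ms - rl->window_start_ms >= rl->interval_ms) {
        rl->window_start_ms = now_ms;
        rl->printed = 0;
        rl->missed = 0;
    }

    if (rl->printed < rl->burst) {
        rl->printed++;
        return true;
    }
    rl->missed++;
    return false;
}

/* Constructed scenario: a peer floods the same event `flood` times at
 * one instant (a remote trigger, as in the r8152 case), then one more
 * event arrives after the interval has elapsed.  Returns how many of
 * the flood were allowed; the suppressed count and whether the later
 * event got through are reported via the out-parameters. */
unsigned flood_then_wait(unsigned flood, unsigned *suppressed, bool *later_allowed)
{
    struct ratelimit rl;
    unsigned allowed = 0;

    ratelimit_init(&rl, 1000, 5);           /* 5 messages per second */
    for (unsigned i = 0; i < flood; i++)
        if (ratelimit_allow(&rl, 0))
            allowed++;
    *suppressed = rl.missed;
    *later_allowed = ratelimit_allow(&rl, 1000);
    return allowed;
}
```

With a 20-message flood at one instant, only the first five are logged, fifteen are counted as suppressed, and the first message after the window has passed is logged again. A real limiter would also report the suppressed count when a new window opens so that the flood itself leaves a trace.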

* New CVE entries this week
@ 2022-10-12 23:43 Masami Ichikawa
From: Masami Ichikawa @ 2022-10-12 23:43 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 1 updated CVEs.

* New CVEs

CVE-2022-3424: misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os

CVSS v3 score is not provided.

A gts value may be freed in gru_check_chiplet_assignment(). However,
the caller still uses it after that, then use-after-free happens.

No CIP member enables CONFIG_SGI_GRU.

Fixed status
Patch is available(https://lore.kernel.org/all/20221006152643.1694235-1-zyytlz.wz@163.com/)
but not merged yet.

CVE-2022-3435: ipv4: Handle attempt to delete multipath route when
fib_info contains an nh reference

CVSS v3 score is 4.3 MEDIUM.

A vulnerability classified as problematic has been found in Linux
Kernel. This affects the function fib_nh_match of the file
net/ipv4/fib_semantics.c of the component IPv4 Handler. The
manipulation leads to out-of-bounds read. It is possible to initiate
the attack remotely. It is recommended to apply a patch to fix this
issue. The identifier VDB-210357 was assigned to this vulnerability.

Commit 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
introduced this vulnerability.
This commit is not backported to 4.x kernels so they aren't affected
by this vulnerability.

CVE-2022-20409: io_uring: Use original task for req identity in
io_identity_cow()

CVSS v3 score is not provided.

Commit 2ee0cab1 ("io_uring: Use original task for req identity in
io_identity_cow()") described that
 "If the ring is setup with IORING_SETUP_IOPOLL and we have more than
  one task doing submissions on a ring, we can up in a situation where
  we assign the context from the current task rather than the request
  originator."

This vulnerability was introduced by commit 5c3462cfd123b ("io_uring:
store io_identity in io_uring_task") in 5.10-rc1.
The mainline kernel stopped using non-native workers in 5.12-rc1.
So, only 5.10 has this vulnerability.

Fixed status
mainline: [4379bf8bd70b5de6bba7d53015b0c36c57a634ee]
stable/5.10: [2ee0cab11f6626071f8a64c7792406dabdd94c8d]

CVE-2022-42703: anon_vma UAF through bogus merge of VMAs caused by
double-reuse of leaf anon_vma because of ->degree misinterpretation

CVSS v3 score is 5.5 MEDIUM.

mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free
related to leaf anon_vma double reuse.

This vulnerability was introduced by commit 7a3ef20 ("mm: prevent
endless growth of anon_vma hierarchy") in 3.19-rc4.
CIP's 4.4 kernels can apply c24ca0f17 (this commit is in 4.9) without
modification.

Fixed status
mainline: [2555283eb40df89945557273121e9393ef9b542b]
stable/4.14: [978a70601bdc4c32de4003d3beef4dfa23fff1e0]
stable/4.19: [6dbfc25d68d922736381988d64156a649ccf7bf1]
stable/4.9: [c24ca0f172905d593ad8ab276b0992bb74353a8d]
stable/5.10: [98f401d36396134c0c86e9e3bd00b6b6b028b521]
stable/5.15: [c18a209b56e37b2a60414f714bd70b084ef25835]
stable/5.19: [7877eaa1131147b4d6a063962f3aac0ab1b8ea1c]
stable/5.4: [2fe3eee48899a890310177d54537d5b8e255eb31]

* Updated CVEs

CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure

Vulnerability was in drivers/scsi/stex.c which is compiled when
CONFIG_SCSI_STEX is set.

Fixed status
mainline: [6022f210461fef67e6e676fd8544ca02d1bcfa7a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-10-05 23:53 Masami Ichikawa
From: Masami Ichikawa @ 2022-10-05 23:53 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 7 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-41848: char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops

CVSS v3 score is 4.2 MEDIUM.

drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12
has a race condition and resultant use-after-free if a physically
proximate attacker removes a PCMCIA device while calling ioctl, aka a
race condition between mgslpc_ioctl and mgslpc_detach.

This vulnerability is present only if CONFIG_SYNCLINK_CS (SyncLink PC Card
support) is enabled.

No CIP member enables CONFIG_SYNCLINK_CS.

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2022-41849: video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()

CVSS v3 score is 4.2 MEDIUM.

This vulnerability is present only if CONFIG_FB_SMSCUFX (SMSC UFX6000/7000
USB Framebuffer support) is enabled.

drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has
a race condition and resultant use-after-free if a physically
proximate attacker removes a USB device while calling open(), aka a
race condition between ufx_ops_open and ufx_usb_disconnect.

4.4.y-cip-rt/x86/siemens_i386-rt.config enables CONFIG_FB_SMSCUFX.

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2022-41850: HID: roccat: Fix Use-After-Free in roccat_read

CVSS v3 score is 4.7 MEDIUM.

This vulnerability is present only if CONFIG_HID_ROCCAT (Roccat device
support) is enabled.

roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel
through 5.19.12 has a race condition and resultant use-after-free in
certain situations where a report is received while copying a
report->value is in progress.

The following files set CONFIG_HID_ROCCAT=m.

4.9.y-cip/arm/moxa_mxc_defconfig
4.19.y-cip/arm/moxa_mxc_defconfig
4.4.y-cip/arm/moxa_mxc_defconfig
5.10.y-cip/arm/moxa_mxc_defconfig

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2022-20421: binder: fix UAF of ref->proc caused by race condition

CVSS v3 score is not provided.

A use-after-free bug was found in drivers/android/binder.c.
This driver is built when ANDROID_BINDER_IPC is set.

No CIP member enables ANDROID_BINDER_IPC.

Fixed status
mainline: [a0e44c64b6061dda7e00b7c458e4523e2331b739]
stable/4.14: [229f47603dd306bc0eb1a831439adb8e48bb0eae]
stable/4.19: [06e5b43ca4dab06a92bf4c2f33766e6fb11b880a]
stable/5.10: [9629f2dfdb1dad294b468038ff8e161e94d0b609]
stable/5.15: [c2a4b5dc8fa71af73bab704d0cac42ac39767ed6]
stable/5.19: [603a47f2ae56bf68288784d3c0a8c5b8e0a827ed]
stable/5.4: [30d0901b307f27d36b2655fb3048cf31ee0e89c0]

CVE-2022-20422: arm64: fix oops in concurrently setting insn_emulation sysctls

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in emulation_proc_handler()
in arm64/kernel/armv8_deprecated.c.
If emulation_proc_handler() is called concurrently, a NULL pointer
dereference bug may occur.
The armv8_deprecated.c is built when ARMV8_DEPRECATED is set.

Patch for 4.9 is available but it's not released yet.

No CIP member enables ARMV8_DEPRECATED.

Fixed status
mainline: [af483947d472eccb79e42059276c4deed76f99a6]
stable/4.14: [9d5fec6ba2e4117d196a8259ab54615ffe562460]
stable/4.19: [b51881b1da57fe9877125dfdd0aac5172958fcfd]
stable/5.10: [353b4673d01c512303c45cf2346f630cda73b5c9]
stable/5.15: [cc69ef95988b9ef2fc730ec452a7441efb90ef5e]
stable/5.19: [07022e07017ee5540f5559b0aeb916e8383c1e1a]
stable/5.4: [04549063d5701976034d8c2bfda3d3a8cbf0409f]

CVE-2022-20423: usb: gadget: rndis: prevent integer overflow in
rndis_set_response()

CVSS v3 score is not provided.

In rndis_set_response(), there was a missing buffer size check that
caused an integer overflow bug.

Fixed status
cip/4.4: [debcd5bcbe8ab6cfaf703ad7f7333308e388874a]
cip/4.4-rt: [debcd5bcbe8ab6cfaf703ad7f7333308e388874a]
cip/4.4-st: [debcd5bcbe8ab6cfaf703ad7f7333308e388874a]
mainline: [65f3324f4b6fed78b8761c3b74615ecf0ffa81fa]
stable/4.14: [c7953cf03a26876d676145ce5d2ae6d8c9630b90]
stable/4.19: [138d4f739b35dfb40438a0d5d7054965763bfbe7]
stable/4.9: [8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b]
stable/5.10: [28bc0267399f42f987916a7174e2e32f0833cc65]
stable/5.15: [56b38e3ca4064041d93c1ca18828c8cedad2e16c]
stable/5.4: [21829376268397f9fd2c35cfa9135937b6aa3a1e]

CVE-2022-20424: io_uring: always use original task when preparing req identity

This CVE is a duplicate of
CVE-2022-1786(https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/blob/master/issues/CVE-2022-1786.yml).

* Updated CVEs

CVE-2022-23816 CVE-2022-29900: Information leak through mispredicted
returns on AMD processors
CVE-2022-29901: Information leak through mispredicted returns on Intel
processors

According to the Debian security tracker[1,2], new notes were added
that say "[buster] - linux <ignored> (Mitigation is too invasive to
backport)". It seems as if the Debian team tried to backport the
patches to 4.19 but gave up because the backport is too complex?

1: https://security-tracker.debian.org/tracker/CVE-2022-29900
2: https://security-tracker.debian.org/tracker/CVE-2022-29901

CVE-2022-2663: netfilter: nf_conntrack_irc: Tighten matching on DCC message

Added one more commit e8d5dfd ("netfilter: nf_conntrack_irc: Tighten
matching on DCC message"). This commit was merged in 6.0-rc7.
Both commits 0efe125 ("netfilter: nf_conntrack_irc: Fix forged IP
logic") and e8d5dfd ("netfilter: nf_conntrack_irc: Tighten matching on
DCC message") mention that they fix 869f37d ("[NETFILTER]:
nf_conntrack/nf_nat: add IRC helper port").

Fixed status
mainline: [0efe125cfb99e6773a7434f3463f7c2fa28f3a43,
e8d5dfd1d8747b56077d02664a8838c71ced948e]
stable/4.14: [6ce66e3442a5989cbe56a6884384bf0b7d1d0725]
stable/4.19: [3275f7804f40de3c578d2253232349b07c25f146,
468adf7aab7a30ffe4467e2c981a65568ba84f0b]
stable/4.9: [eb4d8d6b44a23ff2b6e2af06c8240de73dff8a7d]
stable/5.10: [e12ce30fe593dd438c5b392290ad7316befc11ca,
9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d]
stable/5.15: [451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4]
stable/5.19: [6cf0609154b2ce8d3ae160e7506ab316400a8d3d]
stable/5.4: [36f7b71f8ad8e4d224b45f7d6ecfeff63b091547]

CVE-2022-2308: undefined behavior or data leak in Virtio drivers with VDUSE

The mainline, 5.15, and 5.19 were fixed. VDUSE was introduced in
5.15-rc1 by commit c8a6153 ("vduse: Introduce VDUSE - vDPA Device in
Userspace"), so kernels earlier than 5.15 aren't affected.

Fixed status
mainline: [46f8a29272e51b6df7393d58fc5cb8967397ef2b]
stable/5.15: [dc248ddf41eab4566e95b1ee2433c8a5134ad94a]
stable/5.19: [38d854c4a11c3bbf6a96ea46f14b282670c784ac]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


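CVE-2022-20423 above is a missing size check that lets an attacker-controlled offset wrap when the driver adds a header length to it. The C block below is an added example, not the gadget driver's code: it shows the shape of that bug next to a check that cannot wrap, and a payload extractor built on the safe check. `MAX_TOTAL_SIZE`, `HDR_LEN`, the function names and the constructed 64-byte message are assumptions for the example; the actual constants and fix are in the commits listed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_TOTAL_SIZE 1024u   /* constructed cap on a whole message */
#define HDR_LEN        8u      /* constructed header size in front of the payload */

/* Overflow-prone check (kept only to show the bug): for a large offset
 * such as 0xFFFFFFF8, offset + HDR_LEN wraps to 0, the sum compares as
 * small, and whatever reads msg + offset + HDR_LEN afterwards is far
 * outside the message. */
bool payload_in_bounds_buggy(uint32_t offset, uint32_t length, uint32_t msg_len)
{
    return offset + HDR_LEN + length <= msg_len;
}

/* Hardened check: bound each untrusted operand before any addition so
 * no intermediate can wrap, then compare against the real message size. */
bool payload_in_bounds(uint32_t offset, uint32_t length, uint32_t msg_len)
{
    uint32_t start;

    if (msg_len > MAX_TOTAL_SIZE)
        return false;
    if (offset > MAX_TOTAL_SIZE - HDR_LEN)      /* offset + HDR_LEN cannot wrap now */
        return false;
    start = offset + HDR_LEN;
    if (start > msg_len)                        /* payload would begin past the end */
        return false;
    return length <= msg_len - start;           /* no wrap: start <= msg_len here */
}

/* Copy the payload described by (offset, length) out of msg into dst.
 * Returns the number of bytes copied, or -1 if the request was rejected. */
int extract_payload(const uint8_t *msg, uint32_t msg_len, uint32_t offset,
                    uint32_t length, uint8_t *dst, uint32_t dst_len)
{
    if (!payload_in_bounds(offset, length, msg_len) || length > dst_len)
        return -1;
    memcpy(dst, msg + offset + HDR_LEN, length);
    return (int)length;
}

/* Constructed driver for the demo: a 64-byte message whose byte i holds
 * the value i, so the first copied byte tells where the copy started.
 * Returns that byte, or -1 if the request was rejected. */
int demo_extract(uint32_t offset, uint32_t length)
{
    uint8_t msg[64];
    uint8_t out[64];

    for (uint32_t i = 0; i < sizeof(msg); i++)
        msg[i] = (uint8_t)i;
    if (extract_payload(msg, sizeof(msg), offset, length, out, sizeof(out)) < 0)
        return -1;
    return out[0];
}
```

The wrapping request (offset 0xFFFFFFF8, length 4, message of 64 bytes) passes the buggy check and is rejected by the hardened one; an honest request at offset 16 copies from byte 24 onward, and a length that runs past the message is rejected even though the offset itself is fine.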

* New CVE entries this week
@ 2022-09-28 23:42 Masami Ichikawa
From: Masami Ichikawa @ 2022-09-28 23:42 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 5 updated CVEs.

* New CVEs

CVE-2022-2785: bpf: Disallow bpf programs call prog_run command.

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.7 MEDIUM(CNA).

There exists an arbitrary memory read within the Linux Kernel BPF -
Constants provided to fill pointers in structs passed in to
bpf_sys_bpf are not verified and can point anywhere, including memory
not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory
from anywhere on the system.

This vulnerability was introduced by commit b1d18a7574d0 ("bpf: Extend
sys_bpf commands for bpf_syscall programs.") in 5.18-rc1.
LTS kernels don't have this commit so they aren't affected by this issue.

Fixed status
mainline: [86f44fcec22ce2979507742bc53db8400e454f46]
stable/5.19: [b429d0b9a7a0f3dddb1f782b72629e6353f292fd]

CVE-2022-3103: io_uring: fix off-by-one in sync cancelation file check

CVSS v3 score is 7.8 HIGH.

There is a wrong validation check in io_uring/cancel.c.  It will cause
an off-by-one.

This bug was introduced by commit 78a861b ("io_uring: add sync
cancelation API through io_uring_register()") in 6.0-rc1. This commit
is not backported to stable kernels, so it only affects 6.0-rc1 to
6.0-rc2.

Fixed status
mainline: [47abea041f897d64dbd5777f0cf7745148f85d75]

CVE-2022-3239: A use-after-free bug was found in video4linux driver
for the Empia 28xx based TV cards

CVSS v3 score is 7.8 HIGH

A use-after-free flaw was found in the Linux kernel video4linux driver
in the way a user triggers em28xx_usb_probe() for the Empia 28xx based
TV cards. A local user could use this flaw to crash the system or
potentially escalate their privileges on the system.
This bug was introduced by commit 47677e5 ("[media] em28xx: Only
deallocate struct em28xx after finishing all extensions") in 3.15-rc1.

No CIP member enables CONFIG_VIDEO_EM28XX.

Fixed status
mainline: [c08eadca1bdfa099e20a32f8fa4b52b2f672236d]
stable/4.14: [1f6ab281f218c3a2b789eb976c5b1ef67139680a]
stable/4.19: [0113fa98a49a8e46a19b0ad80f29c904c6feec23]
stable/5.10: [ec8a37b2d9a76a9443feb0af95bd06ac3df25444]
stable/5.15: [332d45fe51d75a3a95c4a04e2cb7bffef284edd4]
stable/5.4: [92f84aa82dfaa8382785874277b0c4bedec89a68]

CVE-2022-36402: An integer overflow vulnerability was found in vmwgfx driver

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

An integer overflow vulnerability was found in vmwgfx driver in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel
with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a
local attacker with a user account on the system to gain privilege,
causing a denial of service(DoS).

Fixed status
Not fixed yet.

CVE-2022-3303: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

CVSS v3 score is not assigned.

A race condition bug was found in snd_pcm_oss_sync() in the
sound/core/oss/pcm_oss.c. This race condition triggers a NULL pointer
dereference that results in a system crash. It looks as if 4.4 is
affected too.

Fixed status
mainline: [8423f0b6d513b259fdab9c9bf4aaa6188d054c2d]
stable/5.15: [8015ef9e8a0ee5cecfd0cb6805834d007ab26f86]
stable/5.19: [723ac5ab2891b6c10dd6cc78ef5456af593490eb]
stable/5.4: [4051324a6dafd7053c74c475e80b3ba10ae672b0]

CVE-2022-3170: ALSA: control: Re-order bounds checking in get_ctl_id_hash()

CVSS v3 score is 7.8 HIGH.

An out-of-bounds access issue was found in the Linux kernel sound
subsystem. It could occur when the 'id->name' provided by the user did
not end with '\0'. A privileged local user could pass a specially
crafted name through ioctl() interface and crash the system or
potentially escalate their privileges on the system.

This vulnerability's root cause is commit c27e1ef ("ALSA: control: Use
xarray for faster lookups"). This commit was merged in 6.0-rc1 and is
not backported to stable kernels. So, it affects 6.0-rc1 to 6.0-rc4.

Fixed status
mainline: [5934d9a0383619c14df91af8fd76261dc3de2f5f,
6ab55ec0a938c7f943a4edba3d6514f775983887]

* Updated CVEs

CVE-2022-0171: KVM: cache incoherence issue in SEV API may lead to
kernel crash

stable 5.10 and 5.15 were fixed. This vulnerability affects 5.10 or
later versions.

Fixed status
mainline: [683412ccf61294d727ead4a73d97397396e69a6b]
stable/5.10: [a60babeb60ff276963d4756c7fd2e7bf242bb777]
stable/5.15: [39b0235284c7aa33a64e07b825add7a2c108094a]

CVE-2022-3061: video: fbdev: i740fb: Error out if ''pixclock'' equals zero

5.10 and 5.15 were fixed.

Fixed status
mainline: [15cf0b82271b1823fb02ab8c377badba614d95d5]
stable/5.10: [e00582a36198888ffe91ed6b097d86556c8bb253]
stable/5.15: [59b756da49bfa51a00a0b58b4147ce2652bc3d28]

CVE-2022-39842: video: fbdev: pxa3xx-gcu: Fix integer overflow in
pxa3xx_gcu_write

4.14, 4.19, 4.9, 5.4, 5.10 and 5.15 were fixed.

Fixed status
mainline: [a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7]
stable/4.14: [9556a88a16e381dbd6834da95206742d0973afc6]
stable/4.19: [a34547fc43d02f2662b2b62c9a4c578594cf662d]
stable/4.9: [a0dcaa48042a56a9eee2efed19563866a0ddbce2]
stable/5.10: [06e194e1130c98f82d46beb40cdbc88a0d4fd6de]
stable/5.15: [ab5140c6ddd7473509e12f468948de91138b124e]
stable/5.4: [1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9]

CVE-2022-40307: efi: capsule-loader: Fix use-after-free in efi_capsule_write

This vulnerability was introduced by commit 65117f1 ("efi: Add misc
char driver interface to update EFI firmware"), which was merged in
4.7-rc1. 4.4.y-cip and linux-4.4.y-rt have this commit but 4.4.y-st
doesn't.

Fixed status
mainline: [9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95]
stable/4.14: [233d5c4d18971feee5fc2f33f00b63d8205cfc67]
stable/4.19: [021805af5bedeafc76c117fc771c100b358ab419]
stable/5.10: [918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6]
stable/5.15: [dd291e070be0eca8807476b022bda00c891d9066]
stable/5.19: [d46815a8f26ca6db2336106a148265239f73b0af]
stable/5.4: [8028ff4cdbb3f20d3c1c04be33a83bab0cb94997]

CVE-2021-4037: kernel: security regression for CVE-2018-13405

5.10 was fixed.

Fixed status
mainline: [01ea173e103edd5ec41acec65b9261b87e123fc2]
stable/5.10: [e811a534ec2f7f6c0d27532c0915715427b7cab1]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


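CVE-2022-3170 above is an out-of-bounds read from hashing a user-supplied name that is not NUL-terminated. The C block below is an added example, not the ALSA code: a constructed control-id record and two hashes over it, one that scans until it sees '\0' and one whose length check comes first in the loop condition. The struct layout, `NAME_LEN`, the FNV-style mixing and the sample names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_LEN 8u   /* constructed: fixed-size name field in the id */

/* Constructed control-id record.  name is copied verbatim from user
 * space, so it is NUL-terminated only if the caller chose to do so.
 * index is kept as raw bytes so the layout is the same on every target. */
struct ctl_id {
    char    name[NAME_LEN];
    uint8_t index[4];
};

static uint32_t mix(uint32_t h, uint8_t b)
{
    return (h ^ b) * 16777619u;   /* FNV-1a step, used only as an illustration */
}

/* Unbounded hash: walks until it sees a '\0'.  Scanning the object's
 * byte representation (legal through a char pointer) shows how far a
 * name without a terminator lets it run: straight into index.  The
 * scan is clamped to the struct so the demo itself stays in bounds;
 * real code has no such clamp and reads whatever follows. */
uint32_t hash_id_unbounded(const struct ctl_id *id, size_t *scanned)
{
    const uint8_t *p = (const uint8_t *)id + offsetof(struct ctl_id, name);
    const uint8_t *end = (const uint8_t *)id + sizeof(*id);
    uint32_t h = 2166136261u;
    size_t n = 0;

    while (p + n < end && p[n] != '\0') {
        h = mix(h, p[n]);
        n++;
    }
    *scanned = n;
    return h;
}

/* Bounded hash: the length check is evaluated before the byte is read,
 * so a name that fills the whole field is hashed as exactly NAME_LEN bytes. */
uint32_t hash_id_bounded(const struct ctl_id *id, size_t *scanned)
{
    uint32_t h = 2166136261u;
    size_t n = 0;

    while (n < NAME_LEN && id->name[n] != '\0') {
        h = mix(h, (uint8_t)id->name[n]);
        n++;
    }
    *scanned = n;
    return h;
}

/* Constructed inputs: a name using every byte of the field (no
 * terminator) and a short, properly terminated one.  Both carry a
 * non-zero index right behind the name. */
static struct ctl_id make_id(const char *name, size_t len)
{
    struct ctl_id id;
    memset(&id, 0, sizeof(id));
    memcpy(id.name, name, len);
    id.index[0] = 0x41;
    id.index[1] = 0x42;           /* index bytes: 41 42 00 00 */
    return id;
}

size_t scanned_unbounded(void)
{
    struct ctl_id id = make_id("ABCDEFGH", NAME_LEN);   /* 8 bytes, no NUL */
    size_t n;
    hash_id_unbounded(&id, &n);
    return n;
}

size_t scanned_bounded(void)
{
    struct ctl_id id = make_id("ABCDEFGH", NAME_LEN);
    size_t n;
    hash_id_bounded(&id, &n);
    return n;
}

/* For a terminated name both hashes agree, so the bounded variant is a
 * drop-in replacement that changes nothing for well-formed input. */
bool hashes_agree_for_terminated(void)
{
    struct ctl_id id = make_id("ABC", 4);                /* "ABC" plus NUL */
    size_t a, b;
    uint32_t ha = hash_id_unbounded(&id, &a);
    uint32_t hb = hash_id_bounded(&id, &b);
    return ha == hb && a == b && a == 3;
}
```

With the unterminated name the unbounded hash consumes ten bytes, two of them from the neighbouring index field, while the bounded hash stops at eight; for a terminated name the two produce the same value, which is what makes re-ordering the check a safe fix.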

* New CVE entries this week
@ 2022-09-22  0:06 Masami Ichikawa
From: Masami Ichikawa @ 2022-09-22  0:06 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2022-40476: io_uring: use original request task for inflight tracking

CVSS v3 score is 5.5 MEDIUM.

A null pointer dereference issue was discovered in fs/io_uring.c in
the Linux kernel before 5.15.62. A local user could use this flaw to
crash the system or potentially cause a denial of service.

This vulnerability was introduced by commit d536123 ("io_uring: drop
the old style inflight file tracking") which was merged in 5.19-rc1.
Kernels 5.4 and 5.10 don't have commit d536123.

Fixed status
mainline: [386e4fb6962b9f248a80f8870aea0870ca603e89]
stable/5.15: [3746d62ecf1c872a520c4866118edccb121c44fd]

CVE-2022-3176: io_uring: disable polling pollfree files

CVSS v3 score is 7.8 HIGH.

There exists a use-after-free in io_uring in the Linux kernel.
signalfd_poll() and binder_poll() use a waitqueue whose lifetime is
the current task. It will send a POLLFREE notification to all waiters
before the queue is freed. Unfortunately, the io_uring poll doesn't
handle POLLFREE. This allows a use-after-free to occur if a signalfd
or binder fd is polled with io_uring poll, and the waitqueue gets
freed.

Fixed status
mainline: [791f3465c4afde02d7f16cf7424ca87070b69396]
stable/5.10: [28d8d2737e82fc29ff9e788597661abecc7f7994]
stable/5.15: [e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5]
stable/5.4: [fc78b2fc21f10c4c9c4d5d659a685710ffa63659]

CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure

CVSS v3 score is 5.5 MEDIUM.

drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local
users to obtain sensitive information from kernel memory because
stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.

Fixed status
Patch is available at
lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org
but it has not been merged yet as of 2022-09-19.

CVE-2022-41218: media: dvb-core: Fix UAF due to refcount races at releasing

CVSS v3 score is not assigned.

In drivers/media/dvb-core/dmxdev.c in the Linux kernel through
5.19.10, there is a use-after-free caused by refcount races, affecting
dvb_demux_open and dvb_dmxdev_release.

It looks as if kernel 4.4 is affected too.

Fixed status
Patch is available on
https://lore.kernel.org/all/20220908132754.30532-1-tiwai@suse.de/ but
it hasn't been merged into the mainline yet.

CVE-2022-41222: mm/mremap: hold the rmap lock in write mode when
moving page table entries

CVSS v3 score is not assigned.

mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via
a stale TLB because an rmap lock is not held during a PUD move.

Kernel 4.x doesn't have 2c91bd4 ("mm: speed up mremap by 20x on large
regions") or c49dd34 ("mm: speedup mremap on 1GB or larger regions"),
so those kernels aren't affected.

Fixed status
mainline: [97113eb39fa7972722ff490b947d8af023e1f6a2]
stable/5.10: [2613baa3ab2153cc45b175c58700d93f72ef36c4]
stable/5.4: [79e522101cf40735f1936a10312e17f937b8dcad]

* Updated CVEs

CVE-2021-4159: bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds()

4.14 was fixed this week.

Fixed status
mainline: [294f2fc6da27620a506e6c050241655459ccd6bd]
stable/4.14: [a7cf53f9ebcd887c19588c0c1b4b8260f41a3faa]
stable/4.19: [6c6b84ef5ea8dc0ca3559ccf69810960e348c555]
stable/5.4: [7c1134c7da997523e2834dd516e2ddc51920699a]

CVE-2022-40307: efi: capsule-loader: Fix use-after-free in efi_capsule_write

Stable kernels except 4.9 were fixed this week. Applying the patch to
4.9 failed (https://lore.kernel.org/stable/166265645917687@kroah.com/).

Fixed status
mainline: [9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95]
stable/4.14: [233d5c4d18971feee5fc2f33f00b63d8205cfc67]
stable/4.19: [021805af5bedeafc76c117fc771c100b358ab419]
stable/5.10: [918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6]
stable/5.15: [dd291e070be0eca8807476b022bda00c891d9066]
stable/5.19: [d46815a8f26ca6db2336106a148265239f73b0af]
stable/5.4: [8028ff4cdbb3f20d3c1c04be33a83bab0cb94997]

CVE-2022-39188: unmap_mapping_range() race with munmap() on VM_PFNMAP
mappings leads to stale TLB entry

stable/4.19 56fa5f3 ("mm: Fix TLB flush for not-first PFNMAP mappings
in unmap_region()") and stable 5.10 891f03f ("mm: Fix TLB flush for
not-first PFNMAP mappings in unmap_region()") have been added.
These commits are stable specific patches which fix an issue when
backporting the upstream commit b67fbeb ("mmu_gather: Force tlb-flush
VM_PFNMAP vmas"). This fix has been sent to 5.4 and 5.15.

Fixed status
mainline: [b67fbebd4cf980aecbcc750e1462128bffe8ae15]
stable/4.14: [b8a54a2a45feacbc96065e5d6b9a1cbee2aa1e9d]
stable/4.19: [c3b1e88f14e7f442e2ddcbec94527eec84ac0ca3,
56fa5f3dd44a05a5eacd75ae9d00c5415046d371]
stable/4.9: [390f33a95419f7fa1254ba6b6feeabde480732f9]
stable/5.10: [895428ee124ad70b9763259308354877b725c31d,
891f03f688de8418f44b32b88f6b4faed5b2aa81]
stable/5.15: [3ffb97fce282df03723995f5eed6a559d008078e]
stable/5.4: [c9c5501e815132530d741ec9fdd22657f91656bc]

CVE-2022-2663: netfilter: nf_conntrack_irc: Tighten matching on DCC message

mainline and stable kernels were fixed. Commit 0efe125 ("netfilter:
nf_conntrack_irc: Fix forged IP logic") can be applied to 4.4.y-st
without any modification.

Fixed status
mainline: [0efe125cfb99e6773a7434f3463f7c2fa28f3a43]
stable/4.14: [6ce66e3442a5989cbe56a6884384bf0b7d1d0725]
stable/4.19: [3275f7804f40de3c578d2253232349b07c25f146]
stable/4.9: [eb4d8d6b44a23ff2b6e2af06c8240de73dff8a7d]
stable/5.10: [e12ce30fe593dd438c5b392290ad7316befc11ca]
stable/5.15: [451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4]
stable/5.19: [6cf0609154b2ce8d3ae160e7506ab316400a8d3d]
stable/5.4: [36f7b71f8ad8e4d224b45f7d6ecfeff63b091547]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


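CVE-2022-40768 above is an information leak from a pass-through command structure that is handed out without being zeroed first. The C block below is an added example, not the stex driver's code: a constructed command struct with alignment padding and a reserved field, built with and without a leading memset, and a count of how many bytes of the buffer's previous contents survive into the struct that is then copied out. The struct layout and `STALE_BYTE` are assumptions for the example; the stale marker stands in for whatever the allocation held before.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a pass-through command block: a few small
 * fields plus the padding the compiler inserts for alignment, and a
 * reserved field the builder never writes.  Padding and unwritten
 * fields keep whatever the memory held before. */
struct passthru_cmd {
    uint8_t  opcode;      /* 1 byte, normally followed by 3 bytes of padding */
    uint32_t lba;
    uint16_t len;         /* 2 bytes, normally followed by 2 bytes of padding */
    uint8_t  reserved[4]; /* never written by the builder */
};

#define STALE_BYTE 0xAA   /* marker for "previous contents of this memory" */

/* Build a command into caller memory.  zero_first == false mimics the
 * missing memset: only the named fields are written, so padding and the
 * reserved field disclose prior contents when the struct is copied out. */
void build_passthru(struct passthru_cmd *cmd, uint8_t opcode,
                    uint32_t lba, uint16_t len, bool zero_first)
{
    if (zero_first)
        memset(cmd, 0, sizeof(*cmd));
    cmd->opcode = opcode;
    cmd->lba = lba;
    cmd->len = len;
}

/* Count the bytes of the command that still carry the stale marker,
 * i.e. the bytes a copy to user space would disclose. */
size_t count_stale_bytes(const struct passthru_cmd *cmd)
{
    const uint8_t *p = (const uint8_t *)cmd;   /* byte view of the object */
    size_t n = 0;

    for (size_t i = 0; i < sizeof(*cmd); i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Simulate reused memory by filling the buffer with STALE_BYTE before
 * building the command, then report how many bytes would leak. */
size_t leaked_bytes(bool zero_first)
{
    struct passthru_cmd cmd;

    memset(&cmd, STALE_BYTE, sizeof(cmd));
    build_passthru(&cmd, 0x12, 0x01020304u, 0x0008u, zero_first);
    return count_stale_bytes(&cmd);
}
```

Without the memset at least the four reserved bytes, and on common ABIs the padding bytes as well, still hold the old contents; with it, nothing but the three written fields reaches the caller. The general rule the fix applies is to zero any structure that crosses a trust boundary before filling in its fields, rather than relying on every field and padding byte being written.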

* New CVE entries this week
@ 2022-09-14 23:53 Masami Ichikawa
From: Masami Ichikawa @ 2022-09-14 23:53 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 8 new CVEs and 0 updated CVEs.

* New CVEs

CVE-2022-3169: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET
may cause a DOS

CVSS v3 score is 5.5 MEDIUM.

A denial of service flaw may occur if there is a consecutive request
of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the
device file of the driver, resulting in a PCIe link disconnect.

This bug was reported last October to the kernel bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=2125341)  but it hasn't
been fixed yet.

Fixed status
Not fixed yet.

CVE-2022-40307: efi: capsule-loader: Fix use-after-free in efi_capsule_write

CVSS v3 score is 4.7 MEDIUM.

There is a race condition between efi_capsule_write() and
efi_capsule_flush(). This race condition causes a use-after-free bug.

Fixed status
mainline: [9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95]

CVE-2022-3077: A buffer overflow vulnerability was found in the Linux
kernel Intel’s iSMT SMBus host controller driver

CVSS v3 score is not assigned.

A buffer overflow vulnerability was found in the Linux kernel Intel’s
iSMT SMBus host controller driver in the way it handled the
I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with
malicious input data. This flaw could allow a local user to crash the
system.

This vulnerability was introduced by commit 5e9a97b ("i2c: ismt:
Adding support for I2C_SMBUS_BLOCK_PROC_CALL") in 5.11-rc1.
This commit is not backported to earlier versions, so 4.4, 4.9,
4.14, 4.19, and 5.10 are not vulnerable.

Fixed status
mainline: [690b2549b19563ec5ad53e5c82f6a944d910086e]
stable/5.15: [24c6fc6e7453f64cf6cbb4218c62aafdecc16ee1]

CVE-2022-36280: An out-of-bounds(OOB) memory access vulnerability was
found in vmwgfx driver

CVSS v3 score is not assigned(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx
driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the
Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This
flaw allows a local attacker with a user account on the system to gain
privilege, causing a denial of service(DoS).

The above description says the vulnerability is in
drivers/gpu/vmxgfx/vmxgfx_kms.c, but this file doesn't exist in the
mainline. It may be drivers/gpu/drm/vmwgfx/vmwgfx_kms.c instead.

Fixed status
Not fixed yet.

CVE-2022-38096: A NULL pointer dereference vulnerability was found in
vmwgfx driver

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

The above description says the vulnerability is in
drivers/gpu/vmxgfx/vmxgfx_kms.c, but this file doesn't exist in the
mainline. It may be drivers/gpu/drm/vmwgfx/vmwgfx_kms.c instead.

Fixed status
Not fixed yet.

CVE-2022-38457: A use-after-free vulnerability was found in vmwgfx
driver

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

A NULL pointer dereference vulnerability was found in vmwgfx driver in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel
with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a
local attacker with a user account on the system to gain privilege,
causing a denial of service(DoS).

The above description says the vulnerability is in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c, but this file doesn't exist in the
mainline. It may be drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c instead.

Fixed status
Not fixed yet.

CVE-2022-40133: A use-after-free vulnerability was found in vmwgfx driver

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

A use-after-free(UAF) vulnerability was found in function
'vmw_execbuf_tie_context' in drivers/gpu/vmxgfx/vmxgfx_execbuf.c in
Linux kernel's vmwgfx driver with device file '/dev/dri/renderD128 (or
Dxxx)'. This flaw allows a local attacker with a user account on the
system to gain privilege, causing a denial of service(DoS).

The above description says the vulnerability is in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c, but this file doesn't exist in the
mainline. It may be drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c instead.

Fixed status
Not fixed yet.

CVE-2022-3202: Null Pointer Dereference in jfs_evict_inode leads to
Denial of Service

CVSS v3 score is not assigned

A NULL pointer dereference flaw was found in diFree in fs/jfs/inode.c in
the Journaled File System (JFS) in the Linux kernel. This could allow a
local attacker to crash the system or leak kernel internal
information.

All stable kernels and CIP kernels have fixed this issue.

Fixed status
mainline: [a53046291020ec41e09181396c1e829287b48d47]
stable/4.14: [33bd243566a9b1ca94261dcc2e16c7b9e3a71c15]
stable/4.19: [2ef74e3e0089b6615ee124e1183746974c6bb561]
stable/4.9: [d2e45f0bc25da09efcac658d6e405115fcfa83c2]
stable/5.10: [b9c5ac0a15f24d63b20f899072fa6dd8c93af136]
stable/5.15: [d925b7e78b62805fcc5440d1521181c82b6f03cb]
stable/5.4: [e19c3149a80e4fc8df298d6546640e01601f3758]

* Updated CVEs

No updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-09-07 23:07 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-09-07 23:07 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-3078: lack of check after calling vzalloc() and lack of free
after allocation in vidtv driver

CVSS v3 score is 5.5 MEDIUM.

The vidtv driver was introduced by commit f90cf60 ("media: vidtv: add
a bridge driver"), which was merged in 5.10-rc1.

There is a lack of check after calling vzalloc() and lack of free
after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c.
Kernel 4.4, 4.9, 4.14, 4.19, and 5.4 are not affected.

No CIP member enables CONFIG_DVB_VIDTV.

Fixed status
mainline: [e6a21a14106d9718aa4f8e115b1e474888eeba44]
stable/5.10: [663e7a72871f89f7a10cc8d7b2f17f27c64e071d]
stable/5.15: [9dd2fd7a1f84c947561af29424c5ddcecfcf2cbe]

CVE-2022-39190: netfilter: nf_tables: disallow binding to already bound chain

CVSS v3 score is not assigned.

There is a lack of input value checking in nft_verdict_init() in the file
net/netfilter/nf_tables_api.c, which causes a denial of service
vulnerability. This vulnerability was introduced by commit d0e2c7d
("netfilter: nf_tables: add NFT_CHAIN_BINDING"), which was merged in
5.9-rc1.

Kernel 4.4, 4.9, 4.14, 4.19, and 5.4 are not affected.

Fixed status
mainline: [e02f0d3970404bfea385b6edb86f2d936db0ea2b]
stable/5.10: [c08a104a8bce832f6e7a4e8d9ac091777b9982ea]
stable/5.15: [51f192ae71c3431aa69a988449ee2fd288e57648]
stable/5.19: [fdca693fcf26c11596e7aa1e540af2b4a5288c76]

CVE-2022-39842: video: fbdev: pxa3xx-gcu: Fix integer overflow in
pxa3xx_gcu_write

CVSS v3 score is not assigned.

There is an integer overflow bug in pxa3xx_gcu_write() in PXA3XX_GCU driver.

All stable kernels (including 4.4) are affected by this issue.
No CIP member enables CONFIG_PXA3XX_GCU.

Fixed status
mainline: [a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7]

* Updated CVEs

CVE-2022-39188: unmap_mapping_range() race with munmap() on VM_PFNMAP
mappings leads to stale TLB entry

4.14, 4.19, 4.9, 5.10, 5.15, and 5.4 were fixed.

Fixed status
mainline: [b67fbebd4cf980aecbcc750e1462128bffe8ae15]
stable/4.14: [b8a54a2a45feacbc96065e5d6b9a1cbee2aa1e9d]
stable/4.19: [c3b1e88f14e7f442e2ddcbec94527eec84ac0ca3]
stable/4.9: [390f33a95419f7fa1254ba6b6feeabde480732f9]
stable/5.10: [895428ee124ad70b9763259308354877b725c31d]
stable/5.15: [3ffb97fce282df03723995f5eed6a559d008078e]
stable/5.4: [c9c5501e815132530d741ec9fdd22657f91656bc]

CVE-2022-3028: af_key: Do not call xfrm_probe_algs in parallel

4.14, 4.19, 4.9, and 5.4 were fixed.

Fixed status
mainline: [ba953a9d89a00c078b85f4b190bc1dde66fe16b5]
stable/4.14: [f1b1b63e307478e93548f59e18bd844744b396d3]
stable/4.19: [7dbfc8f25f22fe2a64dd808266e00c8d2661ebdd]
stable/4.9: [e580d3201ed222c4752ced7e629ad96bc0340713]
stable/5.10: [c5c4d4c9806dadac7bc82f9c29ef4e1b78894775]
stable/5.15: [103bd319c0fc90f1cb013c3a508615e6df8af823]
stable/5.19: [6901885656c029c976498290b52f67f2c251e6a0]
stable/5.4: [8ee27a4f0f1ad36d430221842767880df6494147]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-09-01  0:12 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-09-01  0:12 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 7 updated CVEs.

* New CVEs

CVE-2022-2905: bpf: Don't use tnum_range on array range checking for
poke descriptors

CVSS v3 score is not assigned.

A slab-out-of-bounds read bug was found in the bpf subsystem. This bug
was introduced by commit d2e4c1e6c294 ("bpf: Constant map key tracking
for prog array pokes"), which was merged in 5.5-rc1.
This commit is not backported to the 4.4, 4.9, 4.14, 4.19, and 5.4 kernels,
so these kernels aren't affected.

Fixed status
mainline: [a657182a5c5150cdfacb6640aad1d2712571a409]
stable/5.10: [e8979807178434db8ceaa84dfcd44363e71e50bb]
stable/5.15: [4f672112f8665102a5842c170be1713f8ff95919]
stable/5.19: [a36df92c7ff7ecde2fb362241d0ab024dddd0597]

CVE-2022-2959: Linux Kernel Watch Queue Race Condition Privilege
Escalation Vulnerability

CVSS v3 score is not assigned.

A race condition bug was found in the watch queue feature due to a
missing lock in pipe_resize_ring(). This bug allows an attacker to
escalate their privileges.

This bug was introduced by commit c73be61 ("pipe: Add general
notification queue support") that was merged in 5.8-rc1. The general
notification queue support isn't supported on 4.4, 4.14, 4.14, and
5.4.

Fixed status
mainline: [189b0ddc245139af81198d1a3637cac74f96e13a]

CVE-2022-2964: kernel: memory corruption in AX88179_178A based USB
ethernet device.

CVSS v3 score is not assigned.

An out-of-bounds access vulnerability was found in the Linux kernel driver
for AX88179_178A based USB ethernet devices.
The ax88179_rx_fixup() contains several out-of-bounds access bugs. It
probably has an out-of-bounds write bug.

This bug was introduced by commit e2ca90c ("ax88179_178a: ASIX
AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") which
was merged in 3.9-rc2.

Fixed status

CVE-2022-2977: kernel: use-after-free Read in put_device (/dev/vtpmx)

CVSS v3 score is not assigned.

A flaw was found in the kernel's implementation of proxied virtualized
TPM devices.

Commit 7e0438f8 ("tpm: fix reference counting for struct tpm_chip")
fixes the following commits.

- fdc915f ("tpm: expose spaces via a device link /dev/tpmrm<n>")
- 8979b02 ("tpm: Fix reference count to main device")

Commit fdc915f and 8979b02 were merged in 4.12-rc1. Kernel 4.4 and 4.9
do not contain these commits.

Fixed status
mainline: [7e0438f83dc769465ee663bb5dcf8cc154940712]

CVE-2022-2991: kernel: heap-based overflow in LightNVM Subsystem may
lead to privilege escalation

CVSS v3 score is not assigned.

A heap-based buffer overflow was found in the Linux kernel's LightNVM
subsystem through which an attacker will be able to escalate privileges.

The lightnvm subsystem was removed by commit 9ea9b9 ("remove the
lightnvm subsystem") in 5.15-rc1.
This fix disables CONFIG_NVM by default.

cip-kernel-config/4.4.y-cip-rt/x86/siemens_i386-rt.config enables CONFIG_NVM.

Fixed status
mainline: [9ea9b9c48387edc101d56349492ad9c0492ff78d]
stable/4.14: [a9ae9dc21233d3dbe165f5e3e33df3c8bf3c35d0]
stable/4.19: [455431805699e91c2fd66b7fe43db27643d9b3fd]
stable/4.9: [08cf860b84ff15d405f62d6d23ba3b7d194abb2e]
stable/5.10: [549209caabc89f2877ad5f62d11fca5c052e0e8f]
stable/5.4: [b2589647008f8086582055414bb914088bca4c78]

CVE-2022-XXXX: KVM instruction emulation doesn't clear
KVM_VCPU_PREEMPTED, breaking guest's TLB flushing

CVE ID hasn't been assigned yet.
CVSS v3 score is not assigned.

YAML file is CVE-2022-KVM_VCPU_PREEMPTED-guest-TLB-flush.yml.

The KVM_FEATURE_PV_TLB_FLUSH feature was introduced by commit 858a43a
("KVM: X86: use paravirtualized TLB Shootdown"), which was merged in
4.16-rc1. Therefore, 4.4, 4.9, and 4.14 are not affected.

This vulnerability affects the x86/x86_64 architectures.

There is a flaw in the TLB flush feature in the KVM subsystem that allows
unprivileged userspace inside a guest to compromise the guest kernel.

Fixed status
mainline: [6cd88243c7e03845a450795e134b488fc2afb736]
stable/5.15: [92343314d34e04da0923cefd3be67521d706fa35]

CVE-2022-XXXX: CVE-2022-race-VM_PFNMAP-stale-TLB-entry

CVE ID hasn't been assigned yet.
CVSS v3 score is not assigned.

YAML file is CVE-2022-race-VM_PFNMAP-stale-TLB-entry.yml.

There is a race between munmap() and unmap_mapping_range() that causes
TLB entries not to be flushed.

Fixed status
mainline: [b67fbebd4cf980aecbcc750e1462128bffe8ae15]

CVE-2022-21385: A flaw in net_rds_alloc_sgs() in Oracle Linux kernels
allows unprivileged local users to crash the machine.

CVSS V3 Score: 4.6 MEDIUM

A redundant copy_from_user() call allows an unprivileged user to crash the machine.
Commit ea010070 ("net/rds: fix warn in rds_message_alloc_sgs") fixed
this bug. This commit was merged in 4.20.

Fixed status
mainline: [ea010070d0a7497253d5a6f919f6dd107450b31a]
stable/4.19: [5be4bb315de29ad3ae558a8f6b92f13a1b4bfb84]

CVE-2022-2663: netfilter: nf_conntrack_irc: Tighten matching on DCC message

CVSS v3 score is not assigned.

A bug in nf_conntrack_irc that mishandles a message may allow a
firewall to be bypassed when users are using unencrypted IRC with
nf_conntrack_irc configured.

Fixed status
Patch is available in
https://lore.kernel.org/netfilter-devel/20220826045658.100360-1-dgl@dgl.cx/T/
but it hasn't been merged yet.

CVE-2022-3028: af_key: Do not call xfrm_probe_algs in parallel

A race condition bug was found in the XFRM subsystem when multiple
calls to xfrm_probe_algs occurred simultaneously.
This condition will cause out-of-bound write or out-of-bound read.

CVSS v3 score is not assigned.

Fixed status
mainline: [ba953a9d89a00c078b85f4b190bc1dde66fe16b5]
stable/5.10: [c5c4d4c9806dadac7bc82f9c29ef4e1b78894775]
stable/5.15: [103bd319c0fc90f1cb013c3a508615e6df8af823]
stable/5.19: [6901885656c029c976498290b52f67f2c251e6a0]

CVE-2022-3061: video: fbdev: i740fb: Error out if 'pixclock' equals zero

CVSS v3 score is not assigned.

If a userspace application passes zero as the pixclock value via ioctl, it
causes a divide-by-zero error.

Fixed status
mainline: [15cf0b82271b1823fb02ab8c377badba614d95d5]

* Updated CVEs

CVE-2021-4159: bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds()

4.19 was fixed this week.

Fixed status
mainline: [294f2fc6da27620a506e6c050241655459ccd6bd]
stable/4.19: [6c6b84ef5ea8dc0ca3559ccf69810960e348c555]
stable/5.4: [7c1134c7da997523e2834dd516e2ddc51920699a]

CVE-2022-1679: Use-After-Free in ath9k_htc_probe_device() could cause
an escalation of privileges

4.14, 4.19, and 5.4 were fixed this week.

Fixed status
mainline: [0ac4827f78c7ffe8eef074bc010e7e34bc22f533]
stable/4.14: [62bc1ea5c7401d77eaf73d0c6a15f3d2e742856e]
stable/4.19: [ab7a0ddf5f1cdec63cb21840369873806fc36d80]
stable/5.10: [eccd7c3e2596b574241a7670b5b53f5322f470e5]
stable/5.15: [03ca957c5f7b55660957eda20b5db4110319ac7a]
stable/5.19: [b66ebac40f64336ae2d053883bee85261060bd27]
stable/5.4: [e9e21206b8ea62220b486310c61277e7ebfe7cec]

CVE-2022-2153: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Added fixed commit to 4.14, 5.10, and 5.4.
Added 5cde0b9 and b8127a0 to 4.19.

Fixed status
mainline: [7ec37d1cbe17d8189d9562178d8b29167fe1c31a,
00b5f37189d24ac3ed46cb7f11742094778c46ce,
  b1e34d325397a33d97d845e312d7cf2a8b646b44]
stable/4.14: [a4bd692a950ada6d9757dbb78a6aea129ff8a943,
bcf0a450fbaabe7e14d71f885525805b4f86e855,
  3362843aa71898fc2850a90950debcef2897dd60]
stable/4.19: [2f4835b5188f3b73b2b048a761ae2553e845b027,
5cde0b9cc69fcbbf559674986c2d325ae4708036,
  b8127a0fd21d70ab42d8177f8bb97df74f503cc1]
stable/4.9: [95d51d058680766130098287f680474bc55f1679]
stable/5.10: [09c771c45c1243e295470225aaee726693fdc242,
ac7de8c2ba1292856fdd4a4c0764669b9607cf0a,
  4c85e207c1b58249ea521670df577324ad69442c]
stable/5.15: [569a229142e95610adc1041ae9ca1f417c4c6a3e,
0e5dbc0540baa89faf4c04ccc7e9c4fe6b1d7bf4,
  ba6e8c2df52047a32953588b49d9addbd843a098]
stable/5.4: [8fb5e77604442926db8b779fa590af7709d754e9,
8cdba919acefdd6fea5dd2b77a119f54fb88ce11,
  9e24d03dd4fee589da500861967d9fd9c0e6276d]

CVE-2022-2586: Linux kernel nf_tables cross-table reference UAF

4.19 and 5.4 were fixed.

Fixed status
mainline: [470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2]
stable/4.19: [77d3b5038b7462318f5183e2ad704b01d57215a2]
stable/5.10: [1a4b18b1ff11ba26f9a852019d674fde9d1d1cff]
stable/5.15: [faafd9286f1355c76fe9ac3021c280297213330e]
stable/5.18: [f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f]
stable/5.19: [0d07039397527361850c554c192e749cfc879ea9]
stable/5.4: [fab2f61cc3b0e441b1749f017cfee75f9bbaded7]

CVE-2022-2588: Linux kernel cls_route UAF

Added fixed commit to 4.14, 4.19, 4.9, and 5.4.

Fixed status
mainline: [9ad36309e2719a884f946678e0296be10f0bb4c1]
stable/4.14: [d0cce31f328fa10e7256f314e6e044e13cdf6814]
stable/4.19: [73584dab72d0a826f286a45544305819b58f7b92]
stable/4.9: [34a475425612bef345634202dda8dac91820b6c8]
stable/5.10: [7018f03d97daf344e49b16200caf4363a1407cab]
stable/5.15: [57bbb691a93bd39d0644c5c879b354232d0e0eed]
stable/5.18: [e832c26e7edfa2ddbd2dcdd48016d13d747de6da]
stable/5.19: [ee3f18d90e80e79449d575fa3e7a6b775e9fc35e]
stable/5.4: [1fcd691cc2e7f808eca2e644adee1f1c6c1527fd]

CVE-2022-36946: kernel panic when sending nf_queue verdict with 1-byte
nfta_payload attribute

Added fixed commit to 4.14 and 4.9.

Fixed status
stable/4.14: [83636c64b796a7e44fa72f371777f803c1ef9e74]
stable/4.19: [f295d365b30626f82423a923695274024016380e]
stable/4.9: [3b3e2de462323d5fdeb85a3682334a4a3dd07400]
stable/5.10: [440dccd80f627e0e11ceb0429e4cdab61857d17e]
stable/5.15: [91c11008aab0282957b8b8ccb0707d90e74cc3b9]
stable/5.18: [883c20911d6261fc651820b63a77327b8c020264]
stable/5.4: [52be29e8b6455788a4d0f501bd87aa679ca3ba3c]

CVE-2022-2590: mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW

The mainline and 5.19 were fixed. This bug was introduced in 5.16, so
kernels older than 5.16 aren't affected.

Fixed status
mainline: [5535be3099717646781ce1540cf725965d680e7b]
stable/5.19: [9def52eb10baab3b700858003d462fcf17d62873]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-08-25  1:18 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-08-25  1:18 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 8 updated CVEs.

* New CVEs

CVE-2022-2308: undefined behavior or data leak in Virtio drivers with VDUSE

CVSS v3 score is not assigned.

The vDPA Device in Userspace returns uninitialized memory in
vduse_vdpa_get_config() if the size of the device config space is not valid.
It could cause undefined behavior or data leaks in Virtio drivers.

VDUSE was introduced in 5.15-rc1, so the following kernels aren't
affected by this issue.

- 4.4, 4.9, 4.19, 4.14
- 5.4, 5.10

Fixed status
Not fixed yet.

CVE-2022-2873: an out-of-bounds vulnerability in i2c-ismt driver

CVSS v3 score is not assigned.

The i2c_smbus_data union has a block member defined as __u8, whose
value can be 0 to 255.
However, a check of its upper limit was missing. When
data->block[0] is bigger than I2C_SMBUS_BLOCK_MAX, a DMA buffer will be
overwritten.

This issue was introduced by commit 5e9a97b ("i2c: ismt: Adding
support for I2C_SMBUS_BLOCK_PROC_CALL") in 5.11-rc1.
The following kernels aren't affected by this issue.

- 4.4, 4.9, 4.19, 4.14
- 5.4, 5.10

Fixed status
mainline: [690b2549b19563ec5ad53e5c82f6a944d910086e]
stable/5.15: [24c6fc6e7453f64cf6cbb4218c62aafdecc16ee1]

CVE-2022-2938: psi: Fix uaf issue when psi trigger is destroyed while
being polled

CVSS v3 score is not assigned.

A use-after-free bug was found in the psi feature that allows an attacker
to trigger a system crash or memory corruption.

Commit 0e94682 ("psi: introduce psi monitor") introduced this issue.
This commit was merged in 5.2-rc1, so kernels older than 5.4 aren't
affected by this issue.

Fixed status
mainline: [a06247c6804f1a7c86a2e5398a4c1f1db1471848]
stable/5.10: [d4e4e61d4a5b87bfc9953c306a11d35d869417fd]
stable/5.15: [d3e4c61e143e69671803ef3f52140cf7a7258ee7]
stable/5.4: [2fd752ed77ab9880da927257b73294f29a199f1a]

CVE-2022-2961: race condition in rose_bind()

CVSS v3 score is not assigned.

A use-after-free bug was found in the Amateur Radio X.25 Packet Layer
Protocol (PLP Rose).
There is a race condition bug in rose_bind(). If an attacker wins the
race, it will cause a use-after-free bug.

No CIP member enables CONFIG_ROSE.

Fixed status
Not fixed yet.

CVE-2022-2978: fs: fix UAF/GPF bug in nilfs_mdt_destroy

CVSS v3 score is not assigned.

A bug that frees uninitialized memory was found in nilfs_mdt_destroy().
This bug occurs in an error path. If allocating memory for an inode
fails in inode_init_always(), it returns ENOMEM. Then
nilfs_mdt_destroy() is called, which frees uninitialized data.

It looks like the 4.4 kernel is affected by this bug too.
By the way, nilfs_i_callback() was renamed to nilfs_free_inode() in 5.2-rc1.

Patch was sent to linux-fsdevel but it's not merged yet.

Fixed status
Not fixed yet.

* Updated CVEs

CVE-2022-1882: fs/pipe: Deinitialize the watch_queue when pipe is freed

The mainline, 5.10, 5.15, and 5.18 were fixed. 4.x and 5.4 kernels were
not vulnerable, so all stable kernels were fixed.

Fixed status
mainline: [353f7988dd8413c47718f7ca79c030b6fb62cfe5]
stable/5.10: [0adf21eec59040b31af113e626efd85eb153c728]
stable/5.15: [ba3a8af8a21a81cfd0c8c689a81261caba934f97]
stable/5.18: [49cbb4820e4f1895130755732485afb2d18508f9]

CVE-2022-2585: Linux kernel POSIX CPU timer UAF

The mainline, 5.15, 5.18, 5.19 were fixed but 5.10 is not fixed yet.
4.x and 5.4 kernels were not vulnerable.

Fixed status
mainline: [e362359ace6f87c201531872486ff295df306d13]
stable/5.10: [541840859ace9c2ccebc32fa9e376c7bd3def490]
stable/5.15: [9e255ed238fc67058df87b0388ad6d4b2ef3a2bd]
stable/5.18: [e8cb6e8fd9890780f1bfcf5592889e1b879e779c]
stable/5.19: [b2fc1723eb65abb83e00d5f011de670296af0b28]

CVE-2022-2586: Linux kernel nf_tables cross-table reference UAF

stable/5.10 was fixed this week.

Fixed status
mainline: [470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2]
stable/5.10: [1a4b18b1ff11ba26f9a852019d674fde9d1d1cff]
stable/5.15: [faafd9286f1355c76fe9ac3021c280297213330e]
stable/5.18: [f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f]
stable/5.19: [0d07039397527361850c554c192e749cfc879ea9]

CVE-2022-2588: Linux kernel cls_route UAF

stable/5.10 was fixed this week. Patch was backported to 4.9, 4.14,
4.19, and 5.4 but it hasn't been released yet.

Fixed status
mainline: [9ad36309e2719a884f946678e0296be10f0bb4c1]
stable/5.10: [7018f03d97daf344e49b16200caf4363a1407cab]
stable/5.15: [57bbb691a93bd39d0644c5c879b354232d0e0eed]
stable/5.18: [e832c26e7edfa2ddbd2dcdd48016d13d747de6da]
stable/5.19: [ee3f18d90e80e79449d575fa3e7a6b775e9fc35e]

CVE-2022-2153: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Commit ac7de8c ("KVM: x86: Avoid theoretical NULL pointer dereference
in kvm_irq_delivery_to_apic_fast()") was added to stable/5.10.

Fixed status
mainline: [7ec37d1cbe17d8189d9562178d8b29167fe1c31a,
00b5f37189d24ac3ed46cb7f11742094778c46ce,
  b1e34d325397a33d97d845e312d7cf2a8b646b44]
stable/4.19: [2f4835b5188f3b73b2b048a761ae2553e845b027]
stable/4.9: [95d51d058680766130098287f680474bc55f1679]
stable/5.10: [09c771c45c1243e295470225aaee726693fdc242,
ac7de8c2ba1292856fdd4a4c0764669b9607cf0a]
stable/5.15: [569a229142e95610adc1041ae9ca1f417c4c6a3e,
0e5dbc0540baa89faf4c04ccc7e9c4fe6b1d7bf4,
  ba6e8c2df52047a32953588b49d9addbd843a098]

CVE-2022-1462: kernel: possible race condition in drivers/tty/tty_buffers.c

The mainline was fixed in v5.19-rc7. The mainline and all stable
kernels have been fixed.

Fixed status
mainline: [a501ab75e7624d133a5a3c7ec010687c8b961d23]
stable/4.14: [e9274a2732e1de3ca36076126284b4e5ffe6d587]
stable/4.19: [eb059bf8c237fe41fbaed4a6cccacce687b83222]
stable/4.9: [41ce14090db93fc2f0c8a27ce8a324b0192da7b5]
stable/5.10: [08afa87f58d83dfe040572ed591b47e8cb9e225c]
stable/5.15: [b2d1e4cd558cffec6bfe318f5d74e6cffc374d29]
stable/5.4: [f7785092cb7f022f59ebdaa181651f7c877df132]

CVE-2022-1679: Use-After-Free in ath9k_htc_probe_device() could cause
an escalation of privileges

The mainline, 5.10, 5.15, and 5.19 have been fixed this week.

Fixed status
mainline: [0ac4827f78c7ffe8eef074bc010e7e34bc22f533]
stable/5.10: [eccd7c3e2596b574241a7670b5b53f5322f470e5]
stable/5.15: [03ca957c5f7b55660957eda20b5db4110319ac7a]
stable/5.19: [b66ebac40f64336ae2d053883bee85261060bd27]

CVE-2022-23816: Mis-trained branch predictions for return instructions
may allow speculative code execution under certain microarchitecture-
dependent conditions on some AMD processors

5.10 was fixed this week.

Fixed status
mainline: [742ab6df974ae8384a2dd213db1a3a06cf6d8936,
a883d624aed463c84c22596006e5a96f5b44db31,
  369ae6ffc41a3c1137cab697635a84d0cc7cdcea,
00e1533325fd1fb5459229fe37f235462649f668,
  0b53c374b9eff2255a386f1f1cfb9a928e52a5ae,
15e67227c49a57837108acfe1c80570e1bd9f962,
  d9e9d2300681d68a775c28de6aa6e5290ae17796,
ee88d363d15617ff50ac24fab0ffec11113b2aeb,
  1f001e9da6bbf482311e45e48f53c2bd2179e59c,
d77cfe594ad50e0bf95d457e02ccd578791b2a15,
  af2e140f34208a5dfb6b7a8ad2d56bda88f0524d,
15583e514eb16744b80be85dea0774ece153177d,
  0ee9073000e8791f8b134a8ded31bcc767f7f232,
aa3d480315ba6c3025a60958e1981072ea37c3df,
  7c81c0c9210c9bfab2bae76aab2999de5bad27db,
951ddecf435659553ed15a9214e153a3af43a9a1,
  a149180fbcf336e97ce4eb2cdc13672727feb94d,
6b80b59b3555706508008f1f127b5412c89c7fd8,
  7fbf47c7ce50b38a64576b150e7011ae73d54669,
e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa,
  caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5,
2dbb887e875b1de3ca8f40ddf26bcfe55798c609,
  c779bc1a9002fa474175b80e72b85c9bf628abb0,
7c693f54c873691a4b7da05c7e0f74e67745d144,
  166115c08a9b0b846b783088808a27d739be6e8d,
6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3,
  bf5835bcdb9635c97f85120dba9bfa21e111130f,
9bb2ec608a209018080ca262f771e6a9ff203b6f,
  b75b7f8ef1148be1b9321ffc2f6c19238904b438,
d147553b64bad34d2f92cb7d8ba454ae95c3baac,
  3ebc170068885b6fc7bedda6c667bb2c4d533159,
0fe4aeea9c01baabecc8c3afc7889c809d939bc2,
  a09a6e2399ba0595c3042b3164f3ca68a3cff33e,
d7caac991feeef1b871ee6988fd2c9725df09039,
  b2620facef4889fefcbf2e87284f34dcd4189bce,
e6aa13622ea8283cc699cac5d018cc40a2ba2010,
  56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5,
bbb69e8bee1bd882784947095ffb2bfe0f7c9470,
  acac5e98ef8d638a411cfa2ee676c87e1973f126,
8faea26e611189e933ea2281975ff4dc7c1106b6,
  8bd200d23ec42d66ccd517a72dd0b9cc6132d2fd,
bb06650634d3552c0f8557e9d16aa1a408040e28,
  fc02735b14fff8c6678b521d324ade27b1a3d4cf,
bea7e31a5caccb6fe8ed989c065072354f0ecb52,
  9756bba28470722dacb79ffce554336dd1f6a6cd,
07853adc29a058c5fd143c14e5ac528448a72ed9,
  7a05bc95ed1c5a59e47aaade9fb4083c27de9e62,
26aae8ccbc1972233afd08fb3f368947c0314265,
  f43b9876e857c739d407bc56df288b0ebe1a9164,
f54d45372c6ac9c993451de5e51312485f7d10bc,
  2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b,
2259da159fbe5dba8ac00b560cf00b6a6537fa18,
  697977d8415d61f3acbc4ee6d564c9dcf0309507,
4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e,
  c27c753ea6fd1237f4f96abf8b623d7bab505513]
stable/5.10: [7070bbb66c5303117e4c7651711ea7daae4c64b5,
feec5277d5aa9780d4814084262b98af2b1a2242,
  6a2b142886c52244a9c1dfb0a36971daa963541a,
3e519ed8d509f5f2e1c67984f3cdf079b725e724,
  37b9bb094123a14a986137d693b5aa18a240128b,
270de63cf4a380fe9942d3e0da599c0e966fad78,
  716410960ba0a2d2c3f59cb46315467c9faf59b2,
8bdb25f7aee312450e9c9ac21ae209d9cf0602e5,
  446eb6f08936e6f87bea9f35be05556a7211df9b,
7723edf5edfdfdabd8234e45142be86598a04cad,
  00b136bb6254e0abf6aaafe62c4da5f6c4fea4cb,
e0e06a922706204df43d50032c05af75d8e75f8e,
  ee4996f07d868ee6cc7e76151dfab9a2344cdeb0,
d6eb50e9b7245a238872a9a969f84993339780a5,
  5b2edaf709b50c81b3c6ddb745c8a76ab6632645,
c9eb5dcdc8f4a848b45b97725f5a2b8d324bb31a,
  c70d6f82141b89db6c076b0cbf9a7a2edc29e46d,
df748593c55389892902aecb8691080ad5e8cff5,
  876750cca4f043bd626a3ac760ce887dda3b6ec7,
3f29791d56d32a610a2b57a9b700b1bc1912e41f,
  a989e75136192036d47e4dc4fe87ff9c961d6b46,
9e727e0d9486121de5c21cbb65fcc0c907834b17,
  3dddacf8c3cc29b9b37d8c4353f746e510ad1371,
6d7e13ccc4d73e5c88cc015bc0154b7d08f65038,
  dabc2a1b406ae0ff5286c91f7519b3e20ec2aa63,
a0f8ef71d762501769df69e35c4c4e7496866d90,
  e8142e2d6cb6b39fdd78bc17199429f79bcd051c,
55bba093fd91a76971134e3a4e3576e536c08f5c,
  28aa3fa0b2c9d0cd7bdac42d9eb7fe3d5f6c79e8,
f728eff26339d85825e588d461f0e55267bc6c3f,
  c8845b875437b8ea9cd023f15b44c436c9c5b62d,
fbab1c94eb1a3139d7ac0620dc6d7d6a33f3b255,
  0d1a8a16e62c8048f2ff7f9c6f448bf595d2a2a8,
ea1aa926f423a8cf1b2416bb909bfbea37d12b11,
  f1b01ace814b0a8318041e3aea5fd36cc74f09b0,
d29c07912a49fce965228f73a293e2c899bc7e35,
  aad83db22e9950577b5b827f57ed7108b3ca5553,
ce11f91b21c25dda8b06988817115bef1c636434,
  1dbefa57725204be0348351ea4756c52b10b3504,
df93717a32f57e1b033dbfa2a78809d7d4000648,
  07401c2311f6fddd3c49a392eafc2c28a899f768,
84061fff2ad98a7809f00e88a54f584f84830388,
  5269be9111e2b66572e78647f2e8948f7fc96466,
47ae76fb27398e867980d63789058ff7c4f12a35,
  4d7f72b6e1bc630bec7e4cd51814bc2b092bf153,
a74f5d23e68d9687ed06bd462d344867824707d8,
  f7851ed697be2ce86bd8baf29111762b7b3ff6cc,
b24fdd0f1c3328cf8ee0c518b93a7187f8cee097,
  609336351d08699395be24860902e6e0b7860e2b,
51552b6b52fc865f37ef3ddacd27d807a36695ac,
  c2ca992144281917cfae19d231b1195c02906a4e,
eb38964b6ff864b8bdf87c9cf6221d0b0611a990,
  c035ca88b0742952150b1671bb5d26b96f921245]
stable/5.18: [(long list of backported commits omitted)]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-08-17 23:23 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-08-17 23:23 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 1 new CVEs and 6 updated CVEs.

* New CVEs

CVE-2022-2503: LoadPin bypass via dm-verity table reload

NIST: CVSS v3 score is not assigned.
Google: 6.9 MEDIUM

Dm-verity is used for extending root-of-trust to root filesystems.
LoadPin builds on this property to restrict module/firmware loads to
just the trusted root filesystem. Device-mapper table reloads
currently allow users with root privileges to switch out the target
with an equivalent dm-linear target and bypass verification till
reboot. This allows root to bypass LoadPin and can be used to load
untrusted and unverified kernel modules and firmware, which implies
arbitrary kernel execution and persistence for peripherals that do not
verify firmware updates.

The struct target_type verity_target is defined in
drivers/md/dm-verity.c in 4.4.302.

Fixed status
mainline: [4caae58406f8ceb741603eee460d79bacca9b1b5]
stable/4.14: [388bc1e69663956f8cee43af3bd02bd3061d222d]
stable/4.19: [6bff6107d1364c95109609c3fd680e6c8d7fa503]
stable/4.9: [27798cca4e54fe9c390396c4cc655480f827bbd5]
stable/5.10: [8df42bcd364cc3b41105215d841792aea787b133]
stable/5.15: [69712b170237ec5979f168149cd31e851a465853]
stable/5.18: [417c73db67ea7ad8f03dfd34c6b0bb5f54294fa9]
stable/5.4: [fd2f7e9984850a0162bfb6948b98ffac9fb5fa58]

* Updated CVEs

CVE-2021-4159: bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds()

stable 5.4 was fixed this week.

Fixed status
mainline: [294f2fc6da27620a506e6c050241655459ccd6bd]
stable/5.4: [7c1134c7da997523e2834dd516e2ddc51920699a]

CVE-2022-20369: media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP
buffers across ioctls

stable 5.4 was fixed this week.

Fixed status
mainline: [8310ca94075e784bbb06593cd6c068ee6b6e4ca6]
stable/5.10: [8a83731a09a5954b85b1ce49c01ff5c2a3465cb7]
stable/5.15: [48d00e24822e4384edcee3aae03d54c1b7982eba]
stable/5.4: [54e1abbe856020522a7952140c26a4426f01dab6]

CVE-2022-26373: Post-Barrier Return Stack Buffer Predictions (PBRSB)

stable 4.19, 5.10, 5.15, 5.18, and 5.4 were fixed this week.

Fixed status
mainline: [2b1299322016731d56807aa49254a5ea3080b6b3,
ba6e31af2be96c4d0536f2152ed6f7b6c11bca47]
stable/4.19: [b6c5011934a15762cd694e36fe74f2f2f93eac9b,
b1c9f470fb724d3cfd6cf8fe4a70c2ec4de2e9f4]
stable/5.10: [509c2c9fe75ea7493eebbb6bb2f711f37530ae19,
1bea03b44ea2267988cce064f5887b01d421b28c]
stable/5.15: [7fcd99e889c0634f8275ae7a6b06aec4a22c8715,
5c5c77746ce1108833d1fda005598a749eaef2cb]
stable/5.18: [0abdbbd9ae9c81615836278d787a8c8dcd576c36,
fd2128cd778f46f5444967ed203b91120ebdda72]
stable/5.19: [f826d0412d80348aa22274ec9884cab0950a350b,
f6664a403f11c97929ebde920da1ec1c10438428]
stable/5.4: [f2f41ef0352db9679bfae250d7a44b3113f3a3cc,
b58882c69f6633dcebd66bdb38658f688aa52ec9]

CVE-2022-36946: kernel panic when sending nf_queue verdict with 1-byte
nfta_payload attribute

stable/4.19 was fixed this week.

Fixed status
mainline: [99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164]
stable/4.19: [f295d365b30626f82423a923695274024016380e]
stable/5.10: [440dccd80f627e0e11ceb0429e4cdab61857d17e]
stable/5.15: [91c11008aab0282957b8b8ccb0707d90e74cc3b9]
stable/5.18: [883c20911d6261fc651820b63a77327b8c020264]
stable/5.4: [52be29e8b6455788a4d0f501bd87aa679ca3ba3c]

CVE-2022-2588: Linux kernel cls_route UAF

The mainline, stable 5.15, 5.18, and 5.19 were fixed this week.

Fixed status
mainline: [9ad36309e2719a884f946678e0296be10f0bb4c1]
stable/5.15: [57bbb691a93bd39d0644c5c879b354232d0e0eed]
stable/5.18: [e832c26e7edfa2ddbd2dcdd48016d13d747de6da]
stable/5.19: [ee3f18d90e80e79449d575fa3e7a6b775e9fc35e]


CVE-2022-2586: Linux kernel nf_tables cross-table reference UAF

The mainline was fixed this week. Applying 470ee20 ("netfilter:
nf_tables: do not allow SET_ID to refer to another table") to stable
4.9 and 4.14 failed.
The mainline, stable 5.15, 5.18, and 5.19 were fixed this week.

Fixed status
mainline: [470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2]
stable/5.15: [faafd9286f1355c76fe9ac3021c280297213330e]
stable/5.18: [f4fa03410f7c5f5bd8f90e9c11e9a8c4b526ff6f]
stable/5.19: [0d07039397527361850c554c192e749cfc879ea9]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com
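The dm-verity table-reload bypass in the CVE-2022-2503 entry above, as an added example that is not part of the original report or of the kernel: a Python checker that parses `dmsetup table` output (line format assumed from the dmsetup man page, sample lines constructed) and flags every device expected to be verity-backed whose current target type is anything else, which is exactly the state LoadPin kept trusting.

```python
"""Detect dm devices that should be dm-verity targets but no longer are.

CVE-2022-2503: LoadPin trusts the root filesystem because it is backed by
dm-verity, but a root user could reload the device-mapper table with an
equivalent dm-linear target, after which the kernel kept trusting it. This
added example (not kernel or project code) parses `dmsetup table` output
and reports each device expected to be verity-backed whose current target
type is something else. The sample table below is constructed.
"""
import re
import subprocess
from dataclasses import dataclass

# One `dmsetup table` line per target segment (format assumed from dmsetup(8)):
#   <name>: <start_sector> <num_sectors> <target_type> [<target args>...]
TABLE_LINE = re.compile(
    r"^(?P<name>[^:]+):\s+(?P<start>\d+)\s+(?P<length>\d+)\s+(?P<ttype>\S+)"
    r"(?:\s+(?P<args>.*))?$"
)

# Constructed sample: one verity-backed device, one that has been reloaded
# as a plain linear mapping of the same block device, and an unrelated swap.
SAMPLE_TABLE = """\
vroot: 0 4194304 verity 1 8:2 8:3 4096 4096 524288 0 sha256 0123abcd 0123abcd
vroot_reloaded: 0 4194304 linear 8:2 0
swap: 0 2097152 linear 8:4 0
"""


@dataclass
class Target:
    name: str
    start: int
    length: int
    ttype: str
    args: str


def parse_dmsetup_table(text):
    """Parse `dmsetup table` output into one Target record per table line."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "No devices found":
            continue
        m = TABLE_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable dmsetup table line: {line!r}")
        targets.append(
            Target(m["name"], int(m["start"]), int(m["length"]), m["ttype"], m["args"] or "")
        )
    return targets


def verity_violations(targets, expected_verity):
    """Return (name, actual_types) for each expected device that is not purely verity.

    A device with any non-verity segment, or one that is missing altogether,
    is reported: the verified-root guarantee only holds while every segment
    of the pinned device is a verity target.
    """
    types_by_name = {}
    for t in targets:
        types_by_name.setdefault(t.name, set()).add(t.ttype)
    violations = []
    for name in expected_verity:
        types = types_by_name.get(name)
        if types is None:
            violations.append((name, "missing"))
        elif types != {"verity"}:
            violations.append((name, ",".join(sorted(types))))
    return violations


def check_live(expected_verity):
    """Run `dmsetup table` on this host (needs root) and return violations."""
    out = subprocess.run(
        ["dmsetup", "table"], check=True, capture_output=True, text=True
    ).stdout
    return verity_violations(parse_dmsetup_table(out), expected_verity)


if __name__ == "__main__":
    sample = parse_dmsetup_table(SAMPLE_TABLE)
    for name, actual in verity_violations(sample, ["vroot", "vroot_reloaded"]):
        print(f"WARNING: {name} expected verity but is {actual}")
```

Run it periodically or from a boot-time health check; on a patched kernel the reload is refused, so the checker is a detection for unpatched hosts rather than a replacement for the fix.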


* New CVE entries this week
@ 2022-08-10 23:20 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-08-10 23:20 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 0 updated CVEs.

* New CVEs

CVE-2022-2639: openvswitch: fix OOB access in reserve_sfa_size()

CVSS v3 score is not assigned.

An OOB write bug was found in reserve_sfa_size() in the openvswitch
subsystem. It can cause system crashes or potentially allow an
attacker to escalate privileges on the system.
This bug was fixed in the mainline, stable, and cip kernels.

Fixed status
cip/4.4-st: [25b37bbe34192188ae7f4b04a7bb857621b3a597]
mainline: [cefa91b2332d7009bc0be5d951d6cbbf349f90f8]
stable/4.14: [6cde4a87248e8d39fad5e5e72e104b6d74fcabef]
stable/4.19: [bbbf059337f9a74285c1cf088ff85ee92d149e64]
stable/4.9: [1aba176280dcd0eb08e291bc59ba6067df22af98]
stable/5.10: [0837ff17d052b7d755d5086208c3445867aaff82]
stable/5.15: [e411af98013dba5bce8118ee2b84bd1ad4c36b86]
stable/5.4: [aa70705560871725e963945a2d36ace7849c004e]

CVE-2022-2590: mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW

CVSS v3 score is not assigned.

This is a Dirty COW-like vulnerability in shmem/tmpfs that allows
unprivileged users to modify read-only files.
This bug was introduced by commit 9ae0f87d009c ("mm/shmem:
unconditionally set pte dirty in mfill_atomic_install_pte") which was
merged in 5.16-rc1. If the kernel contains commit 9ae0f87d009c and is
compiled with CONFIG_USERFAULTFD=y, the kernel is affected by this
vulnerability.

Kernel 4.4, 4.9, 4.19, 5.4, 5.10, 1.15 did not contain commit
9ae0f87d009c so they are not affected.

Fixed status
Patch is available
(https://lore.kernel.org/linux-mm/20220808073232.8808-1-david@redhat.com/)
but hasn't been merged into the mainline yet.

CVE-2022-2585: Linux kernel POSIX CPU timer UAF

CVSS v3 score is not assigned.

A use-after-free bug was found in posix_cpu_timer when a non-leader
thread calls execve().
This vulnerability may allow an attacker to escalate privileges.

Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not
a task") isn't backported to 4.4, 4.9, 4.14, 4.19, and 5.4 kernels so
they won't be affected.

The patch is available at:
https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-2586: Linux kernel nf_tables cross-table reference UAF

CVSS v3 score is not assigned.

A use-after-free vulnerability was found in nf_tables. This
vulnerability may allow an attacker to escalate privileges.
However, exploiting this vulnerability requires CAP_NET_ADMIN in the
user or network namespace.

This bug was introduced by commit 958bee14d071 ("netfilter: nf_tables:
use new transaction infrastructure to handle sets") which was merged
in 3.16-rc1. So, all stable kernels are affected by this
vulnerability.

The patch is available at:
https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-2588: Linux kernel cls_route UAF

CVSS v3 score is not assigned.

A use-after-free vulnerability was found in the net scheduler
subsystem. This vulnerability may allow an attacker to escalate
privileges. This vulnerability was introduced before the git era.
Therefore all stable kernels are affected.

Exploiting this vulnerability requires CAP_NET_ADMIN in the user or
network namespace.

The patch is available at:
https://lore.kernel.org/netdev/20220809170518.164662-1-cascardo@canonical.com/T/#u

Fixed status
Patch is available but it hasn't been merged into the mainline yet.

CVE-2022-26373: Post-Barrier Return Stack Buffer Predictions (PBRSB)

NIST: CVSS v3 score is not assigned.
Intel: CVSS Base Score: 5.5 Medium

This vulnerability affects Intel CPUs.
The Enhanced Indirect Branch Restricted Speculation (eIBRS) mitigation
for Spectre V2 doesn't work for the RET instruction after VM exits.
This causes information disclosure via local access.

Fixed status
mainline: [2b1299322016731d56807aa49254a5ea3080b6b3,
ba6e31af2be96c4d0536f2152ed6f7b6c11bca47]

* Updated CVEs

no updates.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-08-04  0:29 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-08-04  0:29 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2022-36946: kernel panic when sending nf_queue verdict with 1-byte
nfta_payload attribute

CVSS v3 score is not assigned.

A remote attacker can cause a DoS by sending an nf_queue verdict with
a 1-byte nfta_payload attribute.
In nfqnl_mangle(), there was an insufficient data length check that
results in a kernel panic.

Fixed status
mainline: [99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164]
stable/5.10: [440dccd80f627e0e11ceb0429e4cdab61857d17e]
stable/5.15: [91c11008aab0282957b8b8ccb0707d90e74cc3b9]
stable/5.18: [883c20911d6261fc651820b63a77327b8c020264]
stable/5.4: [52be29e8b6455788a4d0f501bd87aa679ca3ba3c]

CVE-2022-36123: x86: Clear .brk area at early boot

CVSS v3 score is not assigned.

The kernel is vulnerable if it contains commit 8b87d8c
("x86/entry,xen: Early rewrite of
restore_regs_and_return_to_kernel()").
This vulnerability affects Xen PV guests.

Fixed status
mainline: [38fa5479b41376dc9d7f57e71c83514285a25ca0]
stable/4.14: [a24eebede57ff42d5123cca948c5077ccddbffcb]
stable/4.19: [36e2f161fb01795722f2ff1a24d95f08100333dd]
stable/4.9: [b3d7c509bcbd4384d4964dcdf028b3c3e0adb7f7]
stable/5.10: [136d7987fcfdeca73ee3c6a29e48f99fdd0f4d87]
stable/5.15: [26bb7afc027ce6ac8ab6747babec674d55689ff0]
stable/5.18: [2334bdfc2da469c9807767002a2831274b82c39a]
stable/5.4: [a3c7c1a726a4c6b63b85e8c183f207543fd75e1b]

CVE-2022-20158: mm: backing-dev: Take a reference to the bdi in use to
prevent UAF

CVSS v3 score is not assigned.

AOSP kernel 4.14 contains the following 2 patches.
- 69e8f03c5ced3e4e6fb4181f4dac185104e3420b ("mm: backing-dev: Take a
reference to the bdi in use to prevent UAF")
- 80d91b86a199798ee2321a0ab0f09e6e12764678 ("fs: explicitly unregister
per-superblock BDIs")

The first commit 69e8f03 ("mm: backing-dev: Take a reference to the bdi
in use to prevent UAF") is not merged in the mainline and stable
kernels.
Commit 80d91b8 was merged in 5.16-rc1 (commit hash is
0b3ea0926afb8dde70cfab00316ae0a70b93a7cc), which requires commit
c6fd3ac ("mm: export bdi_unregister") that exports the symbol
bdi_unregister().

Fixed status
mainline: [0b3ea0926afb8dde70cfab00316ae0a70b93a7cc]

CVE-2022-20368: net/packet: fix slab-out-of-bounds access in packet_recvmsg()

CVSS v3 score is not assigned.

This bug was introduced by commit 0fb375f ("[AF_PACKET]: Allow for > 8
byte hardware addresses.") which was merged in v2.6.14-rc3.
So the 4.4 kernel is affected by this bug too.

Fixed status
mainline: [c700525fcc06b05adfea78039de02628af79e07a]
stable/4.14: [b1e27cda1e3c12b705875bb7e247a97168580e33]
stable/4.19: [a33dd1e6693f80d805155b3f69c18c2f642915da]
stable/4.9: [b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0]
stable/5.10: [70b7b3c055fd4a464da8da55ff4c1f84269f9b02]
stable/5.15: [a055f5f2841f7522b44a2b1eccb1951b4b03d51a]
stable/5.4: [268dcf1f7b3193bc446ec3d14e08a240e9561e4d]

CVE-2022-20369: media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP
buffers across ioctls

CVSS v3 score is not assigned.

This issue was introduced in the 2.6 era.
The patch is not backported to the 4.x series yet; applying it to the
4.x series failed.

Fixed status
mainline: [8310ca94075e784bbb06593cd6c068ee6b6e4ca6]
stable/5.10: [8a83731a09a5954b85b1ce49c01ff5c2a3465cb7]
stable/5.15: [48d00e24822e4384edcee3aae03d54c1b7982eba]

* Updated CVEs

CVE-2022-21505: Kernel lockdown bypass bug

Stable 5.10, 5.15, 5.18, and 5.4 kernels were fixed. The 4.x series is
not affected by this issue.

Fixed status
mainline: [543ce63b664e2c2f9533d089a4664b559c3e6b5b]
stable/5.10: [ab5050fd7430dde3a9f073129036d3da3facc8ec]
stable/5.15: [0e66932a9dc9ba47e60405b392e3782a332bc44e]
stable/5.18: [f67ff524f283183c52d2575b11beec00cc4d5092]
stable/5.4: [ed3fea55066b4e054c4d212e54f9965abcac9685]

CVE-2022-29900: Information leak through mispredicted returns on AMD processors

Kernel 5.10 was fixed this week.

Fixed status
mainline: [(long list of commits omitted)]
stable/5.10: [(long list of backported commits omitted)]
stable/5.18: [(long list of backported commits omitted)]

CVE-2022-29901: Information leak through mispredicted returns on Intel
processors

Kernel 5.10 was fixed this week.

Fixed status
mainline: [(long list of commits omitted)]
stable/5.10: [(long list of backported commits omitted)]
stable/5.18: [(long list of backported commits omitted)]

CVE-2022-36879: xfrm: xfrm_policy: fix a possible double
xfrm_pols_put() in xfrm_bundle_lookup()

Stable 4.14, 4.19, 4.9, 5.10, 5.15, 5.18, and 5.4 kernels were fixed this week.

Fixed status

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* New CVE entries this week
@ 2022-07-27 23:45 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-07-27 23:45 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 5 new CVEs and 5 updated CVEs.

* New CVEs

CVE-2020-36557: A race condition in the Linux kernel before 5.6.2
between the VT_DISALLOCATE ioctl and closing/opening of ttys could
lead to a use-after-free.

CVSS v3 score is not assigned.

When a user passes the VT_DISALLOCATE command via ioctl() while
tty_release() is still running, it causes a use-after-free in
con_shutdown().

This vulnerability was fixed by commit ca4463b ("vt: vt_ioctl: fix
VT_DISALLOCATE freeing in-use virtual console") which was merged in
5.7-rc1.

Fixed status
mainline: [ca4463bf8438b403596edd0ec961ca0d4fbe0220]
stable/4.14: [b9eb60a0ef3971101c94f9cddb09708c2f900b35]
stable/4.19: [54584f79579b9f6ed49b93cadcd2361223ecce28]
stable/4.9: [6bc9bf78618edf42b31cb7551fb0c83af340c54f]
stable/5.4: [acf0e94019310a9e1c4b6807c208f49a25f74573]

CVE-2020-36558: vt: vt_ioctl: fix race in VT_RESIZEX

CVSS v3 score is not assigned.

There was a race condition bug in vt_ioctl() while processing the
VT_RESIZEX ioctl command. This race condition could lead to a system
crash because of a NULL pointer dereference.

This vulnerability was fixed by commit 6cd1ed5 ("vt: vt_ioctl: fix
race in VT_RESIZEX") which was merged in 5.6-rc3.

Fixed status
mainline: [6cd1ed50efd88261298577cd92a14f2768eddeeb]
stable/4.14: [69931c044c9de837602cfd4bcfc28123ce4987e2]
stable/4.19: [ec9645f1a77eab98951944273754307e192e69ae]
stable/4.9: [160fbca8d5d74c1a4cec4b666f36b3e614c19f4f]
stable/5.4: [897d5aaf3397e64a56274f2176d9e1b13adcb92e]

CVE-2022-2209: A use-after-free bug was found when executing IORING_OP
CVE-2022-2327: A double free bug was found when executing IORING_OP

CVE-2022-2209 and CVE-2022-2327 were fixed by commit df3f3bb
("io_uring: add missing item types for various requests").

CVE-2022-2209
NIST: CVSSv3 Score is not assigned.
CNA: 7.8 HIGH

CVE-2022-2327
NIST: CVSSv3 Score is not assigned.
CNA: 7.5 HIGH

It seems that CVE-2022-2209 and CVE-2022-2327 have the same root cause,
which is why they were fixed by the same commit ("io_uring: add missing
item types for various requests"). The flag IO_WQ_WORK_FILES was merged
in 5.10-rc1 by commit 0f20376 ("io_uring: pass required context in as
flags") and was removed in 5.12-rc1dontuse by commit 44526be
("io_uring: remove any grabbing of context"), so only the 5.10 kernel
was affected by this vulnerability.

The commit df3f3bb ("io_uring: add missing item types for various
requests") had a kernel panic bug, which was fixed by commit fb2fbb3
("io_uring: use separate list entry for iopoll requests").
The io_uring feature has been in the kernel since 5.1, so 4.X kernels
are not affected.

Fixed status
stable/5.10: [df3f3bb5059d20ef094d6b2f0256c4bf4127a859]

CVE-2022-36879: xfrm: xfrm_policy: fix a possible double
xfrm_pols_put() in xfrm_bundle_lookup()

CVSSv3 Score is not assigned.

xfrm_bundle_lookup() puts policies via xfrm_pols_put() when
xfrm_expand_policies() returns an error. However, xfrm_expand_policies()
has already called xfrm_pols_put() by then.

Fixed status
mainline: [f85daf0e725358be78dfd208dea5fd665d8cb901]

* Updated CVEs

CVE-2021-33655: When sending malicious data to kernel by ioctl cmd
FBIOPUT_VSCREENINFO, kernel will write memory out of bounds

A patch was added to 4.19 and more patches were added to 5.10.

Fixed status
mainline: [e64242caef18b4a5840b0e7a9bff37abd4f4f933,
65a01e601dbba8b7a51a2677811f70f783766682,
  6c11df58fd1ac0aefcb3b227f72769272b939e56]
stable/4.19: [eae522ed28fe1c00375a8a0081a97dce7996e4d8]
stable/5.10: [cecb806c766c78e1be62b6b7b1483ef59bbaeabe,
b727561ddc9360de9631af2d970d8ffed676a750,
  b81212828ad19ab3eccf00626cd04099215060bf]
stable/5.15: [9c9e44bb3dd5233232f2379c2dde0e403b1fd642]
stable/5.18: [365b729e36ca942f4d2d184afc8486017504a597]
stable/5.4: [af93e821973426ded00158ea66a977039483997e]

CVE-2022-21505: Fix kexec lockdown bypass with ima policy

The mainline was fixed this week.

Fixed status
mainline: [543ce63b664e2c2f9533d089a4664b559c3e6b5b]

CVE-2022-23816: Mis-trained branch predictions for return instructions
may allow speculative code execution under certain microarchitecture-
dependent conditions on some AMD processors.

5.18 was fixed this week.

Fixed status
mainline: [742ab6df974ae8384a2dd213db1a3a06cf6d8936,
a883d624aed463c84c22596006e5a96f5b44db31,
  369ae6ffc41a3c1137cab697635a84d0cc7cdcea,
00e1533325fd1fb5459229fe37f235462649f668,
  0b53c374b9eff2255a386f1f1cfb9a928e52a5ae,
15e67227c49a57837108acfe1c80570e1bd9f962,
  d9e9d2300681d68a775c28de6aa6e5290ae17796,
ee88d363d15617ff50ac24fab0ffec11113b2aeb,
  1f001e9da6bbf482311e45e48f53c2bd2179e59c,
d77cfe594ad50e0bf95d457e02ccd578791b2a15,
  af2e140f34208a5dfb6b7a8ad2d56bda88f0524d,
15583e514eb16744b80be85dea0774ece153177d,
  0ee9073000e8791f8b134a8ded31bcc767f7f232,
aa3d480315ba6c3025a60958e1981072ea37c3df,
  7c81c0c9210c9bfab2bae76aab2999de5bad27db,
951ddecf435659553ed15a9214e153a3af43a9a1,
  a149180fbcf336e97ce4eb2cdc13672727feb94d,
6b80b59b3555706508008f1f127b5412c89c7fd8,
  7fbf47c7ce50b38a64576b150e7011ae73d54669,
e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa,
  caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5,
2dbb887e875b1de3ca8f40ddf26bcfe55798c609,
  c779bc1a9002fa474175b80e72b85c9bf628abb0,
7c693f54c873691a4b7da05c7e0f74e67745d144,
  166115c08a9b0b846b783088808a27d739be6e8d,
6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3,
  bf5835bcdb9635c97f85120dba9bfa21e111130f,
9bb2ec608a209018080ca262f771e6a9ff203b6f,
  b75b7f8ef1148be1b9321ffc2f6c19238904b438,
d147553b64bad34d2f92cb7d8ba454ae95c3baac,
  3ebc170068885b6fc7bedda6c667bb2c4d533159,
0fe4aeea9c01baabecc8c3afc7889c809d939bc2,
  a09a6e2399ba0595c3042b3164f3ca68a3cff33e,
d7caac991feeef1b871ee6988fd2c9725df09039,
  b2620facef4889fefcbf2e87284f34dcd4189bce,
e6aa13622ea8283cc699cac5d018cc40a2ba2010,
  56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5,
bbb69e8bee1bd882784947095ffb2bfe0f7c9470,
  acac5e98ef8d638a411cfa2ee676c87e1973f126,
8faea26e611189e933ea2281975ff4dc7c1106b6,
  8bd200d23ec42d66ccd517a72dd0b9cc6132d2fd,
bb06650634d3552c0f8557e9d16aa1a408040e28,
  fc02735b14fff8c6678b521d324ade27b1a3d4cf,
bea7e31a5caccb6fe8ed989c065072354f0ecb52,
  9756bba28470722dacb79ffce554336dd1f6a6cd,
07853adc29a058c5fd143c14e5ac528448a72ed9,
  7a05bc95ed1c5a59e47aaade9fb4083c27de9e62,
26aae8ccbc1972233afd08fb3f368947c0314265,
  f43b9876e857c739d407bc56df288b0ebe1a9164,
f54d45372c6ac9c993451de5e51312485f7d10bc,
  2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b,
2259da159fbe5dba8ac00b560cf00b6a6537fa18,
  697977d8415d61f3acbc4ee6d564c9dcf0309507,
4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e,
  c27c753ea6fd1237f4f96abf8b623d7bab505513]
stable/5.18: [e492002673b03c636d2297fb869d68ae545c41c4,
e0ed7445cbb5a10bebec4f582894460453b3c0f6,
  079c71b6e380c40ee870bc59f176b36d93786db5,
7ce2011c8b28a44ae80d7081dc634eec174650ca,
  86fbd2844858c5aef57a28ebc3d53d298f37cc67,
e0c27dc584f6395e57d67f5c60b3ee2347a45590,
  262941a05615d39d66dcf47909d6e67ea69d371d,
eb84031e5c599a4b218ede3e10e7b5fd8ccc391a,
  0d15b9c30cb222d0e5ac2ff9ba7b93bd9af82d05,
ebe3ceb43f5b5b88062ffd62c08d19a57f5fa44b,
  3525abdb3a63680b8623b0294bd9614b2352ccce,
2fc0ed17c526b032c1c416d77ebc491f446f1269,
  a302187fb8f6d2707aaadf5e8a558ff046378a80,
a05146b2ac6ab1deff475a06441b825d176b320e,
  df777869fe2de25b60195561d3b674c9084aaeca,
9d75af6b406702b0af616cee49ae11ec0b2abe3a,
  64a98375f389bf695e2a2f199175b7a5ece44f45,
a70ed95a0b0a15cfa86b1df4004d47f074de7de2,
  f88b40812b6b3d483fb5de11b72aeb0c2bb73c59,
c85b5f77d3b224975d5caa329f28b22b7ea5addc,
  409586fb4a6e7b2331ecb4edec71e34e21750e05,
47e51d66d93d70d60e478cc81504deb0f4ff67ad,
  2c0d8e35807a6086542919e2d044cfa6683476de,
e604d260c633926089e81f8e52c90c91bd797f12,
  fb32593f8f383e32bb82fd85cc3dd372c89566ac,
5a3037b4de4dd52504c0842aac5f9498b3d450af,
  7b2649892c7728d4ad662d75a887f8b43a209189,
6864df0932578931f13c8de5006975345f8cea0d,
  4a691f1e69163dcfb7b064a25a082071da0bb633,
b75fada7f3cbbaf78beceb1bb71b67c2db3b473d,
  bbcfdf144d2d9394e3f4aa129463dec8f53bd3b1,
4c7f90f8a9554dd6a7e614529b3d7450a8dc84e2,
  a8a370f08eb55359980fe29165569333b1e0c54d,
80f8a9e9d530fec6094641b96fe3e5b5acb44830,
  3d6bdd768577847ae680b27bfb50c6de2037afe7,
3e89c42462722bbf778ac1e97236dca518fabbf9,
  ff110fe719555fd358ac9e0bd0ca549fae3e26e9,
8a95fadc8f3264dc98376d0de66ec59dd9eafb6f,
  7377eea29dbcad2ad042eee66df17c11b8421654,
43827446da732ed012c9008c429424f81e36331b,
  bcb9508413dc8a73cb8abd761a85dc5c6f9bd911,
245800423a576925d0bd571eacf09cc12e94a9ff,
  d58141112c9965092a0f39d354b22394882585b4,
48fe9931c7ddf18063aa0c8d16c3831f9d9a16c4,
  8c38306e2e9257af4af2819aa287a4711ff36329,
afd743f6dde87296c6f3414706964c491bb85862,
  373e6942143b5ca27b24ee953ae450dd26a0dbfb,
409f6047a43315f2b9661149cb29d6f2ef2440fe,
  813423f90f0553c81c5fb4d531fc688a5d506b24,
ee02cbcebb0985394910d8868c6eef49184b20f7,
  df6fc784e8db07b8fe5aa1c624411f381f3abeaa,
e2fe046fe230c5159660257712566a849847cffa,
  845351c56ca069162433cf935afb2257a4c021d1,
ffdd31e8db4e94f399e68727fadf776fc0a2d1ba,
  6461cc8f22a1266498290b122b56f040d51d9224]

CVE-2022-29900: Information leak through mispredicted returns on AMD processors

stable/5.18 was fixed this week.

Fixed status
mainline: [742ab6df974ae8384a2dd213db1a3a06cf6d8936,
a883d624aed463c84c22596006e5a96f5b44db31,
  369ae6ffc41a3c1137cab697635a84d0cc7cdcea,
00e1533325fd1fb5459229fe37f235462649f668,
  0b53c374b9eff2255a386f1f1cfb9a928e52a5ae,
15e67227c49a57837108acfe1c80570e1bd9f962,
  d9e9d2300681d68a775c28de6aa6e5290ae17796,
ee88d363d15617ff50ac24fab0ffec11113b2aeb,
  1f001e9da6bbf482311e45e48f53c2bd2179e59c,
d77cfe594ad50e0bf95d457e02ccd578791b2a15,
  af2e140f34208a5dfb6b7a8ad2d56bda88f0524d,
15583e514eb16744b80be85dea0774ece153177d,
  0ee9073000e8791f8b134a8ded31bcc767f7f232,
aa3d480315ba6c3025a60958e1981072ea37c3df,
  7c81c0c9210c9bfab2bae76aab2999de5bad27db,
951ddecf435659553ed15a9214e153a3af43a9a1,
  a149180fbcf336e97ce4eb2cdc13672727feb94d,
6b80b59b3555706508008f1f127b5412c89c7fd8,
  7fbf47c7ce50b38a64576b150e7011ae73d54669,
e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa,
  caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5,
2dbb887e875b1de3ca8f40ddf26bcfe55798c609,
  c779bc1a9002fa474175b80e72b85c9bf628abb0,
7c693f54c873691a4b7da05c7e0f74e67745d144,
  166115c08a9b0b846b783088808a27d739be6e8d,
6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3,
  bf5835bcdb9635c97f85120dba9bfa21e111130f,
9bb2ec608a209018080ca262f771e6a9ff203b6f,
  b75b7f8ef1148be1b9321ffc2f6c19238904b438,
d147553b64bad34d2f92cb7d8ba454ae95c3baac,
  3ebc170068885b6fc7bedda6c667bb2c4d533159,
0fe4aeea9c01baabecc8c3afc7889c809d939bc2,
  a09a6e2399ba0595c3042b3164f3ca68a3cff33e,
d7caac991feeef1b871ee6988fd2c9725df09039,
  b2620facef4889fefcbf2e87284f34dcd4189bce,
e6aa13622ea8283cc699cac5d018cc40a2ba2010,
  56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5,
bbb69e8bee1bd882784947095ffb2bfe0f7c9470,
  acac5e98ef8d638a411cfa2ee676c87e1973f126,
8faea26e611189e933ea2281975ff4dc7c1106b6,
  8bd200d23ec42d66ccd517a72dd0b9cc6132d2fd,
bb06650634d3552c0f8557e9d16aa1a408040e28,
  fc02735b14fff8c6678b521d324ade27b1a3d4cf,
bea7e31a5caccb6fe8ed989c065072354f0ecb52,
  9756bba28470722dacb79ffce554336dd1f6a6cd,
07853adc29a058c5fd143c14e5ac528448a72ed9,
  7a05bc95ed1c5a59e47aaade9fb4083c27de9e62,
26aae8ccbc1972233afd08fb3f368947c0314265,
  f43b9876e857c739d407bc56df288b0ebe1a9164,
f54d45372c6ac9c993451de5e51312485f7d10bc,
  2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b,
2259da159fbe5dba8ac00b560cf00b6a6537fa18,
  697977d8415d61f3acbc4ee6d564c9dcf0309507,
4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e,
  c27c753ea6fd1237f4f96abf8b623d7bab505513]
stable/5.18: [e492002673b03c636d2297fb869d68ae545c41c4,
e0ed7445cbb5a10bebec4f582894460453b3c0f6,
  079c71b6e380c40ee870bc59f176b36d93786db5,
7ce2011c8b28a44ae80d7081dc634eec174650ca,
  86fbd2844858c5aef57a28ebc3d53d298f37cc67,
e0c27dc584f6395e57d67f5c60b3ee2347a45590,
  262941a05615d39d66dcf47909d6e67ea69d371d,
eb84031e5c599a4b218ede3e10e7b5fd8ccc391a,
  0d15b9c30cb222d0e5ac2ff9ba7b93bd9af82d05,
ebe3ceb43f5b5b88062ffd62c08d19a57f5fa44b,
  3525abdb3a63680b8623b0294bd9614b2352ccce,
2fc0ed17c526b032c1c416d77ebc491f446f1269,
  a302187fb8f6d2707aaadf5e8a558ff046378a80,
a05146b2ac6ab1deff475a06441b825d176b320e,
  df777869fe2de25b60195561d3b674c9084aaeca,
9d75af6b406702b0af616cee49ae11ec0b2abe3a,
  64a98375f389bf695e2a2f199175b7a5ece44f45,
a70ed95a0b0a15cfa86b1df4004d47f074de7de2,
  f88b40812b6b3d483fb5de11b72aeb0c2bb73c59,
c85b5f77d3b224975d5caa329f28b22b7ea5addc,
  409586fb4a6e7b2331ecb4edec71e34e21750e05,
47e51d66d93d70d60e478cc81504deb0f4ff67ad,
  2c0d8e35807a6086542919e2d044cfa6683476de,
e604d260c633926089e81f8e52c90c91bd797f12,
  fb32593f8f383e32bb82fd85cc3dd372c89566ac,
5a3037b4de4dd52504c0842aac5f9498b3d450af,
  7b2649892c7728d4ad662d75a887f8b43a209189,
6864df0932578931f13c8de5006975345f8cea0d,
  4a691f1e69163dcfb7b064a25a082071da0bb633,
b75fada7f3cbbaf78beceb1bb71b67c2db3b473d,
  bbcfdf144d2d9394e3f4aa129463dec8f53bd3b1,
4c7f90f8a9554dd6a7e614529b3d7450a8dc84e2,
  a8a370f08eb55359980fe29165569333b1e0c54d,
80f8a9e9d530fec6094641b96fe3e5b5acb44830,
  3d6bdd768577847ae680b27bfb50c6de2037afe7,
3e89c42462722bbf778ac1e97236dca518fabbf9,
  ff110fe719555fd358ac9e0bd0ca549fae3e26e9,
8a95fadc8f3264dc98376d0de66ec59dd9eafb6f,
  7377eea29dbcad2ad042eee66df17c11b8421654,
43827446da732ed012c9008c429424f81e36331b,
  bcb9508413dc8a73cb8abd761a85dc5c6f9bd911,
245800423a576925d0bd571eacf09cc12e94a9ff,
  d58141112c9965092a0f39d354b22394882585b4,
48fe9931c7ddf18063aa0c8d16c3831f9d9a16c4,
  8c38306e2e9257af4af2819aa287a4711ff36329,
afd743f6dde87296c6f3414706964c491bb85862,
  373e6942143b5ca27b24ee953ae450dd26a0dbfb,
409f6047a43315f2b9661149cb29d6f2ef2440fe,
  813423f90f0553c81c5fb4d531fc688a5d506b24,
ee02cbcebb0985394910d8868c6eef49184b20f7,
  df6fc784e8db07b8fe5aa1c624411f381f3abeaa,
e2fe046fe230c5159660257712566a849847cffa,
  845351c56ca069162433cf935afb2257a4c021d1,
ffdd31e8db4e94f399e68727fadf776fc0a2d1ba,
  6461cc8f22a1266498290b122b56f040d51d9224]

CVE-2022-29901: Information leak through mispredicted returns on Intel
processors

stable/5.18 was fixed this week.

Fixed status
mainline: [742ab6df974ae8384a2dd213db1a3a06cf6d8936,
a883d624aed463c84c22596006e5a96f5b44db31,
  369ae6ffc41a3c1137cab697635a84d0cc7cdcea,
00e1533325fd1fb5459229fe37f235462649f668,
  0b53c374b9eff2255a386f1f1cfb9a928e52a5ae,
15e67227c49a57837108acfe1c80570e1bd9f962,
  d9e9d2300681d68a775c28de6aa6e5290ae17796,
ee88d363d15617ff50ac24fab0ffec11113b2aeb,
  1f001e9da6bbf482311e45e48f53c2bd2179e59c,
d77cfe594ad50e0bf95d457e02ccd578791b2a15,
  af2e140f34208a5dfb6b7a8ad2d56bda88f0524d,
15583e514eb16744b80be85dea0774ece153177d,
  0ee9073000e8791f8b134a8ded31bcc767f7f232,
aa3d480315ba6c3025a60958e1981072ea37c3df,
  7c81c0c9210c9bfab2bae76aab2999de5bad27db,
951ddecf435659553ed15a9214e153a3af43a9a1,
  a149180fbcf336e97ce4eb2cdc13672727feb94d,
6b80b59b3555706508008f1f127b5412c89c7fd8,
  7fbf47c7ce50b38a64576b150e7011ae73d54669,
e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa,
  caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5,
2dbb887e875b1de3ca8f40ddf26bcfe55798c609,
  c779bc1a9002fa474175b80e72b85c9bf628abb0,
7c693f54c873691a4b7da05c7e0f74e67745d144,
  166115c08a9b0b846b783088808a27d739be6e8d,
6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3,
  bf5835bcdb9635c97f85120dba9bfa21e111130f,
9bb2ec608a209018080ca262f771e6a9ff203b6f,
  b75b7f8ef1148be1b9321ffc2f6c19238904b438,
d147553b64bad34d2f92cb7d8ba454ae95c3baac,
  3ebc170068885b6fc7bedda6c667bb2c4d533159,
0fe4aeea9c01baabecc8c3afc7889c809d939bc2,
  a09a6e2399ba0595c3042b3164f3ca68a3cff33e,
d7caac991feeef1b871ee6988fd2c9725df09039,
  b2620facef4889fefcbf2e87284f34dcd4189bce,
e6aa13622ea8283cc699cac5d018cc40a2ba2010,
  56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5,
bbb69e8bee1bd882784947095ffb2bfe0f7c9470,
  acac5e98ef8d638a411cfa2ee676c87e1973f126,
8faea26e611189e933ea2281975ff4dc7c1106b6,
  8bd200d23ec42d66ccd517a72dd0b9cc6132d2fd,
bb06650634d3552c0f8557e9d16aa1a408040e28,
  fc02735b14fff8c6678b521d324ade27b1a3d4cf,
bea7e31a5caccb6fe8ed989c065072354f0ecb52,
  9756bba28470722dacb79ffce554336dd1f6a6cd,
07853adc29a058c5fd143c14e5ac528448a72ed9,
  7a05bc95ed1c5a59e47aaade9fb4083c27de9e62,
26aae8ccbc1972233afd08fb3f368947c0314265,
  f43b9876e857c739d407bc56df288b0ebe1a9164,
f54d45372c6ac9c993451de5e51312485f7d10bc,
  2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b,
2259da159fbe5dba8ac00b560cf00b6a6537fa18,
  697977d8415d61f3acbc4ee6d564c9dcf0309507,
4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e,
  c27c753ea6fd1237f4f96abf8b623d7bab505513]
stable/5.18: [e492002673b03c636d2297fb869d68ae545c41c4,
e0ed7445cbb5a10bebec4f582894460453b3c0f6,
  079c71b6e380c40ee870bc59f176b36d93786db5,
7ce2011c8b28a44ae80d7081dc634eec174650ca,
  86fbd2844858c5aef57a28ebc3d53d298f37cc67,
e0c27dc584f6395e57d67f5c60b3ee2347a45590,
  262941a05615d39d66dcf47909d6e67ea69d371d,
eb84031e5c599a4b218ede3e10e7b5fd8ccc391a,
  0d15b9c30cb222d0e5ac2ff9ba7b93bd9af82d05,
ebe3ceb43f5b5b88062ffd62c08d19a57f5fa44b,
  3525abdb3a63680b8623b0294bd9614b2352ccce,
2fc0ed17c526b032c1c416d77ebc491f446f1269,
  a302187fb8f6d2707aaadf5e8a558ff046378a80,
a05146b2ac6ab1deff475a06441b825d176b320e,
  df777869fe2de25b60195561d3b674c9084aaeca,
9d75af6b406702b0af616cee49ae11ec0b2abe3a,
  64a98375f389bf695e2a2f199175b7a5ece44f45,
a70ed95a0b0a15cfa86b1df4004d47f074de7de2,
  f88b40812b6b3d483fb5de11b72aeb0c2bb73c59,
c85b5f77d3b224975d5caa329f28b22b7ea5addc,
  409586fb4a6e7b2331ecb4edec71e34e21750e05,
47e51d66d93d70d60e478cc81504deb0f4ff67ad,
  2c0d8e35807a6086542919e2d044cfa6683476de,
e604d260c633926089e81f8e52c90c91bd797f12,
  fb32593f8f383e32bb82fd85cc3dd372c89566ac,
5a3037b4de4dd52504c0842aac5f9498b3d450af,
  7b2649892c7728d4ad662d75a887f8b43a209189,
6864df0932578931f13c8de5006975345f8cea0d,
  4a691f1e69163dcfb7b064a25a082071da0bb633,
b75fada7f3cbbaf78beceb1bb71b67c2db3b473d,
  bbcfdf144d2d9394e3f4aa129463dec8f53bd3b1,
4c7f90f8a9554dd6a7e614529b3d7450a8dc84e2,
  a8a370f08eb55359980fe29165569333b1e0c54d,
80f8a9e9d530fec6094641b96fe3e5b5acb44830,
  3d6bdd768577847ae680b27bfb50c6de2037afe7,
3e89c42462722bbf778ac1e97236dca518fabbf9,
  ff110fe719555fd358ac9e0bd0ca549fae3e26e9,
8a95fadc8f3264dc98376d0de66ec59dd9eafb6f,
  7377eea29dbcad2ad042eee66df17c11b8421654,
43827446da732ed012c9008c429424f81e36331b,
  bcb9508413dc8a73cb8abd761a85dc5c6f9bd911,
245800423a576925d0bd571eacf09cc12e94a9ff,
  d58141112c9965092a0f39d354b22394882585b4,
48fe9931c7ddf18063aa0c8d16c3831f9d9a16c4,
  8c38306e2e9257af4af2819aa287a4711ff36329,
afd743f6dde87296c6f3414706964c491bb85862,
  373e6942143b5ca27b24ee953ae450dd26a0dbfb,
409f6047a43315f2b9661149cb29d6f2ef2440fe,
  813423f90f0553c81c5fb4d531fc688a5d506b24,
ee02cbcebb0985394910d8868c6eef49184b20f7,
  df6fc784e8db07b8fe5aa1c624411f381f3abeaa,
e2fe046fe230c5159660257712566a849847cffa,
  845351c56ca069162433cf935afb2257a4c021d1,
ffdd31e8db4e94f399e68727fadf776fc0a2d1ba,
  6461cc8f22a1266498290b122b56f040d51d9224]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-07-21  0:01 Masami Ichikawa
From: Masami Ichikawa @ 2022-07-21  0:01 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 3 new CVEs and no updated CVEs.

* New CVEs

CVE-2021-33655: When sending malicious data to kernel by ioctl cmd
FBIOPUT_VSCREENINFO, kernel will write memory out of bounds.

CVSS v3 score is not assigned.

This vulnerability allows a buffer overwrite when a user passes an
invalid font size.
There are three patches in the mainline. The affected versions are
listed after each commit.

e64242c ("fbcon: Prevent that screen size is smaller than font size"): 5.4+
65a01e6 ("fbcon: Disallow setting font bigger than screen size"): 4.14+
6c11df5 ("fbmem: Check virtual screen sizes in fb_set_var()"): 5.4+

Fixed status
mainline: [e64242caef18b4a5840b0e7a9bff37abd4f4f933,
65a01e601dbba8b7a51a2677811f70f783766682,
  6c11df58fd1ac0aefcb3b227f72769272b939e56]
stable/5.10: [cecb806c766c78e1be62b6b7b1483ef59bbaeabe]
stable/5.15: [9c9e44bb3dd5233232f2379c2dde0e403b1fd642]
stable/5.18: [365b729e36ca942f4d2d184afc8486017504a597]
stable/5.4: [af93e821973426ded00158ea66a977039483997e]

CVE-2021-33656: When setting font with malicious data by ioctl cmd
PIO_FONT, kernel will write memory out of bounds.

CVSS v3 score is not assigned.

This vulnerability requires a user to have permission to access a
console device (e.g. /dev/tty1).

Fixed status
mainline: [ff2047fb755d4415ec3c70ac799889371151796d]
stable/4.14: [259742e9ad3551d5be58cd4754e65e0aabc1f9c8]
stable/4.19: [b15d5731b708a2190fec836990b8aefbbf36b07a]
stable/4.9: [dc1421db273b725ebe90978a4b2d9bfba5cef702]
stable/5.10: [3acb7dc242ca25eb258493b513ef2f4b0f2a9ad1]
stable/5.4: [c87e851b23e5cb2ba90a3049ef38340ed7d5746f]

CVE-2022-21505: Kernel lockdown bypass bug

CVSS v3 score is not assigned.

When UEFI Secure Boot is disabled and Linux boots with the
"ima_appraise=log" parameter, a user is able to kexec even if the
lockdown feature is enabled.
The reporter attached a
patch (https://www.openwall.com/lists/oss-security/2022/07/19/4) but it
hasn't been merged yet.
This vulnerability was introduced by commit 29d3c1c ("kexec: Allow
kexec_file() with appropriate IMA policy when locked down"), which was
merged in 5.4. Kernels older than 5.4 aren't affected by this issue.

Fixed status
Patch is available but not merged yet

* Updated CVEs

No updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-07-14  0:54 Masami Ichikawa
From: Masami Ichikawa @ 2022-07-14  0:54 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 8 new CVEs and 8 updated CVEs.
As you may know, another speculative execution bug (Retbleed) was
published this week.
The CNA and Intel provided CVSS base scores for Retbleed; both rate it
as medium severity.

* New CVEs

CVE-2022-34494: rpmsg_virtio_add_ctrl_dev in
drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has
a double free

CVSS v3 score is not assigned.

A double free bug in rpmsg_virtio_add_ctrl_dev() which will cause a system crash.

CVE-2022-34494 and CVE-2022-34495 were introduced by commit c486682
("rpmsg: virtio: Register the rpmsg_char device") which was merged in
5.13-rc1.
This commit wasn't backported to stable kernels, so 5.12 or earlier
kernels aren't affected by this bug.

Fixed status
mainline: [1680939e9ecf7764fba8689cfb3429c2fe2bb23c]
stable/5.15: [b94d40c792de7f0ceda6a2fd8a8dc0597eca6d22]
stable/5.18: [d51720ac069d465101d937273acecde1f71ea411]

CVE-2022-34495: rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the
Linux kernel before 5.18.4 has a double free.

CVSS v3 score is not assigned.

A double free bug in rpmsg_probe() which will cause a system crash.

CVE-2022-34494 and CVE-2022-34495 were introduced by commit c486682
("rpmsg: virtio: Register the rpmsg_char device") which was merged in
5.13-rc1.
This commit wasn't backported to stable kernels, so 5.12 or earlier
kernels aren't affected by this bug.

Fixed status
mainline: [c2eecefec5df1306eafce28ccdf1ca159a552ecc]
stable/5.15: [eaf37bb6b4f7c48a5adaf1be4879107daf4d6024]
stable/5.18: [b7e88e4bb41dea89b1dadf7a985d7aff53720629]

CVE-2022-2380: video: fbdev: sm712fb: Fix crash in smtcfb_read()

CVSS v3 score is not assigned.

A crash occurred when reading data from the framebuffer.
The mainline, stable kernels, and CIP kernels (including 4.4) have been fixed.

Fixed status
mainline: [bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8]
stable/4.14: [2a616cc4513217c850865482cbc0bc6e7188580c]
stable/4.19: [1caa40af491dcfe17b3ae870a854388d8ea01984]
stable/4.9: [e6766bb02614ad69218dcd849668524e46916e11]
stable/5.10: [72af8810922eb143ed4f116db246789ead2d8543]
stable/5.15: [46cdbff26c88fd75dccbf28df1d07cbe18007eac]
stable/5.4: [478154be3a8c21ff106310bb1037b1fc9d81dc62]

CVE-2022-23825: Aliases in the branch predictor may cause some AMD processors to
predict the wrong branch type potentially leading to information disclosure

CVSS v3 score is not assigned by NVD.
Intel gives CVSS Base score as 4.7 Medium.

This CVE affects AMD processors.

Fixed status
Not fixed yet.

CVE-2022-28693: Unprotected alternative channel of return branch
target prediction in some Intel(R) Processors may allow an authorized
user to potentially enable information disclosure via local access.

CVSS v3 score is not assigned.

This CVE affects Intel processors.

Fixed status
Not fixed yet.

CVE-2022-23816: Mis-trained branch predictions for return instructions
may allow arbitrary speculative code execution under certain
microarchitecture-dependent conditions on some AMD processors
CVE-2022-29900: Information leak through mispredicted returns on AMD processors
CVE-2022-29901: Information leak through mispredicted returns on Intel
processors

According to the openwall mailing
list (https://www.openwall.com/lists/oss-security/2022/07/13/1),
CVE-2022-23816 and CVE-2022-29900 are duplicates of each other.

CVSS v3 score is not assigned by NVD.
CVSS Base Score 5.6 MEDIUM by CNA.
CVSS Base Score 4.7 MEDIUM by Intel.

This is the Retbleed bug (https://comsec.ethz.ch/research/microarch/retbleed/).

CVE-2022-29900 affects AMD processors. According to
cve.mitre.org, "AMD microprocessor families 15h to
18h are affected by a new Spectre variant that is able to bypass their
retpoline mitigation in the kernel to leak arbitrary data. An attacker
with unprivileged user access can hijack return instructions to
achieve arbitrary speculative code execution under certain
microarchitecture-dependent conditions."

CVE-2022-29901 affects Intel processors. According to
cve.mitre.org, "Intel microprocessor generations 6
to 8 are affected by a new Spectre variant that is able to bypass
their retpoline mitigation in the kernel to leak arbitrary data. An
attacker with unprivileged user access can hijack return instructions
to achieve arbitrary speculative code execution under certain
microarchitecture-dependent conditions."

The mainline has 55 commits to fix these CVEs.

Fixed status
mainline: [742ab6df974ae8384a2dd213db1a3a06cf6d8936,
a883d624aed463c84c22596006e5a96f5b44db31,
  369ae6ffc41a3c1137cab697635a84d0cc7cdcea,
00e1533325fd1fb5459229fe37f235462649f668,
  0b53c374b9eff2255a386f1f1cfb9a928e52a5ae,
15e67227c49a57837108acfe1c80570e1bd9f962,
  d9e9d2300681d68a775c28de6aa6e5290ae17796,
ee88d363d15617ff50ac24fab0ffec11113b2aeb,
  1f001e9da6bbf482311e45e48f53c2bd2179e59c,
d77cfe594ad50e0bf95d457e02ccd578791b2a15,
  af2e140f34208a5dfb6b7a8ad2d56bda88f0524d,
15583e514eb16744b80be85dea0774ece153177d,
  0ee9073000e8791f8b134a8ded31bcc767f7f232,
aa3d480315ba6c3025a60958e1981072ea37c3df,
  7c81c0c9210c9bfab2bae76aab2999de5bad27db,
951ddecf435659553ed15a9214e153a3af43a9a1,
  a149180fbcf336e97ce4eb2cdc13672727feb94d,
6b80b59b3555706508008f1f127b5412c89c7fd8,
  7fbf47c7ce50b38a64576b150e7011ae73d54669,
e8ec1b6e08a2102d8755ccb06fa26d540f26a2fa,
  caa0ff24d5d0e02abce5e65c3d2b7f20a6617be5,
2dbb887e875b1de3ca8f40ddf26bcfe55798c609,
  c779bc1a9002fa474175b80e72b85c9bf628abb0,
7c693f54c873691a4b7da05c7e0f74e67745d144,
  166115c08a9b0b846b783088808a27d739be6e8d,
6ad0ad2bf8a67e27d1f9d006a1dabb0e1c360cc3,
  bf5835bcdb9635c97f85120dba9bfa21e111130f,
9bb2ec608a209018080ca262f771e6a9ff203b6f,
  b75b7f8ef1148be1b9321ffc2f6c19238904b438,
d147553b64bad34d2f92cb7d8ba454ae95c3baac,
  3ebc170068885b6fc7bedda6c667bb2c4d533159,
0fe4aeea9c01baabecc8c3afc7889c809d939bc2,
  a09a6e2399ba0595c3042b3164f3ca68a3cff33e,
d7caac991feeef1b871ee6988fd2c9725df09039,
  b2620facef4889fefcbf2e87284f34dcd4189bce,
e6aa13622ea8283cc699cac5d018cc40a2ba2010,
  56aa4d221f1ee2c3a49b45b800778ec6e0ab73c5,
bbb69e8bee1bd882784947095ffb2bfe0f7c9470,
  acac5e98ef8d638a411cfa2ee676c87e1973f126,
8faea26e611189e933ea2281975ff4dc7c1106b6,
  8bd200d23ec42d66ccd517a72dd0b9cc6132d2fd,
bb06650634d3552c0f8557e9d16aa1a408040e28,
  fc02735b14fff8c6678b521d324ade27b1a3d4cf,
bea7e31a5caccb6fe8ed989c065072354f0ecb52,
  9756bba28470722dacb79ffce554336dd1f6a6cd,
07853adc29a058c5fd143c14e5ac528448a72ed9,
  7a05bc95ed1c5a59e47aaade9fb4083c27de9e62,
26aae8ccbc1972233afd08fb3f368947c0314265,
  f43b9876e857c739d407bc56df288b0ebe1a9164,
f54d45372c6ac9c993451de5e51312485f7d10bc,
  2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b,
2259da159fbe5dba8ac00b560cf00b6a6537fa18,
  697977d8415d61f3acbc4ee6d564c9dcf0309507,
4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e,
  c27c753ea6fd1237f4f96abf8b623d7bab505513]

* Updated CVEs

CVE-2022-2318: UAF vulnerabilities in rose protocol

The mainline and stable kernels were fixed.

Fixed status
mainline: [9cc02ede696272c5271a401e4f27c262359bc2f6]
stable/4.14: [597b3bbe230caca60c321eeb08de14b9bc4d47c0]
stable/4.19: [2661f2d88f40e35791257d73def0319b4560b74b]
stable/4.9: [3ab68a9528780870b84200bbd91efaa47a586a3c]
stable/5.10: [8f74cb27c2b4872fd14bf046201fa7b36a46885e]
stable/5.15: [659d39545260100628d8a30020d09fb6bf63b915]
stable/5.18: [570b99c2e1508708c4a32a58f98071fbc3c2c351]
stable/5.4: [bb91556d2af066f8ca2e7fd8e334d652e731ee29]

CVE-2022-26365: Xen Linux disk/nic frontends data leaks

Stable kernels were fixed.

Fixed status
mainline: [2f446ffe9d737e9a844b97887919c4fda18246e7]
stable/4.14: [44dc5bcac4b0ec4e876110a69ead25a9b130234b]
stable/4.19: [f4a1391185e30c977bfe1648435c152f806211c7]
stable/4.9: [4fbda9d1fc771b44e96ee4cea58f37d926010ffc]
stable/5.10: [cfea428030be836d79a7690968232bb7fa4410f1]
stable/5.15: [7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9]
stable/5.18: [62b5d188a270a25138a88c18409c596c1406b993]
stable/5.4: [42112e8f94617d83943f8f3b8de2b66041905506]

CVE-2022-33740: Xen Linux disk/nic frontends data leaks

Stable kernels were fixed.

Fixed status
mainline: [307c8de2b02344805ebead3440d8feed28f2f010]
stable/4.14: [f2c6f208a52df7e201f9fc34ae5efd7f9f40133e]
stable/4.19: [3650ac3218c1640a3d597a8cee17d8e2fcf0ed4e]
stable/4.9: [d1d69e0c838c2df7089357ec27000942086325c4]
stable/5.10: [728d68bfe68d92eae1407b8a9edc7817d6227404]
stable/5.15: [5dd0993c36832d33820238fc8dc741ba801b7961]
stable/5.18: [6d98cf6e58b5867225c3b4ea49bc431895ef33f0]
stable/5.4: [04945b5beb73019145ac17a2565526afa7293c14]

CVE-2022-33741: Xen Linux disk/nic frontends data leaks

Stable kernels were fixed.

Fixed status
mainline: [4491001c2e0fa69efbb748c96ec96b100a5cdb7e]
stable/4.14: [019eaffbb7cfdbe01b1b4e1b61e7f91688c76c2a]
stable/4.19: [4b67d8e42dbba42cfafe22ac3e4117d9573fdd74]
stable/4.9: [c6e941364608d911ac7b055d27d86e360fd94aed]
stable/5.10: [4923217af5742a796821272ee03f8d6de15c0cca]
stable/5.15: [ed3cfc690675d852c3416aedb271e0e7d179bf49]
stable/5.18: [3893cd0fec5e80e8d1c681794ee43167eb799e4d]
stable/5.4: [ede57be88a5fff42cd00e6bcd071503194d398dd]

CVE-2022-33742: Xen Linux disk/nic frontends data leaks

Stable kernels were fixed.

Fixed status
mainline: [2400617da7eebf9167d71a46122828bc479d64c9]
stable/4.14: [0b06590646e0857a804c9a08545791feb2278ab6]
stable/4.19: [981de55fb6b5253fa7ae345827c6c3ca77912e5c]
stable/4.9: [8dad9a67100245295373523375610be850999b37]
stable/5.10: [cbbd2d2531539212ff090aecbea9877c996e6ce6]
stable/5.15: [6d0a9127279a4533815202e30ad1b3a39f560ba3]
stable/5.18: [3ebaa2c13f680889c4fb9f090b243499d25017d0]
stable/5.4: [60ac50daad36ef3fe9d70d89cfe3b95d381db997]

CVE-2022-33743: Xen network backend may cause Linux netfront to use freed SKBs

stable/5.10, 5.15, and 5.18 were fixed.

Fixed status
mainline: [f63c2c2032c2e3caad9add3b82cc6e91c376fd26]
stable/5.10: [547b7c640df545a344358ede93e491a89194cdfa]
stable/5.15: [1052fc2b7391a43b25168ae69ad658fff5170f04]
stable/5.18: [a74adaffc8db86b4dbdd98762deff70b155b0f4d]

CVE-2022-33744: Xen Arm guests can cause Dom0 DoS via PV devices

Stable kernels were fixed.

Fixed status
mainline: [b75cd218274e01d026dc5240e86fdeb44bbed0c8]
stable/4.14: [01b86faa64b1f5aa04c0b3ca2001b0a8474f3006]
stable/4.19: [274cb74da15ed13292fcec9097f04332eb3eea17]
stable/4.9: [856d1b8e6e826b5087f1ea3fdbabda3557d73599]
stable/5.10: [43c8d33ce353091f15312cb6de3531517d7bba90]
stable/5.15: [9f83c8f6ab14bbf4311b70bf1b7290d131059101]
stable/5.18: [efd9826d4c08abac7e8840757e3e1bfcf2876f70]
stable/5.4: [5c03cad51b84fb26ccea7fd99130d8ec47949cfc]

CVE-2022-34918: netfilter: nf_tables: stricter validation of element data

stable 5.10, 5.15, and 5.18 were fixed.

Fixed status
mainline: [7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6]
stable/5.10: [0a5e36dbcb448a7a8ba63d1d4b6ade2c9d3cc8bf]
stable/5.15: [c1784d2075138992b00c17ab4ffc6d855171fe6d]
stable/5.18: [6b7488071ea8ed6265a39afebd5a5920f6975d02]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com



* New CVE entries this week
From: Masami Ichikawa @ 2022-07-06 23:21 UTC
To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 8 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-2318: UAF vulnerabilities in rose protocol

CVSS v3 score is not assigned.

A use-after-free bug was found in net/rose/rose_timer.c. An attacker
will be able to crash the system via this vulnerability.
The 4.4 kernel is vulnerable too.

No CIP member enables CONFIG_ROSE.

Fixed status
mainline: [9cc02ede696272c5271a401e4f27c262359bc2f6]

CVE-2022-26365: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

When allocating a shared page in
fill_grant_buffer()/blkfront_setup_indirect() via alloc_page(), it
doesn't initialize the allocated page.
As a result, unintended data in the page will leak.

4.4 kernel seems to be vulnerable.

Fixed status
mainline: [2f446ffe9d737e9a844b97887919c4fda18246e7]

CVE-2022-33740: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

When allocating a shared page in xennet_alloc_one_rx_buffer() via
alloc_page(), it doesn't initialize the allocated page.
As a result, unintended data in the page will leak.

4.4 kernel seems to be vulnerable.

Fixed status
mainline: [307c8de2b02344805ebead3440d8feed28f2f010]

CVE-2022-33741: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

A Xen backend will be able to read data from a shared page which is not
related to this backend.

Commit 4491001 ("xen/netfront: force data bouncing when backend is
untrusted") is based on commit fd07160 ("xen-netfront: avoid packet
loss when ethernet header crosses page boundary") which is not merged
in 4.4.

Fixed status
mainline: [4491001c2e0fa69efbb748c96ec96b100a5cdb7e]

CVE-2022-33742: Xen Linux disk/nic frontends data leaks

CVSS v3 score is not assigned.

A Xen backend will be able to read data from a shared page which is not
related to this backend.

Commit 2400617 ("xen/blkfront: force data bouncing when backend is
untrusted") is based on commit 3df0e50 ("xen/blkfront: pseudo support
for multi hardware queues/rings") which is not merged in 4.4.

Fixed status
mainline: [2400617da7eebf9167d71a46122828bc479d64c9]

CVE-2022-33743: Xen network backend may cause Linux netfront to use freed SKBs

CVSS v3 score is not assigned.

Xen's network backend will use freed SKBs, which will cause a system crash.

4.4 seems vulnerable.
Applying commit f63c2c2 will fail because it modifies blkif_free_ring(),
which was introduced by commit 3df0e50 ("xen/blkfront: pseudo support
for multi hardware queues/rings").

Fixed status
mainline: [f63c2c2032c2e3caad9add3b82cc6e91c376fd26]

CVE-2022-33744: Xen Arm guests can cause Dom0 DoS via PV devices

CVSS v3 score is not assigned.

Arm guests can cause a Dom0 DoS via PV devices when mapping pages of
guests on Arm.
4.4 seems to be vulnerable.

Fixed status
mainline: [b75cd218274e01d026dc5240e86fdeb44bbed0c8]

CVE-2022-34918: netfilter: nf_tables: stricter validation of element data

CVSS v3 score is not assigned.

A heap overflow bug was found in nft_set_elem_init() in the netfilter
subsystem. This bug leads to a local privilege escalation.
This vulnerability was introduced by commit fdb9c40 ("netfilter:
nf_tables: allow up to 64 bytes in the set element data area") which
was merged in 5.8-rc1. The commit fdb9c40 is not backported to 4.x
stable kernels.
However, commit 7e6bc1f ("netfilter: nf_tables: stricter validation of
element data") mentions that 7d7402642ea ("netfilter: nf_tables: variable
sized set element keys / data") introduced this bug. So, it seems that
the vulnerability was introduced by commit fdb9c40 and a non-vulnerable
bug was introduced by commit 7d7402642eaf.

Fixed status
Fixed in the netdev tree
(https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6)
but not merged into the mainline yet.

* Updated CVEs

CVE-2021-33624: Linux kernel BPF protection against speculative
execution attacks can be bypassed to read arbitrary kernel memory

Commit 30ea1c5 ("bpf, selftests: Adjust few selftest outcomes wrt
unreachable code") was added to stable/5.10.

Fixed status
mainline: [d203b0fd863a2261e5d00b97f3d060c4c2a6db71,
fe9a5ca7e370e613a9a75a13008a3845ea759d6e,
 9183671af6dbf60a1219371d4ed73e23f43b49db,
973377ffe8148180b2651825b92ae91988141b05]
stable/4.19: [0abc8c9754c953f5cd0ac7488c668ca8d53ffc90,
c510c1845f7b54214b4117272e0d87dff8732af6,
  9df311b2e743642c5427ecf563c5050ceb355d1d,
c15b387769446c37a892f958b169744dabf7ff23]
stable/5.10: [e9d271731d21647f8f9e9a261582cf47b868589a,
8c82c52d1de931532200b447df8b4fc92129cfd9,
  5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b,
30ea1c535291e88e41413464277fcf98a95cf8c6]
stable/5.12: [408a4956acde24413f3c684912b1d3e404bed8e2,
68a1936e1812653b68c5b68e698d88fb35018835,
  4a99047ed51c98a09a537fe2c12420d815dfe296,
e5e2010ac3e27efa1e6e830b250f491da82d51b4]
stable/5.4: [283d742988f6b304f32110f39e189a00d4e52b92,
d2f790327f83b457db357e7c66f942bc00d43462,
  fd568de5806f8859190e6305a1792ba8cb20de61,
a0f66ddf05c2050e1b7f53256bd9c25c2bb3022b]

CVE-2022-23038: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

stable 4.19 was fixed this week.

Fixed status
mainline: [6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a,
33172ab50a53578a95691310f49567c9266968b0]
stable/4.19: [17659846fe336366b1663194f5669d10f5947f53,
62a696c15cfcfd32527f81ca3d94f2bde57475dc]
stable/4.9: [73e1d9b33f2bd93ce30719dfc8990b6328243b7e,
98bdfdf89e987406f4afdc7694cbdbb715383d8e]
stable/5.10: [3d81e85f30a8f712c3e4f2a507553d9063a20ed6,
3047255182774266950b22acc29c22a2d76e859e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com



* New CVE entries this week
From: Masami Ichikawa @ 2022-06-29 22:50 UTC
To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers no new CVEs and 5 updated CVEs.

* New CVEs

No new CVEs.

* Updated CVEs

CVE-2022-0812: NFS over RDMA random memory leakage

stable 4.14, 4.19, and 4.9 were fixed this week.

Fixed status
mainline: [912288442cb2f431bf3c8cb097a5de83bc6dbac1]
stable/4.14: [4779af1ec4a6c88a7005c8aabe69f409cf926d58]
stable/4.19: [4103bc54d8684a099615ae1fbab0590cf2167024]
stable/4.9: [ca6226b5c5b4cf8c41ab7c759686c9aab43a2a33]
stable/5.4: [c8a4452da9f4b09c28d904f70247b097d4c14932]

CVE-2022-0854: swiotlb information leak with DMA_FROM_DEVICE

stable/4.9 was fixed this week.

Fixed status
mainline: [ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e,
aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13]
stable/4.19: [8d9ac1b6665c73f23e963775f85d99679fd8e192,
06cb238b0f7ac1669cb06390704c61794724c191]
stable/4.9: [c132f2ba716b5ee6b35f82226a6e5417d013d753,
fd97de9c7b973f46a6103f4170c5efc7b8ef8797]
stable/5.10: [d4d975e7921079f877f828099bb8260af335508f,
f3f2247ac31cb71d1f05f56536df5946c6652f4a]
stable/5.15: [7403f4118ab94be837ab9d770507537a8057bc63,
2c1f97af38be151527380796d31d3c9adb054bf9]
stable/5.16: [270475d6d2410ec66e971bf181afe1958dad565e,
62b27d925655999350d0ea775a025919fd88d27f]

CVE-2022-1011: fuse: fix pipe buffer lifetime for direct_io

stable/4.9 was fixed this week.

Fixed status
mainline: [0c4bcfdecb1ac0967619ee7ff44871d93c08c909]
stable/4.14: [0ab55e14cf5fd40c39109969c8b04a25870f5d1e]
stable/4.19: [99db28212be68030c1db3a525f6bbdce39b039e9]
stable/4.9: [b79d4d0da659a3c7bd1d5913e62188ceb9be9c49]
stable/5.10: [ab5595b45f732212b3b1974041b43a257153edb7]
stable/5.15: [ca62747b38f59d4e75967ebf63c992de8852ca1b]
stable/5.16: [58a9bdff32fde29137731e574b17c42592875fd0]
stable/5.4: [a9174077febfb1608ec3361622bf5f91e2668d7f]

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

stable 4.14, 4.9, and 5.4 were fixed this week.
More patches were added to stable 4.19 and 5.10.

Fixed status
mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f,
ca7af0402550f9a0b3316d5f1c30904e42ed257d,
  e9261476184be1abd486c9434164b2acbe0ed6c2,
4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5,
  e8161345ddbb66e449abde10d2fdce93f867eba9]
stable/4.14: [40d20f3186ddd9b6b94598f4ef3d07644b0fa43c,
f1e99d0a7dbb313c0059d3b4c9d834759541b3ac,
  a14619ff0dcc034024256f4a4de87202bac88e78,
43995cd1fec2da248ff60be3baba8ed730f03a66,
  9c251cc4f664a4ae922c9431f2eb4559cb3c737a,
9044e70fadec49482c3cb3c2f49e81825796ea6d,
  6a2659e2e940b405895c4e19a683aa7fa846a785]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce,
695309c5c71526d32f5539f008bbf20ed2218528,
  11abd17d923c041441f7346a4811735b86318773,
22788ee7230772f5040113d53fe757b682f790da,
  9b8fba5d9e19548ecf7538917a04071c3c432985,
514cd2859c5017fdc487165b093b328e24afe954,
  9b40c2b72362a5ea92128ca7b83307986ac6246f]
stable/4.9: [576696ed0dee677ec868960c39d96ae3b8c95a3f,
2ed413f140bbb527745e3b42550f44d07c9dfd2a,
  aa7722529f6d7f3be1dd7b94dcce3f2689ba9756,
dd82067bd6cabbc25aa0f459e91a8e5e08fa4782,
  3c78eea640f69e2198b69128173e6d65a0bcdc02,
a81a6b204a303116e64e0a6288b701cbda9d4de7]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc,
a5c68f457fbf52c5564ca4eea03f84776ef14e41,
  dd46a868fcfdf3aac8ffb20b2321e174a0156fb2,
d28e64b1c63eced06aedadcacb0be4997c10c7c1,
  24b922a5da0055f1bb8b391b83e494d2e5d56508,
9429b75bc271b6f29e50dbb0ee0751800ff87dd9,
  7ccb026ecb997405b59d391140c25ee347891504]
stable/5.15: [1a8ee547da2b64d6a2aedbd38a691578eff14718,
ff01554d8755bdbe2aec2e2cff322d95f328cb89,
  f41f6336bfc43500e4e94ada703cd5aebb91789e,
b763fce193b42048444afd85d066b136288ad2c8,
  4a3eefa399e675c4a5239497832a72733281a20f,
952a238d779eea4ecb2f8deb5004c8f56be79bc9,
  f26c6f9404e1d6f3bfc9780ffba82a01a595d147]
stable/5.17: [6976724355f5fdada89de528730f9a7b4928f2e3,
27003fa8b581098aa9768bc03f82d5654368cb02,
  3a8081f81323e1550c241157244318db166b660e,
c2cef1db8f8aa81330fee4538a1158e1f6fd5bd1,
  01e16c23823a057667feb5cf26ba0c963fef6afd,
e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8,
  5034cbb361e1c447911a15b1d3982d5df7aa17b9]
stable/5.4: [ab5b00cfe0500f5f5a3648ca945b892156b839fb,
53c5de3092ade55f82ed4f5373d8a8ca115df818,
  6e34ee5b5b921d25992f54141aaaf9859733863f,
7c0a777b7dbdcd39eb45996afe6df7770f7926ac,
  77d29f3b18c466a6b88bdfceccec3085961a7d0e,
c26e1addf15763ae404f4bbf131719a724e768ab,
  2e1591c27b954f1f60ef8ce5d214e8fee1b4d304]

CVE-2022-32296: tcp: increase source port perturb table to 2^16

stable 4.14, 4.19, 4.9, 5.10, and 5.4 were fixed this week.

Fixed status
mainline: [4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5]
stable/4.14: [9044e70fadec49482c3cb3c2f49e81825796ea6d]
stable/4.19: [514cd2859c5017fdc487165b093b328e24afe954]
stable/4.9: [3c78eea640f69e2198b69128173e6d65a0bcdc02]
stable/5.10: [9429b75bc271b6f29e50dbb0ee0751800ff87dd9]
stable/5.15: [952a238d779eea4ecb2f8deb5004c8f56be79bc9]
stable/5.17: [e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8]
stable/5.4: [c26e1addf15763ae404f4bbf131719a724e768ab]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com



* New CVE entries this week
From: Masami Ichikawa @ 2022-06-22 23:47 UTC
To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 6 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2022-2078: Add several sanity checks for nft_set_desc_concat_parse().

CVSS v3 score is not assigned.

A buffer overflow bug was found in nft_set_desc_concat_parse(). This
bug allows an attacker to crash the system or possibly execute code.
This issue was introduced by commit f3a2181 ("netfilter: nf_tables:
Support for sets with multiple ranged fields") in 5.6-rc1. This commit
isn't backported to kernels earlier than 5.6.

Fixed status
mainline: [fecf31ee395b0295f2d7260aa29946b7605f7c85]
stable/5.10: [c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048]
stable/5.15: [89ef50fe03a55feccf5681c237673a2f98161161]
stable/5.18: [c9a46a3d549286861259c19af4747e12cfaeece9]

CVE-2022-21166: Device Register Partial Write (DRPW)
CVE-2022-21125: Shared Buffers Data Sampling (SBDS)
CVE-2022-21123: Shared Buffers Data Read (SBDR)

CVSS v3 score is not assigned.

CVE-2022-21166, CVE-2022-21125, and CVE-2022-21123 are related to
"Processor MMIO Stale Data Vulnerabilities", a class of
memory-mapped I/O (MMIO) vulnerabilities.
Please refer to the document
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/processor_mmio_stale_data.rst
for more details.

These vulnerabilities were fixed in a merge commit:
https://github.com/torvalds/linux/commit/8e8afafb0b5571b7cb10b529dc60cadb7241bed4
This merge commit includes 11 commits. All of them were applied to all
stable kernels.

Fixed status
mainline: [4419470191386456e0b8ed4eb06a70b0021798a6,
51802186158c74a0304f51ab963e7c2b3a2b046f,
  f52ea6c26953fed339aa4eae717ee5c2133c7ff2,
8cb861e9e3c9a55099ad3d08e1a3b653d29c33ca,
  e5925fb867290ee924fcf2fe3ca887b792714366,
99a83db5a605137424e1efe29dc0573d6a5b6316,
  8d50cdf8b8341770bc6367bce40c0c1bb0e1d5b3,
22cac9c677c95f3ac5c9244f8ca0afdc7c8afb19,
  a992b8a4682f119ae035a01b40d4d0665c4a2875,
027bbb884be006b05d9c577d6401686053aa789e,
  1dc6ff02c8bf77d71b9b5d11cbc9df77cfb28626]
stable/4.14: [62cf367c5fd1af75e005495ddcacde0f5eab85f0,
c00f2194c05c30a5f2f6a38d1555a8c6a9694cff,
  ba0a1237c5ef0479d8799f9435ba04c4e022bbd8,
d6087dda37d3ffa3c8efe6385757d73d9ed173c5,
  87e9881d5ad3d06cb8278062ecdafb4a5b5f423b,
e0fccc13ebe3ed1205f69d119d49789ef039c1fd,
  ae620928044d93e1ab9b785e931854ee033e52c7,
ed4fa7697ca4039eed5142c983c5905e46039c36,
  532c3a51316b6b1fdc6cb01926e2d139ef7e25da,
ac87ab4460f35b5064b2b9db1be146def2941fee,
  66b7fb8b6de97d02255611eb83a0a64d88f01710]
stable/4.19: [2bb1c263b6797e2701a5f4ffe503a8ce15c0167e,
9277b11cafd0472db9e7d634de52d7c5d8d25462,
  d03de576a604899741a0ebadcfe2a4a19ee53ba3,
9f2ce43ebc33713ba02a89a66bd5f93c2f3a82cf,
  54974c8714283feb5bf64df3bfe0f44267db5a3c,
8b42145e8c9903d4805651e08f4fca628e166642,
  f2983fbba1cccac611d4966277f0336374fad0be,
3ecb6dbad25b448ed8240f0ec2c7a8ff5155b7ea,
  0e94464009ee37217a7e450c96ea1f8d42d3a6b5,
e0d1437042f0b491bf2cb7880628b0bd7783f80d,
  0255c936bfaa1887f7043b995f1c9e1049bb25f1]
stable/4.9: [63c10e92b86a6cddd5294cda9f80eb7961cb1046,
19aa53c9eb2cf3a78ee44800e20bb34babe60f45,
  91ab1073814aa5d44fb3d8e2423ffdc61a421cac,
a11f2f05f5c605d1f6573b0cdcd2a6f38667fda1,
  5da4d16872d3d15dac54b5a6f83f54e28bc3a477,
6ecdbc9dc777a5b66a9ec293af88ab330dd644a2,
  8acd4bf9427eaf18a801db3f2508a2d89914d51d,
48e40e2cccb37c1f9c345014ca55c41bb8baee66,
  b7efb3a62fffa509e21d076aa2e75331c79fe36d,
da06c60d1dfef826512068d09aed3b6a70b5e5c9,
  71078b82164e36c893dc0764866e3783b1988fb4]
stable/5.10: [f8a85334a57e7842320476ff27be3a5f151da364,
e66310bc96b74ed3df9993e5d835ef3084d62048,
  f83d4e5be4a3955a6c8af61ecec0934d0ece40c0,
26f6f231f6a5a79ccc274967939b22602dec76e8,
  56f0bca5e9c8456b7bb7089cbb6de866a9ba6da9,
3eb1180564fa0ecedc33b44029da7687c0a9fbf5,
  001415e4e626403c9ff35f2498feb0021d0c8328,
cf1c01a5e4c3e269b9211ae2ef0a57f8c9474bfc,
  6df693dca31218f76c63b6fd4aa7b7db3bd6e049,
bde15fdcce44956278b4f50680b7363ca126ffb9,
  aa238a92cc94a15812c0de4adade86ba8f22707a]
stable/5.15: [1fcc3d646f0b719a2571aa68e4983c7a96fdc806,
d822b10f97f6bf83fcde3ed56caa58cde562eedd,
  8b9521e711799f6260765209d5562fe6e6fbf3fc,
d74f4eb1ddf076a55ff0682a89e66af5c1974321,
  407d97b99f276c7a761b905891a9d7a0fb727730,
2044838ab2283c23869ffa7b062e5f388136e432,
  531eb5fe3171f11cece79c7aac28bb5a085fb3fa,
30120b433c1f53cd0a081e6e86fe016a60a423fc,
  ebd0f558b48082c265fd594ffb205ae5350bfe79,
59d665a709b0446957261e8875ac9f7eb1bb1e96,
  147ae04a7c52e8cec0b81b1057c13fc29dab143a]
stable/5.18: [2a00e432ef05d813956e811718e828076b3f3027,
d88769c6dd78a77c049a55d4d39542648740321f,
  647afa778f7a98be3c690e579211d26d051fabfc,
bc4d37b2338a32a6668d94803feebc9cbc85572e,
  e3718d0753ff30f93e3cb9dccc26b0452f90c6b1,
8547d4ae6a95543b69d523f3706dbf887496e9f3,
  1baf738f30ee91be35003b0d106190ba8bfa8f1c,
bafc2b2727b4ebd219b112e87143cf0cf136d3fa,
  dce28a791e9632f96ba018f2ef708e012edb4133,
0b4bd3f44c674ba215f8f7918e4145d045bf5396,
  4064fc1ce85e4066a5aa97186766b71fe5f303d1]
stable/5.4: [91f8147c8371cb228bef738641abcd183d7adaf1,
814ccb6730358c2e30e00cb81fb84f4d480ff34f,
  ae649e0cbf76c665cf3a92dc16ddef27789b0447,
0800f1b45bf6d85e5a168db9ae91fb816f0a8c34,
  7f898baa2044094accfbe49c846f50fecc58e043,
8d25482fc96aa2cb24a221295fdd498f40565415,
  020ce7495cfccec17693bf58b42282707dece24d,
bc64f38b5a3839f14896cb9e2de7614d47151fc3,
  d961592635932bd1ea32a534412a41fb794e2212,
d49c22094e6f698a86dfdfd8f22b2a220e797bd4,
  4cc40b1022bbfe6da2dda489006b7ab6548bcd61]

CVE-2022-33981: floppy: disable FDRAWCMD by default

CVSS v3 score is not assigned.

It is a duplicate of CVE-2022-1836.
A use-after-free bug was found in drivers/block/floppy.c which will
result in denial of service.

Fixed status
mainline: [233087ca063686964a53c829d547c7571e3f67bf]
stable/4.14: [b7fa84ae1171a3c5ea5d710899080a6e63cfe084]
stable/4.19: [0e535976774504af36fab1dfb54f3d4d6cc577a9]
stable/4.9: [0dd02ff72c6daf4e7800fb5dd1109fbacdde97dc]
stable/5.10: [54c028cfc49624bfc27a571b94edecc79bbaaab4]
stable/5.15: [e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3]
stable/5.4: [7dea5913000c6a2974a00d9af8e7ffb54e47eac1]

CVE-2022-2153: KVM: NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

CVSS v3 score is not assigned.

This vulnerability was introduced by commit 1e08ec4 ("KVM: optimize
apic interrupt delivery") that was merged in 3.7-rc1.
There is a NULL pointer dereference bug in
kvm_irq_delivery_to_apic_fast() that triggers a local DoS.

Commit 7ec37d1 ("KVM: x86: Check lapic_in_kernel() before attempting to
set a SynIC irq") and commit 00b5f37 ("KVM: x86: Avoid theoretical NULL
pointer dereference in kvm_irq_delivery_to_apic_fast()") fail to
apply to 4.14, 4.19, 4.9, 5.4, and 5.10.

Fixed status
mainline: [7ec37d1cbe17d8189d9562178d8b29167fe1c31a,
00b5f37189d24ac3ed46cb7f11742094778c46ce,
  b1e34d325397a33d97d845e312d7cf2a8b646b44]
stable/4.19: [2f4835b5188f3b73b2b048a761ae2553e845b027]
stable/4.9: [95d51d058680766130098287f680474bc55f1679]
stable/5.10: [09c771c45c1243e295470225aaee726693fdc242]
stable/5.15: [569a229142e95610adc1041ae9ca1f417c4c6a3e,
0e5dbc0540baa89faf4c04ccc7e9c4fe6b1d7bf4,
  ba6e8c2df52047a32953588b49d9addbd843a098]

* Updated CVEs

CVE-2022-1353: af_key: add __GFP_ZERO flag for compose_sadb_supported
in function pfkey_register

stable/4.9 was fixed this week.

Fixed status
mainline: [9a564bccb78a76740ea9d75a259942df8143d02c]
stable/4.14: [fcdaaeb7eb5d52941ceb2fdcec0e2170c9bf3031]
stable/4.19: [693fe8af9a2625139de07bd1ae212a7d89c37795]
stable/4.9: [7b0e01a9b7f2aaeb6fa73b35864b1d7dc6e795c4]
stable/5.10: [8d3f4ad43054619379ccc697cfcbdb2c266800d8]
stable/5.15: [d06ee4572fd916fbb34d16dc81eb37d1dff83446]
stable/5.4: [ef388db2fe351230ff7194b37d507784bef659ec]

CVE-2022-1976: io_uring: reinstate the inflight tracking

stable/5.18 was fixed this week.

Fixed status
mainline: [9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7]
stable/5.18: [bba36a27c38650eefc79d18c33a0acd0dcbeabb8]

CVE-2022-1508: io_uring: reexpand under-reexpanded iters

Added the fix commit for stable/5.10.

Fixed status
mainline: [89c2b3b74918200e46699338d7bcc19b1ea12110,
2112ff5ce0c1128fe7b4d19cfe7f2b8ce5b595fa]
stable/5.10: [8adb751d294ed3b668f1c7e41bd7ebe49002a744]

CVE-2022-1184: use-after-free and memory errors in ext4 when mounting
and operating on a corrupted image

The mainline and stable kernels were fixed this week.

Fixed status
mainline: [46c116b920ebec58031f0a78c5ea9599b0d2a371,
3ba733f879c2a88910744647e41edeefbc0d92b2]
stable/4.14: [d27d3caddbeff10871982d5e25e6557be0fdc29a,
24b8206fec1db21d7e82f21f0b2ff5e5672cf5b3]
stable/4.19: [78398c2b2cc14f9a9c8592cf6d334c5a479ed611,
b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0]
stable/4.9: [93bbf0498ba20eadcd7132bd3cfdaff54eb72751]
stable/5.10: [da2f05919238c7bdc6e28c79539f55c8355408bb,
ff4cafa51762da3824881a9000ca421d4b78b138]
stable/5.15: [ca17db384762be0ec38373a12460081d22a8b42d,
3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc]
stable/5.18: [298659c0e7074f774a794fc293df4014617b87be,
6084240bfc44bf265ab6ae7d96980469b05be0f1]
stable/5.4: [17034d45ec443fb0e3c0e7297f9cd10f70446064,
e157c8f87e8fac112d6c955e69a60cdb9bc80a60]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com



* New CVE entries this week
From: Masami Ichikawa @ 2022-06-15 23:44 UTC
To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 3 new CVEs and 3 updated CVEs.

FYI: A new side-channel attack called the "Hertzbleed Attack" has
been published.
This vulnerability has been assigned CVE-2022-23823 and CVE-2022-24436.
Researchers confirmed that Intel's 8th to 11th generation Core
microarchitecture and AMD Ryzen processors are affected, but they
haven't confirmed whether other processors (e.g. ARM) are affected.
Intel and AMD provided guidance to mitigate the Hertzbleed Attack.
However, researchers said that Intel and AMD haven't planned to
provide microcode patches.

https://www.hertzbleed.com/

* New CVEs

CVE-2022-32981: powerpc/32: Fix overread/overwrite of thread_struct via ptrace

CVSS v3 score is not assigned.

This vulnerability only affects the powerpc 32-bit architecture.
There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka
PEEKUSR and POKEUSR) when accessing floating point registers.

Fixed status
mainline: [8e1278444446fc97778a5e5c99bca1ce0bbc5ec9]
stable/4.14: [d13c94c4b6f816e79b8e4df193db1bdcc7253610]
stable/4.19: [a0e38a2808ea708beb4196a8873cecc23efb8e64]
stable/4.9: [89dda10b73b7ce184caf18754907126ce7ce3fad]
stable/5.10: [3be74fc0afbeadc2aff8dc69f3bf9716fbe66486]
stable/5.15: [2a0165d278973e30f2282c15c52d91788749d2d4]
stable/5.18: [7764a258356c454fe56b9f56fc07c0e146a3bccb]
stable/5.4: [0c4bc0a2f8257f79a70fe02b9a698eb14695a64b]

CVE-2022-32250: use-after-free bug in net/netfilter/nf_tables_api.c
causes a local user to escalate privileges.

CVSS v3 score is 7.8 HIGH

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1
allows a local user (able to create user/net namespaces) to escalate
privileges to root because an incorrect NFT_STATEFUL_EXPR check leads
to a use-after-free.

The bug fix commit 5207780 ("netfilter: nf_tables: disallow
non-stateful expression in sets earlier") and the bug-introducing commit
0b2d8a7 ("netfilter: nf_tables: add helper functions for expression
handling") are the same as for CVE-2022-1966.
So, it looks like this CVE is a duplicate of CVE-2022-1966.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/4.14: [5b732a9e8e22395d911b3e6c343cbed0e1cec275]
stable/4.19: [ed44398b45add3d9be56b7457cc9e05282e518b4]
stable/4.9: [94e9b75919619ba8c4072abc4917011a7a888a79]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]
stable/5.4: [f36736fbd48491a8d85cd22f4740d542c5a1546e]

CVE-2022-1976: io_uring: reinstate the inflight tracking

CVSS v3 score is not assigned.

There is a use-after-free bug in fs/io_uring.c that causes a system crash.
This issue was introduced by commit d536123 ("io_uring: drop the old
style inflight file tracking") in 5.18-rc2.
5.18 and the mainline are affected by this vulnerability. Kernel 5.17
contains the commit d536123, but this version is EOL.

Fixed status
mainline: [9cae36a094e7e9d6e5fe8b6dcd4642138b3eb0c7]

* Updated CVEs

CVE-2021-4034: kernel vs pkexec API confusion leads to easy local root

Added fix commits for the 4.14, 5.4, 5.15 and 5.17 kernels.

Fixed status
mainline: [dcd46d897adb70d63e025f175a00a89797d31a43]
stable/4.14: [98e0c7c702894987732776736c99b85ade6fba45]
stable/4.19: [b50fb8dbc8b81aaa126387de428f4c42a7c72a73]
stable/4.9: [41f6ea5b9aaa28b740d47ffe995a5013211fdbb0]
stable/5.10: [27a6f495b63a1804cc71be45911065db7757a98c]
stable/5.15: [1290eb4412aa0f0e9f3434b406dc8e255da85f9e]
stable/5.17: [cfbfff8ce5e3d674947581f1eb9af0a1b1807950]
stable/5.4: [1fe82bfd9e4ce93399d815ca458b58505191c3e8]

CVE-2022-1973: fs/ntfs3: Fix invalid free in log_replay

Stable kernels 5.15, 5.17, and 5.18 were fixed. All kernels are fixed.

Fixed status
mainline: [f26967b9f7a830e228bb13fb41bd516ddd9d789d]
stable/5.15: [61decb58486d7c0cbded25fe4d301ab4fa148cd8]
stable/5.17: [2088cc00491e8d25a99d0f247df843e9c3df2040]
stable/5.18: [2aafbe9fb210a355d6e0e92a91f294dee80e5d44]

CVE-2022-1966: netfilter: nf_tables: disallow non-stateful expression
in sets earlier

stable 4.14, 4.19, 4.9, and 5.4 were fixed.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/4.14: [5b732a9e8e22395d911b3e6c343cbed0e1cec275]
stable/4.19: [ed44398b45add3d9be56b7457cc9e05282e518b4]
stable/4.9: [94e9b75919619ba8c4072abc4917011a7a888a79]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]
stable/5.4: [f36736fbd48491a8d85cd22f4740d542c5a1546e]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com



* New CVE entries this week
From: Masami Ichikawa @ 2022-06-08 23:44 UTC
To: cip-dev

Hi !

It's this week's CVE report.

This week's report covers 12 new CVEs and 5 updated CVEs.

* New CVEs

CVE-2022-1972: nf_tables: sanitize nft_set_desc_concat_parse()

CVSS v3 score is not assigned.

An OOB write bug was found in the netfilter module.
This bug was introduced by commit f3a2181 ("netfilter: nf_tables:
Support for sets with multiple ranged fields") in 5.6-rc1.
This commit wasn't backported to 5.4 and prior kernels so these
kernels aren't affected by this vulnerability.

Fixed status
mainline: [fecf31ee395b0295f2d7260aa29946b7605f7c85]
stable/5.10: [c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048]
stable/5.15: [89ef50fe03a55feccf5681c237673a2f98161161]
stable/5.17: [c88f3e3d243d701586239c5b69356ec2b1fd05f1]
stable/5.18: [c9a46a3d549286861259c19af4747e12cfaeece9]

CVE-2022-1974: nfc: replace improper check device_is_registered() in
netlink related functions

CVSS v3 score is not assigned.

A UAF bug was found in net/nfc/core.c that allows an attacker to
crash the Linux kernel by simulating an NFC device from user space.

Fixed status
cip/4.4: [0630ce232266d13644cd7a86dd7911d4825324b4]
cip/4.4-st: [0630ce232266d13644cd7a86dd7911d4825324b4]
mainline: [da5c0f119203ad9728920456a0f52a6d850c01cd]
stable/4.14: [6f0ac4cd0377ab4e0b49b8f6efd37057c21336a9]
stable/4.19: [7deebb94a311da0e02e621e765c3aef3d5936572]
stable/4.9: [fa2217b66467917a623993c14d671661ad625fb6]
stable/5.10: [8a9e7c64f4a02c4c397e55ba379609168ec7df4a]
stable/5.15: [a2168fb3128a576d0175443403c15dcf8bf128f6]
stable/5.17: [8b58d6e565d83443c51b3fc076bd4472674aca0c]
stable/5.4: [85aecdef77f9c5b5c0d8988db6681960f0d46ab3]

CVE-2022-1975: NFC: netlink: fix sleep in atomic bug when firmware
download timeout

When nlmsg_new() is called from fw_dnld_timeout(), which is a timer
handler, nlmsg_new() allocates memory with GFP_KERNEL. So,
nlmsg_new() may sleep to allocate memory. If nlmsg_new() sleeps in
that context, it will cause a kernel panic.

CVSS v3 score is not assigned.

Fixed status
cip/4.4: [12ddd94e76f674056ee706557e6ce5be43bc06e8]
cip/4.4-st: [12ddd94e76f674056ee706557e6ce5be43bc06e8]
mainline: [4071bf121d59944d5cd2238de0642f3d7995a997]
stable/4.14: [c33b2afffe8ae90e0bd4790e0505edd92addf14c]
stable/4.19: [d360fc8df363ecd7892d755d69ffc8c61d699e38]
stable/4.9: [a93ea9595fde438996d7b9322749d4d1921162f7]
stable/5.10: [879b075a9a364a325988d4484b74311edfef82a1]
stable/5.15: [7bd81a05d48942ef2c48630e5e7963b187e95727]
stable/5.17: [63a545103b77091f2309b44a8975cdf255bb99b2]
stable/5.4: [01d4363dd7176fd780066cd020f66c0f55c4b6f9]

CVE-2022-32296: tcp: increase source port perturb table to 2^16

CVSS v3 score is not assigned.

The Linux kernel before 5.17.9 allows TCP servers to identify clients
by observing what source ports are used.
The INET_TABLE_PERTURB_SHIFT macro was introduced by commit 190cc82
("tcp: change source port randomizarion at connect() time") in
5.12-rc1-dontuse. This commit has been backported to 4.14, 4.19, and
5.10, so these kernels are affected by this vulnerability. This
backport was done recently.

Fixed status
mainline: [4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5]
stable/5.15: [952a238d779eea4ecb2f8deb5004c8f56be79bc9]
stable/5.17: [e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8]

CVE-2022-20132: vulnerability in USB HID subsystem

CVSS v3 score is not assigned.

No vulnerability details yet.
According to the
https://source.android.com/security/bulletin/2022-06-01, this
vulnerability causes information disclosure.

It looks as if the following commits are the fixes related to this vulnerability.
- f83baa0 ("HID: add hid_is_usb() function to make it simpler for USB
detection")
- 918aa1e ("HID: bigbenff: prevent null pointer dereference")
- 720ac46 ("HID: wacom: fix problems when device is not a valid USB device")
- 9302095 ("HID: check for valid USB device for many HID drivers")

The following commits fix build errors.
- 30cb3c2 ("HID: add USB_HID dependancy to hid-prodikeys")
- d080811 ("HID: add USB_HID dependancy to hid-chicony")
- f237d90 ("HID: add USB_HID dependancy on some USB HID drivers")

Fixed status
mainline: [f83baa0cb6cfc92ebaf7f9d3a99d7e34f2e77a8a,
30cb3c2ad24b66fb7639a6d1f4390c74d6e68f94,
  d080811f27936f712f619f847389f403ac873b8f,
f237d9028f844a86955fc9da59d7ac4a5c55d7d5,
  918aa1ef104d286d16b9e7ef139a463ac7a296f0,
720ac467204a70308bd687927ed475afb904e11b,
  93020953d0fa7035fd036ad87a47ae2b7aa4ae33]
stable/4.19: [b1efa723b986a84f84a95b6907cffe3a357338c9,
cb54ea86f247a28ce5d8ec147e58c13de669d04a,
  de8ac0cf03f1124ef39debb337811e54f3e2f55c,
b0f286d9b1f8a2448373aa45ac8333645c48ea85,
  945e3464ba6671692d0692d4b4325ec003db18c5,
128074f16e32c188fa2ed6edac625067c842606e]
stable/4.9: [28d8244f3ec961a11bfb4ad83cdc48ff9b8c47a7,
5b8d74ff145de1b5adb133895fd63cd533d68422,
  4435bc144fb6295db371e9753305a96f0c19b2ef,
c57e3b8082a4860f31f71d113b3e66bb64b4eb0a,
  1309eb2ef1001c4cc7e07b867ad9576d2cfeab47,
10d0f0aaa5cde52bd5685ee8d0adc02f1efb1983]
stable/5.10: [61144329606cb9518642b7d2e940b21eb3214204,
28989ed4d79e95dc59de6143c81c5826251b85e4,
  a7e9c5ddf562cf1923b21e5a085567807a059046,
d877651afd60dcbbcdc31f9efded3c27813afd1a,
  918aa1ef104d286d16b9e7ef139a463ac7a296f0,
889c39113f7e2219da49446b7e8772d1f62d0dca,
  89f3edc98ffe48557405ecfd9520f73244d099c9]
stable/5.15: [e1e21632a4c4d2f85587e204939883ce59d18447,
10b05037d7a831249bd513ba125e88b242c35a4b,
  8c765cf5f1bccf6d6f945db9c9e3a7602ad8bb46,
30d3150d909431fd7424ab8ff4c4c2c795554e30,
  58f15f5ae7786c824868f3a7e093859b74669ce7,
05ca95256abaf3971f73fdcf61a1f6091957f8fb,
  a579510a64ed15463a69cd6fe1a3339bf9ded33b]
stable/5.4: [6e1e0a01425810494ce00d7b800b69482790b198,
ee8477d1dbcee286e4f88ac9187b2f2fd0d0e156,
  f8a6538587b49ad48e0aa45e50d4fa3f7253c2ee,
31520ec149d28845f34c527a4e861502ea290a53,
  8e0ceff632f48175ec7fb4706129c55ca8a7c7bd,
e9114b9dc8ea3826b9d1b9af2462debeb91ed294,
  a7944962ee1f867711642fcdd8acd574a00dcdf7]

CVE-2022-20141: igmp: Add ip_mc_list lock in ip_check_mc_rcu

CVSS v3 score is not assigned.

A UAF bug was found in ip_check_mc_rcu() in net/ipv4/igmp.c.
According to the
https://source.android.com/security/bulletin/2022-06-01, this
vulnerability causes privilege escalation.

Fixed status
cip/4.4: [b24065948ae6c48c9e20891f8cfe9850f1d748be]
cip/4.4-rt: [b24065948ae6c48c9e20891f8cfe9850f1d748be]
mainline: [23d2b94043ca8835bd1e67749020e839f396a1c2]
stable/4.14: [78967749984cf3614de346c90f3e259ff8272735]
stable/4.19: [4768973dffed4d0126854514335ed4fe87bec1ab]
stable/4.9: [e9924c4204ede999b0515fd31a370a1e27f676bc]
stable/5.10: [ddd7e8b7b84836c584a284b98ca9bd7a348a0558]
stable/5.4: [d84708451d9041dff8a81e3718f821f12d2eb6c5]

CVE-2022-20148: A UAF bug was found in f2fs

CVSS v3 score is not assigned.

According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.

Commit 5429c9d ("f2fs: fix UAF in f2fs_available_free_memory") fixes
a UAF bug which was introduced by commit d6d2b49 ("f2fs: allow to
change discard policy based on cached discard cmds") in v5.13-rc1. The
commit d6d2b49 isn't backported to stable kernels.

Fixed status
mainline: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
5429c9dbc9025f9a166f64e22e3a69c94fd5b29b]
stable/5.15: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
5e1b901dd470659bcfeaa76811d2af9165579d77]

CVE-2022-20153: io_uring: return back safer resurrect

CVSS v3 score is not assigned.

According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
This fix reverts commit cb5e1b8 ("Revert "io_uring: wait potential
->release() on resurrect""), which was merged in 5.12-rc1-dontuse.
Kernels earlier than 5.1 aren't affected by this issue because
io_uring was introduced in 5.1.

Fixed status
mainline: [f70865db5ff35f5ed0c7e9ef63e7cca3d4947f04]
stable/5.10: [dc1163203ae6e24b86168390fe5b4a3295fcba7f]

CVE-2022-20154: sctp: use call_rcu to free endpoint

CVSS v3 score is not assigned.

A UAF bug was found in sctp_sock_dump() in the net/sctp subsystem.
According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
This commit fixes commit d25adbe ("sctp: fix an use-after-free issue
in sctp_sock_dump"), which was introduced in 4.14-rc1.
The commit d25adbe isn't backported to 4.4.y, so the 4.4.y kernel isn't
affected by this issue.

Fixed status
mainline: [5ec7d18d1813a5bead0b495045606c93873aecbb]
stable/4.14: [8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e]
stable/4.19: [af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec]
stable/5.10: [769d14abd35e0e153b5149c3e1e989a9d719e3ff]
stable/5.15: [75799e71df1da11394740b43ae5686646179561d]

CVE-2022-20166: drivers core: Use sysfs_emit and sysfs_emit_at for
show(device *...) functions

CVSS v3 score is not assigned.

No vulnerability details yet.
This fix changes from using sprintf() to sysfs_emit(), so it looks
like it prevents a buffer overflow bug.
According to the
https://source.android.com/security/bulletin/pixel/2022-06-01, this
vulnerability causes privilege escalation.
The commit aa83889 ("drivers core: Use sysfs_emit and sysfs_emit_at
for show(device *...) functions") was merged in 5.10-rc1.
This commit isn't backported to 4.x kernels. So, if backporting the
fix for CVE-2022-20166 to the 4.x series, commit aa83889 is required.

Fixed status
mainline: [aa838896d87af561a33ecefea1caa4c15a68bc47]
stable/5.4: [9e9241d3345af3f2a78a5b60701a9cf0d15bf942]

CVE-2022-1973: fs/ntfs3: Fix invalid free in log_replay

CVSS v3 score is not assigned.

An invalid free of a pointer in log_replay() in the ntfs3 subsystem.
When log_read_rst() returns an ENOMEM error, it accesses an
uninitialized value and attempts to call kfree(), which causes a
kernel crash. The ntfs3 subsystem was introduced in 5.15, so earlier
versions aren't affected by this issue.

Fixed status
mainline: [f26967b9f7a830e228bb13fb41bd516ddd9d789d]

CVE-2022-1998: fanotify: Fix stale file descriptor in copy_event_to_user()

CVSS v3 score is not assigned.

A UAF vulnerability was found in the fanotify subsystem. To exploit this
vulnerability, an attacker needs to have the CAP_SYS_ADMIN capability.

This vulnerability was introduced by commit f644bc4 ("fanotify: fix
copy_event_to_user() fid error clean up") in 5.13-rc7.
The commit f644bc4 isn't backported to kernels earlier than 5.10.

Fixed status
mainline: [ee12595147ac1fbfb5bcb23837e26dd58d94b15d]
stable/5.10: [7b4741644cf718c422187e74fb07661ef1d68e85]
stable/5.15: [60765e43e40fbf7a1df828116172440510fcc3e4]

* Updated CVEs

CVE-2022-1966: netfilter: nf_tables: disallow non-stateful expression
in sets earlier

The mainline, 5.10, 5.15, 5.17, and 5.18 were fixed this week.

Fixed status
mainline: [520778042ccca019f3ffa136dd0ca565c486cedd]
stable/5.10: [ea62d169b6e731e0b54abda1d692406f6bc6a696]
stable/5.15: [f692bcffd1f2ce5488d24fbcb8eab5f351abf79d]
stable/5.17: [d8db0465bcc4d4b54ecfb67b820ed26eb1440da7]
stable/5.18: [8f44c83e51b4ca49c815f8dd0d9c38f497cdbcb0]

CVE-2022-21499: lockdown: also lock down previous kgdb use

5.4 was fixed this week.

Fixed status
mainline: [eadb2f47a3ced5c64b23b90fd2a3463f63726066]
stable/5.10: [a8f4d63142f947cd22fa615b8b3b8921cdaf4991]
stable/5.15: [69c5d307dce1560fafcb852f39d7a1bf5e266641]
stable/5.17: [281d356a035132f2603724ee0f04767d70e2e98e]
stable/5.18: [eca56bf0066ef2f1e7be0e3fa7564b85a309872c]
stable/5.4: [8bb828229da903bb5710d21065e0a29f9afd30e0]

CVE-2022-0494: block-map: add __GFP_ZERO flag for alloc_page in
function bio_copy_kern

4.14, 4.19, and 4.9 kernels were fixed this week.

Fixed status
mainline: [cc8f7fe1f5eab010191aa4570f27641876fa1267]
stable/4.14: [4f3ea768c56e8dce55ae538f18b37420366c5c22]
stable/4.19: [18243d8479fd77952bdb6340024169d30b173a40]
stable/4.9: [d59073bedb7cf752b8cd4027dd0f67cf7ac4330f]
stable/5.10: [a439819f4797f0846c7cffa9475f44aef23c541f]
stable/5.15: [a1ba98731518b811ff90009505c1aebf6e400bc2]
stable/5.16: [f8c61361a4f52c2a186269982587facc852dba62]

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

Commit 695309c5 ("secure_seq: use the 64 bits of the siphash for port
offset calculation") was added to 4.19.

Fixed status
mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f,
ca7af0402550f9a0b3316d5f1c30904e42ed257d,
  e9261476184be1abd486c9434164b2acbe0ed6c2,
4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5,
  e8161345ddbb66e449abde10d2fdce93f867eba9]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce,
695309c5c71526d32f5539f008bbf20ed2218528]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc,
a5c68f457fbf52c5564ca4eea03f84776ef14e41]
stable/5.15: [1a8ee547da2b64d6a2aedbd38a691578eff14718,
ff01554d8755bdbe2aec2e2cff322d95f328cb89,
  f41f6336bfc43500e4e94ada703cd5aebb91789e,
b763fce193b42048444afd85d066b136288ad2c8,
  4a3eefa399e675c4a5239497832a72733281a20f,
952a238d779eea4ecb2f8deb5004c8f56be79bc9,
  f26c6f9404e1d6f3bfc9780ffba82a01a595d147]
stable/5.17: [6976724355f5fdada89de528730f9a7b4928f2e3,
27003fa8b581098aa9768bc03f82d5654368cb02,
  3a8081f81323e1550c241157244318db166b660e,
c2cef1db8f8aa81330fee4538a1158e1f6fd5bd1,
  01e16c23823a057667feb5cf26ba0c963fef6afd,
e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8,
  5034cbb361e1c447911a15b1d3982d5df7aa17b9]

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded
instruction

5.10, 5.15, 5.17, and 5.18 were fixed this week.

Fixed status
mainline: [fee060cd52d69c114b62d1a2948ea9648b5131f9]
stable/5.10: [3d8fc6e28f321d753ab727e3c3e740daf36a8fa3]
stable/5.15: [531d1070d864c78283b7597449e60ddc53319d88]
stable/5.17: [dca5ea67a3e627a3022fe58722a2807c1ef61c29]
stable/5.18: [02ea15c02befea2539d5f0d6b60ce8df88de418b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


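The "Fixed status" blocks in these reports are the record a CIP member actually needs: which branch already carries a fix and which does not. The following Python is an added example, not part of Masami's report or of any CIP tooling. It parses that block format (including the wrapped, indented multi-hash lists and the "Not fixed yet" marker) and prints which tracked branches still lack a fix for each CVE. The sample text is constructed by copying three entries from the message above, and the list of tracked branches is an assumption for illustration.

```python
"""Parse the 'Fixed status' blocks of a CIP-style CVE report and list,
per CVE, which tracked kernel branches still have no fix commit."""
import re
from collections import OrderedDict

# Constructed sample in the report's own layout: wrapped hash lists,
# indented continuation lines, and an entry with no fix at all.
SAMPLE_REPORT = """\
CVE-2022-1972: nf_tables: sanitize nft_set_desc_concat_parse()

CVSS v3 score is not assigned.

An OOB write bug was found in the netfilter module.

Fixed status
mainline: [fecf31ee395b0295f2d7260aa29946b7605f7c85]
stable/5.10: [c0aff1faf66b6b7a19103f83e6a5d0fdc64b9048]
stable/5.15: [89ef50fe03a55feccf5681c237673a2f98161161]

CVE-2022-20148: A UAF bug was found in f2fs

Fixed status
mainline: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
5429c9dbc9025f9a166f64e22e3a69c94fd5b29b]
stable/5.15: [d6d2b491a82e1e411a6766fbfb87c697d8701554,
  5e1b901dd470659bcfeaa76811d2af9165579d77]

CVE-2022-1462: kernel: possible race condition in drivers/tty/tty_buffers.c

Fixed status
Not fixed yet
"""

# Assumed set of branches a member cares about (illustrative only).
TRACKED_BRANCHES = ["cip/4.4", "stable/5.10", "stable/5.15"]

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\b")
BRANCH_RE = re.compile(r"^(?P<branch>[\w./-]+):\s*\[(?P<rest>.*)$")
HASH_RE = re.compile(r"\b[0-9a-f]{7,40}\b")


def parse_report(text):
    """Return {cve: {branch: [hashes]}}; a CVE with no fixes maps to {}."""
    cves = OrderedDict()
    current = None          # CVE id whose entry we are inside
    in_fixed = False        # past the 'Fixed status' header of that entry
    open_branch = None      # branch whose hash list continues on the next line
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:                               # a new entry starts
            current = m.group(1)
            cves[current] = OrderedDict()
            in_fixed = False
            open_branch = None
            continue
        if current is None:
            continue
        if line.startswith("Fixed status"):
            in_fixed = True
            continue
        if not in_fixed or not line:
            continue
        if open_branch is not None:         # continuation of a wrapped list
            cves[current][open_branch].extend(HASH_RE.findall(line))
            if "]" in line:
                open_branch = None
            continue
        m = BRANCH_RE.match(line)
        if m:                               # 'branch: [hash, ...'
            branch = m.group("branch")
            cves[current][branch] = HASH_RE.findall(m.group("rest"))
            if "]" not in m.group("rest"):
                open_branch = branch
        # Other lines ('Not fixed yet', 'Patch is available ...') add nothing,
        # so such a CVE keeps an empty branch map.
    return cves


def missing_fixes(cves, tracked):
    """For each CVE, the tracked branches with no fix commit listed."""
    return OrderedDict(
        (cve, [b for b in tracked if not fixes.get(b)])
        for cve, fixes in cves.items()
    )


def format_matrix(cves, tracked):
    """One plain-text row per CVE, in the report's own style."""
    rows = []
    for cve, fixes in cves.items():
        cells = ", ".join(
            f"{b}={'fixed' if fixes.get(b) else '-'}" for b in tracked
        )
        rows.append(f"{cve}: {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(format_matrix(parsed, TRACKED_BRANCHES))
    for cve, branches in missing_fixes(parsed, TRACKED_BRANCHES).items():
        if branches:
            print(f"{cve}: no fix yet for {', '.join(branches)}")
```

Feed it a whole message body instead of SAMPLE_REPORT and the "Currently tracking CVEs" entries fall out naturally as rows with every branch marked "-", since they have no "branch: [hash]" lines; a branch that a member does not track (e.g. stable/5.17) is simply ignored.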

* New CVE entries this week
@ 2022-06-02  0:14 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-06-02  0:14 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 6 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2022-1678: tcp: fix possible socket leaks in internal pacing mode

CVSS v3 score is not assigned.

An issue was discovered in the Linux kernel from 4.18 to 4.19: an
improper update of the sock reference in TCP pacing can lead to a
memory/netns leak, which can be used by remote clients.

This issue was introduced by commit 73a6bab5 ("tcp: switch pacing
timer to softirq based hrtimer") which was merged in 4.18-rc1. This
patch wasn't backported to 4.9 or 4.4, so 4.4 and 4.9 aren't affected
by this issue.

In the mainline, this issue was fixed by commit 864e5c0 ("tcp:
optimize tcp internal pacing").
However, in stable/4.19, this issue was fixed by commit 0a70f11
("tcp: fix possible socket leaks in internal pacing mode").
The commit 0a70f11 describes that "In linux-4.20, TCP stack adopted
EDT (Earliest Departure Time) model and this issue was incidentally
fixed.".

The mainline and stable kernels were fixed.

Fixed status
mainline: [864e5c090749448e879e86bec06ee396aa2c19c5]
stable/4.19: [0a70f118475e037732557796accd0878a00fc25a]

CVE-2022-1462: kernel: possible race condition in drivers/tty/tty_buffers.c

CVSS v3 score is not assigned.

An OOB read bug was found in the TeleTYpe subsystem. A local user can
use TIOCSPTLCK, TIOCGPTPEER, TIOCSTI and TCXONC to trigger a race
condition in flush_to_ldisc(). It allows a user to crash the system or
read unauthorized random data from memory.

Fixed status
Not fixed yet

CVE-2022-1882: fs/pipe: Deinitialize the watch_queue when pipe is freed

CVSS v3 score is not assigned.

According to the Red Hat
Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=2089701), which
describes the following details:
A UAF flaw in the Linux kernel was found in the pipes functionality.
The problem is located in the function free_pipe_info() of fs/pipe.c.
When a pipe node is freed, it doesn't set pipe->watch_queue->pipe to
NULL. When the function post_one_notification() is called, it will
use this field, but it has been freed and watch_queue->pipe is a
dangling pointer.
The problem was introduced by commit db8facfc9fafacefe8a835
("watch_queue, pipe: Free watchqueue state after clearing pipe ring").

Fixed status
Patch is available but it hasn't been merged yet.

CVE-2022-1852: KVM: x86: avoid calling x86 emulator without a decoded
instruction

CVSS v3 score is not assigned.

When x86_decode_emulated_instruction() detects a breakpoint and
kvm_vcpu_check_breakpoint() sets the "r" function argument to 0, it is
misinterpreted as EMULATION_OK and x86_emulate_instruction() is called
without having decoded the instruction.
This causes various havoc from running with a stale emulation context.

This bug was introduced by commit 4aa2691 ("KVM: x86: Factor out x86
instruction emulation with decoding") in 5.12-rc1-dontuse.
The commit 4aa2691 was backported to 5.10, so 5.10 is affected by
this issue too.

Fixed status
mainline: [fee060cd52d69c114b62d1a2948ea9648b5131f9]

CVE-2022-1966: netfilter: nf_tables: disallow non-stateful expression
in sets earlier

CVSS v3 score is not assigned.

A UAF write bug was found in the netfilter subsystem that will cause
privilege escalation. This vulnerability is triggered by creating a
user/net namespace.

This vulnerability was introduced by commit 0b2d8a7 ("netfilter:
nf_tables: add helper functions for expression handling") in 4.1-rc1.

Fixed status
Fixed in the netfilter
tree (https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd),
but it hasn't been merged into the mainline yet.

CVE-2022-1943: udf: Avoid using stale lengthOfImpUse

CVSS v3 score is not assigned.

udf_write_fi() uses lengthOfImpUse of the entry it is writing to.
However, this field has not yet been initialized, so it either contains
a completely bogus value or the value from the last directory entry at
that place.
In either case this is wrong and can lead to filesystem corruption or
kernel crashes.

This bug was introduced by commit 979a6e28dd96 ("udf: Get rid of
0-length arrays in struct fileIdentDesc") which was merged in
5.15-rc1.
Kernels earlier than 5.15 aren't affected by this issue.

Fixed status
mainline: [c1ad35dd0548ce947d97aaf92f7f2f9a202951cf]
stable/5.15: [9e951f2d85c9430ea8ae0c8448e47e3c234f1580]
stable/5.17: [cfd64b858cb2b56969138df7970cb0b7f2388fb0]

* Updated CVEs

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

Commit a5c68f4 ("secure_seq: use the 64 bits of the siphash for port
offset calculation") was backported to stable/5.10 this week.

Fixed status
mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f,
ca7af0402550f9a0b3316d5f1c30904e42ed257d,
  e9261476184be1abd486c9434164b2acbe0ed6c2,
4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5,
  e8161345ddbb66e449abde10d2fdce93f867eba9]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc,
a5c68f457fbf52c5564ca4eea03f84776ef14e41]
stable/5.15: [1a8ee547da2b64d6a2aedbd38a691578eff14718,
ff01554d8755bdbe2aec2e2cff322d95f328cb89,
  f41f6336bfc43500e4e94ada703cd5aebb91789e,
b763fce193b42048444afd85d066b136288ad2c8,
  4a3eefa399e675c4a5239497832a72733281a20f,
952a238d779eea4ecb2f8deb5004c8f56be79bc9,
  f26c6f9404e1d6f3bfc9780ffba82a01a595d147]
stable/5.17: [6976724355f5fdada89de528730f9a7b4928f2e3,
27003fa8b581098aa9768bc03f82d5654368cb02,
  3a8081f81323e1550c241157244318db166b660e,
c2cef1db8f8aa81330fee4538a1158e1f6fd5bd1,
  01e16c23823a057667feb5cf26ba0c963fef6afd,
e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8,
  5034cbb361e1c447911a15b1d3982d5df7aa17b9]

CVE-2022-1789: KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

5.10, 5.15, and 5.17 were fixed this week.

Fixed status
mainline: [9f46c187e2e680ecd9de7983e4d081c3391acc76]
stable/5.10: [9b4aa0d80b18b9d19e62dd47d22e274ce92cdc95]
stable/5.15: [acd12d16528152b32fa09be2c5ef95047f69af05]
stable/5.17: [19a66796d1f0dd4ce4b05f76d53ce1d0a7dc817d]

CVE-2022-21499: lockdown: also lock down previous kgdb use

5.10, 5.15, and 5.17 were fixed this week.

Fixed status
mainline: [eadb2f47a3ced5c64b23b90fd2a3463f63726066]
stable/5.10: [a8f4d63142f947cd22fa615b8b3b8921cdaf4991]
stable/5.15: [69c5d307dce1560fafcb852f39d7a1bf5e266641]
stable/5.17: [281d356a035132f2603724ee0f04767d70e2e98e]
stable/5.18: [eca56bf0066ef2f1e7be0e3fa7564b85a309872c]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-05-25 23:12 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-05-25 23:12 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 6 new CVEs and 3 updated CVEs were reported.

* New CVEs

CVE-2022-1729: perf: Fix sys_perf_event_open() race against self

CVSS v3 score is not assigned.

Introduced by commit f63a8da ("perf: Fix event->ctx locking") that was
merged in 4.0-rc1.
This race condition bug allows local user privilege escalation.
Setting kernel.perf_event_paranoid >= 3 effectively renders the
vulnerability harmless.

The mainline and stable kernels were fixed.

Fixed status
mainline: [3ac6487e584a1eb54071dbe1212e05b884136704]
stable/4.14: [dee63319e2d1abd5d37a89de046ccf32ca8a8451]
stable/4.19: [6cdd53a49aa7413e53c14ece27d826f0b628b18a]
stable/4.9: [a1466528d8ae5d9a3bb29781f0098fa3476e9e1c]
stable/5.10: [3ee8e109c3c316073a3e0f83ec0769c7ee8a7375]
stable/5.15: [e085354dde254bc6c83ee604ea66c2b36f9f9067]
stable/5.17: [22fb2974224c9836eeaf0d24fdd481fcdaa0aea8]
stable/5.4: [dd0ea88b0a0f913f82500e988ef38158a9ad9885]

CVE-2022-1789: KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

CVSS v3 score is not assigned.

A NULL pointer dereference bug was found in kvm_mmu_invpcid_gva() in
arch/x86/kvm/mmu/mmu.c.
4.4 is vulnerable too. The patch needs to be modified to apply to 4.4.

Fixed status
mainline: [9f46c187e2e680ecd9de7983e4d081c3391acc76]

CVE-2021-33135: A vulnerability in x86/SGX driver which will allow a
local attacker to do local DoS.

CVSS v3 score is 5.5 MEDIUM.

Uncontrolled resource consumption in the Linux kernel drivers for
Intel(R) SGX may allow an authenticated user to potentially enable
denial of service via local access.

This bug was introduced by commit 1728ab5 ("x86/sgx: Add a page
reclaimer"), which was merged in 5.11-rc1. Kernels earlier than
5.11-rc1 aren't affected by this vulnerability.

Fixed status
mainline: [08999b2489b4c9b939d7483dbd03702ee4576d96]
stable/5.15: [ce91f0f023adfc239b44261f6dccb4a883d44d92]

CVE-2022-1786: io_uring: always use original task when preparing req identity

CVSS v3 score is not assigned.

A memory-freeing bug was found in the io_uring module. This bug allows
an attacker to escalate privilege.
The reporter describes that this bug affects 5.10 and 5.11. The
mainline was fixed in commit 4379bf8 ("io_uring: remove io_identity")
which was merged in 5.12-rc1-dontuse.

Fixed status
mainline: [4379bf8bd70b5de6bba7d53015b0c36c57a634ee]
stable/5.10: [29f077d070519a88a793fbc70f1e6484dc6d9e35]

CVE-2022-1836: floppy: disable FDRAWCMD by default

CVSS v3 score is not assigned.

A UAF bug was found in the floppy driver. This bug potentially leads
to local DoS or a kernel information leak.
The mainline and all stable kernels were fixed.

Fixed status
mainline: [233087ca063686964a53c829d547c7571e3f67bf]
stable/4.14: [b7fa84ae1171a3c5ea5d710899080a6e63cfe084]
stable/4.19: [0e535976774504af36fab1dfb54f3d4d6cc577a9]
stable/4.9: [0dd02ff72c6daf4e7800fb5dd1109fbacdde97dc]
stable/5.10: [54c028cfc49624bfc27a571b94edecc79bbaaab4]
stable/5.15: [e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3]
stable/5.17: [d91ca05d52fabf68c0376bcfeed1a52be68a8e1b]
stable/5.4: [7dea5913000c6a2974a00d9af8e7ffb54e47eac1]

CVE-2022-21499: lockdown: also lock down previous kgdb use

CVSS v3 score is not assigned.

Using gdb or kgdb, it is possible to read/write kernel memory even
though the lockdown feature is enabled.
The lockdown feature was introduced in 5.4. Kernels earlier than 5.4
aren't affected by this issue.

The mainline and all stable kernels were fixed.

Fixed status
mainline: [eadb2f47a3ced5c64b23b90fd2a3463f63726066]
stable/5.15: [69c5d307dce1560fafcb852f39d7a1bf5e266641]
stable/5.17: [281d356a035132f2603724ee0f04767d70e2e98e]

* Updated CVEs

CVE-2022-0854: swiotlb information leak with DMA_FROM_DEVICE

4.19 and 5.10 were fixed this week.

Fixed status
mainline: [ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e,
aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13]
stable/4.19: [8d9ac1b6665c73f23e963775f85d99679fd8e192,
06cb238b0f7ac1669cb06390704c61794724c191]
stable/5.10: [d4d975e7921079f877f828099bb8260af335508f,
f3f2247ac31cb71d1f05f56536df5946c6652f4a]
stable/5.15: [7403f4118ab94be837ab9d770507537a8057bc63,
2c1f97af38be151527380796d31d3c9adb054bf9]
stable/5.16: [270475d6d2410ec66e971bf181afe1958dad565e,
62b27d925655999350d0ea775a025919fd88d27f]

CVE-2022-1652: A concurrency use-after-free in bad_flp_intr

All stable kernels were fixed this week.

Fixed status
mainline: [f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8]
stable/4.14: [dc650d53bad770f169e498f1231671c51b0b321d]
stable/4.19: [3392d8711ad9e5b688999c948fd36d798c0d075d]
stable/4.9: [2adafe1c646b462c755e99216f966927eec96059]
stable/5.10: [911b36267855501f7f80a75927c128c0ac03fe58]
stable/5.15: [fc2bee93e31bbba920e9eeba76af72264ced066f]
stable/5.17: [88887ced7803132ed357a42d050560a2fb5c7ce6]
stable/5.4: [67e2b62461b5d02a1e63103e8a02c0bca75e26c7]

CVE-2022-28893: SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

5.4 was fixed this week. The mainline and all stable kernels were fixed.

Fixed status
mainline: [f00432063db1a0db484e85193eccc6845435b80e]
stable/5.10: [e68b60ae29de10c7bd7636e227164a8dbe305a82]
stable/5.15: [54f6834b283d9b4d070b0639d9ef5e1d156fe7b0]
stable/5.16: [7a0921a23cae42e9fa5ce964f6907181b6dc80d8]
stable/5.17: [d21287d8a4589dd8513038f887ece980fbc399cf]
stable/5.4: [2f8f6c393b11b5da059b1fc10a69fc2f2b6c446a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-05-19  0:21 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-05-19  0:21 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week, 9 new CVEs and 10 updated CVEs were reported.

* New CVEs

CVE-2022-0171: KVM: cache incoherence issue in SEV API may lead to kernel crash

CVSS v3 score is not assigned.

A bug was found in the KVM SEV API that lets non-root users crash the
host kernel by creating a confidential guest VM instance on an AMD CPU
that supports AMD's SEV.

Introduced by commit f980f9c ("x86/sev-es: Compile early handler code
into kernel image") which was merged in 5.10-rc1.
Kernel versions less than 5.10 are not affected.

Fixed status

mainline: [683412ccf61294d727ead4a73d97397396e69a6b]

CVE-2022-1247: kernel: A race condition bug in rose_connect()

CVSS v3 score is not assigned.

A race condition bug was found in the rose driver (Amateur Radio X.25
PLP (Rose)).
No CIP member enables CONFIG_ROSE.

Fixed status

Not fixed yet.

CVE-2022-1679: Use-After-Free in ath9k_htc_probe_device() could cause
an escalation of privileges

CVSS v3 score is not assigned.

A UAF bug was found in ath9k_htc_probe_device() in the ath9k driver.
This vulnerability allows a local attacker to crash the system or
potentially escalate their privileges on the system.
A patch is available (https://lore.kernel.org/lkml/87ilqc7jv9.fsf@kernel.org/t/)
but not merged into the mainline yet.

This issue was introduced by commit fb9987d ("ath9k_htc: Support for
AR9271 chipset.") which was merged in 2.6.35-rc1.

Fixed status

Not fixed yet.

CVE-2022-30594: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
PTRACE_SEIZE

CVSS v3 score is not assigned.

A missing permission check bug was found in the seccomp module when
using the PTRACE_SEIZE flag.
This bug was introduced by commit 13c4a90 ("seccomp: add ptrace
options for suspend/resume") that was merged in 4.3-rc1.

Fixed status

mainline: [ee1fee900537b5d9560e9f937402de5ddc8412f3]
stable/4.14: [f1442ed84c43610ca8ab77deb9ca991e7354746c]
stable/4.19: [b1f438f872dcda10a79e6aeaf06fd52dfb15a6ab]
stable/4.9: [4f96b94a8342fac058117962f1a76fc7ebd1c245]
stable/5.10: [5a41a3033a9344d7683340e3d83f5435ffb06501]
stable/5.15: [b6d75218ff65f4d63c9cf4986f6c55666fb90a1a]
stable/5.17: [4d51bbc8a3799febf50471eb6888b1b58e87111e]
stable/5.4: [2458ecd21f29a3e5571d7d97764c043083deed5e]

CVE-2022-1734: nfc: nfcmrvl: main: reorder destructive operations in
nfcmrvl_nci_unregister_dev to avoid bug

CVSS v3 score is not assigned.

A bug in the ordering of destructive operations was found in the nfc
module, which leads to double free/UAF/NULL pointer dereference bugs.
This bug was introduced by commit 194c68 ("NFC: nfcmrvl: add firmware
download support") that was merged in 4.4.
No CIP member enables CONFIG_NFC_MRVL.

Fixed status

mainline: [d270453a0d9ec10bb8a802a142fb1b3601a83098]
stable/4.14: [ced30680fb1c7c1daae39a9384d23cd1a022585f]
stable/4.19: [b266f492b2af82269aaaab871ac3949420ae678c]
stable/4.9: [4721695be941626e4b18b89e0641e36fc385cfd8]
stable/5.10: [1961c5a688edb53fe3bc25cbda57f47adf12563c]
stable/5.15: [b8f2b836e7d0a553b886654e8b3925a85862d2eb]
stable/5.17: [f4bfbac45121c8638db5eacb1ebbb61ee956c668]
stable/5.4: [33d3e76fc7a7037f402246c824d750542e2eb37f]

CVE-2022-29581: net/sched: cls_u32: fix netns refcount changes in u32_change()

CVSS v3 score is 7.8 HIGH.

An improper reference count update bug was found in the net/sched
module. This bug allows a local attacker to cause privilege escalation.

The mainline, CIP kernels, and stable kernels were fixed.
This bug was introduced by commit 35c55fc156d8 ("cls_u32: use
tcf_exts_get_net() before call_rcu()") in 4.14.

Fixed status

mainline: [3db09e762dc79584a69c10d74a6b98f89a9979f8]
stable/4.14: [0511cdd41a03ab396602dded4e778c5edcd8dcd1]
stable/4.19: [75b0cc7904da7b40c6e8f2cf3ec4223b292b1184]
stable/5.10: [43ce33a68e2bcc431097e1075aad5393d0bf53ba]
stable/5.15: [ba9e9a794fd1689bf7e8a7452c55f3d3cbda7728]
stable/5.17: [64c87076791198b23da730186b0c141d9a6ce80c]
stable/5.4: [5a4f3eba211a532b2eb5045102ad3ceea5e9f0f9]

CVE-2022-1116: Integer Overflow or Wraparound vulnerability in io_uring

CVSS v3 score is 7.8 HIGH.

This bug is a 5.4 kernel-specific issue. The commit cac68d1
("io_uring: grab ->fs as part of async offload") introduced this
issue.

Fixed status

stable/5.4: [1a623d361ffe5cecd4244a02f449528416360038]

CVE-2022-1671: A NULL pointer dereference flaw was found in
rxrpc_preparse_s in net/rxrpc/server_key.c

CVSS v3 score is not assigned.

A NULL pointer dereference bug was found in rxrpc_preparse_s() in
net/rxrpc/server_key.c. This bug allows a local attacker to crash the
system or leak internal kernel information.

This vulnerability was introduced by commit 12da59f ("rxrpc: Hand
server key parsing off to the security class") which was merged in
5.11-rc1. Linux kernel versions less than 5.11 are not affected.

Fixed status

mainline: [ff8376ade4f668130385839cef586a0990f8ef87]
stable/5.15: [432297011caf71dbc95c3365a65adf365e79aff3]
stable/5.17: [4e1f670e1b440dc783dbeb881d575bca31474f73]

* Updated CVEs

CVE-2021-26401: The speculative execution window of AMD LFENCE/JMP
mitigation (MITIGATION V2-2) may be large enough to be exploited on
AMD CPUs.

Added more patches to mainline, 4.19, 4.9, and 5.10.

Fixed status

mainline: [244d00b5dd4755f8df892c86cab35fb2cfd4f14b,
e9b6013a7ce31535b04b02ba99babefe8a8599fa,
  eafd987d4a82c7bb5aa12f0e3b4f8f3dea93e678,
0de05d056afdb00eca8c7bbb0c79a3438daf700c]
stable/4.14: [85938688be23ecd36a06757096896b2779b80d97]
stable/4.19: [d3cb3a6927222268a10b2f12dfb8c9444f7cc39e,
c034d344e733a3ac574dd09e39e911a50025c607,
  8bfdba77595aee5c3e83ed1c9994c35d6d409605,
9711b12a3f4c0fc73dd257c1e467e6e42155a5f1]
stable/4.9: [b6a1aec08a84ccb331ce526c051df074150cf3c5,
0db1c4307aded2c5e618654f9341a249e0c1051f,
  8edabefdc13294a9b15671937d165b948cf34d69,
0753760184745250e39018bb25ba77557390fe91]
stable/5.10: [2fdf67a1d215574c31b1a716f80fa0fdccd401d7,
e335384560d1e106b609e8febd7e0427075a8938,
  cc9e3e55bde71b2fac1494f503d5ffc560c7fb8d,
d04937ae94903087279e4a016b7741cdee59d521]
stable/5.15: [a56566d7a957c34811384d6300a53a97be94cd20]
stable/5.4: [b1bacf22a847d21a12900bd6a1eacaecb5bca253]

CVE-2022-0494: block-map: add __GFP_ZERO flag for alloc_page in
function bio_copy_kern

5.10 and 5.4 were fixed this week.

Fixed status

mainline: [cc8f7fe1f5eab010191aa4570f27641876fa1267]
stable/5.10: [a439819f4797f0846c7cffa9475f44aef23c541f]
stable/5.15: [a1ba98731518b811ff90009505c1aebf6e400bc2]
stable/5.16: [f8c61361a4f52c2a186269982587facc852dba62]
stable/5.4: [c7337efd1d11acb6f84c68ffee57d3f312e87b24]

CVE-2022-1048: race condition in snd_pcm_hw_free leading to use-after-free

5.4 was fixed this week.

Fixed status

mainline: [92ee3c60ec9fe64404dc035e7c41277d74aa26cb,
dca947d4d26dbf925a64a6cfb2ddbc035e831a3d,
 3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0,
69534c48ba8ce552ce383b3dfdb271ffe51820c3]
stable/5.10: [0f6947f5f5208f6ebd4d76a82a4757e2839a23f8,
8527c8f052fb42091c6569cb928e472376a4a889,
  a38440f006974e693f92a1ea10f819eccc4dcc37,
b560d670c87d7d40b3cf6949246fa4c7aa65a00a]
stable/5.15: [33061d0fba51d2bf70a2ef9645f703c33fe8e438,
47711ff10c7e126702cfa725f6d86ef529d15a5f,
  cb6a39c5ebd0a125c420c5a10999813daaece019,
51fce708ab8986a9879ee5da946a2cc120f1036d]
stable/5.16: [0090c13cbbdffd7da079ac56f80373a9a1be0bf8,
4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5,
  e1ff3a347ed1531eec40a24c47eab15f0efbf835,
a21d2f323b5a978dedf9ff1d50f101f85e39b3f2]
stable/5.17: [1bbf82d9f961414d6c76a08f7f843ea068e0ab7b,
dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03,
  e9d05532252ec41d000021d3cf40f3a2084fd5f9,
5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6]
stable/5.4: [fbeb492694ce0441053de57699e1e2b7bc148a69,
08d1807f097a63ea00a7067dad89c1c81cb2115e,
  2a559eec81acf4836d190d32b1e965d0c587c7ae,
37b12c16beb6f6c1c3c678c1aacbc46525c250f7]

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev

4.14 was fixed this week.

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
  81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.14: [eaa816a86e629cbcc0a94f38391fee09231628c7,
feb3d627facbf5df5cc0fc3dd4b64c5b8cb7ceff,
  1a15c23af256aacd9284194bee4c9327ce657ff9,
a7b0ae2cc486fcb601f9f9d87d98138cc7b7f7f9]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59,
  9d2a1b180f0d5fdf0844cb4c740fafd67bebb9d2,
3befa9b67f2205f10c3b01cc687672e3969be569]
stable/4.9: [8a1a314965a17c62084a056b4f2cb7a770854c90,
83ba6ec97c74fb1a60f7779a26b6a94b28741d8a]
stable/5.10: [450121075a6a6f1d50f97225d3396315309d61a1,
7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca,
  80a4df14643f78b14f1e8e2c7f9ca3da41b01654,
cfa98ffc42f16a432b77e438e2fefcdb942eeb04]
stable/5.15: [cb6c99aedd2c843056a598a8907a6128cb07603b,
c799c18a287e024e1c885da329aad8f719b255c3,
  9873fe0f3857c500fa21f92fe43b2a177e8de208,
03d00f7f1815ec00dab5035851b3de83afd054a8]
stable/5.4: [ef5f7bfa19e3fc366f4c6d1a841ceaddf7a9f5d4,
7361a35bf33064da203e521357acc4fccb8927e5,
  c9af90f0c6b8c461426abfe50f495dc5608399ba,
a5c6a13e9056d87805ba3042c208fbd4164ad22b]

CVE-2022-1419: drm/vgem: Close use-after-free race in vgem_gem_create

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [4b848f20eda5974020f043ca14bacf7a7e634fc8]
stable/4.14: [d2b8e8fbac9f175388d2808ade90d86402642b01]
stable/4.19: [df2c1f38939aabb8c6beca108f08b90f050b9ebc]
stable/5.4: [3ea7f138cec139be98f8bb9fc1a6b432003f834e]

CVE-2021-39713: locking issue in net/sched module

4.9 was fixed this week.

Fixed status

mainline: [e368fdb61d8e7c67ac70791b23345b26d7bbc661,
9d7e82cec35c027756ec97e274f878251f271181,
  3a7d0d07a386716b459b00783b11a8211cefcc0f,
86bd446b5cebd783187ea3772ff258210de77d99,
  6f99528e9797794b91b43321fbbc93fe772b0803]
stable/4.19: [ae214e04b95ff64a4b0e9aab6742520bfde6ff0c,
da1d324088c40fa0a382224c466175fc5c704106,
  f602ed9f8574512e7ea1ab65c3db7ba71053bf27,
92833e8b5db6c209e9311ac8c6a44d3bf1856659,
  cd25f1099284a0cbe916344fc1e6c1ffed6c5306]
stable/4.9: [2b29404f4eea7da878a8a8c5b301d9adf6f56d55]

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

The mainline was fixed this week. Fixed in the mainline in 5.18-rc6.
This issue was introduced by commit 7cd23e5 ("secure_seq: use SipHash
in place of MD5") which was merged in 4.11-rc1.

Added fixed commits to 4.19, 5.10, 5.15, and 5.17 this week.

Fixed status

mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f,
ca7af0402550f9a0b3316d5f1c30904e42ed257d,
  e9261476184be1abd486c9434164b2acbe0ed6c2,
4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5,
  e8161345ddbb66e449abde10d2fdce93f867eba9]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc]
stable/5.15: [1a8ee547da2b64d6a2aedbd38a691578eff14718,
ff01554d8755bdbe2aec2e2cff322d95f328cb89,
  f41f6336bfc43500e4e94ada703cd5aebb91789e,
b763fce193b42048444afd85d066b136288ad2c8,
  4a3eefa399e675c4a5239497832a72733281a20f,
952a238d779eea4ecb2f8deb5004c8f56be79bc9,
  f26c6f9404e1d6f3bfc9780ffba82a01a595d147]
stable/5.17: [6976724355f5fdada89de528730f9a7b4928f2e3,
27003fa8b581098aa9768bc03f82d5654368cb02,
  3a8081f81323e1550c241157244318db166b660e,
c2cef1db8f8aa81330fee4538a1158e1f6fd5bd1,
  01e16c23823a057667feb5cf26ba0c963fef6afd,
e3ee7bb47d6509c3e8a3e96e5d8e3bf21549b6e8,
  5034cbb361e1c447911a15b1d3982d5df7aa17b9]

CVE-2022-1048: race condition in snd_pcm_hw_free leading to use-after-free

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [92ee3c60ec9fe64404dc035e7c41277d74aa26cb,
dca947d4d26dbf925a64a6cfb2ddbc035e831a3d,
  3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0,
69534c48ba8ce552ce383b3dfdb271ffe51820c3]
stable/4.14: [a42aa926843acca96c0dfbde2e835b8137f2f092,
73867cb2bc7dfa7fbd219e53a0b68d253d8fda09,
  a1d54f97da10f7eea4817d8aae09cf20c40fa111,
e7786c445bb67a9a6e64f66ebd6b7215b153ff7d]
stable/4.19: [9cb6c40a6ebe4a0cfc9d6a181958211682cffea9,
b3830197aa7413c65767cf5a1aa8775c83f0dbf7,
  47cef5937a43a412405ea54ad6e0a91d2890493e,
e14dca613e0a6ddc2bf6e360f16936a9f865205b]
stable/5.10: [0f6947f5f5208f6ebd4d76a82a4757e2839a23f8,
8527c8f052fb42091c6569cb928e472376a4a889,
  a38440f006974e693f92a1ea10f819eccc4dcc37,
b560d670c87d7d40b3cf6949246fa4c7aa65a00a]
stable/5.15: [33061d0fba51d2bf70a2ef9645f703c33fe8e438,
47711ff10c7e126702cfa725f6d86ef529d15a5f,
  cb6a39c5ebd0a125c420c5a10999813daaece019,
51fce708ab8986a9879ee5da946a2cc120f1036d]
stable/5.16: [0090c13cbbdffd7da079ac56f80373a9a1be0bf8,
4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5,
  e1ff3a347ed1531eec40a24c47eab15f0efbf835,
a21d2f323b5a978dedf9ff1d50f101f85e39b3f2]
stable/5.17: [1bbf82d9f961414d6c76a08f7f843ea068e0ab7b,
dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03,
  e9d05532252ec41d000021d3cf40f3a2084fd5f9,
5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6]
stable/5.4: [fbeb492694ce0441053de57699e1e2b7bc148a69,
08d1807f097a63ea00a7067dad89c1c81cb2115e,
  2a559eec81acf4836d190d32b1e965d0c587c7ae,
37b12c16beb6f6c1c3c678c1aacbc46525c250f7]

CVE-2022-28893: SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

5.10 and 5.15 were fixed this week. All stable kernels are fixed.

Fixed status

mainline: [f00432063db1a0db484e85193eccc6845435b80e]
stable/5.10: [e68b60ae29de10c7bd7636e227164a8dbe305a82]
stable/5.15: [54f6834b283d9b4d070b0639d9ef5e1d156fe7b0]
stable/5.16: [7a0921a23cae42e9fa5ce964f6907181b6dc80d8]
stable/5.17: [d21287d8a4589dd8513038f887ece980fbc399cf]

CVE-2022-1652: A concurrency use-after-free in bad_flp_intr

A UAF bug in the floppy driver. The mainline was fixed this week.

Fixed status

mainline: [f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 93+ messages in thread
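The weekly reports in this thread list fix commits per branch in a fixed layout ("Fixed status", then one "branch: [sha, sha, ...]" list per branch, possibly wrapped over several lines, or "Not fixed yet."). As an added example, not part of the report or of the cip-dev thread, here is a small parser for that layout plus a check that a given tree actually contains the listed fixes. The sample text is an excerpt in the report's own format, with hashes taken from the reports above; `has_commit` is a caller-supplied oracle, so wrapping `git merge-base --is-ancestor` is assumed rather than shown, and the in-memory "tree" used at the bottom is constructed.

```python
"""Parse the weekly CIP CVE report format and answer "is CVE X fixed on branch Y?".

Added example, not code from the cip-dev reports. SAMPLE is an excerpt in the
report's own format; the commit hashes are the ones the reports list.
"""
import re
from typing import Callable, Dict, List

Report = Dict[str, Dict[str, List[str]]]   # cve -> branch -> fix commits

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*:")
BRANCH_RE = re.compile(r"^(mainline|(?:stable|cip)/\d+\.\d+)\s*:\s*\[(.*)$")
SHA_RE = re.compile(r"\b[0-9a-f]{40}\b")   # only full commit ids count as fix references

# Constructed sample in the report's format (excerpt, hashes as listed in the reports).
SAMPLE = """\
CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

This issue was introduced by commit 7cd23e5 ("secure_seq: use SipHash
in place of MD5") which was merged in 4.11-rc1.

Fixed status

mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3,
9e9b70ae923baf2b5e8a0ea4fd0c8451801ac526,
  4dfa9b438ee34caca4e6a4e5e961641807367f6f]
stable/4.19: [abcf4e1277d169b82dd7ee290006487ed16016ce]
stable/5.10: [d254309aab27fdcdc68e6bc9c663e51f3e7b37dc]

CVE-2022-28893: SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

Fixed status

mainline: [f00432063db1a0db484e85193eccc6845435b80e]
stable/5.10: [e68b60ae29de10c7bd7636e227164a8dbe305a82]

CVE-2022-1652: A concurrency use-after-free in bad_flp_intr

Fixed status

Not fixed yet.
"""


def parse_report(text: str) -> Report:
    """Collect, per CVE, the fix commits listed under each branch.

    A bracketed commit list may span several lines, so it is buffered until
    its closing ']' is seen. Short hashes quoted in prose (7cd23e5) are
    ignored. Several weekly reports can be concatenated: later lists extend
    earlier ones without duplicating commits.
    """
    report: Report = {}
    cve = None
    branch = None
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if branch is None:
            m = CVE_RE.match(line)
            if m:
                cve = m.group(1)
                report.setdefault(cve, {})
                continue
            if cve is None:
                continue
            m = BRANCH_RE.match(line)
            if not m:
                continue
            branch, buf = m.group(1), m.group(2)
        else:
            buf += " " + line            # continuation of a wrapped list
        if "]" in buf:
            commits = report[cve].setdefault(branch, [])
            for sha in SHA_RE.findall(buf.split("]", 1)[0]):
                if sha not in commits:
                    commits.append(sha)
            branch, buf = None, ""
    return report


def unfixed_on(report: Report, branch: str) -> List[str]:
    """CVEs for which the report lists no fix commit on `branch` at all."""
    return sorted(c for c, fixes in report.items() if branch not in fixes)


def missing_in_tree(report: Report, branch: str,
                    has_commit: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Fix commits listed for `branch` that the caller's tree does not contain.

    `has_commit` is injected (for a real tree: a wrapper around
    `git merge-base --is-ancestor <sha> <ref>`), so the check runs offline here.
    """
    missing: Dict[str, List[str]] = {}
    for cve, fixes in report.items():
        absent = [sha for sha in fixes.get(branch, []) if not has_commit(sha)]
        if absent:
            missing[cve] = absent
    return missing


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    # Constructed stand-in for a stable/5.10 tree that carries only the SUNRPC fix.
    tree = {"e68b60ae29de10c7bd7636e227164a8dbe305a82"}
    print("no fix listed for stable/4.19:", unfixed_on(parsed, "stable/4.19"))
    print("listed for stable/5.10 but absent from tree:",
          missing_in_tree(parsed, "stable/5.10", tree.__contains__))
```

A CVE that is absent from `unfixed_on()` is not necessarily safe on that branch: the report may list the commit while the tree you ship has not pulled it yet, which is what `missing_in_tree()` is for, and a CVE that never had a branch entry may simply not affect that branch (the reports note such cases in prose, e.g. "4.4 isn't affected").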

* New CVE entries this week
@ 2022-05-12  0:15 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-05-12  0:15 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 2 updated CVEs.
There were no critical vulnerabilities this week.

* New CVEs

CVE-2021-26401: The speculative execution window of AMD LFENCE/JMP
mitigation (MITIGATION V2-2) may be large enough to be exploited on
AMD CPUs.

CVSS v3 score is 5.6 MEDIUM.

The mitigation for CVE-2017-5715 (Spectre Variant 2) wasn't sufficient on some AMD CPUs.
Affected CPUs are listed on the web
page(https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036).

All stable kernels have fixed this issue. cip/4.19 and cip/5.10 have
been fixed too.

Fixed status

mainline: [244d00b5dd4755f8df892c86cab35fb2cfd4f14b]
stable/4.14: [85938688be23ecd36a06757096896b2779b80d97]
stable/4.19: [d3cb3a6927222268a10b2f12dfb8c9444f7cc39e]
stable/4.9: [b6a1aec08a84ccb331ce526c051df074150cf3c5]
stable/5.10: [2fdf67a1d215574c31b1a716f80fa0fdccd401d7]
stable/5.15: [a56566d7a957c34811384d6300a53a97be94cd20]
stable/5.4: [b1bacf22a847d21a12900bd6a1eacaecb5bca253]

CVE-2022-1012: secure_seq: use the 64 bits of the siphash for port
offset calculation

CVSS v3 score is not assigned.

A memory leak issue was found in secure_ipv4_port_ephemeral() and
secure_ipv6_port_ephemeral().
Commit 7cd23e5 ("secure_seq: use SipHash in place of MD5") is
referenced as the cause of this bug. This commit was merged in
4.11-rc1.
This bug was fixed in 5.18-rc6.

Fixed status

mainline: [b2d057560b8107c633b39aabe517ff9d93f285e3]

CVE-2022-1651: virt: acrn: fix a memory leak in acrn_dev_ioctl() in
drivers/virt/acrn/hsm.c.

CVSS v3 score is not assigned.

A memory leak bug was found in acrn_dev_ioctl().
Commits 9c5137a ("virt: acrn: Introduce VM management interfaces") and
2ad2aae ("virt: acrn: Introduce an ioctl to set vCPU registers state")
are the cause of this issue. Both commits were merged in 5.12-rc1-dontuse.

This bug was fixed in 5.18-rc1.

Fixed status

mainline: [ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b]
stable/5.15: [1d5103d9bb7d42fc220afe9f01ec6b9fe0ea5773]
stable/5.17: [f8e6e18d117e461110c849a11c6a396dcccdbd4e]

CVE-2022-1652: A concurrency use-after-free in bad_flp_intr

CVSS v3 score is not assigned.

A UAF bug was found in the floppy driver. After an object is freed in
floppy_end_request(), reset_interrupt() still holds the freed object.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev

5.4 kernel was fixed this week.

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
  81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59,
  9d2a1b180f0d5fdf0844cb4c740fafd67bebb9d2,
3befa9b67f2205f10c3b01cc687672e3969be569]
stable/4.9: [8a1a314965a17c62084a056b4f2cb7a770854c90,
83ba6ec97c74fb1a60f7779a26b6a94b28741d8a]
stable/5.10: [450121075a6a6f1d50f97225d3396315309d61a1,
7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca,
  80a4df14643f78b14f1e8e2c7f9ca3da41b01654,
cfa98ffc42f16a432b77e438e2fefcdb942eeb04]
stable/5.15: [cb6c99aedd2c843056a598a8907a6128cb07603b,
c799c18a287e024e1c885da329aad8f719b255c3,
  9873fe0f3857c500fa21f92fe43b2a177e8de208,
03d00f7f1815ec00dab5035851b3de83afd054a8]
stable/5.4: [ef5f7bfa19e3fc366f4c6d1a841ceaddf7a9f5d4,
7361a35bf33064da203e521357acc4fccb8927e5,
  c9af90f0c6b8c461426abfe50f495dc5608399ba,
a5c6a13e9056d87805ba3042c208fbd4164ad22b]

CVE-2022-29968: io_uring: fix uninitialized field in rw io_kiocb

5.17 was fixed this week.

Fixed status

mainline: [32452a3eb8b64e01e2be717f518c0be046975b9d]
stable/5.17: [77089e6ff273f43c42e99a690ae45ee39a6a62de]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-05-04 22:53 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-05-04 22:53 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs and 2 updated CVEs.
There were no critical vulnerabilities this week.

* New CVEs

CVE-2022-1508: io_uring: reexpand under-reexpanded iters

CVSS v3 score is not provided

An OOB read bug was reported by KASAN. A local attacker can read some
memory through this bug.
Since io_uring was introduced in 5.1, kernels below this version will
not be affected.
This vulnerability was fixed in 5.15-rc1.

Fixed status

mainline: [89c2b3b74918200e46699338d7bcc19b1ea12110,
2112ff5ce0c1128fe7b4d19cfe7f2b8ce5b595fa]

CVE-2022-29968: io_uring: fix uninitialized field in rw io_kiocb

CVSS v3 score is not provided

This bug was introduced by commit 3e08773 ("block: switch polling to
be bio based") which was merged in 5.16-rc1. Therefore earlier than
5.16 kernels aren't affected by this issue.

Fixed status

mainline: [32452a3eb8b64e01e2be717f518c0be046975b9d]

CVE-2022-1516: net/x25: Fix null-ptr-deref caused by x25_disconnect

CVSS v3 score is not provided

A null pointer dereference bug was found in x25_disconnect(). This bug
was introduced by commit 4becb7e ("net/x25: Fix x25_neigh refcnt leak
when x25 disconnect"). This patch was backported to 4.4, so the 4.4
kernel is affected by this issue.
No CIP members enable CONFIG_X25.

Fixed status

mainline: [7781607938c8371d4c2b243527430241c62e39c2]
stable/4.14: [858642789ada1b48630f322e59416ca9fca3e6b7]
stable/4.19: [4c240c5a105557e4546d0836e694868f22fd09b0]
stable/4.9: [dffc859d1d9560da594e4282091781b8d2715f00]
stable/5.10: [5c94b6205e87411dbe9dc1ca088eb36b8837fb47]
stable/5.15: [409570a619c1cda2e0fde6018a256b9e3d3ba0ee]
stable/5.17: [671529db75e6be777bb1c76aa07c2bdd2992be6d]
stable/5.4: [9acf05b4e7b55fdb712ef7b331dbce5bcd391d0f]

CVE-2022-20008: mmc: block: fix read single on recovery logic

CVSS v3 score is not provided

An information disclosure vulnerability was found in the mmc driver.
This vulnerability was introduced by 8119697 ("mmc: block: Add blk-mq
support") that was merged in 4.16-rc1.

Fixed status

mainline: [54309fde1a352ad2674ebba004a79f7d20b9f037]
stable/4.19: [c91b06297563e84ac072464fe6cc141cc15435f0]
stable/5.10: [ab2b4e65a130d67478bd5b35ca9004b2075805fa]

* Updated CVEs

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack( mkiss.c) after unregister_netdev

Commit 9d2a1b1 ("hamradio: defer 6pack kfree after unregister_netdev")
and 3befa9b ("hamradio: remove needs_free_netdev to avoid UAF") were
added to 4.19.

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
    81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59,
  9d2a1b180f0d5fdf0844cb4c740fafd67bebb9d2,
3befa9b67f2205f10c3b01cc687672e3969be569]
stable/4.9: [8a1a314965a17c62084a056b4f2cb7a770854c90,
83ba6ec97c74fb1a60f7779a26b6a94b28741d8a]
stable/5.10: [450121075a6a6f1d50f97225d3396315309d61a1,
7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca,
  80a4df14643f78b14f1e8e2c7f9ca3da41b01654,
cfa98ffc42f16a432b77e438e2fefcdb942eeb04]
stable/5.15: [cb6c99aedd2c843056a598a8907a6128cb07603b,
c799c18a287e024e1c885da329aad8f719b255c3,
  9873fe0f3857c500fa21f92fe43b2a177e8de208,
03d00f7f1815ec00dab5035851b3de83afd054a8]

CVE-2022-0500: kernel: Linux ebpf logic vulnerability leads to
critical memory read and write gaining root privileges

stable/5.15 was fixed this week.

Fixed status

mainline: [20b2aff4bc15bda809f994761d5719827d66c0b4,
216e3cd2f28dbbf1fe86848e0e29e6693b9f0a20,
  34d3a78c681e8e7844b43d1a2f4671a04249c821,
3c4807322660d4290ac9062c034aed6b87243861,
  48946bd6a5d695c50b34546864b79c1f910a33c1,
c25b2ae136039ffa820c26138ed4a5e5f3ab3841,
  cf9f2f8d62eca810afbd1ee6cc0800202b000e57]
stable/5.15: [b453361384c2db1c703dacb806d5fd36aec4ceca,
2a77c58726aba893129a369ed3d2be004dda41cd,
  15166bb3000fc8b5faa8fa606eb25d300e6892ef,
3c141c82b95807473d77079936769e04a84e4ca3,
  d58a396fa6c98bde64772c1db715dfca32610597,
8d38cde47a7e17b646401fa92d916503caa5375e,
  b710f73704d61069b2f05358309290551e5a8732]
stable/5.16: [e982070f8970bb62e69ed7c9cafff886ed200349,
4a6c35debbd46d796c81eb3ffcd6c747e76ec7a3,
  199cdd057eb747b36a193ecf96d2452e36643163,
5b33e437dc6a02e3298858ca8591096f36b1421d,
  bcd98af3eb7527f6ba39c976cbcf4454fa1106e1,
77459bc4d5e2c6f24db845780b4d9d60cf82d06a,
  6f6edc4211b379ef6de25d9182148c7ca26ffcfb]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-04-27 23:03 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-04-27 23:03 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 7 updated CVEs.

* New CVEs

CVE-2022-1419: drm/vgem: Close use-after-free race in vgem_gem_create

CVSS v3 score is not provided

Fixed in 5.6-rc2. An attacker must have the privilege to access drm
to abuse this bug.

Fixed status

mainline: [4b848f20eda5974020f043ca14bacf7a7e634fc8]
stable/5.4: [3ea7f138cec139be98f8bb9fc1a6b432003f834e]

CVE-2022-29582: io_uring: fix race between timeout flush and removal

CVSS v3 score is not provided

A race condition causes a UAF bug.
io_uring was introduced in 5.1. 5.4 doesn't have io_flush_timeouts(),
so 5.4 may not be affected by this issue.

Fixed status

mainline: [e677edbcabee849bfdd43f1602bccbecf736a646]
stable/5.10: [2827328e646d0c2d3db1bfcad4b5f5016ce0d643]
stable/5.15: [ba7261af2b030ab2c06189be1fc77b273716839f]
stable/5.17: [11cd7959400258beb1dc17c8680055966263f316]

* Updated CVEs

CVE-2022-1263: KVM: avoid NULL pointer dereference in kvm_dirty_ring_push

The mainline, 5.15, and 5.17 were fixed this week.

This bug was introduced by commit fb04a1e ("KVM: X86: Implement
ring-based dirty memory tracking") so all stable kernels were fixed.

Fixed status

mainline: [5593473a1e6c743764b08e3b6071cb43b5cfa6c4]
stable/5.15: [226b4327ef5c88572fc12187193f1b5073c10837]
stable/5.17: [e8d7f0dad29e634e26d4614cfbd081514c16e042]

CVE-2022-0812: NFS over RDMA random memory leakage

This bug was introduced in 4.7-rc1 by 302d3de ("xprtrdma: Prevent
inline overflow"), then fixed in 5.8-rc6.
4.4 isn't affected by this issue.

Fixed status

mainline: [912288442cb2f431bf3c8cb097a5de83bc6dbac1]
stable/5.4: [c8a4452da9f4b09c28d904f70247b097d4c14932]

CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
9fd75b66b8f68498454d685dc4ba13192ae069b0,
  5352a761308397a0e6250fdc629bb3f615b94747]
stable/4.14: [ef0a2a0565727a48f2e36a2c461f8b1e3a61922d,
9f444dedb486b9e184bd774caebbd09733ccf859,
  b8c07f33aa35dacf5444e7053ed9662d1869f536,
c44a453ffe16eb08acdc6129ac4fa0192dbc0456,
  62accd4682d1d85290a9859091d201e6a4701205]
stable/4.19: [e2b558fe507a1ed4c43db2b0057fc6e41f20a14c,
a518be5772d36fcd0e4815d156e06feb137aad82,
  b1e0a6fc7f17500484c402ad1cd018c24dfc14b3,
de55a1338e6a48ff1e41ea8db1432496fbe2a62b,
  1bf1b2a8a2caf9bc0d3cf1aa903a8dcaaa4371d0]
stable/5.10: [5ea00fc60676c0eebfa8560ec461209d638bca9d,
5ddae8d064412ed868610127561652e90acabeea,
  57cc15f5fd550316e4104eaf84b90fbc640fd7a5,
b20a5ab0f5fb175750c6bafd4cf12daccf00c738,
  a4942c6fea879972a7fee50f7e92e2e10f3fc23e]
stable/5.15: [9af0fd5c4453a44c692be0cbb3724859b75d739b,
bc706d89199b0d8ee5e2229e18fdb9c0720f6ba8,
  b982492ec3a115e0a136856a1b2dbe32f2d21a0e,
452ae92b99062d2f6a34324eaf705a3b7eac9f8b,
  1bf8946d5826788c82971977245bcd3313678eac]
stable/5.17: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
534156dd4ed768e30a43de0036f45dca7c54818f,
  01619aa347d35ac8b79751757784ec6f507a3215]
stable/5.4: [418993bbaafb0cd48f904ba68eeda052d624c821,
1db0b2c55c934a33b6fa4d4a4865f5a5be641344,
  7528d0f2210c3a1154186175516ed37aa970f2b1,
9e1e088a57c23251f1cfe9601bbd90ade2ea73b9,
  eaa7eb23fa76db45f7da1b6192518705863d0ebe]

CVE-2022-1205: Null pointer dereference and use-after-free in
net/ax25/ax25_timer.c

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009,
82e31755e55fbcea6a9dfaae5fe4860ade17cbc0]
stable/4.14: [331210983ba5ce82bf63b827bca0e1c833f293db,
093ab7f96dd3ebaf240fee02d6752c6b0825cc0b]
stable/4.19: [512f09df261b51b088f17d86dbdf300a3492523d,
3082f32c45465b692c314131c2a3657e0c23e09d]
stable/5.10: [f934fa478dd17411bc6884153dc824ff9e7505d8,
5c62d3bf14100a88d30888b925fcb61a8c11c012]
stable/5.15: [43c107021d9160f6a1610bafba6dadc0323ae548,
85f25bb9a0051198af48ac2f3afc9f16f2277114]
stable/5.17: [a45dba71849a963c427637b3330e2ccf098f42d1,
76ff66bb3b22f202c226ddbb0a811f8fb8aab2fa]
stable/5.4: [40cb8b3b19c087a4e20f6740701e53fefbe19a7b,
a83a18c4c9033fb6604c587f52a2d78857cf0ac2]

CVE-2022-28388: can: usb_8dev: usb_8dev_start_xmit(): fix double
dev_kfree_skb() in error path

4.14, 4.19, and 5.4 were fixed this week.

Fixed status

mainline: [3d3925ff6433f98992685a9679613a2cc97f3ce2]
stable/4.14: [a5e2259173eb52a728bbf32e02aa9a388451e614]
stable/4.19: [8eb78da898079c0d7250c32ebf0c35fb81737abe]
stable/5.10: [5318cdf4fd834856ce71238b064f35386f9ef528]
stable/5.15: [f2ce5238904f539648aaf56c5ee49e5eaf44d8fc]
stable/5.16: [3e006cf0fb809815d56e59c9de4486fbe253ccdf]
stable/5.17: [29d6c06168faa23ce23db3321981c8fde576c95c]
stable/5.4: [660784e7194ac2953aebe874c1f75f2441ba3d19]

CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()

4.14 was fixed this week.
Added commit cb18d72 ("ax25: fix NPD bug in ax25_disconnect") to 4.19.

Fixed status

mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
  71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.14: [a509dbde35fa51d140512cbcf50068a84fdb7aad,
0b0ae8b9813b84f73dfcdec197b6455844ae6bf1,
  d03aba820f1549c9f3b1d14bf48fa082663d22b5]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
5ab8de9377edde3eaf1de9872e2f01d43157cd6c,
  cb18d72179bf42a6ccd2b311739017b0ba9bc26e]
stable/4.9: [851901d339b2ba766ffcf754d37a6f52fa07cea2,
cad71f1094834eb69f7ceec8100d300c26b43053]
stable/5.10: [b9a229fd48bfa45edb954c75a57e3931a3da6c5f,
e2201ef32f933944ee02e59205adb566bafcdf91,
  145ea8d213e8f46667cd904ae79d17f298750f00]
stable/5.15: [4c958f0c5714812461da7785393315b35145ac8c,
da6509fba636f7f8b2e902b1e4742fdbf1bf059f,
  46ad629e58ce3a88c924ff3c5a7e9129b0df5659]
stable/5.4: [cfc8b37ef0418529e3719c2d128e59e74a3114b0,
d2be5b563ef391f684592a28440067f4fa3735f4,
  0a64aea5fe023cf1e4973676b11f49038b1f045b]

CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl
and drm_mode_getresources

Fixed in the mainline. Some patches were backported to stable kernels.

The mainline contains the following patches.

b436acd ("drm: Fix use-after-free read in drm_getunique()") was merged
in v5.13-rc6
c336a5e ("drm: Lock pointer access in drm_master_release()") was
merged in v5.13-rc6
869e76f ("drm: avoid circular locks in drm_mode_getconnector") was
merged in v5.15-rc1
5eff958 ("drm: avoid blocking in drm_clients_info's rcu section") was
merged in v5.15-rc1
1f7ef07 ("drm: add a locked version of drm_is_current_master") was
merged in v5.15-rc1
0b0860a ("drm: serialize drm_file.master with a new spinlock") was
merged in v5.15-rc1
56f0729 ("drm: protect drm_master pointers in drm_lease.c") was merged
in v5.15-rc1
28be240 ("drm: use the lookup lock in drm_is_current_master") was
merged in v5.15-rc1
2bc5da5 ("drm/vmwgfx: fix potential UAF in vmwgfx_surface.c") was
merged in v5.15-rc1

The commit 1f7ef07 was reverted in
5.10(https://lore.kernel.org/stable/20210628142607.32218-97-sashal@kernel.org/).
Searching in lore.kernel.org, the commit 869e76f looks as if it isn't
backported to stable kernels.
Searching in lore.kernel.org, the commit 28be240 looks as if it isn't
backported to stable kernels.

Fixed status

mainline: [b436acd1cf7fac0ba987abd22955d98025c80c2b,
c336a5ee984708db4826ef9e47d184e638e29717,
  869e76f7a918f010bd4518d58886969b1f642a04,
5eff9585de220cdd131237f5665db5e6c6bdf590,
  1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb,
0b0860a3cf5eccf183760b1177a1dcdb821b0b66,
  56f0729a510f92151682ff6c89f69724d5595d6e,
28be2405fb753927e18bc1a891617a430b2a0684,
  2bc5da528dd570c5ecabc107e6fbdbc55974276f]
stable/4.19: [7d233ba700ceb593905ea82b42dadb4ec8ef85e9,
a376f7e66b654cb290fa9d16d8dab5bfef744463]
stable/4.9: [8e250a134c8fe2a945d10b421d0ccb54e85d8683]
stable/5.10: [491d52e0078860b33b6c14f0a7ac74ca1b603bd6,
aa8591a58cbd2986090709e4202881f18e8ae30e,
  54e51d288b38377e8cd645a83e1ad08cc9d20ccc,
06a553a99bacb00d3bc25f79e75c8e0fbf7a5025,
  34609faad0c9f9f08d4b59d25c94b78bf5710d93,
d6c91423993e8164ca4162ff046c6437bbd75b53]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-04-21  0:00 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-04-21  0:00 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 11 updated CVEs.

* New CVEs

CVE-2022-1353: af_key: add __GFP_ZERO flag for compose_sadb_supported
in function pfkey_register

CVSS v3 score is not provided

An information leak bug was found in pfkey_register() in
net/key/af_key.c. A local unprivileged user can read internal kernel
memory through this issue.
The patch can be applied to 4.4 without any error. This patch hasn't
been merged to 4.9 as of 2022/04/19.

Fixed status

mainline: [9a564bccb78a76740ea9d75a259942df8143d02c]
stable/4.14: [fcdaaeb7eb5d52941ceb2fdcec0e2170c9bf3031]
stable/4.19: [693fe8af9a2625139de07bd1ae212a7d89c37795]
stable/5.10: [8d3f4ad43054619379ccc697cfcbdb2c266800d8]
stable/5.15: [d06ee4572fd916fbb34d16dc81eb37d1dff83446]
stable/5.4: [ef388db2fe351230ff7194b37d507784bef659ec]

CVE-2022-1184: use-after-free and memory errors in ext4 when mounting
and operating on a corrupted image

CVSS v3 score is not provided

A UAF flaw was found in dx_insert_block() in fs/ext4/namei.c. It
allows a local user to crash the system.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

4.14, 4.19 and 5.4 were fixed this week.

Fixed status

mainline: [1756d7994ad85c2479af6ae5a9750b92324685af,
0d2b5955b36250a9428c832664f2079cbf723bec,
  e57457641613fef0d147ede8bd6a3047df588b95]
stable/4.14: [a70bcf9ed08f3628a9324f054b0e041697b26853,
f1ce7855afe6310f8cd9a472f6d52c872feb578b,
  2337c8257cd2a4f01bef92288458483955605bd1]
stable/4.19: [0bd407959f7d6671ba0617e2dbda3e89d8a0419f,
de37e01dd20e3228b010fe5fbd3e205747481b96,
  74ac12c718e7d3f7eb346ee90a4c9904a8b6b6d2]
stable/5.10: [f28364fe384feffbe7d44b095ef4571285465c47,
824a950c3f1118eb06b1877c49ed1b2eca8e236d,
  4665722d36ad13c6abc6b2ef3fe5150c0a92d870]
stable/5.15: [c6ebc35298848accb5e50c37fdb2490cf4690c92,
50273128d640e8d21a13aec5f4bbce4802f17d7d,
  43fa0b3639c5fd48c96b19d645d0c7ff2327651a]
stable/5.4: [691a0fd625e06c138f7662286a87ffba48773f34,
9bd1ced6466e71dcb08b24b59b8dd87bb2369d07,
  8a887060af61b451c46938149c426defe16add77]

CVE-2022-0854: swiotlb information leak with DMA_FROM_DEVICE

5.4 was fixed this week.

Fixed status

mainline: [ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e,
aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13]
stable/5.10: [d4d975e7921079f877f828099bb8260af335508f]
stable/5.15: [7403f4118ab94be837ab9d770507537a8057bc63,
2c1f97af38be151527380796d31d3c9adb054bf9]
stable/5.16: [270475d6d2410ec66e971bf181afe1958dad565e,
62b27d925655999350d0ea775a025919fd88d27f]

CVE-2022-1011: fuse: fix pipe buffer lifetime for direct_io

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [0c4bcfdecb1ac0967619ee7ff44871d93c08c909]
stable/4.14: [0ab55e14cf5fd40c39109969c8b04a25870f5d1e]
stable/4.19: [99db28212be68030c1db3a525f6bbdce39b039e9]
stable/5.10: [ab5595b45f732212b3b1974041b43a257153edb7]
stable/5.15: [ca62747b38f59d4e75967ebf63c992de8852ca1b]
stable/5.16: [58a9bdff32fde29137731e574b17c42592875fd0]
stable/5.4: [a9174077febfb1608ec3361622bf5f91e2668d7f]

CVE-2022-1158: KVM: x86/mmu: do compare-and-exchange of gPTE via the
user address

5.4 was fixed.

Fixed status

mainline: [2a8859f373b0a86f0ece8ec8312607eacf12485d]
stable/5.10: [e90518d10c7dd59d5ebbe25b0f0083a7dbffa42f]
stable/5.15: [8771d9673e0bdb7148299f3c074667124bde6dff]
stable/5.16: [9a611c57530050dc359a83177c2f97678b1f961e]
stable/5.17: [5051c04d70c6e035c2c923c04fbe015a4468b08d]
stable/5.4: [1553126eccf4fad17afaeaed08db9e5944aa2d55]

CVE-2022-1198: use-after-free in drivers/net/hamradio/6pack.c

4.19 and 5.4 kernels were fixed this week.

Fixed status

mainline: [efe4186e6a1b54bf38b9e05450d43b0da1fd7739]
stable/4.14: [a2793cb58444d4411810cc555eb45b8f4a228018]
stable/4.19: [79e2f40c210a47f283bca352745068207798fbb9]
stable/4.9: [45d1a63bacf2b6ab27f9b11b5a2431e19d34d01f]
stable/5.10: [f67a1400788f550d201c71aeaf56706afe57f0da]
stable/5.15: [3eb18f8a1d02a9462a0e4903efc674ca3d0406d1]
stable/5.16: [4356343fb70c899901bce33acedf4fede797d21f]
stable/5.4: [28c8fd84bea13cbf238d7b19d392de2fcc31331c]

CVE-2022-28389: can: mcba_usb: mcba_usb_start_xmit(): fix double
dev_kfree_skb in error path

4.14, 4.19 and 5.4 were fixed.

Fixed status

mainline: [04c9b00ba83594a29813d6b1fb8fdc93a3915174]
stable/4.14: [cdced1015a63a7f100b5867ebb9a40271f891411]
stable/4.19: [a8bba9fd73775e66b4021b18f2193f769ce48a59]
stable/5.10: [0801a51d79389282c1271e623613b2e1886e071e]
stable/5.15: [37f07ad24866c6c1423b37b131c9a42414bcf8a1]
stable/5.16: [f913412848defa326a155c47d026267624472190]
stable/5.17: [42a4b0dfd365c4f77f96fd1f73a64b47ae443a38]
stable/5.4: [2dfe9422d528630e2ce0d454147230cce113f814]

CVE-2022-28390: can: ems_usb: ems_usb_start_xmit(): fix double
dev_kfree_skb() in error path

4.14, 4.19, 4.9 and 5.4 were fixed this week.

Fixed status

mainline: [c70222752228a62135cee3409dccefd494a24646]
stable/4.14: [29d967c18737ce04f372831c4542e71da1a8d5c8]
stable/4.19: [dec3ed0c76483748268bf36ec278af660b0f80ba]
stable/4.9: [e9c4ee674586ff0b098d17638af719aa56c9c272]
stable/5.10: [b417f9c50586588754b2b0453a1f99520cf7c0e8]
stable/5.15: [459b19f42fd5e031e743dfa119f44aba0b62ff97]
stable/5.16: [41f6be840f138c7d42312d7619a6b44c001d6b6e]
stable/5.17: [3f71f499395545119383f10760b8b19703d2a7dd]
stable/5.4: [e27caad38b59b5b00b9c5228d04c13111229deec]

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev

5.10 and 5.15 kernels were fixed this week.

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
  81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59]
stable/4.9: [8a1a314965a17c62084a056b4f2cb7a770854c90,
83ba6ec97c74fb1a60f7779a26b6a94b28741d8a]
stable/5.10: [450121075a6a6f1d50f97225d3396315309d61a1,
7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca,
  80a4df14643f78b14f1e8e2c7f9ca3da41b01654,
cfa98ffc42f16a432b77e438e2fefcdb942eeb04]
stable/5.15: [cb6c99aedd2c843056a598a8907a6128cb07603b,
c799c18a287e024e1c885da329aad8f719b255c3,
  9873fe0f3857c500fa21f92fe43b2a177e8de208,
03d00f7f1815ec00dab5035851b3de83afd054a8]

CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()

5.10, 5.15, and 5.4 were fixed this week.

Fixed status

mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
  71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
5ab8de9377edde3eaf1de9872e2f01d43157cd6c]
stable/4.9: [851901d339b2ba766ffcf754d37a6f52fa07cea2,
cad71f1094834eb69f7ceec8100d300c26b43053]
stable/5.10: [b9a229fd48bfa45edb954c75a57e3931a3da6c5f,
e2201ef32f933944ee02e59205adb566bafcdf91,
  145ea8d213e8f46667cd904ae79d17f298750f00]
stable/5.15: [4c958f0c5714812461da7785393315b35145ac8c,
da6509fba636f7f8b2e902b1e4742fdbf1bf059f,
  46ad629e58ce3a88c924ff3c5a7e9129b0df5659]
stable/5.4: [cfc8b37ef0418529e3719c2d128e59e74a3114b0,
d2be5b563ef391f684592a28440067f4fa3735f4,
  0a64aea5fe023cf1e4973676b11f49038b1f045b]

CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

5.10, 5.15, and 5.4 were fixed this week.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
9fd75b66b8f68498454d685dc4ba13192ae069b0,
  5352a761308397a0e6250fdc629bb3f615b94747]
stable/5.10: [5ea00fc60676c0eebfa8560ec461209d638bca9d,
5ddae8d064412ed868610127561652e90acabeea,
  57cc15f5fd550316e4104eaf84b90fbc640fd7a5,
b20a5ab0f5fb175750c6bafd4cf12daccf00c738,
  a4942c6fea879972a7fee50f7e92e2e10f3fc23e]
stable/5.15: [9af0fd5c4453a44c692be0cbb3724859b75d739b,
bc706d89199b0d8ee5e2229e18fdb9c0720f6ba8,
  b982492ec3a115e0a136856a1b2dbe32f2d21a0e,
452ae92b99062d2f6a34324eaf705a3b7eac9f8b,
  1bf8946d5826788c82971977245bcd3313678eac]
stable/5.17: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
534156dd4ed768e30a43de0036f45dca7c54818f,
  01619aa347d35ac8b79751757784ec6f507a3215]
stable/5.4: [418993bbaafb0cd48f904ba68eeda052d624c821,
1db0b2c55c934a33b6fa4d4a4865f5a5be641344,
  7528d0f2210c3a1154186175516ed37aa970f2b1,
9e1e088a57c23251f1cfe9601bbd90ade2ea73b9,
  eaa7eb23fa76db45f7da1b6192518705863d0ebe]

CVE-2022-1205: Null pointer dereference and use-after-free in
net/ax25/ax25_timer.c

5.10, 5.15, and 5.4 were fixed this week.

Fixed status

mainline: [fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009,
82e31755e55fbcea6a9dfaae5fe4860ade17cbc0]
stable/5.10: [f934fa478dd17411bc6884153dc824ff9e7505d8,
5c62d3bf14100a88d30888b925fcb61a8c11c012]
stable/5.15: [43c107021d9160f6a1610bafba6dadc0323ae548,
85f25bb9a0051198af48ac2f3afc9f16f2277114]
stable/5.17: [a45dba71849a963c427637b3330e2ccf098f42d1,
76ff66bb3b22f202c226ddbb0a811f8fb8aab2fa]
stable/5.4: [40cb8b3b19c087a4e20f6740701e53fefbe19a7b,
a83a18c4c9033fb6604c587f52a2d78857cf0ac2]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-04-14  0:10 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-04-14  0:10 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 9 new CVEs and 9 updated CVEs.
There are no notable new vulnerabilities.
CVE-2022-28390 (Spectre-BHB for arm) has been updated. 19 patches were
added to the 4.9 kernel.

* New CVEs

CVE-2021-39800: Information leak bug in Android ION code

CVSS v3 score is not provided

ION was removed by commit e722a29 ("staging: ion: remove from the
tree") which was merged in 5.11-rc1.
There is a big difference between 4.9 and 4.19/5.10, so 4.19 and 5.10
may not have this issue. 4.4 may be affected by this issue.
However, no CIP member enables CONFIG_ION in the 4.4 kernel.

Fixed status

stable/4.9: [504e1d6ee65d5b5a053253ae62f46035d774353c,
a8200613c8c9fbaf7b55d4d438376ebaf0c4ce7e,
  c47385c73fced27375559d1a2eb10f165a0869b0]

CVE-2021-39801: privilege escalation bug in Android ION code

CVSS v3 score is not provided

This vulnerability is related to CVE-2021-39800. CVE-2021-39800 and
CVE-2021-39801 use the same patch to fix the vulnerability.

Fixed status

stable/4.9: [504e1d6ee65d5b5a053253ae62f46035d774353c,
a8200613c8c9fbaf7b55d4d438376ebaf0c4ce7e,
  c47385c73fced27375559d1a2eb10f165a0869b0]

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev

CVSS v3 score is not provided

A UAF bug was found in the hamradio driver, with which a local attacker
will be able to crash the system.

The mainline has 4 patches.

3e0588c: hamradio: defer ax25 kfree after unregister_netdev
0b91119: hamradio: defer 6pack kfree after unregister_netdev
81b1d54: hamradio: remove needs_free_netdev to avoid UAF
b2f37ae: hamradio: improve the incomplete fix to avoid NPD

b2f37ae fixes 3e0588c and 81b1d54 fixes 0b91119.

This vulnerability has been fixed in 5.16.

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
  81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59]
stable/4.9: [8a1a314965a17c62084a056b4f2cb7a770854c90,
83ba6ec97c74fb1a60f7779a26b6a94b28741d8a]
stable/5.10: [450121075a6a6f1d50f97225d3396315309d61a1,
7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca]

CVE-2022-1263: Null pointer dereference bug in the kvm module which
can lead to DoS

CVSS v3 score is not provided

kvm_dirty_ring_free() was added to kvm_vcpu_destroy() by commit fb04a1e
("KVM: X86: Implement ring-based dirty memory tracking"), which was
merged in 5.11-rc1. So, kernels earlier than 5.11 may not be affected
by this vulnerability.

Fixed status

Fixed in kvm tree as of
2022/04/08(https://www.spinics.net/lists/kvm/msg273052.html).

CVE-2022-1158: KVM: x86/mmu: do compare-and-exchange of gPTE via the
user address

CVSS v3 score is not provided

The reporter said that "/dev/kvm is accessible by unprivileged local
users, so a userspace process may leverage this bug to corrupt the
kernel, resulting in a denial of service condition or potentially
achieving privilege escalation. But, since the write is a
compare-and-exchange operation that only updates the Access/Dirty bit,
we don't think exploiting this single bug will be easy.".

This vulnerability was introduced by commit bd53cb3 ("X86/KVM: Handle
PFNs outside of kernel reach when touching GPTEs"), which was merged in
5.2-rc1, so 4.x kernels are not affected by this issue.

Fixed status

mainline: [2a8859f373b0a86f0ece8ec8312607eacf12485d]
stable/5.10: [e90518d10c7dd59d5ebbe25b0f0083a7dbffa42f]
stable/5.15: [8771d9673e0bdb7148299f3c074667124bde6dff]
stable/5.16: [9a611c57530050dc359a83177c2f97678b1f961e]
stable/5.17: [5051c04d70c6e035c2c923c04fbe015a4468b08d]

CVE-2022-28796: jbd2_journal_wait_updates in fs/jbd2/transaction.c in
the Linux kernel before 5.17.1 has a use-after-free caused by a
transaction_t race condition

CVSS v3 score is not provided

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel
before 5.17.1 has a use-after-free caused by a transaction_t race
condition.

This vulnerability was introduced by commit 4f98186 ("jbd2: refactor
wait logic for transaction updates into a common function") which was
merged in 5.17-rc3.

Fixed status

mainline: [cc16eecae687912238ee6efbff71ad31e2bc414e]
stable/5.17: [bff94c57bd130e3062afa94414c2294871314096]

CVE-2022-28893: SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()

CVSS v3 score is not provided

The SUNRPC subsystem in the Linux kernel through 5.17.2 can call
xs_xprt_free before ensuring that sockets are in the intended state.
This is a UAF bug that occurs in inet_put_port().

This vulnerability was introduced by commit a73881c ("SUNRPC: Fix an
Oops in udp_poll()") which was merged in 5.8-rc1.
Commit a73881c fixes commit 0ffe86f ("SUNRPC: Use poll() to fix up
the socket requeue races") which was merged in 5.8-rc1.
Commit 0ffe86f does not exist in kernels older than 5.8, so those
kernels aren't affected by this issue.

Fixed status

mainline: [f00432063db1a0db484e85193eccc6845435b80e]
stable/5.16: [7a0921a23cae42e9fa5ce964f6907181b6dc80d8]
stable/5.17: [d21287d8a4589dd8513038f887ece980fbc399cf]

CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl
and drm_mode_getresources

CVSS v3 score is not provided

The reporter found this bug in 4.19.237. Kernels 5.15 and newer are
already fixed (https://www.openwall.com/lists/oss-security/2022/04/12/4)
but it is not described which commit(s) fix this bug.

According to the
PoC (https://www.openwall.com/lists/oss-security/2022/04/12/3), it
needs to open /dev/dri/card0.
However, /dev/dri/card0's permissions are as follows.

crw-rw----+ 1 root video 226, 0 Apr 13 09:15 /dev/dri/card0

So, an attacker must have the correct privilege to abuse this CVE.

Fixed status

Not fixed yet.

CVE-2022-29156: drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux
kernel before 5.16.12 has a double free related to rtrs_clt_dev_release

CVSS v3 score is not provided

This vulnerability was introduced by commit eab0982 ("RDMA/rtrs-clt:
Refactor the failure cases in alloc_clt") which fixes commit 6a98d71
("RDMA/rtrs: client: main functionality"). Commit eab0982 was merged
in 5.12-rc1-dontuse, commit 6a98d71 was merged in 5.8-rc1.
This driver was introduced in 5.8, so kernels older than 5.8 aren't
affected by this issue.

Fixed status

mainline: [8700af2cc18c919b2a83e74e0479038fd113c15d]
stable/5.16: [fa498059c631e94e91dcb6d78070909d8de56d99]

* Updated CVEs

CVE-2022-0854: swiotlb information leak with DMA_FROM_DEVICE

stable/5.10 was fixed this week.

Fixed status

mainline: [ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e,
aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13]
stable/5.10: [d4d975e7921079f877f828099bb8260af335508f]
stable/5.15: [7403f4118ab94be837ab9d770507537a8057bc63,
2c1f97af38be151527380796d31d3c9adb054bf9]
stable/5.16: [270475d6d2410ec66e971bf181afe1958dad565e,
62b27d925655999350d0ea775a025919fd88d27f]

CVE-2022-1198: use-after-free in drivers/net/hamradio/6pack.c

stable/5.10 and stable/5.15 were fixed this week.

Fixed status

mainline: [efe4186e6a1b54bf38b9e05450d43b0da1fd7739]
stable/5.10: [f67a1400788f550d201c71aeaf56706afe57f0da]
stable/5.15: [3eb18f8a1d02a9462a0e4903efc674ca3d0406d1]
stable/5.16: [4356343fb70c899901bce33acedf4fede797d21f]

CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

stable/5.17 was fixed this week.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
9fd75b66b8f68498454d685dc4ba13192ae069b0,
  5352a761308397a0e6250fdc629bb3f615b94747]
stable/5.17: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
534156dd4ed768e30a43de0036f45dca7c54818f,
  01619aa347d35ac8b79751757784ec6f507a3215]

CVE-2022-28388: can: usb_8dev: usb_8dev_start_xmit(): fix double
dev_kfree_skb() in error path

Backporting to 4.x kernels failed.

4.19: https://lore.kernel.org/stable/1648815686221218@kroah.com/
4.14: https://lore.kernel.org/stable/164881568517591@kroah.com/
4.9: https://lore.kernel.org/stable/1648815685196254@kroah.com/

Fixed status

mainline: [3d3925ff6433f98992685a9679613a2cc97f3ce2]
stable/5.10: [5318cdf4fd834856ce71238b064f35386f9ef528]
stable/5.15: [f2ce5238904f539648aaf56c5ee49e5eaf44d8fc]
stable/5.16: [3e006cf0fb809815d56e59c9de4486fbe253ccdf]
stable/5.17: [29d6c06168faa23ce23db3321981c8fde576c95c]

CVE-2022-28389: can: mcba_usb: mcba_usb_start_xmit(): fix double
dev_kfree_skb in error path

stable/5.x kernels were fixed this week.

Fixed status

mainline: [04c9b00ba83594a29813d6b1fb8fdc93a3915174]
stable/5.10: [0801a51d79389282c1271e623613b2e1886e071e]
stable/5.15: [37f07ad24866c6c1423b37b131c9a42414bcf8a1]
stable/5.16: [f913412848defa326a155c47d026267624472190]
stable/5.17: [42a4b0dfd365c4f77f96fd1f73a64b47ae443a38]

CVE-2022-28390: can: ems_usb: ems_usb_start_xmit(): fix double
dev_kfree_skb() in error path

stable/5.x kernels were fixed this week.

Fixed status

mainline: [c70222752228a62135cee3409dccefd494a24646]
stable/5.10: [b417f9c50586588754b2b0453a1f99520cf7c0e8]
stable/5.15: [459b19f42fd5e031e743dfa119f44aba0b62ff97]
stable/5.16: [41f6be840f138c7d42312d7619a6b44c001d6b6e]
stable/5.17: [3f71f499395545119383f10760b8b19703d2a7dd]

CVE-2022-0168: smb2_ioctl_query_info NULL Pointer Dereference

The mainline and stable/5.10, 5.15, 5.16, and 5.17 kernels were fixed this week.
Commit d6f5e3 said the bug was in smb2_ioctl_query_info(), which was merged
in 5.20-rc1, so kernels older than 4.20 aren't affected by this bug.

Fixed status

mainline: [d6f5e358452479fa8a773b5c6ccc9e4ec5a20880]
stable/5.10: [edefc4b2a8e8310eee8e2b1714709ad5b2a93928]
stable/5.15: [39a4bf7d1a23dd172526c2fb0db480c5d5c63bd6]
stable/5.16: [0f0ce73e7dad17084222da19989049ebfb8be541]
stable/5.17: [49bef50e585d738e957060f669e872b4ad15eb87]

CVE-2022-23960: Arm cpus BHI problem

stable/4.9 added more patches this week.
The following patches were merged.
0a59e9c 6835855 a212d16 ee04ed1 99cbe34 2ce6f5d 283bcb8 1f7da61
bd69a09 944ecb1 ac96573 218ddd9 aee10c2 1451b7f 094a410 4dd8aae
df04484 9396d5e 7815cbf

Fixed status

mainline: [9dd78194a3722fa6712192cdd4f7032d45112a9a,
04e91b7324760a377a725e218b5ee783826d30f5,
  8d9d651ff2270a632e9dc497b142db31e8911315,
b9baf5c8c5c356757f4f9d8180b5e9d234065bc3,
  25875aa71dfefd1959f07e626c4d285b88b27ac2,
4330e2c5c04c27bebf89d34e0bc14e6943413067,
  1b33d4860deaecf1d8eec3061b7e7ed7ab0bae8d,
5bdf3437603d4af87f9c7f424b0c8aeed2420745,
  d739da1694a0eaef0358a42b76904b611539b77b,
03aff3a77a58b5b52a77e00537a42090ad57b80b,
  c091fb6ae059cda563b2a4d93fdbc548ef34e1d6,
6c5bf79b69f911560fbf82214c0971af6e58e682,
  ed50da7764535f1e24432ded289974f2bf2b0c5a,
13d7a08352a83ef2252aeb464a5e08dfc06b5dfd,
  c47e4d04ba0f1ea17353d85d45f611277507e07a,
a9c406e6462ff14956d690de7bbe5131a5677dc9,
  aff65393fa1401e034656e349abd655cfe272de0,
ba2689234be92024e5635d30fe744f4853ad97db,
  b28a8eebe81c186fdb1a0078263b30576c8e1f42,
bd09128d16fac3c34b80bd6a29088ac632e8ce09,
  dee435be76f4117410bbd90573a881fd33488f37,
558c303c9734af5a813739cd284879227f7297d2,
  a5905d6af492ee6a4a2205f0d550b3f931b03d03,
228a26b912287934789023b4132ba76065d9491c,
  58c9a5060cb7cd529d49c93954cdafe81c1d642a]
stable/4.19: [dc64af755099d1e51fd64e99fe3a59b75595814a,
45c25917ceb7a5377883ef4c3a675276fba8a268,
  67e1f18a972be16363c6e88d7b29cde880774164,
99e14db3b711c27f93079ba9d7f2fff169916d5f,
  29db7e4b67fccf5e1fe28ec89f2add90ce74d77b,
e8bfe29afc09ac77b347540a0f4c789e6530a436,
  87eccd56c52fcdd6c55b048d789da5c9c2e51ed3,
51acb81130d1feee7fd043760b75f5377ab8d4f0,
  266b1ef1368e06ac4c5a89eb9774ef2bbaa54e19,
ebcdd80d0016c7445e8395cec99b9ce266a26001,
  af484e69b5e83095609d8b5c8abaf13a5460229e,
f689fa53bb944873f75fe1584f446cae1aabd2c1,
  9e056623dfc538909ed2a914f70a66d68ec71ec3,
22fdfcf1c2cea8e6dc383d46cbbe59d476d24a96,
  901c0a20aa94d09a9328899e2dd69a8d43a3a920,
91429ed04ebe9dbec88f97c6fd136b722bc3f3c5,
  e18876b523d5f5fd8b8f34721f60a470caf20aa1,
5b5ca2608fbd6f250281b6a1d0d73613f250e6f1,
  7b012f6597e55a2ea4c7efe94b5d9a792b6e5757,
a68912a3ae3413be5febcaa40e7e0ec1fd62adee,
  c20d551744797000c4af993f7d59ef8c69732949,
5f051d32b03f08a0507ac1afd7b9c0a30c8e5d59,
  a44e7ddb5822b943cd50c5ad6a2541fb445d58bd,
ed5dec3fae86f20db52930e1d9a7cc38403994cc]
stable/4.9: [b24d4041cfb6dab83f9edf40573375bd1365e619,
dfea9912129157ba3c5a9d060e58df17fb688e72,
  964aafb29a07cb7cdea71ef41a75394e879f529c,
da3dfb69bbc3fdfeb3e5930fe28bcd689751a594,
  48b1aa98e19d189703d518166ddb2520164b3164,
0a59e9cf1f29f446ab5a3dc91a23af8ca0cf5bea,
  6835855140dc7adecd5af713a17d488f93fd8226,
a212d166a9d7c35e56ba11f15d6706eee3dd499b,
  ee04ed16acb65f7dfde8cb74ae774f4314c5c816,
99cbe345732d49d4626052908754259ac9222bb2,
  2ce6f5deed712c6768e5b19ac4e23d4aaa828ff4,
283bcb8f640ecc3e4a74f5084c15cdd9ce350951,
  1f7da613bf57d10b0ff6807b36bd7eda27482ab6,
bd69a09d7d229303286a685f59b9033c384f72b1,
  944ecb18c729545ea73c53f9ee9b802637c549d0,
ac965734ce0f87c194f0a666889a4f37436b2421,
  218ddd9cb91e7bc0bb69d53fc40f600b0b217a16,
aee10c2dd01383a8a01111d647b6e17b9a3cc791,
  1451b7fe7a3689113e70d2936b92fa4d50e68371,
094a410426b4a5cbb0d68609050a15110124aeda,
  4dd8aae585a51a1d276911fe19096ad90144e9fe,
df0448480b9c2f0a2f5a5055e04afa80bf0a5301,
  9396d5ede3df91cc71c70a7fb11826a10c34e775,
7815cbf19ac47ca0cc22b0d8aa25d6ec6ab2ad81]
stable/5.10: [b7f1e73c4ddf2044530091e69114a5fc1a1229d0,
46deb224680bb33c8e87440a7b909d16e5a7d7c5,
  29d9b56df1e18a8ff2e669b79e511163972a8b65,
3f9c958e3572b19b1cfb9d28eeb15be0a5d80193,
  302754d023a06171113e8fb20c7b2a18ebf9088f,
dc5b630c0d532140e194997d350f587dbcc78bfb,
  7048a21086fb16ec67287a25b62e88b0cd17c8c3,
192023e6baf7cce7fb76ff3a5c24c55968c774ff,
  5242d6971e106be115d9dace9c1441f4a2e1cb25,
d93b25a6654812e0511b71a6d4a207f6b1ce5dfe,
  bda89602814c69e6f027878209b0b9453133ada2,
5275fb5ea5f573ce1ecd2bf0bcd928abb916b43d,
  e55025063276fcf7b07e9340c38d70b04aa8a7b9,
8c691e5308c531deede16bef4f2d933d5f859ce7,
  73ee716a1f6356ca86d16d4ffc97fcfc7961d3ef,
26211252c1c104732a0fea6c37645f1b670587f5,
  49379552969acee3237387cc258848437e127d98,
3f21b7e355237aa2f8196ad44c2b7456a739518d,
  56cf5326bdf9c20de9a45e4a7a4c0ae16833e561,
1f63326a5211208e2c5868650e47f13a9072afde,
  13a807a0a080383ceab6c40e53c0228108423e51,
e192c8baa69ac8a5585d61ac535aa1e5eb795e80,
  38c26bdb3cc53f219d6ab75ac1a95436f393c60f,
551717cf3b58f11311d10f70eb027d4b275135de,
  b65b87e718c33caa46d5246d8fbeda895aa9cf5b,
f3c12fc53e0a1fffbe102a9501c7bb6efdabbe99,
  fc8070a9c5ad3e0ac343532df7d4d2d709b173a8,
86171569312b5870aaedc74b4b28d444c0f72105,
  b19eaa004f2eeae94a4fcf5f0cadac35cc579a72,
7ae8127e412361025e7b4a0e6347ca9e8f3ed109,
  dbcfa98539531bff0d7e4d6087741702dfa50f06,
162aa002ec1a78e91cf2f0b8e7450e2770b2941f,
  97d8bdf33182494b7cb327ed555313d17d80c639]
stable/5.15: [f02cab2bed1a3493a230e54d83ff117bc59f480e,
878ad97f745ebc6b135d87b6901dbe93d07745d3,
  2dca61693e6cb6d163e5ba2cf18f2c3270d7ec30,
576548846f1ee53a4d04fa5f91e6a088adbfe3f8,
  842f2d498ee1e75fc9bf78555ee5b59c894c071b,
b7beeab84f02091124b176ba34c71a601762d1de,
  44adac5908ff712e0fee34e3472f884c17af8025,
368a1fd8c4a600ed8ae605afa27904f359a57161,
  479c9bb741bf6e1ac300d2f3c2797c7fbce117c0,
4a691bbf56a186f9df432b0bfd666dc2e82e4334,
  e25a9dced2bdbace585d613444f2cf317b84cda5,
2e09754a03a7e54eae6017d94fb9c265217288f1,
  be9c5526aad63ab0b13d72978206aec12ede9d76,
a40472d463f9ab6f971850989aa5a21f704b5cfd,
  6895584a92eeaa0702afc47c9758b7fca6345fec,
517f988ee0500688ac23e011bc3bbbf502e76a23,
  ffb8a34c0fd81fdcf677bc8e9af251ea526e8c49,
50e700a117669e072fb9e47ff3ea49e4a8cacf04,
  cfd0c38125aa27a15617473d053897eb7967ab1c,
d7066114dcd6a295122c5942791025e16a33f89f,
  8e55b9b0e76575e3755919820848b9ca53d82381,
4bbfd0c280254b273c564767021bb9b0f945148e,
  fb2bb2ec137c3a8afbd91c949d9384d9e8a913c9,
8979720ac64c70af1395ce78e5c6ffb546b43e0d,
  3317d21b84e91be72df14744040513a280b88946]
stable/5.16: [f5eb0f1dcde4b7c2b5ee920ae53bcecaaba03947,
0f0fd6ef76dee10aae861c69635c42b1c427e577,
  21ceffd3628edfc775d33851cf56ea1d85c528fc,
9fd1d31810ccf6b4e4df8ccf2e68bbdcf528d186,
  680e356c1be19a7663d8077be12e0ab048430ebd,
d1e3d6d26d9eab22548c3b7373ec12bbfecc765f,
  346793c01582f62f4a5536c325a3dfc627ca543a,
46af6fc4f7a22ada597982ff01db34fb4bdba6a3,
  7b63df956358d183c25178e970f6ed304cd0f659,
57e9a5fbd1f8b8ac5b7f849715fcdf5a32dda040,
  62cfcf8d06ca7786e781e1b60f57b67f43448868,
5da0c4bbae492434b534ffd39aac5d5610190491,
  dfb25997bdefca7a3cd69c1dea872ba52133d31f,
e0077b0a66f14998c0d18508bf945a40a0d3ebab,
  984e7e3ebac334d7af0069a4d3636cf2338525df,
483fa5319f16b627e7873c1079e35ebbfb04cf45,
  448a95af1b7ae205eb762c2c1fb35b290cc3032e,
d535ca624f6d439424aeeb0a3cc4a426cfd9a993,
  b9c29587c533faaa0aefeaaf7a4a4ff834975ba4,
d4293ed32d390ce363d964a9216ce9ab0ff9d74c,
  f0567fc3fb835499eda68f20e30ce16f9b83d774,
0b2bf1b37b5ebd90e69e30d8c2d6e1cd0c1f37b4,
  e1e87704621efcf0310bd1543a8e6352156a43bd,
2df4d0aba0e673d37be14901e853d1d540b19bbd,
  80d1978b8062cbad01cbea2aec2a5aac8f61c366]

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

Commit 4665722 ("cgroup: Use open-time credentials for process
migraton perm checks") was added to stable/5.10.

Fixed status

mainline: [1756d7994ad85c2479af6ae5a9750b92324685af,
0d2b5955b36250a9428c832664f2079cbf723bec,
  e57457641613fef0d147ede8bd6a3047df588b95]
stable/5.10: [f28364fe384feffbe7d44b095ef4571285465c47,
824a950c3f1118eb06b1877c49ed1b2eca8e236d,
  4665722d36ad13c6abc6b2ef3fe5150c0a92d870]
stable/5.15: [c6ebc35298848accb5e50c37fdb2490cf4690c92,
50273128d640e8d21a13aec5f4bbce4802f17d7d,
  43fa0b3639c5fd48c96b19d645d0c7ff2327651a]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


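The "Fixed status" blocks in these reports all follow one layout: a `CVE-YYYY-NNNN: title` header (sometimes wrapped onto a second line), then `mainline: [...]` and `stable/X.Y: [...]` lists whose commit hashes may continue over several lines. When tracking which branches still lack a backport, it helps to parse that layout rather than read it by eye. The following is an added example written for this page, not a CIP tool and not part of the original report. It parses a constructed excerpt (the hashes are copied from the CVE-2022-1011, CVE-2022-1195 and CVE-2022-1280 entries above), reports the tracked branches that have no fix listed, and checks a CVE's listed fixes against a set of commit hashes taken from a tree you ship (in practice the output of `git rev-list <branch>`; here a hand-built set). The branch list `TRACKED` is an assumption for the example.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the weekly CIP CVE reports in this
# thread. The hashes are copied from the report entries above.
SAMPLE_REPORT = """\
* New CVEs

CVE-2022-1011: fuse: fix pipe buffer lifetime for direct_io

4.14, 4.19 were fixed this week.

Fixed status

mainline: [0c4bcfdecb1ac0967619ee7ff44871d93c08c909]
stable/4.14: [0ab55e14cf5fd40c39109969c8b04a25870f5d1e]
stable/4.19: [99db28212be68030c1db3a525f6bbdce39b039e9]
stable/5.10: [ab5595b45f732212b3b1974041b43a257153edb7]
stable/5.4: [a9174077febfb1608ec3361622bf5f91e2668d7f]

CVE-2022-1195: kernel: A possible race condition (use-after-free) in
drivers/net/hamradio/6pack ( mkiss.c) after unregister_netdev

Fixed status

mainline: [3e0588c291d6ce225f2b891753ca41d45ba42469,
0b9111922b1f399aba6ed1e1b8f2079c3da1aed8,
  81b1d548d00bcd028303c4f3150fa753b9b8aa71,
b2f37aead1b82a770c48b5d583f35ec22aabb61e]
stable/4.19: [896193a02a2981e60c40d4614fd095ce92135ccd,
b68f41c6320b2b7fbb54a95f07a69f3dc7e56c59]

CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl
and drm_mode_getresources

Fixed status

Not fixed yet.
"""

# Assumed set of branches a downstream tree is tracking (example only).
TRACKED = ["stable/4.19", "stable/5.10"]

CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")
BRANCH_LINE = re.compile(r"^(mainline|stable/[\d.]+):\s*\[(.*)$")
SHA1 = re.compile(r"\b[0-9a-f]{40}\b")


def parse_report(text):
    """Return {cve: {"title": str, "fixed": {branch: [sha1, ...]}}}.

    A title continues until the first blank line. A branch list opens
    with '[' and may span several lines, so hashes are collected until
    the closing ']' is seen.
    """
    entries = OrderedDict()
    cve = None
    branch = None
    in_title = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_HEADER.match(line)
        if m:
            cve = m.group(1)
            entries[cve] = {"title": m.group(2).strip(), "fixed": OrderedDict()}
            branch = None
            in_title = True
            continue
        if cve is None:
            continue
        if in_title:
            if line:
                entries[cve]["title"] += " " + line
                continue
            in_title = False
        if branch is None:
            m = BRANCH_LINE.match(line)
            if not m:
                continue
            branch = m.group(1)
            entries[cve]["fixed"][branch] = []
            rest = m.group(2)
        else:
            rest = line
        entries[cve]["fixed"][branch].extend(SHA1.findall(rest))
        if "]" in rest:
            branch = None
    return entries


def missing_fixes(entries, branches):
    """Map each CVE to the tracked branches that have no fix commit listed."""
    out = OrderedDict()
    for cve, info in entries.items():
        gaps = [b for b in branches if not info["fixed"].get(b)]
        if gaps:
            out[cve] = gaps
    return out


def fix_present(entries, cve, branch, commits_in_tree):
    """True if every listed fix for (cve, branch) is in commits_in_tree,
    False if any is missing, None if the report lists no fix for it."""
    hashes = entries.get(cve, {}).get("fixed", {}).get(branch)
    if not hashes:
        return None
    return all(h in commits_in_tree for h in hashes)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for cve, gaps in missing_fixes(report, TRACKED).items():
        print(cve, "has no fix listed for", ", ".join(gaps))
```

Feeding a real message into `parse_report()` and a real `git rev-list stable/5.10 | head -n 200000` into `commits_in_tree` turns the weekly mail into a mechanical "which backports are still outstanding" check; the `None` return distinguishes "no fix exists yet" from "fix exists but is not in our tree", which is the distinction the report itself draws between "Not fixed yet." and a missing branch line.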

* New CVE entries this week
@ 2022-04-06 23:50 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-04-06 23:50 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 1 updated CVE.
There are three can/usb driver bugs and three ax25 protocol bugs.

* New CVEs

CVE-2021-3714: Remote Page Deduplication Attacks

CVSS v3 score is not provided

Red Hat Bugzilla describes that an attacker can leak information via this issue.

Fixed status

Not fixed yet.

CVE-2022-1198: use-after-free in drivers/net/hamradio/6pack.c

CVSS v3 score is not provided

A UAF bug was found in drivers/net/hamradio/6pack.c. An attacker is
able to crash the system by this vulnerability.
This bug looks to exist in 5.10, 4.19, and 4.4 kernels. However,
backporting this patch requires fixing conflicts.

Fixed status

mainline: [efe4186e6a1b54bf38b9e05450d43b0da1fd7739]
stable/5.16: [4356343fb70c899901bce33acedf4fede797d21f]

CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()

CVSS v3 score is not provided

A UAF bug was found in net/ax25/af_ax25.c. An attacker is able to
crash the system by this vulnerability.

Patches were merged in the mainline in the following order.

2022-03-09: ax25: Fix NULL pointer dereference in
ax25_kill_by_device(71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac)
2022-02-09: ax25: fix NPD bug in
ax25_disconnect(7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10)
2022-01-28: ax25: improve the incomplete fix to avoid UAF and NPD
bugs(4e0f718daf97d47cf7dec122da1be970f145c809)

Commit 7ec02f5 ("fix NPD bug in ax25_disconnect") changed the release
order of the sock struct to avoid a NULL pointer dereference if sk is NULL.
- release_sock(sk);
  ax25_disconnect(s, ENETUNREACH);
+ release_sock(sk);
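Review bot: with release_sock(sk) moved below ax25_disconnect(s, ENETUNREACH), ax25_disconnect() now runs while the socket lock is still held; the hunk is quoted without context, so any backport should confirm the matching lock_sock(sk) above this point and that ax25_disconnect() does not itself take the socket lock on that path, or the reordering turns a NULL dereference into a self-deadlock.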

However, commit 71171ac ("ax25: Fix NULL pointer dereference in
ax25_kill_by_device") added a NULL pointer check before releasing the
sock struct.

+ if (!sk) {
+ spin_unlock_bh(&ax25_list_lock);
+ s->ax25_dev = NULL;
+ ax25_disconnect(s, ENETUNREACH);
+ spin_lock_bh(&ax25_list_lock);
+ goto again;
+ }
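Review bot: the spin_unlock_bh()/spin_lock_bh() pair around ax25_disconnect() means the list walk is restarted from scratch via goto again after the lock is dropped; the only thing that stops the same entry from being picked up again on the next pass is the s->ax25_dev = NULL assignment made before the jump, so that ordering must be preserved verbatim when this hunk is backported.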

So, it looks like commit 7ec02f5 ("fix NPD bug in ax25_disconnect") is
not needed to fix this CVE in older kernels.
Additionally, commit 7ec02f5 is the root cause of CVE-2022-1205.

v4.4 looks to be affected by this CVE.

Fixed status

mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
  71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
5ab8de9377edde3eaf1de9872e2f01d43157cd6c]
stable/4.9: [851901d339b2ba766ffcf754d37a6f52fa07cea2,
cad71f1094834eb69f7ceec8100d300c26b43053]
stable/5.10: [b9a229fd48bfa45edb954c75a57e3931a3da6c5f,
e2201ef32f933944ee02e59205adb566bafcdf91]


CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

CVSS v3 score is not provided

A UAF bug was found in net/ax25/af_ax25.c. An attacker is able to
crash the system by this vulnerability.

Patches were merged in the following order.

2022-03-29: ax25: fix UAF bug in
ax25_send_control(5352a761308397a0e6250fdc629bb3f615b94747) fixes
9fd75b6
2022-03-21: ax25: Fix refcount leaks caused by
ax25_cb_del(9fd75b66b8f68498454d685dc4ba13192ae069b0) fixes d01ffb9,
87563a0, and feef318
2022-02-09: ax25: fix UAF bugs of net_device caused by rebinding
operation(feef318c855a361a1eccd880f33e88c460eb63b4)
2022-02-03: ax25: fix reference count leaks of
ax25_dev(87563a043cef044fed5db7967a75741cc16ad2b1) fixes d01ffb9
2022-01-28: ax25: add refcount in ax25_dev to avoid UAF
bugs(d01ffb9eee4af165d83b08dd73ebdf9fe94a519b)

It looks like the root cause is commit d01ffb ("ax25: add refcount in
ax25_dev to avoid UAF bugs"). It was merged in 5.17-rc3. This commit
isn't backported to stable kernels. So, stable kernels seem not to be
affected by this CVE.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
  feef318c855a361a1eccd880f33e88c460eb63b4,
9fd75b66b8f68498454d685dc4ba13192ae069b0,
  5352a761308397a0e6250fdc629bb3f615b94747]


CVE-2022-1205: Null pointer dereference and use-after-free in
net/ax25/ax25_timer.c

CVSS v3 score is not provided

A NULL pointer dereference and use-after-free in net/ax25/ax25_timer.c.
An attacker is able to crash the system by this vulnerability.

This bug was introduced by commit 7ec02f5 ("ax25: fix NPD bug in
ax25_disconnect") which was merged in 5.17-rc4. This commit isn't
backported to stable kernels, so this bug only affects the mainline
kernel.

Fixed status

mainline: [fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009,
82e31755e55fbcea6a9dfaae5fe4860ade17cbc0]

CVE-2022-28356: llc: fix netdevice reference leaks in llc_ui_bind()

CVSS v3 score is not provided

A refcount leak bug was found in net/llc/af_llc.c.

This bug was introduced before the git era.
The patch can be applied to 4.4-st.

Fixed status

mainline: [764f4eb6846f5475f1244767d24d25dd86528a4a]
stable/4.14: [0f294bc04be87f1c9e1d1a908db9fcc84ce94210]
stable/4.19: [d14193111c436fc5de33206c67c7afd45c730099]
stable/4.9: [0a7aad979bfb43c4a78d33a5f356caf4ceb28bca]
stable/5.10: [571df3393f523b59cba87e2f3e80a3a624030f9c]
stable/5.15: [e9072996108387ab19b497f5b557c93f98d96b0b]
stable/5.16: [6f5bf395c60ed2643de51f2b1041cb0882e9d97f]
stable/5.17: [ef1a6fe3563cf47ce4fd555727ca80085cf18884]
stable/5.4: [572f9a0d3f3feb8bd3422e88ad71882bc034b3ff]

CVE-2022-28388: can: usb_8dev: usb_8dev_start_xmit(): fix double
dev_kfree_skb() in error path

CVSS v3 score is not provided

A double free bug was found in usb_8dev_start_xmit() in
drivers/net/can/usb/usb_8dev.c.

To apply this fix to 4.4, the patch needs to be modified to fix a conflict.

Fixed status

mainline: [3d3925ff6433f98992685a9679613a2cc97f3ce2]

CVE-2022-28389: can: mcba_usb: mcba_usb_start_xmit(): fix double
dev_kfree_skb in error path

CVSS v3 score is not provided

A double free bug in mcba_usb_start_xmit() in drivers/net/can/usb/mcba_usb.c.
This bug was introduced by commit 51f3baa ("can: mcba_usb: Add support
for Microchip CAN BUS Analyzer") which was merged in 4.12-rc1.
So, 4.9 and 4.4 kernels aren't affected by this issue.

Fixed status

mainline: [04c9b00ba83594a29813d6b1fb8fdc93a3915174]

CVE-2022-28390: can: ems_usb: ems_usb_start_xmit(): fix double
dev_kfree_skb() in error path

CVSS v3 score is not provided

A double free bug in ems_usb_start_xmit() in drivers/net/can/usb/ems_usb.c.
This patch can be applied to 4.4.y without any errors.

Fixed status

mainline: [c70222752228a62135cee3409dccefd494a24646]

CVE-2021-39802: The most severe vulnerability in this section could
lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation

CVSS v3 score is not provided

ac44888: Revert "FROMGIT: mm: improve mprotect(R|W) efficiency on
pages referenced once"
b44e46b: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once
67d075d: Revert "FROMGIT: mm: improve mprotect(R|W) efficiency on
pages referenced once"
6f9aba5: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once

Commit ac44888 reverts b44e46b and commit 67d075d reverts 6f9aba5.
These commits aren't in the mainline.
It seems as if this vulnerability is Android kernel specific.

Fixed status

Fixed in android kernel

CVE-2021-0707: dmabuf: fix use-after-free of dmabuf's file->f_inode

CVSS v3 score is not provided

A UAF bug was found in dma_buf_release().
This bug was introduced by commit 4ab59c3 ("dma-buf: Move
dma_buf_release() from fops to dentry_ops") which was merged in
v5.8-rc4.
The commit 4ab59c3 ("dma-buf: Move dma_buf_release() from fops to
dentry_ops") fixes bb2bb90 ("dma-buf: add DMA_BUF_SET_NAME ioctls")
which was merged in 5.3-rc1. Therefore, kernel 4.4, 4.9, and 4.19 are
not affected by this vulnerability.
This vulnerability was fixed in 5.11-rc3. The mainline and stable
kernels are fixed.

Fixed status

mainline: [05cd84691eafcd7959a1e120d5e72c0dd98c5d91]
stable/5.10: [a19dae4254c434a1ac8937a809fe08fd15ad3be5]
stable/5.4: [ef8133b1b47ed67873c291e9248fafd428d1767d]

* Updated CVEs

CVE-2021-33061: Intel(R) 82599 Ethernet Controllers and Adapters may
allow an authenticated user to potentially
enable denial of service via local access

Fixed in 5.18-rc1.

This patch can't be applied to 4.4.y because it modifies
ixgbe_priv_flags_strings(), ixgbe_get_priv_flags(), and
ixgbe_set_priv_flags() in
drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c but 4.4.y doesn't
have these functions and drivers/net/ethernet/intel/ixgbe/ixgbe.h
doesn't contain IXGBE_FLAG2_ macros in it.

Fixed status

mainline: [008ca35f6e87be1d60b6af3d1ae247c6d5c2531d]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-03-30 23:22 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-03-30 23:22 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 4 updated CVEs.

* New CVEs

CVE-2022-0168: smb2_ioctl_query_info NULL Pointer Dereference

CVSS v3 score is not provided

A local DoS issue was found in smb2_ioctl_query_info(). A local user
with privileges (CAP_SYS_ADMIN) can crash the system.
The smb2_ioctl_query_info() was introduced by commit f5b05d6 ("cifs:
add IOCTL for QUERY_INFO passthrough to userspace") which was merged
in 4.20-rc1.

Fixed status

Not fixed yet.

CVE-2022-1055: net: sched: fix use-after-free in tc_new_tfilter()

CVSS v3 score is 6.3 MEDIUM

A UAF bug was found in tc_new_tfilter().
This issue was introduced by commit 470502d ("net: sched: unlock rules
update API") which was merged in 5.1-rc1.
The mainline and stable kernels were fixed.

Fixed status

mainline: [04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5]
stable/5.10: [e7be56926397cf9d992be8913f74a76152f8f08d]
stable/5.15: [f36cacd6c933183c1a8827d5987cf2cfc0a44c76]
stable/5.16: [95e34f61b58a152656cbe8d6e19843cc343fb089]
stable/5.4: [b1d17e920dfcd4b56fa2edced5710c191f7e50b5]

CVE-2022-1048: race condition in snd_pcm_hw_free leading to use-after-free

CVSS v3 score is not provided

A UAF bug was found in the ALSA pcm module. This bug can cause a
system crash or privilege escalation by a local user.

To apply the patches to 4.4, they need to be modified.

Fixed status


CVE-2022-1015: OOB access bug in netfilter

CVSS v3 score is not provided

This issue leads to local privilege escalation.
The root cause was introduced by commit 49499c3 ("netfilter:
nf_tables: switch registers to 32 bit addressing") which was merged in
4.1-rc.
However, it is exploitable due to commit 345023b ("netfilter: nftables:
add nft_parse_register_store() and use it") which was merged in
5.12-rc1-dontuse.
Therefore, kernels earlier than 5.12 have the OOB bug, but it would not
be exploitable there.

Fixed status

mainline: [6e1acfa387b9ff82cfc7db8cc3b6959221a95851]
stable/5.15: [1bd57dea456149619f3b80d67eee012122325af8]
stable/5.16: [2c8ebdaa7c9755b85d90c07530210e83665bad9a]
stable/5.17: [afdc3f4b81f0ec9f97f0910476af4620a2481a6d]

CVE-2022-1016: kernel information leak bug in netfilter

CVSS v3 score is not provided

There is an uninitialized stack in the nft_do_chain routine that can
lead to kernel information leak.
This bug was introduced by commit 9651851 ("netfilter: add nftables")
that was merged in 3.13-rc1.

For 4.4

Applying commit 4c905f has a merge conflict but is easy to fix.

Fixed status

mainline: [4c905f6740a365464e91467aa50916555b28213d]
stable/4.14: [a3cc32863b175168283cb0a5fde08de6a1e27df9]
stable/4.19: [88791b79a1eb2ba94e95d039243e28433583a67b]
stable/4.9: [4d28522acd1c4415c85f6b33463713a268f68965]
stable/5.10: [2c74374c2e88c7b7992bf808d9f9391f7452f9d9]
stable/5.15: [fafb904156fbb8f1dd34970cd5223e00b47c33be]
stable/5.16: [64f24c76dd0ce53d0fa3a0bfb9aeea507c769485]
stable/5.17: [dd03640529204ef4b8189fbdea08217d8d98271f]
stable/5.4: [06f0ff82c70241a766a811ae1acf07d6e2734dcb]

CVE-2022-27950: memory leak bug in drivers/hid/hid-elo.c

CVSS v3 score is not provided

A memory leak bug was found in elo_probe() in drivers/hid/hid-elo.c
when hid_parse() fails.
This bug was introduced by commit fbf4272 ("HID: elo: update the
reference count of the usb device structure") which was merged in
5.15-rc1. This bug exists from 5.15 to 5.16.11.

Fixed status

mainline: [817b8b9c5396d2b2d92311b46719aad5d3339dbe]
stable/5.15: [de0d102d0c8c681fc9a3263d842fb35f7cf662f4]
stable/5.16: [80dad7483e3940dc9d9d55f8b34d1f4ba85a505e]

* Updated CVEs

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

stable/5.10 was updated this week.

Fixed status

mainline: [1756d7994ad85c2479af6ae5a9750b92324685af,
0d2b5955b36250a9428c832664f2079cbf723bec,
  e57457641613fef0d147ede8bd6a3047df588b95]
stable/5.10: [f28364fe384feffbe7d44b095ef4571285465c47,
824a950c3f1118eb06b1877c49ed1b2eca8e236d]
stable/5.15: [c6ebc35298848accb5e50c37fdb2490cf4690c92,
50273128d640e8d21a13aec5f4bbce4802f17d7d,
  43fa0b3639c5fd48c96b19d645d0c7ff2327651a]

CVE-2022-27666, CVE-2022-0886: esp: Fix possible buffer overflow in
ESP transformation

stable/4.14, stable/4.19, and stable/5.4 kernels were fixed this week.
All kernels are fixed.

Fixed status

mainline: [ebe48d368e97d007bfeb76fcb065d6cfc4c96645]
stable/4.14: [2c8abafd6c72ef04bc972f40332c76c1dd04446d]
stable/4.19: [ce89087966651ad41e103770efc5ce2742046284]
stable/5.10: [9248694dac20eda06e22d8503364dc9d03df4e2f]
stable/5.15: [4aaabbffc3b0658ce80eebdde9bafa20a3f932e0]
stable/5.16: [9afe83f62aac348db1facb28bfc106109a06e44d]
stable/5.4: [fee4dfbda68ba10f3bbcf51c861d6aa32f08f9e4]

CVE-2022-26490: nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION

Stable kernels were fixed this week.

Fixed status

mainline: [4fbcc1a4cb20fe26ad0225679c536c80f1648221]
stable/4.14: [d908d2776464a8021a1f63eba6e7417fbe7653c9]
stable/4.19: [0043b74987acb44f1ade537aad901695511cfebe]
stable/4.9: [c1184fa07428fb81371d5863e09795f0d06d35cf]
stable/5.10: [25c23fe40e6e1ef8e6d503c52b4f518b2e520ab7]
stable/5.15: [a34c47b1ab07153a047476de83581dc822287f39]
stable/5.16: [0646efbb6e100a3f93eba3b6a10a7f4c28dd1478]
stable/5.4: [0aef7184630b599493a0dcad4eec6d42b3e68e91]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-03-24  0:42 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-03-24  0:42 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 8 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2022-0995: out of bounds writes in watch_queue event notification subsystem

CVSS v3 score is not provided

An OOB bug was found in the watch_queue event notification subsystem. This
bug may allow a local user to gain privileged access or cause a DoS.
This issue was introduced by c73be61 ("pipe: Add general notification
queue support") that was merged in 5.8-rc1.

Fixed status


CVE-2022-0998: vdpa: clean up get_config_size ret value handling

CVSS v3 score is not provided

An integer overflow bug was found in the Vhost driver for vDPA-based backends.
It was introduced by 3ed21c1 ("vdpa: check that offsets are within
bounds") that was merged in 5.16-rc6.
The commit was backported to 5.10 so 5.10 is affected by this bug.
This driver was introduced in 5.7-rc1.

It looks like no CIP member enables CONFIG_VHOST_VDPA.

Fixed status

mainline: [3ed21c1451a14d139e1ceb18f2fa70865ce3195a]
stable/5.10: [51f6302f81d243772047a74ffeceddfb11c964d5]
stable/5.15: [b08b3bfcc720686cd73888ab20111acd9cbfcb19]

CVE-2022-1011: fuse: fix pipe buffer lifetime for direct_io

CVSS v3 score is not provided

A UAF bug was found in the FUSE filesystem. A local attacker can read
any data from the filesystem.

It was introduced by commit c302162 ("fuse: support splice() reading
from fuse device") that was merged in 2.6.35-rc1.
The commit 0c4bcfd failed to apply to 4.9, 4.14, and 4.19 as of 2022/03/18.

Fixed status

mainline: [0c4bcfdecb1ac0967619ee7ff44871d93c08c909]
stable/5.10: [ab5595b45f732212b3b1974041b43a257153edb7]
stable/5.15: [ca62747b38f59d4e75967ebf63c992de8852ca1b]
stable/5.16: [58a9bdff32fde29137731e574b17c42592875fd0]
stable/5.4: [a9174077febfb1608ec3361622bf5f91e2668d7f]

CVE-2021-45868: UAF bug in fs/quota/quota_tree.c

CVSS v3 score is not provided

A UAF bug was found in remove_tree() and find_tree_dqentry() in
fs/quota/quota_tree.c.
The mainline and all stable kernels, including 4.4, were fixed.

Fixed status

mainline: [9bf3d20331295b1ecb81f4ed9ef358c51699a050]
stable/4.14: [1d0606dc3e27e6c281a2684cb8bdf47134051114]
stable/4.19: [e5222c87dc441dcc8a66e93cb3fd34dfff03d3ec]
stable/4.4: [7a40f3e53f5de1d6876df8a9e8025b50616b8818]
stable/4.9: [f7dd331a896700728492e02c20a69e53221cd7a4]
stable/5.10: [ceeb0a8a8716a1c72af3fa4d4f98c3aced32b037]
stable/5.15: [332db0909293f3f4d853ee2ea695272c75082d87]
stable/5.4: [10b808307d37d09b132fc086002bc1aa9910d315]


CVE-2022-0854: swiotlb information leak with DMA_FROM_DEVICE

CVSS v3 score is not provided

A memory leak bug was found in the DMA subsystem that may allow a local
user to read kernel memory.

Commit aa6f8dc fixes ddbd89d. Commit ddbd89d was merged in 5.17-rc6.
Commit ddbd89d describes commit a45b599 ("scsi: sg: allocate with
__GFP_ZERO in sg_build_indirect()") in the flaw steps. The commit
a45b599 was backported to stable kernels (including 4.4.y). So it seems
as if stable kernels are affected by this issue.
Patches failed to apply to 4.9, 4.19, 5.4, and 5.10. Also,
kernel/dma/swiotlb.c and related files were moved from lib/ since
4.18-rc2 by commit cf65a0f ("dma-mapping: move all DMA mapping code to
kernel/dma").

Fixed status

mainline: [ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e,
aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13]
stable/5.15: [7403f4118ab94be837ab9d770507537a8057bc63,
2c1f97af38be151527380796d31d3c9adb054bf9]
stable/5.16: [270475d6d2410ec66e971bf181afe1958dad565e,
62b27d925655999350d0ea775a025919fd88d27f]

CVE-2022-0494: block-map: add __GFP_ZERO flag for alloc_page in
function bio_copy_kern

CVSS v3 score is not provided

A kernel information leak bug was found in bio_copy_kern(). When a local
attacker sends the SCSI_IOCTL_SEND_COMMAND command via scsi_ioctl(), there
is a path that returns an uninitialized buffer to user space, which causes
a kernel information leak.

The commit ce288e0 ("block: remove BLK_BOUNCE_ISA support"), which was
merged in 5.13-rc1, changed the page allocation strategy in
bio_copy_kern().

-   page = alloc_page(q->bounce_gfp | gfp_mask);
+ page = alloc_page(GFP_NOIO | gfp_mask);
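Review bot: the replacement line still allocates the page without __GFP_ZERO, so its contents stay uninitialized; since the bug described above is an uninitialized buffer returned to user space through the SCSI_IOCTL_SEND_COMMAND path, the allocation in bio_copy_kern() should read `page = alloc_page(GFP_NOIO | __GFP_ZERO | gfp_mask);`, which is the change the fixing commit's title ("add __GFP_ZERO flag for alloc_page in function bio_copy_kern") describes.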

Also, bio_copy_kern() was moved from block/bio.c to block/blk-map.c
by commit 130879f ("block: move bio_map_* to blk-map.c") which was
merged in 5.7-rc1. So, applying the patch to kernels before 5.13 will
fail.

It looks like kernels earlier than 5.13 may be affected by this issue.

Fixed status

mainline: [cc8f7fe1f5eab010191aa4570f27641876fa1267]
stable/5.15: [a1ba98731518b811ff90009505c1aebf6e400bc2]
stable/5.16: [f8c61361a4f52c2a186269982587facc852dba62]

CVE-2022-0886, CVE-2022-27666: esp: Fix possible buffer overflow in
ESP transformation

CVSS v3 score is not provided

According to
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0886,
CVE-2022-0886 is a duplicate of CVE-2022-27666.

A buffer overflow bug was found in net/ipv4/esp4.c and
net/ipv6/esp6.c. A local attacker may be able to gain privileges by
this bug.

This issue was introduced by commits cac2661 ("esp4: Avoid skb_cow_data
whenever possible") and 03e2a30 ("esp6: Avoid skb_cow_data whenever
possible"); these commits were merged in 4.11-rc1.

Applying the patch to 4.14, 4.19, and 5.4 failed.
4.14: https://lore.kernel.org/stable/16472498745560@kroah.com/
4.19: https://lore.kernel.org/stable/164724987424249@kroah.com/
5.4: https://lore.kernel.org/stable/16472498744220@kroah.com/

Fixed status

mainline: [ebe48d368e97d007bfeb76fcb065d6cfc4c96645]
stable/5.10: [9248694dac20eda06e22d8503364dc9d03df4e2f]
stable/5.15: [4aaabbffc3b0658ce80eebdde9bafa20a3f932e0]
stable/5.16: [9afe83f62aac348db1facb28bfc106109a06e44d]

CVE-2022-1043: io_uring: fix xa_alloc_cycle() error return value check

CVSS v3 score is not provided

A flaw was found in the Linux kernel's io_uring implementation where an
attacker with a local account can corrupt system memory, crash the
system or escalate privileges.

This issue affects 5.6 to 5.14-rc6.

Fixed status

mainline: [a30f895ad3239f45012e860d4f94c1a388b36d14]
stable/5.10: [695ab28a7fa107d0350ab19eba8ec89fac45a95d]

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing
associations

There were two updates this week.

- stable/4.14 was fixed.
- Added commit 6056abc to stable/5.10.

Fixed status


CVE-2022-23960: Arm CPUs BHI problem

The following patches were backported to stable/4.19 this week.

e8bfe29, 87eccd5, 51acb81, 266b1ef, ebcdd80, af484e6, f689fa5,
9e05662, 22fdfcf, 901c0a2, 91429ed, e18876b, 5b5ca26, 7b012f6,
a68912a, c20d551, 5f051d3, a44e7dd, ed5dec3

Fixed status


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-03-16 23:34 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2022-03-16 23:34 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 11 new CVEs and 5 updated CVEs.
Seven of eleven new CVEs are Xen's vulnerabilities.

* New CVEs

CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23040 : Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

CVSS v3 score is not provided

CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, and
CVE-2022-23040 form a group. These CVEs are Xen vulnerabilities.
These vulnerabilities cause race conditions, resulting in potential
data leaks, data corruption, or DoS by malicious backends (blkfront,
netfront, scsifront, gntalloc, xenbus).

Xen advisory said that "blkfront, netfront, scsifront and the gntalloc
driver are testing whether a grant reference is still in use. If this
is not the case, they assume that a following removal of the granted
access will always succeed, which is not true in case the backend has
mapped the granted page between those two operations. As a result the
backend can keep access to the memory page of the guest no matter how
the page will be used after the frontend I/O has finished. The xenbus
driver has a similar problem, as it doesn't check the success of
removing the granted access of a shared ring buffer."

Each CVE is assigned to each backend.

CVE-2022-23036 : blkfront
CVE-2022-23037 : netfront
CVE-2022-23038 : scsifront
CVE-2022-23039 : gntalloc
CVE-2022-23040 : xenbus

For 4.4.

6b1775f: can be applied
abf1fd5: backporting 3df0e50 ("xen/blkfront: pseudo support for multi
hardware queues/rings") or modifying abf1fd5 is needed
31185df: can be applied
33172ab: can be applied with a small modification
d3b6372: can be applied

Fixed status

CVE-2022-23036:
mainline: [6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a,
abf1fd5919d6238ee3bc5eb4a9b6c3947caa6638]
stable/4.19: [17659846fe336366b1663194f5669d10f5947f53,
423a3a50dce9a48d10d2d2a70cd2f78064c13703]
stable/4.9: [73e1d9b33f2bd93ce30719dfc8990b6328243b7e,
f306575016dcf47ed6cd40e1fe872a4d8c665a8b]
stable/5.10: [3d81e85f30a8f712c3e4f2a507553d9063a20ed6,
96219af4e504d0e96a231a0ba86062ec5b3af979]

CVE-2022-23037:
mainline: [31185df7e2b1d2fa1de4900247a12d7b9c7087eb]
stable/4.19: [927e4eb8ddf4968b6a33be992b28063f84552c72]
stable/4.9: [1112bb311ec13e7e6e7045ae4a0b7091bedc6b7a]
stable/5.10: [f6690dd9446a2a4bd9b024f00f71dd827a98317f]

CVE-2022-23038:
mainline: [6b1775f26a2da2b05a6dc8ec2b5d14e9a4701a1a,
33172ab50a53578a95691310f49567c9266968b0]
stable/4.9: [73e1d9b33f2bd93ce30719dfc8990b6328243b7e,
98bdfdf89e987406f4afdc7694cbdbb715383d8e]
stable/5.10: [3d81e85f30a8f712c3e4f2a507553d9063a20ed6,
3047255182774266950b22acc29c22a2d76e859e]

CVE-2022-23039:
mainline: [d3b6372c5881cb54925212abb62c521df8ba4809]
stable/4.19: [fbc57368ea527dcfa909908fc47a851a56e4e5ce]
stable/4.9: [97b835c6de03a24db79d374b02d532f0b562fd38]
stable/5.10: [5f36ae75b847e7f87e4144602f418a624ca074b7]

CVE-2022-23040:
mainline: [3777ea7bac3113005b7180e6b9dadf16d19a5827]
stable/4.19: [8d521d960aef22781ff499e16899c30af899de8d]
stable/4.9: [8f80d12f6946a6fe7c64bfc204c062a57f83c7f8]
stable/5.10: [5c600371b8fd02cbbb0eb83a9f664e3f0b75c28e]

CVE-2022-23041: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

CVSS v3 score is not provided

Xen advisory said that "blkfront, netfront, scsifront, usbfront,
dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to
delay freeing a grant reference until it is no longer in use, but the
freeing of the related data page is not synchronized with dropping the
granted access. As a result the backend can keep access to the memory
page even after it has been freed and then re-used for a different
purpose."

for 4.4
5cadd4b: patches net/9p/trans_xen.c, but 4.4.302 doesn't have it; may be ignored
b0576cc: patches drivers/xen/pvcalls-front, but 4.4.302 doesn't have
it; can be ignored
42baefa: can be applied with modification

Fixed status

mainline: [5cadd4bb1d7fc9ab201ac14620d1a478357e4ebd,
b0576cc9c6b843d99c6982888d59a56209341888,
  42baefac638f06314298087394b982ead9ec444b]
stable/4.19: [2466bed361f3274e3e0ca9d8e539532481c06fea,
f85d03f0f482cc28a2ee15a1fed2ae57ae359412,
  92dc0e4a219602242407dedd987dc9c8263c959b]
stable/4.9: [ae6f8a67b98144827e78874c8dba41cccb02be5b]
stable/5.10: [8357d75bfdb85ea63253cf369f405830c7b13d78,
c4b16486d6023f6365a4f8671351961e97428f2d,
  39c00d09286c67567cdf23ebc8e00e47722ef769]

CVE-2022-23042: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

CVSS v3 score is not provided

Xen advisory said that "netfront will fail a BUG_ON() assertion if it
fails to revoke access in the rx path. This will result in a Denial of
Service (DoS) situation of the guest which can be triggered by the
backend."

for 4.4
66e3531: need to modify

Fixed status

mainline: [66e3531b33ee51dad17c463b4d9c9f52e341503d]
stable/4.19: [c307029d811e03546d18d0e512fe295b3103b8e5]
stable/4.9: [c4497b057b14274e159434f0ed70439a21f3d2a9]
stable/5.10: [206c8e271ba2630f1d809123945d9c428f93b0f0]

CVE-2022-26878: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()

CVSS v3 score is not provided

This bug was introduced in 5.13-rc1, so versions before this aren't
affected by this issue.
The mainline and all stable kernels are already fixed.

Fixed status

mainline: [1d0688421449718c6c5f46e458a378c9b530ba18]
stable/5.15: [1f2270e161f978912100dd7acdfe1894bebcd4f6]
stable/5.16: [ad7cb5f6fa5f7ea37208c98a9457dd98025a89ca]

CVE-2022-26966: sr9700: sanity check for packet length

CVSS v3 score is not provided

This bug will cause heap data leak to user space.
The mainline and all stable kernels are already fixed.

for 4.4
The 4.4 kernel doesn't check the packet length. Therefore 4.4 has the same issue.
The patch can be applied to 4.4.

Fixed status

mainline: [e9da0b56fe27206b49f39805f7dcda8a89379062]
stable/4.14: [fbc3c962b6eb42b1483d00d8ea28b61b9f2fff26]
stable/4.19: [dde5ddf02a47487dd6efcc7077307f1d4e1ba337]
stable/4.9: [89260e0e191e8a3a9872f72836bdf0641853c87f]
stable/5.10: [4f5f5411f0c14ac0b61d5e6a77d996dd3d5b5fd3]
stable/5.15: [9f2d614779906f3d8ad4fb882c5b3e5ad6150bbe]
stable/5.16: [639f72dce8667a3d601561e0e47d53ad999e7f8a]
stable/5.4: [b95d71abeb7d31d4d51cd836d80f99fd783fd6d5]

CVE-2022-0742: A memory leak flaw was found in the Linux kernel’s
ICMPv6 networking protocol

CVSS v3 score is not provided

A remote attacker can crash the victim host via a malicious ICMP6 packet.
This vulnerability was introduced by commit f185de2 ("mld: add new
workqueues for process mld events").
This commit was merged in 5.13-rc1, so versions before this are not
affected by this issue.
The mainline and stable kernels are fixed.

Fixed status

mainline: [2d3916f3189172d5c69d33065c3c21119fe539fc]
stable/5.15: [771aca9bc70709771f66c3e7c00ce87339aa1790]
stable/5.16: [5ed9983ce67341b405cf6fda826e29aed26a7371]

CVE-2022-27223: USB: gadget: validate endpoint index for xilinx udc

The endpoint index is not validated and might be manipulated by the
host for out-of-array access.

For 4.4
The patch can be applied to 4.4 without modification.

Fixed status

mainline: [7f14c7227f342d9932f9b918893c8814f86d2a0d]
stable/4.14: [fdc22192d49fa577d8397b39f8ef8141cb1d62aa]
stable/4.19: [ebc465e894890a534ce05e035eae4829a2a47ba1]
stable/4.9: [958b6ab4d70bf991e8c90233504d4cb863aaef8a]
stable/5.10: [bfa8ffbaaaaf9752f66bc7cabcef2de715e7621f]
stable/5.15: [2c775ad1fd5e014b35e483da2aab8400933fb09d]
stable/5.16: [3221ef49ba18924e55a4d42a2ea4080cfea12c6c]
stable/5.4: [6b23eda989236fd75b4a9893cc816cd690c29dfc]

* Updated CVEs

CVE-2022-0001: Sharing of branch predictor selectors between contexts
on Intel CPUs

Stable 4.14, 4.19, 4.9, 5.10, 5.15, 5.16, and 5.4 kernels were updated.

Fixed status

CVE-2022-0002: Sharing of branch predictor selectors in same context
on Intel CPUs

Stable 4.14, 4.19, 4.9, 5.10, 5.15, 5.16, and 5.4 kernels were updated.

Fixed status

CVE-2022-23960: Arm CPUs BHI problem

Stable 4.19, 4.9, 5.10, 5.15, and 5.16 kernels were updated.

Fixed status

CVE-2020-26555: BR/EDR pin code pairing broken

The commit 6d19628f ("Bluetooth: SMP: Fail if remote and local public
keys are identical") was merged in 5.13-rc1.
All stable kernels are fixed.

Fixed status

mainline: [6d19628f539fccf899298ff02ee4c73e4bf6df3f]
stable/4.14: [4555cee33f7d75c1ee69902c872c9d1e9568ebd5]
stable/4.19: [30126d4ba73119565f1748b116b9869ac6bbda6b]
stable/4.4: [75523bbfb0eaead670c97fbcf096ca2ab556f0c0]
stable/4.9: [6555a006b21ab49090b9a7b36e92d0421db19328]
stable/5.10: [d8d261c7cfb3a5dd921b4aeeb944718afc3f3961]
stable/5.4: [f97257cde764ad6979a7dbeb460b9fb69276342e]

CVE-2021-4149: Improper lock operation in btrfs

4.14, 4.19, and 4.9 kernels were fixed.

For 4.4
This patch can be applied to 4.4.

Fixed status

mainline: [19ea40dddf1833db868533958ca066f368862211]
stable/4.14: [e0956dd95ddd6b02b7eb084d127b926a509ae8e7]
stable/4.19: [73d55fa1b9310573f623195a4f7ab3170bbaf248]
stable/4.9: [43bfa08ba62a1ca7a22365c7092e491e04327efb]
stable/5.10: [206868a5b6c14adc4098dd3210a2f7510d97a670]
stable/5.4: [005a07c9acd6cf8a40555884f0650dfd4ec23fbe]
ubuntu/focal: [d1866774f0ef5d586ed62017838dd89869fe5dbb]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.
CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-03-09 23:55 Masami Ichikawa
From: Masami Ichikawa @ 2022-03-09 23:55 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 12 new CVEs and 3 updated CVEs.

CVE-2022-0847 is Dirty Pipe.
CVE-2022-0001, CVE-2022-0002, and CVE-2022-23960 are BHI (Spectre-V2 variant).

* New CVEs

CVE-2022-26490: nfc: st21nfca: Fix potential buffer overflows in
EVT_TRANSACTION

CVSS v3 score is not provided

st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in
the Linux kernel through 5.16.12 has EVT_TRANSACTION buffer overflows
because of untrusted length parameters.

The patch can be applied to 4.4.y without any conflict.

Fixed status

mainline: [4fbcc1a4cb20fe26ad0225679c536c80f1648221]

CVE-2022-0847: lib/iov_iter: initialize "flags" in new pipe_buffer

CVSS v3 score is not provided

A flaw was found in the way the "flags" member of the new pipe buffer
structure was lacking proper initialization in copy_page_to_iter_pipe
and push_pipe functions in the Linux kernel and could thus contain
stale values. An unprivileged local user could use this flaw to write
to pages in the page cache backed by read only files and as such
escalate their privileges on the system. This flaw affects Linux
kernel versions prior to 5.17-rc6.

This uninitialized-flags bug was introduced by commit 241699cd ("new
iov_iter flavour: pipe-backed") that was merged in 4.9.
However, the commit f6dd975583bd ("pipe: merge anon_pipe_buf*_ops")
that was merged in 5.8-rc1 made this bug exploitable.

4.4.y isn't affected by this issue.

Fixed status

mainline: [9d2231c5d74e13b2a0546fee6737ee4446017903]
stable/4.14: [a162b11c975ef9a03a75027c04052906ed7710da]
stable/4.19: [d46c42d8d2742742eddf9290e72df4b563f2e301]
stable/4.9: [c460ef6e0596eb5ca844c45338c20f6023f1e43c]
stable/5.10: [b19ec7afa9297d862ed86443e0164643b97250ab]
stable/5.15: [114e9f141822e6977633d322c1b03e89bd209932]
stable/5.16: [eddef98207d678f21261c2bd07da55938680df4e]
stable/5.4: [87c575d2a238febe8a04241008f18252fe5d093d]

CVE-2021-39686: A race condition bug was found in Android Binder driver

CVSS v3 score is not provided

According to the commit message, there was a race condition bug in the
Android Binder driver. Commits 29bc22a and c21a80c mention that these
patches fix kernel 4.4 as well.
It seems no CIP member enables this driver.

Fixed status

mainline: [29bc22ac5e5bc63275e850f0c8fc549e3d0e306b,
52f88693378a58094c538662ba652aff0253c4fe,
  4d5b5539742d2554591751b4248b0204d20dcc9d,
c21a80ca0684ec2910344d72556c816cb8940c01]
stable/4.19: [5d40061285b81a7e213dc9b37acc4a0545eedf32,
e82f3f9638f17d58e9a217bce127e2376aefcb9d,
  c3b9f29fca6682550d731c80745b421415c1e0af]
stable/4.9: [443fc43d2fdbf55be7aa86faae1f7655e761e683,
22d4a6dacee058b58640ef8109b0c8fc5d1b80e2,
  404fb1097298690b1d7d1c59eab806bbdd757267]
stable/5.10: [bd9cea41ac6e08f615030dea28b23e12b7a2674f,
0d9f4ae7cd6f5283dd0e343265268c695ef592b0,
  afbec52fbce006a775edb21f87ccae713bc0e7d6,
4402cf0402526f7c5befa97481be13b131797838]
stable/5.15: [ff1bd01f490ba60d82c765100d95d13cc00c1625,
3f3c31dd0f8cfdc4ce301a4a605488fb73602ea5,
  6e8813eadf8bcf0ea26360658b1679971d0a501c,
849d86e85951ea409b09e384d1f0060a3adfdb58]
stable/5.4: [28a1e470b000d45bcf6c05f18a01d07cdc0b3235,
fc9c470cd519e5bb37cf4c92603b2d4e604f5b71,
  db39f49ee7d50e68bf46796c05d9deae256ce986,
aaa83768ba39586fe0abe2fb1825b89f3bf6270c]

CVE-2021-39711: bpf: fix panic due to oob in bpf_prog_test_run_skb

CVSS v3 score is not provided

An OOB bug in the bpf BPF_PROG_TEST_RUN command.
This bug was introduced by commit 1cf1cae ("bpf: introduce
BPF_PROG_TEST_RUN command") which was merged in 4.12-rc1.
This bug was fixed in v4.18-rc6. So, only stable/4.14 is affected by this issue.

Fixed status

mainline: [6e6fddc78323533be570873abb728b7e0ba7e024]
stable/4.14: [20fdf274472998123a8d173ba4cb6282ff6b63bd]

CVE-2021-39698: binder: use wake_up_pollfree()

CVSS v3 score is not provided

There are no details. However, one of the commits, a880b28 ("binder: use
wake_up_pollfree()"), fixes the Android Binder driver, so it seems the
vulnerability is in this driver.

The commit message says it added the wake_up_pollfree() function to
wake up all exclusive waiters. The epoll and aio poll may not be
affected by this issue, but they are very fragile.
Therefore this patch series contains aio and epoll patches.

The commit a880b28 ("binder: use wake_up_pollfree()") fixes f5cb779
("ANDROID: binder: remove waitqueue when thread exits.") that was
merged at 4.16-rc1.

The commit 9537bae ("signalfd: use wake_up_pollfree()") fixes d80e731
("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree() ")
that was merged at 3.3-rc5.

The commit 363bee2 ("aio: keep poll requests on waitqueue until
completed") fixes commit 2c14fa8 ("aio: implement IOCB_CMD_POLL") that
was merged at 4.18-rc1.

The commit 50252e4 ("aio: fix use-after-free due to missing POLLFREE
handling") fixes commit 2c14fa8 ("aio: implement IOCB_CMD_POLL") that
was merged at 4.18-rc1.

Fixed status

mainline: [42288cb44c4b5fff7653bc392b583a2b8bd6a8c0,
a880b28a71e39013e357fd3adccd1d8a31bc69a8,
  9537bae0da1f8d1e2361ab6d0479e8af7824e160,
363bee27e25804d8981dd1c025b4ad49dc39c530,
  50252e4b5e989ce64555c7aef7516bdefc2fea72]
stable/4.19: [8dd7c46a59756bdc29cb9783338b899cd3fb4b83,
32288f504035b6c359cc33ee615f74f14be2e38a,
  f226fdd855b7d9c1f2a6e878d82eb3e1fbc880e9,
580c7e023303ce3a187adcaa40868bfc740725d2,
  321fba81ec034f88aea4898993c1bf15605c023f]
stable/4.9: [0e92a7e47a0411d5208990c83a3d200515e314e8,
0487ea896e62b5a90a81ac6e73c35e595d77f499,
  5ecb4e93d70a21f3b7094029986ef0c3e321f56c]
stable/5.10: [8e04c8397bf98235b1aa41153717de7a05e652a2,
9f3acee7eac8d8690134b09ba55e2c12164d24ae,
  fc2f636ffc446d8e9530e441897f877922269051,
e4d19740bccab792f16c7ca6fd1f9aea06193cb2,
  47ffefd88abfffe8a040bcc1dd0554d4ea6f7689]
stable/5.15: [1ebb6cd8c754bfe1a5f9539027980756bce7cb08,
f12d997683a7a97e7af834d3181fad61ad67df47,
  8d6760fd5d1604df29dd7651033167ef99a7698d,
924f51534d428e91c98ea309ab16270f5e8289c6,
  60d311f9e6381d779d7d53371f87285698ecee24]
stable/5.4: [e0c03d15cd03476dd698c1ae7fb32a16d3e87f5c,
1a478a0522e5618480ee298e886eed18dcac1459,
  aac8151624b6376e42b2c60410fe7e3aba3a3d1b,
380185111fa881fa68382ecf7328c608212218dd,
  4105e6a128e8a98455dfc9e6dbb2ab0c33c4497f]

CVE-2021-39713: locking issue in net/sched module

CVSS v3 score is not provided

There are no details. This patch series modified locking strategies
to use the Qdisc RCU API instead of the rtnl lock.

All patches were merged in 4.20-rc1 in the mainline.

Fixed status

mainline: [e368fdb61d8e7c67ac70791b23345b26d7bbc661,
9d7e82cec35c027756ec97e274f878251f271181,
  3a7d0d07a386716b459b00783b11a8211cefcc0f,
86bd446b5cebd783187ea3772ff258210de77d99,
  6f99528e9797794b91b43321fbbc93fe772b0803]
stable/4.19: [ae214e04b95ff64a4b0e9aab6742520bfde6ff0c,
da1d324088c40fa0a382224c466175fc5c704106,
  f602ed9f8574512e7ea1ab65c3db7ba71053bf27,
92833e8b5db6c209e9311ac8c6a44d3bf1856659,
  cd25f1099284a0cbe916344fc1e6c1ffed6c5306]

CVE-2021-39714: staging: android: ion: Drop ion_map_kernel interface

CVSS v3 score is not provided

There are no details. This patch removes some functions in
drivers/staging/android/ion/ion.c.
The ion driver was removed from the mainline in 5.11-rc1.
This fix was merged in 4.12-rc1.

The patch removes ion_handle_kmap_get(), ion_map_kernel(), and
ion_unmap_kernel().

For 4.4, ion_handle_kmap_get() is called from ion_map_kernel(), but it
looks like ion_map_kernel() isn't called from anywhere.
So, it seems to be okay to remove these functions from 4.4.y.

Fixed status

mainline: [e3b914bc7eb6bcecc5b597ee6e31fc40442c291f]
stable/4.9: [16b34e53eaadda6cbb1f0452fd99700c44db23be]

CVE-2022-0850: kernel: information leak in copy_page_to_iter() in iov_iter.c

CVSS v3 score is not provided

This is an information leak bug in the ext4 file system.
The mainline, stable, and 4.4 kernels are already fixed.
This bug was fixed in 5.14-rc1.

Fixed status

cip/4.4: [ce14bff239a107344b153bd6504a2f8165f672e9]
cip/4.4-rt: [ce14bff239a107344b153bd6504a2f8165f672e9]
mainline: [ce3aba43599f0b50adbebff133df8d08a3d5fffe]
stable/4.14: [29d882f9a6a6219a1c59729e1f43fa40663903e4]
stable/4.19: [9ed3a3d3a8d2cbe99d9e4386a98856491f0eade0]
stable/4.9: [25dcc64fa0c9399653e1fd1a4bad6c1e8cb31f3f]
stable/5.10: [ea5466f1a77720217a25a859b5a58b618aaba544]
stable/5.4: [ed628b2531196cc76d7c9b730abe4020cad26b0b]

CVE-2022-20003: net/packet: rx_owner_map depends on pg_vec

CVSS v3 score is not provided

The commit ec6af09 ("net/packet: rx_owner_map depends on pg_vec") also
fixes CVE-2021-22600. It may be a duplicate of CVE-2021-22600, or a
different symptom with the same root cause.

The 4.9 and 4.4 kernels aren't affected by CVE-2021-22600, so if
CVE-2022-20003 and CVE-2021-22600 are the same issue, we don't have
to take care of these kernels.

Fixed status

mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]

CVE-2022-0001 and CVE-2022-0002: Sharing of branch predictor selectors
between contexts on Intel CPUs

CVSS v3 score is not provided

It is called BHI (or Spectre-BHB), which is a Spectre V2 variant. This
CVE tracks BHI for Intel CPUs.
One of the mitigation methods is to disable unprivileged eBPF.

Fixed in mainline as of 2022/03/09 but not released yet.

Fixed status

CVE-2022-23960: Arm CPUs BHI problem

CVSS v3 score is not provided

It is called BHI (or Spectre-BHB), which is a Spectre V2 variant. This
CVE tracks BHI for Arm CPUs.
Disabling unprivileged eBPF is also recommended.

Fixed in mainline as of 2022/03/09 but not released yet.

Fixed status

* Updated CVEs

CVE-2022-25636: netfilter: nf_tables_offload: incorrect flow offload
action array size

This issue was introduced by commit be2861d ("netfilter:
nft_{fwd,dup}_netdev: add offload support") that was merged in
5.4-rc1.
This week, the stable/5.x series were fixed.

Fixed status

mainline: [b1a5983f56e371046dcf164f90bfaf704d2b89f6]
stable/5.10: [68f19845f580a1d3ac1ef40e95b0250804e046bb]
stable/5.15: [6c5d780469d6c3590729940e2be8a3bd66ea4814]
stable/5.16: [6bff27caef1ee07a8b190f34cf32c99d6cc37a33]
stable/5.4: [49c011a44edd14adb555dbcbaf757f52b1f2f748]

CVE-2020-36310: KVM: SVM: avoid infinite loop on NPF from bad address

This bug was introduced in v4.16-rc1 and fixed in v5.8-rc1.
The fix commit e72436b ("KVM: SVM: avoid infinite loop on NPF from bad
address") wasn't sufficient. So 55467fc ("KVM: SVM: Never reject
emulation due to SMAP errata for !SEV guests") is a new commit to fix
CVE-2020-36310.

Fixed status

mainline: [55467fcd55b89c622e62b4afe60ac0eb2fae91f2]
stable/5.10: [9dcedbe943be8c93722c1ed68b59001b28b0d889]
stable/5.15: [3470722fac229594182d7c2b46041323560b1924]
stable/5.16: [0b0dd3ef2d3586cc6518fe2430aa29a208ded295]

CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandles dev->buf release

Stable kernels were fixed this week.

Fixed status

mainline: [89f3594d0de58e8a57d92d497dea9fee3d4b9cda,
501e38a5531efbd77d5c73c0ba838a889bfc1d74]
stable/4.14: [6936d1097e9cb891e1daaa8aab1b9c080f5e59a2,
70959fa1a003cb7c6ed2fd0e0f887125d08b8bf6]
stable/4.19: [70196d12856306a17ddc3eae0f022b9c1d748e52,
6b432b7b5a77e8bfd041da0ba00c98fa31097c4e]
stable/4.9: [be1bb345f180482b0e57768d967ef020d7cba592,
e09100044e658fb7906494ed5109323ba64f3e7a]
stable/5.10: [c13159a588818a1d2cd6519f4d3b6f7e17a9ffbd,
fdd64084e405544c5c11841ca9261785c988e2a1]
stable/5.15: [07de9a494b5ae41b9253411a8e9576d7fceedcc3,
ab3656acb7b4f33a30970a920ed90f0db36d940b]
stable/5.16: [9e5c16b2a9812cd250f0de0b77391c2d63adf2f2,
030b335a1dd1f306da6cee0514f22e602576389e]
stable/5.4: [ba6fdd55b16677dcc1d7011270c140d2a37e5f35,
58b419d16e8791e16f8865463aa28bbcef726e26]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



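The stale-flags bug class behind CVE-2022-0847, as an added illustrative model in C (constructed here; not kernel code and not part of the original report): a ring of pipe_buffer-like slots is filled by ordinary writes that set a CAN_MERGE flag, drained, then reused for a page-cache page; the pre-fix fill path inherits the old flag, while the fixed path initialises the flags member as the entry describes. Names such as model_pipe, model_splice_pagecache and dirty_pipe_model are assumptions of this model.

```c
/* Constructed model (not kernel code) of the CVE-2022-0847 bug class:
 * a ring of pipe_buffer-like slots whose "flags" member survives slot
 * reuse unless the filling path clears it. All names are illustrative. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 4
#define BUF_FLAG_CAN_MERGE 0x10u   /* modelled after PIPE_BUF_FLAG_CAN_MERGE */

struct model_buf {
    const char *page;      /* label of the backing page: "anon" or "pagecache" */
    unsigned int offset;
    unsigned int len;
    unsigned int flags;
};

struct model_pipe {
    struct model_buf bufs[RING_SIZE];
    unsigned int head;     /* next slot to fill */
    unsigned int tail;     /* next slot to drain */
};

/* Ordinary write(): anonymous pipe pages are mergeable, so the writer
 * marks the slot CAN_MERGE so that a later short write can append to it. */
static void model_write(struct model_pipe *p, unsigned int len)
{
    struct model_buf *b = &p->bufs[p->head++ % RING_SIZE];
    b->page = "anon";
    b->offset = 0;
    b->len = len;
    b->flags = BUF_FLAG_CAN_MERGE;
}

/* read(): drops the page reference but leaves the flags member as it was,
 * which is what makes the later slot reuse dangerous in this model. */
static void model_read(struct model_pipe *p)
{
    struct model_buf *b = &p->bufs[p->tail++ % RING_SIZE];
    b->page = NULL;
    b->len = 0;
}

/* splice() of a page-cache page into the pipe, modelled after the slot
 * fill in copy_page_to_iter_pipe()/push_pipe(). 'clear_flags' selects
 * the pre-fix (false) or post-fix (true) behaviour. */
static struct model_buf *model_splice_pagecache(struct model_pipe *p,
                                                unsigned int offset,
                                                unsigned int len,
                                                bool clear_flags)
{
    struct model_buf *b = &p->bufs[p->head++ % RING_SIZE];
    b->page = "pagecache";
    b->offset = offset;
    b->len = len;
    if (clear_flags)
        b->flags = 0;      /* the fix: never inherit a previous user's flags */
    return b;
}

/* A writer appends into the slot's existing page only if CAN_MERGE is set.
 * For a slot that references a page-cache page this must never be true. */
static bool model_writer_would_merge(const struct model_buf *b)
{
    return (b->flags & BUF_FLAG_CAN_MERGE) != 0;
}

/* Run the sequence: fill the ring with ordinary writes, drain it, then
 * splice a page-cache page into a reused slot. Returns true if a
 * subsequent write would be merged into the page-cache page. */
bool dirty_pipe_model(bool with_fix)
{
    struct model_pipe p;
    memset(&p, 0, sizeof p);

    for (unsigned int i = 0; i < RING_SIZE; i++)
        model_write(&p, 4096);
    for (unsigned int i = 0; i < RING_SIZE; i++)
        model_read(&p);

    struct model_buf *b = model_splice_pagecache(&p, 1, 4095, with_fix);
    return model_writer_would_merge(b);
}

int main(void)
{
    printf("pre-fix : writer merges into page cache = %s\n",
           dirty_pipe_model(false) ? "yes" : "no");
    printf("post-fix: writer merges into page cache = %s\n",
           dirty_pipe_model(true) ? "yes" : "no");
    return 0;
}
```
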
* New CVE entries this week
@ 2022-03-02 23:50 Masami Ichikawa
From: Masami Ichikawa @ 2022-03-02 23:50 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 2 updated CVEs.

* New CVEs

CVE-2020-36516: Off-Path TCP Exploits of the Mixed IPID Assignment

CVSS v3 score is not provided

An issue was discovered in the Linux kernel through 5.16.11. The mixed
IPID assignment method with the hash-based IPID assignment policy
allows an off-path attacker to inject data into a victim's TCP session
or terminate that session.

According to the commit 23f5740 ("ipv4: avoid using shared IP
generator for connected sockets ") this bug was introduced by commit
73f156a ("inetpeer: get rid of ip_id_count") which was merged at
3.16-rc1.

The 4.4 kernel was fixed in its maintenance phase.

Fixed status

mainline: [23f57406b82de51809d5812afd96f210f8b627f3]
stable/4.14: [853f58791145b6d7e6d2b6ff2a982119e920e21a]
stable/4.19: [eb04c6d1ec67e30f3aa5ef82112cbfdbddfd4f65]
stable/4.4: [e1b3fa7b6471e1b2f4c7573711e7f8ee2e9f3dc3]
stable/4.9: [2b77927a8cb7f540ca2bccff4017745104fe371b]
stable/5.10: [b26fed25e67bc09f28f998569ed14022e07b174b]
stable/5.15: [dee686cbfdd13ca022f20be344a14f595a93f303]
stable/5.16: [32ac95e4478f7aeb1d9f9539430361737eec8459]
stable/5.4: [1f748455a8f0e984dc91fc09e6dfe99f0e58cfbe]

CVE-2022-0812: NFS over RDMA random memory leakage

CVSS v3 score is not provided

According to the Red Hat Bugzilla, "An information
leak flaw was found in NFS over RDMA in the
net/sunrpc/xprtrdma/rpc_rdma.c function in RPCRDMA_HDRLEN_MIN (7) (in
rpcrdma_max_call_header_size, rpcrdma_max_reply_header_size). This
flaw allows an attacker with normal user privileges to leak kernel
information."

The vulnerable functions rpcrdma_max_call_header_size() and
rpcrdma_max_reply_header_size() were added by commit 302d3de
("xprtrdma: Prevent inline overflow"). These functions were introduced
in 4.7-rc1. The 4.4 kernel's size calculation logic is different from
the others, so it looks like 4.4 isn't affected by this issue.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2022-0646: mctp: serial: Cancel pending work from ndo_uninit handler

This bug was introduced by commit 7bd9890 ("mctp: serial: cancel tx
work on ldisc close"). This commit was merged in 5.17-rc1 and has not
been backported to stable kernels. So, stable kernels aren't affected
by this issue.

Fixed status

mainline: [6c342ce2239c182c2428ce5a44cb32330434ae6e]

CVE-2022-25636: netfilter: nf_tables_offload: incorrect flow offload
action array size

This issue was introduced by commit be2861d ("netfilter:
nft_{fwd,dup}_netdev: add offload support") that was merged in
5.4-rc1.

Fixed status

mainline: [b1a5983f56e371046dcf164f90bfaf704d2b89f6]
stable/5.10: [68f19845f580a1d3ac1ef40e95b0250804e046bb]
stable/5.15: [6c5d780469d6c3590729940e2be8a3bd66ea4814]
stable/5.16: [6bff27caef1ee07a8b190f34cf32c99d6cc37a33]
stable/5.4: [49c011a44edd14adb555dbcbaf757f52b1f2f748]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-02-23 23:41 Masami Ichikawa
From: Masami Ichikawa @ 2022-02-23 23:41 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 7 new CVEs and 1 updated CVE.

* New CVEs

CVE-2022-0644: vfs: check fd has read access in kernel_read_file_from_fd()

CVSS v3 score is not provided

There was a missing permission check in kernel_read_file_from_fd()
which allows an unprivileged user to read a file without permission.
This bug was introduced by commit b844f0e ("vfs: define
kernel_copy_file_from_fd()") which was merged in 4.6-rc1.
The mainline and stable kernels were fixed.

Fixed status

mainline: [032146cda85566abcd1c4884d9d23e4e30a07e9a]
stable/4.14: [aaa5e83805b09c7ed24c06227321575278e3de1d]
stable/4.19: [c1ba20965b59c2eeb54a845ca5cab4fc7bcf9735]
stable/4.9: [52ed5a196b1146e0368e95edc23c38fa1b50825a]
stable/5.10: [b721500c979b71a9f02eb84ca384082722c62d4e]
stable/5.4: [0f218ba4c8aac7041cd8b81a5a893b0d121e6316]

CVE-2022-0646: mctp: serial: Cancel pending work from ndo_uninit handler

CVSS v3 score is not provided

The MCTP serial transport driver was introduced in 5.17-rc1, so stable
kernels aren't affected by this issue.
The patch was merged into the netdev/net.git tree.

Fixed status

Not fixed yet.

CVE-2022-25258: USB: gadget: validate interface OS descriptor requests

CVSS v3 score is not provided

The USB Gadget subsystem lacks certain validation of interface OS
descriptor requests (ones with a large array index and ones associated
with NULL function pointer retrieval). Memory corruption might occur.

The patch can be applied to 4.4 with a small modification to fix merge conflicts.

The mainline and stable kernels were fixed.

Fixed status

mainline: [75e5b4849b81e19e9efe1654b30d7f3151c33c2c]
stable/4.14: [c7ad83d561df15ac6043d3b0d783aee777cf1731]
stable/4.19: [e5eb8d19aee115d8fb354d1eff1b8df700467164]
stable/4.9: [f3bcd744b0bc8dcc6cdb3ac5be20f54aecfb78a4]
stable/5.10: [22ec1004728548598f4f5b4a079a7873409eacfd]
stable/5.15: [3e33e5c67cb9ebd2b791b9a9fb2b71daacebd8d4]
stable/5.16: [8895017abfc76bbc223499b179919dd205047197]
stable/5.4: [38fd68f55a7ef57fb9cc3102ac65d1ac474a1a18]

CVE-2022-25265: kernel: Executable Space Protection Bypass

CVSS v3 score is not provided

Certain binary files may have the exec-all attribute if they were
built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel
2.4.20). This can cause execution of bytes located in supposedly
non-executable regions of a file.

Fixed status

Not fixed yet.

CVE-2022-0500: kernel: Linux ebpf logic vulnerability leads to
critical memory read and write gaining root privileges

CVSS v3 score is not provided

An OOB write bug was found in unrestricted eBPF usage via BPF_BTF_LOAD.
According to
https://lore.kernel.org/bpf/20211217003152.48334-1-haoluo@google.com/
, commit 34d3a78 ("bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM") is
the main fix for this issue. This commit fixes commits 63d9b80 ("bpf:
Introducte bpf_this_cpu_ptr()"), eaa6bcb ("bpf: Introduce
bpf_per_cpu_ptr()"), and 4976b71 ("bpf: Introduce pseudo_btf_id").
These commits were merged in 5.10-rc1, so the stable 5.4, 4.19, 4.9,
and 4.4 kernels do not include them.

To mitigate this issue, disable unprivileged eBPF.

Fixed status

mainline: [20b2aff4bc15bda809f994761d5719827d66c0b4,
216e3cd2f28dbbf1fe86848e0e29e6693b9f0a20,
34d3a78c681e8e7844b43d1a2f4671a04249c821,
3c4807322660d4290ac9062c034aed6b87243861,
48946bd6a5d695c50b34546864b79c1f910a33c1,
c25b2ae136039ffa820c26138ed4a5e5f3ab3841,
cf9f2f8d62eca810afbd1ee6cc0800202b000e57]
stable/5.16: [e982070f8970bb62e69ed7c9cafff886ed200349,
4a6c35debbd46d796c81eb3ffcd6c747e76ec7a3,
199cdd057eb747b36a193ecf96d2452e36643163,
5b33e437dc6a02e3298858ca8591096f36b1421d,
bcd98af3eb7527f6ba39c976cbcf4454fa1106e1,
77459bc4d5e2c6f24db845780b4d9d60cf82d06a,
6f6edc4211b379ef6de25d9182148c7ca26ffcfb]

CVE-2022-25375: usb: gadget: rndis: check size of RNDIS_MSG_SET command

CVSS v3 score is not provided

A kernel data leak bug was found in the RNDIS USB gadget. The patch can
be applied to 4.4 without any errors.
The mainline and stable kernels were already fixed.

Fixed status

mainline: [38ea1eac7d88072bbffb630e2b3db83ca649b826]
stable/4.14: [4c22fbcef778badb00fb8bb9f409daa29811c175]
stable/4.19: [db9aaa3026298d652e98f777bc0f5756e2455dda]
stable/4.9: [ff0a90739925734c91c7e39befe3f4378e0c1369]
stable/5.10: [fb4ff0f96de37c44236598e8b53fe43b1df36bf3]
stable/5.15: [2da3b0ab54fb7f4d7c5a82757246d0ee33a47197]
stable/5.16: [2724ebafda0a8df08a9cb91557d33226bee80f7b]
stable/5.4: [c9e952871ae47af784b4aef0a77db02e557074d6]

CVE-2022-25636: netfilter: nf_tables_offload: incorrect flow offload
action array size

CVSS v3 score is not provided

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10
allows local users to gain privileges because of a heap out-of-bounds
write. This is related to nf_tables_offload.

This issue was introduced by commit be2861d ("netfilter:
nft_{fwd,dup}_netdev: add offload support") which was merged in
5.4-rc1.

Fixed status

Fixed in the netfilter tree by commit b1a5983 ("netfilter: nf_tables_offload:
incorrect flow offload action array size"), but it hasn't been merged into
the mainline yet.

* Updated CVEs

CVE-2021-32606: net/can/isotp: race condition leads to local privilege
escalation

This bug was introduced by commit 921ca57 ("can: isotp: add
SF_BROADCAST support for functional addressing") which was merged in
5.11-rc1, so kernels before 5.11 aren't affected by this issue.
However, this patch was backported to 5.10, but it wasn't merged into
5.10 (https://lore.kernel.org/stable/20220216063137.2023-2-socketcan@hartkopp.net/).
Therefore 921ca57 and 5d42865 have now been merged into 5.10 and the
patches are backported correctly.

Fixed status

mainline: [2b17c400aeb44daf041627722581ade527bb3c1d]
stable/5.10: [5d42865fc311af63785c9aa45ca30d1717c1c653]
stable/5.12: [b190618d8337b9466d985854e417dc0e8b012e3c]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-02-17  0:09 Masami Ichikawa
From: Masami Ichikawa @ 2022-02-17  0:09 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 9 new CVEs.

* New CVEs

CVE-2021-44879: f2fs: fix to do sanity check on inode type during
garbage collection

CVSS v3 score is not provided

In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3,
special files are not considered, leading to a move_data_page NULL
pointer dereference.

gc_data_segment() in the 4.4 kernel does a different check from the
other kernels, so the patch cannot be applied.

Fixed status

mainline: [9056d6489f5a41cfbb67f719d2c0ce61ead72d9f]
stable/5.15: [0ddbdc0b7f0cec3815ac05a30b2c2f6457be3050]
stable/5.16: [d667b9f61df7bdfcb59dd1406fd2392c358f0008]

CVE-2022-0435: tipc: improve size validations for received domain records

CVSS v3 score is not provided

This issue was introduced by commit 35c55c9 ("tipc: add neighbor
monitoring framework") which was merged in 4.8-rc1. It was fixed in
5.17-rc4. The 4.4 kernel isn't affected.

Fixed status

mainline: [9aa422ad326634b76309e8ff342c246800621216]
stable/4.14: [fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d]
stable/4.19: [f1af11edd08dd8376f7a84487cbb0ea8203e3a1d]
stable/4.9: [175db196e45d6f0e6047eccd09c8ba55465eb131]
stable/5.10: [3c7e5943553594f68bbc070683db6bb6f6e9e78e]
stable/5.15: [1f1788616157b0222b0c2153828b475d95e374a7]
stable/5.16: [59ff7514f8c56f166aadca49bcecfa028e0ad50f]
stable/5.4: [d692e3406e052dbf9f6d9da0cba36cb763272529]

CVE-2022-0516: KVM: s390: Return error on SIDA memop on normal guest

CVSS v3 score is not provided

This issue is s390 architecture specific. It was introduced by commit
19e12277 ("KVM: S390: protvirt: Introduce instruction data area bounce
buffer") which was merged in 5.7-rc1. All kernels were already fixed.

Fixed status

mainline: [2c212e1baedcd782b2535a3f86bc491977677c0e]
stable/5.10: [b62267b8b06e9b8bb429ae8f962ee431e6535d60]
stable/5.15: [14f880ea779e11a6c162f122c1199e3578e6e3f3]
stable/5.16: [8c68c50109c22502b647f4e86ec74400c7a3f6e0]

CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandles dev->buf release

CVSS v3 score is not provided

drivers/usb/gadget/legacy/inode.c in the Linux kernel through
5.16.8 mishandles dev->buf release. This bug causes a UAF.

For 4.4, commit 501e38a ("usb: gadget: clear related members when goto
fail") has a merge conflict, but it is easy to fix.

Fixed status

mainline: [89f3594d0de58e8a57d92d497dea9fee3d4b9cda,
501e38a5531efbd77d5c73c0ba838a889bfc1d74]

CVE-2022-24959: yam: fix a memory leak in yam_siocdevprivate()

CVSS v3 score is not provided

An issue was discovered in the Linux kernel before 5.16.5. There is a
memory leak in yam_siocdevprivate in drivers/net/hamradio/yam.c.

This bug was introduced by commit 0781168 ("yam: fix a missing-check
bug") which was merged in 4.19-rc7.
The stable 4.9 and 4.4 kernels are not affected.

Fixed status

mainline: [29eb31542787e1019208a2e1047bb7c76c069536]
stable/4.14: [4bbdfb71d2898a9d6e777a948a7484903a4ad2c3]
stable/4.19: [4bd197ce18329e3725fe3af5bd27daa4256d3ac7]
stable/5.10: [729e54636b3ebefb77796702a5b1f1ed5586895e]
stable/5.15: [0690c3943ed0fa76654e600eca38cde6a13c87ac]
stable/5.16: [deb0f02d08276d87212c1f19d9d919b13dc4c033]
stable/5.4: [7afc09c8915b0735203ebcb8d766d7db37b794c0]

CVE-2021-33061: Insufficient control flow management for the Intel(R)
82599 Ethernet Controllers and Adapters may allow an authenticated
user to potentially enable denial of service via local access.

CVSS v3 score is 5.5 MEDIUM

This bug allows a DoS attack. It was fixed and released on 2021/10/05.

Fixed status

Fixed in Intel® 82599 Ethernet Series Controllers and associated
Adapters Kernel-mode Driver version 5.13.4 or higher.

CVE-2021-33096: Improper isolation of shared resources in network on
chip for the Intel(R) 82599 Ethernet Controllers and Adapters may
allow an authenticated user to potentially enable denial of service
via local access.

CVSS v3 score is 5.5 MEDIUM

This bug allows a DoS attack. Intel recommends "Consult the
Direct-Assignment Networking Fault Isolation in a Data Center
Environment Prescriptive Guidance Addressing INTEL-SA-00571
Application Note." in its Security Advisory (INTEL-SA-00571), so
there are no patches for CVE-2021-33096.

Fixed status

Security Advisory INTEL-SA-00571 gives recommendations.

CVE-2021-45402: The check_alu_op() allows local users to obtain
potentially sensitive address information because it mishandles mov32
instruction.

CVSS v3 score is not provided

This bug was introduced by commit 3f50f13 ("bpf: Verifier, do explicit
ALU32 bounds tracking") which was merged in 5.7-rc1, so kernels before
5.7-rc1 are not affected by this issue. It was fixed in
5.16-rc6 in the mainline and backported to stable kernels.

Fixed status

mainline: [3cf2b61eb06765e27fec6799292d9fb46d0b7e60,
e572ff80f05c33cd0cb4860f864f5c9c044280b6]
stable/5.10: [e2aad0b5f2cbf71a31d00ce7bb4dee948adff5a9,
279e0bf80d95184666c9d41361b1625c045d1dcb]
stable/5.15: [f77d7a35d4913e4ab27abb36016fbfc1e882a654,
dbda060d50abbe91ca76010078742ca53264bfa6]

CVE-2022-0617: Null pointer dereference can be triggered when write to
an ICB inode

CVSS v3 score is not provided

A null pointer dereference bug was found in the UDF file system.
The mainline, stable kernels, and the cip/4.4 kernel are already fixed.

Fixed status

cip/4.4: [0f28e1a57baf48a583093e350ea2bd3e4c09b8ea,
f25e032aa6e5cb2a22879759e4b08e4cd1c84e95]
mainline: [7fc3b7c2981bbd1047916ade327beccb90994eee,
ea8569194b43f0f01f0a84c689388542c7254a1f]
stable/4.14: [a312cbdb9045a52e5c1fec4ac7b86895f508dc76,
3fdf975173dc5acbd6e25b451bcbd558ba9d839a]
stable/4.19: [a23a59717f9f01a49394488f515550f9382fbada,
3740d41e7363374182a42f1621e06d5029c837d5]
stable/4.9: [f24454e42b5a58267928b0de53b0dd9b43e4dd46,
de10d14ce3aacba73c835cb979a85ef9683c193f]
stable/5.10: [de7cc8bcca90a9d77c915ee1d922dbd670c47d84,
0a3cfd258923aee63e7f144f134d42e205421848]
stable/5.15: [cbf96c58e28b1fece9630102781a93ff32c347f7,
2ea17d25be51ed8ea9fa59a66c9152d3c5ba0c7a]
stable/5.16: [620e8243cf5389e706c1c8f66ffacb3c84308a9e,
8baf0dbef73e1d1ad41f5db77bf20234fb7a7773]
stable/5.4: [31136e5467f381cf18e2cfd467207dda7678c7a2,
86bcc670d3000095bdb70342cf4d3fb6f3fc0a1a]

* Updated CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

A local unprivileged user can cause a local DoS via the sctp subsystem. This
issue was introduced by commit cc16f00 ("sctp: add support for
generating stream reconf ssn reset request chunk") which was merged in
4.11-rc1. It was fixed in 5.15-rc6.

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]

CVE-2022-0487: Use after free in moxart_remove

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
All stable kernels were fixed this week.

Applying patch bd2db32 ("moxart: fix potential use-after-free on remove
path") to 4.4 needs a small code modification. However, it seems no CIP
member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]
stable/4.14: [e6f580d0b3349646d4ee1ce0057eb273e8fb7e2e]
stable/4.19: [9c25d5ff1856b91bd4365e813f566cb59aaa9552]
stable/4.9: [f5dc193167591e88797262ec78515a0cbe79ff5f]
stable/5.10: [be93028d306dac9f5b59ebebd9ec7abcfc69c156]
stable/5.15: [af0e6c49438b1596e4be8a267d218a0c88a42323]
stable/5.16: [7f901d53f120d1921f84f7b9b118e87e94b403c5]
stable/5.4: [3a0a7ec5574b510b067cfc734b8bdb6564b31d4e]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

There was a bug in the cgroups v1 release_agent feature that allows
escalating privilege and bypassing namespace isolation.
The 4.X series were fixed this week.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/4.14: [b391bb3554dd6e04b7a8ede975dbd3342526a045]
stable/4.19: [939f8b491887c27585933ea7dc5ad4123de58ff3]
stable/4.9: [7e33a0ad792f04bad920c7197bda8cc2ea08d304]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2022-02-03  0:28 Masami Ichikawa
From: Masami Ichikawa @ 2022-02-03  0:28 UTC (permalink / raw)
  To: cip-dev

Hi!

It's this week's CVE report.

This week reported 8 new CVEs.

* New CVEs

CVE-2022-22942: drm/vmwgfx: Fix stale file descriptors on failed usercopy

CVSS v3 score is not provided

A local attacker who is able to access /dev/dri/card0 or
/dev/dri/renderD128 will be able to gain access to files opened by
other processes on the system.
This issue was introduced by commit c906965 ("drm/vmwgfx: Add export
fence to file descriptor support") which was merged in 4.14-rc1.

Fixed status

mainline: [a0f90c8815706981c483a652a6aefca51a5e191c]

CVE-2021-4159: bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds()

CVSS v3 score is not provided

A kernel pointer leak vulnerability in eBPF. If a user has permission
to insert eBPF code, the user will be able to expose internal kernel
memory details.

Fixed status

mainline: [294f2fc6da27620a506e6c050241655459ccd6bd]

CVE-2022-0382: net tipc: fix a kernel-infoleak in __tipc_sendmsg()

CVSS v3 score is not provided

An infoleak vulnerability was found in __tipc_sendmsg(). A local user
can read some kernel memory (no more than 7 bytes and cannot control
what is read).

Fixed status

mainline: [d6d86830705f173fca6087a3e67ceaf68db80523]
stable/5.15: [d57da5185defccf383be53f41604fd5f006aba8c]

CVE-2022-24122: ucount:  Make get_ucount a safe get_user replacement

CVSS v3 score is not provided

A use-after-free vulnerability was found. This bug was introduced by
the following commits.

- d646969 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
- 6e52a9f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
- d7c9e99 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")

These commits were merged in 5.14-rc1, so kernels before 5.14 are
not affected.

Fixed status

mainline: [f9d87929d451d3e649699d0f1d74f71f77ad38f5]
stable/5.15: [348a8501e6029f9308ea7675edfa645b5e669c9e]
stable/5.16: [aec8904396dc6c34a104f42b02d50ca9de58ab13]

CVE-2022-0286: bonding: fix null dereference in bond_ipsec_add_sa()

CVSS v3 score is not provided

A flaw was found in the Linux kernel. A null pointer dereference in
bond_ipsec_add_sa() may lead to local denial of service.
This issue was introduced by 18cb261 ("bonding: support hardware
encryption offload to slaves") which was merged in 5.9-rc1.

Fixed status

mainline: [105cd17a866017b45f3c45901b394c711c97bf40]
stable/5.10: [ba7bfcdff1ad4ea475395079add1cd7b79f81684]

CVE-2022-0400: Out of bounds read in the smc protocol stack

CVSS v3 score is not provided

There is no information as of 2022/02/03.

Fixed status

Not fixed yet.

CVE-2022-0433: bpf: Add missing map_get_next_key method to bloom filter map.

CVSS v3 score is not provided

A NULL pointer dereference bug was found in map_get_next_key() in the
BPF subsystem. A local attacker will be able to crash the system.
This issue was introduced by 9330986c0300 ("bpf: Add bloom filter
map implementation") in 5.16-rc1.

Fixed status

mainline: [3ccdcee28415c4226de05438b4d89eb5514edf73]
stable/5.16: [f7a6dd58e0817b063252d7c5bec88e588df34b31]

CVE-2021-4218: sysctl: pass kernel pointers to ->proc_handler

CVSS v3 score is not provided

This issue allows a local user with local access to cause a DoS while
the system reboots.
It was fixed in 5.8-rc1.

Fixed status

mainline: [32927393dc1ccd60fb2bdc05b9e8e88753761469]

* Updated CVEs

CVE-2020-29374: gup: document and work around "COW can break either way" issue

The following patches were added to 4.14 and 4.19 to fix a bug in
get_user_pages_fast(); they are needed to fix CVE-2020-29374 correctly.

4.14: 70b5928 ("mips,s390,sh,sparc: gup: Work around the "COW can
break either way" issue")
4.19: 294c7a9 ("mips,s390,sh,sparc: gup: Work around the "COW can
break either way" issue")

It seems that 4.4.y also needs this patch.

Fixed status

mainline: [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
stable/4.14: [407faed92b4a4e2ad900d61ea3831dd597640f29,
70b5928f5cd289b2ccf34384ca83b1d9ee7a0fad]
stable/4.19: [5e24029791e809d641e9ea46a1f99806484e53fc,
294c7a9fb608c29a9e49010b515228e20ccbec8f]
stable/4.4: [58facc9c7ae307be5ecffc1697552550fedb55bd]
stable/4.9: [9bbd42e79720122334226afad9ddcac1c3e6d373]
stable/5.4: [1027dc04f557328eb7b7b7eea48698377a959157]

CVE-2020-36322: fuse: fix bad inode

4.14, 4.19, and 4.9 were fixed this week.

Fixed status

mainline: [5d069dbe8aaf2a197142558b6fb2978189ba3454]
stable/4.14: [2cd45139c0f28ebfa7604866faee00c99231a62b]
stable/4.19: [1e1bb4933f1faafc68db8e0ecd5838a65dd1aae9]
stable/4.9: [3a2f8823aa565cc67bdd00c4cd5e1d8ad81e8436]
stable/5.10: [36cf9ae54b0ead0daab7701a994de3dcd9ef605d]
stable/5.4: [732251cabeb3bfd917d453a42274d769d6883fc4]

CVE-2021-20292: drm/ttm/nouveau: don't call tt destroy callback on
alloc failure.

4.14 and 4.9 were fixed this week.

Fixed status

mainline: [5de5b6ecf97a021f29403aa272cb4e03318ef586]
stable/4.14: [4a2cec066dc8d099d30c649ae7ed26771029e0b5]
stable/4.19: [10c8a526b2db1fcdf9e2d59d4885377b91939c55]
stable/4.9: [70f44dfbde027f444412cfb4ea9b485a4c1dec0e]
stable/5.4: [c6d2ddf1a30d524106265ad2c48b907cd7a083d4]

CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer

4.9 was fixed this week.

Fixed status

mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/4.14: [0135fcb86a0bc9e4484f7e1228cadcc343c5edef]
stable/4.19: [b9a1ac8e7c03fd09992352c7fb1a61cbbb9ad52b]
stable/4.9: [ef2e64035f074bfeef14c28347aaec0b486a9e9f]
stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas
in KVM can bypass RO checks and can lead to pages being freed while
still accessible by the VMM and guest

4.9 was fixed this week.

Fixed status

mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.14: [46d75ff2c1beebe90e7af8887256d8f0323679e4]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/4.9: [f4b2bfed80e8d0e91b431dd1c21bc3c2c4d5f07e]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]
stable/5.12: [c36fbd888dcc27d365c865e6c959d7f7802a207c]
stable/5.4: [bb85717e3797123ae7724751af21d0c9d605d61e]

CVE-2021-28950: fuse: fix live lock in fuse_iget()

4.14, 4.19, and 4.9 were fixed this week.

Fixed status

mainline: [775c5033a0d164622d9d10dd0f0a5531639ed3ed]
stable/4.14: [f78d626801194ffac2c140de72e5b7937fac33f6]
stable/4.19: [8a8908cb82568c71b672e83d834e8b59ccf75f8e]
stable/4.9: [fde32bbe9a540af28579da6480fc55cc50099ece]
stable/5.10: [d955f13ea2120269319d6133d0dd82b66d1eeca3]
stable/5.11: [5676df54d7d44f497b8dbf7bff04f2f1b165da93]
stable/5.4: [187ae04636531065cdb4d0f15deac1fe0e812104]

CVE-2021-29264: gianfar: fix jumbo packets+napi+rx overrun crash

4.14 and 4.9 were fixed this week.

Fixed status

mainline: [d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f]
stable/4.14: [93e83b226a16bcc800013c6e02c98eef7ba9868c]
stable/4.19: [9943741c2792a7f1d091aad38f496ed6eb7681c4]
stable/4.9: [2cf34285e6eac396a180762c5504e2911df88c9a]
stable/5.10: [b8bfda6e08b8a419097eea5a8e57671bc36f9939]
stable/5.11: [5b54b18449d8f7302bc2e16d52121f6f87a81c3c]
stable/5.4: [ec7ce1e337ec2b5641dcc639396e04a28454f21a]

CVE-2021-33033: cipso,calipso: resolve a number of problems with the
DOI refcounts

4.9 was fixed this week.

Fixed status

mainline: [ad5d07f4a9cd671233ae20983848874731102c08]
stable/4.14: [ab44f7317c16ddcf9ee12ba2aca60771266c2dc6]
stable/4.19: [a44af1c69737f9e64d5134c34eb9d5c4c2e04da1]
stable/4.9: [f49f0e65a95664b648e058aa923f651ec08dfeb7]
stable/5.10: [85178d76febd30a745b7d947dbd9751919d0fa5b]
stable/5.11: [00d566df2cceb8591913b3ea3b43d2918915f7e3]
stable/5.4: [b4800e7a1c9f80a1a0e417ab36a1da4959f8b399]

CVE-2021-38199: NFSv4: Initialise connection to the server in
nfs4_alloc_client()

4.14 was fixed this week.

Fixed status

mainline: [dd99e9f98fbf423ff6d365b37a98e8879170f17c]
stable/4.14: [d5e6dff8c92943a2719fa5415cc3d333e57d5d90]
stable/4.19: [743f6b973c8ba8a0a5ed15ab11e1d07fa00d5368]
stable/5.10: [ff4023d0194263a0827c954f623c314978cf7ddd]
stable/5.13: [b0bfac939030181177373f549398ba94c384713d]
stable/5.4: [81e03fe5bf8f5f66b8a62429fb4832b11ec6b272]

CVE-2021-43976: mwifiex_usb: Fix skb_over_panic in mwifiex_usb_recv

All stable kernels were fixed this week.

Fixed status

mainline: [04d80663f67ccef893061b49ec8a42ff7045ae84]
stable/4.14: [8c9261b84c9b90d130d97fc7d13727706253af87]
stable/4.19: [2f4b037bf6e8c663a593b8149263c5b6940c7afd]
stable/4.4: [7d5e12e452771509d94db391a3b5e428325ed268]
stable/4.9: [b233d7395cd104398dd83f130df5f0d57036c95e]
stable/5.10: [6036500fdf77caaca9333003f78d25a3d61c4e40]
stable/5.15: [b2762757f4e484f8a164546f93aca82568d87649]
stable/5.16: [9d3989c5050f10ae9bbec9f32492b500420d04a1]
stable/5.4: [ae56c5524a750fd8cf32565cb3902ce5baaeb4e6]

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

5.16 was fixed this week.

Fixed status

mainline: [645a3c40ca3d40cc32b4b5972bf2620f2eb5dba6]
stable/4.14: [88dedecc24763c2e0bc1e8eeb35f9f2cd785a7e5]
stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]
stable/5.15: [a8a9d753edd7f71e6a2edaa580d8182530b68791]
stable/5.16: [258b26a34778cde43f228a392e242d3d0420624a]
stable/5.4: [b0406b5ef4e2c4fb21d9e7d5c36a0453b4279e9b]

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

4.9 was fixed this week.

Fixed status

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]
stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
stable/4.9: [e262acbda232b6a2a9adb53f5d2b2065f7626625]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]

CVE-2021-38199: NFSv4: Initialise connection to the server in
nfs4_alloc_client()

4.9 was fixed this week.

mainline: [dd99e9f98fbf423ff6d365b37a98e8879170f17c]
stable/4.14: [d5e6dff8c92943a2719fa5415cc3d333e57d5d90]
stable/4.19: [743f6b973c8ba8a0a5ed15ab11e1d07fa00d5368]
stable/4.9: [993892ed82350d0b4eb7d321d2bb225219bd1cfc]
stable/5.10: [ff4023d0194263a0827c954f623c314978cf7ddd]
stable/5.13: [b0bfac939030181177373f549398ba94c384713d]
stable/5.4: [81e03fe5bf8f5f66b8a62429fb4832b11ec6b272]

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.9 was fixed this week.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]
stable/4.14: [8d6c05da808f8351db844b69a9d6ce7f295214bb]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/4.9: [1795af6435fa5f17ced2d34854fd4871e0780092]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store

All stable kernels were fixed this week.

Fixed status

mainline: [7938d61591d33394a21bdd7797a245b65428f44c]
stable/4.14: [eed39c1918f1803948d736c444bfacba2a482ad0]
stable/4.19: [b188780649081782e341e52223db47c49f172712]
stable/4.4: [db6a2082d5a2ebc5ffa41f7213a544d55f73793a]
stable/4.9: [84f4ab5b47d955ad2bb30115d7841d3e8f0994f4]
stable/5.10: [6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88]
stable/5.15: [8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7]
stable/5.16: [ec1b6497a2bc0293c064337e981ea1f6cbe57930]
stable/5.4: [1b5553c79d52f17e735cd924ff2178a2409e6d0b]

CVE-2022-22942: drm/vmwgfx: Fix stale file descriptors on failed usercopy

Stable kernels were fixed this week. 4.4 and 4.9 are not affected by this issue.

Fixed status

mainline: [a0f90c8815706981c483a652a6aefca51a5e191c]
stable/4.14: [e8d092a62449dcfc73517ca43963d2b8f44d0516]
stable/4.19: [0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d]
stable/5.10: [ae2b20f27732fe92055d9e7b350abc5cdf3e2414]
stable/5.15: [6066977961fc6f437bc064f628cf9b0e4571c56c]
stable/5.16: [1d833b27fb708d6fdf5de9f6b3a8be4bd4321565]
stable/5.4: [84b1259fe36ae0915f3d6ddcea6377779de48b82]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week.
@ 2022-01-05 23:31 Masami Ichikawa
From: Masami Ichikawa @ 2022-01-05 23:31 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 1 new CVE.

* New CVEs

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

CVSS v3 score is not provided

A local attacker could escalate privileges for the containers or other
processes that use cgroups.
A patch series is available
(https://lore.kernel.org/lkml/20211209214707.805617-1-tj@kernel.org/T/)
but it hasn't been merged into the mainline yet.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2021-44733: tee: handle lookup of shm with reference count 0

This CVE was introduced by commit 967c9cc ("tee: generic TEE
subsystem") in 4.12-rc1, so 4.4 isn't affected by this issue.

Fixed status

mainline: [dfd0743f1d9ea76931510ed150334d571fbab49d]
stable/4.14: [3d556a28bbfe34a80b014db49908b0f1bcb1ae80]
stable/4.19: [b4a661b4212b8fac8853ec3b68e4a909dccc88a1]
stable/5.10: [c05d8f66ec3470e5212c4d08c46d6cb5738d600d]
stable/5.15: [492eb7afe858d60408b2da09adc78540c4d16543]
stable/5.4: [940e68e57ab69248fabba5889e615305789db8a7]

CVE-2021-45100: ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1

This CVE was introduced by commit e2f3448 ("cifsd: add server-side
procedures for SMB3") which was merged in 5.15-rc1, so kernels before
5.15 are not affected.

Fixed status

mainline: [83912d6d55be10d65b5268d1871168b9ebe1ec4b]
stable/5.15: [a2c144d17623984fdafa4634ecf4ab64580d29bb]

CVE-2021-45469: f2fs: fix to do sanity check on last xattr entry in
__f2fs_setxattr()

The mainline hasn't been fixed yet.

Fixed status

stable/4.14: [88dedecc24763c2e0bc1e8eeb35f9f2cd785a7e5]
stable/4.19: [f9dfa44be0fb5e8426183a70f69a246cf5827f49]
stable/5.10: [fffb6581a23add416239dfcf7e7f3980c6b913da]
stable/5.15: [a8a9d753edd7f71e6a2edaa580d8182530b68791]
stable/5.4: [b0406b5ef4e2c4fb21d9e7d5c36a0453b4279e9b]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* New CVE entries this week
@ 2021-10-28  0:05 Masami Ichikawa
  0 siblings, 0 replies; 93+ messages in thread
From: Masami Ichikawa @ 2021-10-28  0:05 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 3 new CVEs. These CVEs are already fixed.

* New CVEs

CVE-2021-3896: isdn: cpai: check ctr->cnr to avoid array index out of bound

According to the cip-kernel-config, no CIP member enables CONFIG_ISDN,
so CIP members aren't affected by this vulnerability.

CVSS v3 score is not provided.

Fixed in 5.15-rc6. All stable kernels are fixed.

Fixed status

mainline: [1f3e2e97c003f80c4b087092b225c8787ff91e4d]
stable/4.14: [9b6b2db77bc3121fe435f1d4b56e34de443bec75]
stable/4.19: [7d91adc0ccb060ce564103315189466eb822cc6a]
stable/4.4: [e8b8de17e164c9f1b7777f1c6f99d05539000036]
stable/4.9: [24219a977bfe3d658687e45615c70998acdbac5a]
stable/5.10: [7f221ccbee4ec662e2292d490a43ce6c314c4594]
stable/5.14: [cc20226e218a2375d50dd9ac14fb4121b43375ff]
stable/5.4: [285e9210b1fab96a11c0be3ed5cea9dd48b6ac54]

CVE-2021-3760: nfc: nci: fix the UAF of rf_conn_info object

CVSS v3 score is not provided.

Fixed in 5.15-rc6. All stable kernels are fixed.

Fixed status

mainline: [1b1499a817c90fd1ce9453a2c98d2a01cca0e775]
stable/4.14: [a2efe3df65359add2164740a5777c26e64dd594b]
stable/4.19: [1ac0d736c8ae9b59ab44e4e80ad73c8fba5c6132]
stable/4.4: [1d5e0107bfdbef6cc140fb5d7a1a817a40948528]
stable/4.9: [8a44904ce83ebcb1281b04c8d37ad7f8ab537a3d]
stable/5.10: [77c0ef979e32b8bc22f36a013bab77cd37e31530]
stable/5.14: [6197eb050cfab2c124cd592594a1d73883d7f9e8]
stable/5.4: [1f75f8883b4fe9fe1856d71f055120315e758188]

CVE-XXXX-XXXXX: KVM: PPC: Book3S HV: Make idle_kvm_start_guest()
return 0 if it went to guest

CVE number hasn't been assigned yet.

This vulnerability was introduced in 5.2-rc1, so kernels before 5.2
aren't affected by this issue. Also, it only affects the powerpc
architecture.

Fixed status

mainline: [cdeb5d7d890e14f3b70e8087e745c4a6a7d9f337]
stable/5.10: [197ec50b2df12dbfb17929eda643b16117b6f0ca]
stable/5.14: [5a8c22e7fb66260c9182ee3a3085c2046503c54b]
stable/5.4: [d0148cfaf89ce2af0d76e39943e200365e7fc99a]

* Updated CVEs

CVE-2021-20321: ovl: fix missing negative dentry check in ovl_rename()

stable/4.4 was fixed this week. All stable kernels are fixed.

Fixed status

mainline: [a295aef603e109a47af355477326bd41151765b6]
stable/4.14: [1caaa820915d802328bc72e4de0d5b1629eab5da]
stable/4.19: [9d4969d8b5073d02059bae3f1b8d9a20cf023c55]
stable/4.4: [a4f281ffc1d128d7ea693cbc3a796e56e919fd7c]
stable/4.9: [286f94453fb34f7bd6b696861c89f9a13f498721]
stable/5.10: [9763ffd4da217adfcbdcd519e9f434dfa3952fc3]
stable/5.14: [71b8b36187af58f9e67b25021f5debbc04a18a5d]
stable/5.4: [fab338f33c25c4816ca0b2d83a04a0097c2c4aaf]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


