All of lore.kernel.org
 help / color / mirror / Atom feed
* New CVE entry this week
@ 2021-09-30  0:12 ` Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-09-30  0:12 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported one new CVE.

* New CVEs

CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer

This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
affected. For 4.19, patch can be applied without any modification. For
4.4, it needs to modify patch to apply it.
According to the description in
cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
it describes "This flaw allows a local attacker with special user
privileges to cause a denial of service" so I think this vulnerability
severity may be low.

CVSS v3 score is not provided.

Fixed status

mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

* Updated CVEs

No updated CVEs  this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 9+ messages in thread

* [cip-dev] New CVE entry this week
@ 2021-09-30  0:12 ` Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-09-30  0:12 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1769 bytes --]

Hi !

It's this week's CVE report.

This week reported one new CVE.

* New CVEs

CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer

This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
affected. For 4.19, patch can be applied without any modification. For
4.4, it needs to modify patch to apply it.
According to the description in
cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
it describes "This flaw allows a local attacker with special user
privileges to cause a denial of service" so I think this vulnerability
severity may be low.

CVSS v3 score is not provided.

Fixed status

mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

* Updated CVEs

No updated CVEs  this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6762): https://lists.cip-project.org/g/cip-dev/message/6762
Mute This Topic: https://lists.cip-project.org/mt/85963258/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 9+ messages in thread

* RE: [cip-dev] New CVE entry this week
@ 2021-09-30  6:33   ` Nobuhiro Iwamatsu
  0 siblings, 0 replies; 9+ messages in thread
From: nobuhiro1.iwamatsu @ 2021-09-30  6:33 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi,


> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, September 30, 2021 9:12 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> This week reported one new CVE.
> 
> * New CVEs
> 
> CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> 
> This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
> affected. For 4.19, patch can be applied without any modification. For
> 4.4, it needs to modify patch to apply it.
> According to the description in
> cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
> it describes "This flaw allows a local attacker with special user
> privileges to cause a denial of service" so I think this vulnerability
> severity may be low.
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

This commit can be applied directly to 4.14 and 4.19.
However, other LTSs need to be other commit or fixes.

I attached a patch for 4.14 and 4.19.

Best regards,
  Nobuhiro

[-- Attachment #2: 0001-lib-timerqueue-Rely-on-rbtree-semantics-for-next-tim.patch --]
[-- Type: application/octet-stream, Size: 4443 bytes --]

From eb343c7e4acbcd79517015b4ae992aa7b0e345cd Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Wed, 24 Jul 2019 08:23:23 -0700
Subject: [PATCH for 4.14 and 4.19] lib/timerqueue: Rely on rbtree semantics for next timer

commit 511885d7061eda3eb1faf3f57dcc936ff75863f1 upstream.

Simplify the timerqueue code by using cached rbtrees and rely on the tree
leftmost node semantics to get the timer with earliest expiration time.
This is a drop in conversion, and therefore semantics remain untouched.

The runtime overhead of cached rbtrees is be pretty much the same as the
current head->next method, noting that when removing the leftmost node,
a common operation for the timerqueue, the rb_next(leftmost) is O(1) as
well, so the next timer will either be the right node or its parent.
Therefore no extra pointer chasing. Finally, the size of the struct
timerqueue_head remains the same.

Passes several hours of rcutorture.

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5
Reference: CVE-2021-20317
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 include/linux/timerqueue.h | 13 ++++++-------
 lib/timerqueue.c           | 30 ++++++++++++------------------
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 78b8cc73f12fc9..aff122f1062a83 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -12,8 +12,7 @@ struct timerqueue_node {
 };
 
 struct timerqueue_head {
-	struct rb_root head;
-	struct timerqueue_node *next;
+	struct rb_root_cached rb_root;
 };
 
 
@@ -29,13 +28,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
  *
  * @head: head of timerqueue
  *
- * Returns a pointer to the timer node that has the
- * earliest expiration time.
+ * Returns a pointer to the timer node that has the earliest expiration time.
  */
 static inline
 struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
 {
-	return head->next;
+	struct rb_node *leftmost = rb_first_cached(&head->rb_root);
+
+	return rb_entry(leftmost, struct timerqueue_node, node);
 }
 
 static inline void timerqueue_init(struct timerqueue_node *node)
@@ -45,7 +45,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
 
 static inline void timerqueue_init_head(struct timerqueue_head *head)
 {
-	head->head = RB_ROOT;
-	head->next = NULL;
+	head->rb_root = RB_ROOT_CACHED;
 }
 #endif /* _LINUX_TIMERQUEUE_H */
diff --git a/lib/timerqueue.c b/lib/timerqueue.c
index 0d54bcbc8170c7..7a8ae3d5fd4057 100644
--- a/lib/timerqueue.c
+++ b/lib/timerqueue.c
@@ -39,9 +39,10 @@
  */
 bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 {
-	struct rb_node **p = &head->head.rb_node;
+	struct rb_node **p = &head->rb_root.rb_root.rb_node;
 	struct rb_node *parent = NULL;
-	struct timerqueue_node  *ptr;
+	struct timerqueue_node *ptr;
+	bool leftmost = true;
 
 	/* Make sure we don't add nodes that are already added */
 	WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
@@ -49,19 +50,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 	while (*p) {
 		parent = *p;
 		ptr = rb_entry(parent, struct timerqueue_node, node);
-		if (node->expires < ptr->expires)
+		if (node->expires < ptr->expires) {
 			p = &(*p)->rb_left;
-		else
+		} else {
 			p = &(*p)->rb_right;
+			leftmost = false;
+		}
 	}
 	rb_link_node(&node->node, parent, p);
-	rb_insert_color(&node->node, &head->head);
+	rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
 
-	if (!head->next || node->expires < head->next->expires) {
-		head->next = node;
-		return true;
-	}
-	return false;
+	return leftmost;
 }
 EXPORT_SYMBOL_GPL(timerqueue_add);
 
@@ -78,15 +77,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
 {
 	WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
 
-	/* update next pointer */
-	if (head->next == node) {
-		struct rb_node *rbn = rb_next(&node->node);
-
-		head->next = rb_entry_safe(rbn, struct timerqueue_node, node);
-	}
-	rb_erase(&node->node, &head->head);
+	rb_erase_cached(&node->node, &head->rb_root);
 	RB_CLEAR_NODE(&node->node);
-	return head->next != NULL;
+
+	return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
 }
 EXPORT_SYMBOL_GPL(timerqueue_del);
 
-- 
2.33.0


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [cip-dev] New CVE entry this week
@ 2021-09-30  6:33   ` Nobuhiro Iwamatsu
  0 siblings, 0 replies; 9+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-09-30  6:33 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi,


> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, September 30, 2021 9:12 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> This week reported one new CVE.
> 
> * New CVEs
> 
> CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> 
> This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
> affected. For 4.19, patch can be applied without any modification. For
> 4.4, it needs to modify patch to apply it.
> According to the description in
> cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
> it describes "This flaw allows a local attacker with special user
> privileges to cause a denial of service" so I think this vulnerability
> severity may be low.
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

This commit can be applied directly to 4.14 and 4.19.
However, other LTSs need to be other commit or fixes.

I attached a patch for 4.14 and 4.19.

Best regards,
  Nobuhiro

[-- Attachment #2: 0001-lib-timerqueue-Rely-on-rbtree-semantics-for-next-tim.patch --]
[-- Type: application/octet-stream, Size: 4443 bytes --]

From eb343c7e4acbcd79517015b4ae992aa7b0e345cd Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Wed, 24 Jul 2019 08:23:23 -0700
Subject: [PATCH for 4.14 and 4.19] lib/timerqueue: Rely on rbtree semantics for next timer

commit 511885d7061eda3eb1faf3f57dcc936ff75863f1 upstream.

Simplify the timerqueue code by using cached rbtrees and rely on the tree
leftmost node semantics to get the timer with earliest expiration time.
This is a drop in conversion, and therefore semantics remain untouched.

The runtime overhead of cached rbtrees is be pretty much the same as the
current head->next method, noting that when removing the leftmost node,
a common operation for the timerqueue, the rb_next(leftmost) is O(1) as
well, so the next timer will either be the right node or its parent.
Therefore no extra pointer chasing. Finally, the size of the struct
timerqueue_head remains the same.

Passes several hours of rcutorture.

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5
Reference: CVE-2021-20317
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 include/linux/timerqueue.h | 13 ++++++-------
 lib/timerqueue.c           | 30 ++++++++++++------------------
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 78b8cc73f12fc9..aff122f1062a83 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -12,8 +12,7 @@ struct timerqueue_node {
 };
 
 struct timerqueue_head {
-	struct rb_root head;
-	struct timerqueue_node *next;
+	struct rb_root_cached rb_root;
 };
 
 
@@ -29,13 +28,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
  *
  * @head: head of timerqueue
  *
- * Returns a pointer to the timer node that has the
- * earliest expiration time.
+ * Returns a pointer to the timer node that has the earliest expiration time.
  */
 static inline
 struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
 {
-	return head->next;
+	struct rb_node *leftmost = rb_first_cached(&head->rb_root);
+
+	return rb_entry(leftmost, struct timerqueue_node, node);
 }
 
 static inline void timerqueue_init(struct timerqueue_node *node)
@@ -45,7 +45,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
 
 static inline void timerqueue_init_head(struct timerqueue_head *head)
 {
-	head->head = RB_ROOT;
-	head->next = NULL;
+	head->rb_root = RB_ROOT_CACHED;
 }
 #endif /* _LINUX_TIMERQUEUE_H */
diff --git a/lib/timerqueue.c b/lib/timerqueue.c
index 0d54bcbc8170c7..7a8ae3d5fd4057 100644
--- a/lib/timerqueue.c
+++ b/lib/timerqueue.c
@@ -39,9 +39,10 @@
  */
 bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 {
-	struct rb_node **p = &head->head.rb_node;
+	struct rb_node **p = &head->rb_root.rb_root.rb_node;
 	struct rb_node *parent = NULL;
-	struct timerqueue_node  *ptr;
+	struct timerqueue_node *ptr;
+	bool leftmost = true;
 
 	/* Make sure we don't add nodes that are already added */
 	WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
@@ -49,19 +50,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 	while (*p) {
 		parent = *p;
 		ptr = rb_entry(parent, struct timerqueue_node, node);
-		if (node->expires < ptr->expires)
+		if (node->expires < ptr->expires) {
 			p = &(*p)->rb_left;
-		else
+		} else {
 			p = &(*p)->rb_right;
+			leftmost = false;
+		}
 	}
 	rb_link_node(&node->node, parent, p);
-	rb_insert_color(&node->node, &head->head);
+	rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
 
-	if (!head->next || node->expires < head->next->expires) {
-		head->next = node;
-		return true;
-	}
-	return false;
+	return leftmost;
 }
 EXPORT_SYMBOL_GPL(timerqueue_add);
 
@@ -78,15 +77,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
 {
 	WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
 
-	/* update next pointer */
-	if (head->next == node) {
-		struct rb_node *rbn = rb_next(&node->node);
-
-		head->next = rb_entry_safe(rbn, struct timerqueue_node, node);
-	}
-	rb_erase(&node->node, &head->head);
+	rb_erase_cached(&node->node, &head->rb_root);
 	RB_CLEAR_NODE(&node->node);
-	return head->next != NULL;
+
+	return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
 }
 EXPORT_SYMBOL_GPL(timerqueue_del);
 
-- 
2.33.0


[-- Attachment #3: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6764): https://lists.cip-project.org/g/cip-dev/message/6764
Mute This Topic: https://lists.cip-project.org/mt/85963258/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [cip-dev] New CVE entry this week
@ 2021-09-30 12:11     ` Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-09-30 12:11 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Sep 30, 2021 at 3:33 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> > Sent: Thursday, September 30, 2021 9:12 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entry this week
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week reported one new CVE.
> >
> > * New CVEs
> >
> > CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> >
> > This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
> > affected. For 4.19, patch can be applied without any modification. For
> > 4.4, it needs to modify patch to apply it.
> > According to the description in
> > cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
> > it describes "This flaw allows a local attacker with special user
> > privileges to cause a denial of service" so I think this vulnerability
> > severity may be low.
> >
> > CVSS v3 score is not provided.
> >
> > Fixed status
> >
> > mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
>
> This commit can be applied directly to 4.14 and 4.19.
> However, other LTSs need to be other commit or fixes.
>
> I attached a patch for 4.14 and 4.19.
>

Thank you for the patch!
It looks good to me.

> Best regards,
>   Nobuhiro
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#6764): https://lists.cip-project.org/g/cip-dev/message/6764
> Mute This Topic: https://lists.cip-project.org/mt/85963258/4520416
> Group Owner: cip-dev+owner@lists.cip-project.org
> Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129101/4520416/1465703922/xyzzy [masami.ichikawa@miraclelinux.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [cip-dev] New CVE entry this week
@ 2021-09-30 12:11     ` Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-09-30 12:11 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1749 bytes --]

Hi !

On Thu, Sep 30, 2021 at 3:33 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> > Sent: Thursday, September 30, 2021 9:12 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entry this week
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week reported one new CVE.
> >
> > * New CVEs
> >
> > CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> >
> > This bug has been fixed in 5.4-rc1 so that before 5.4 kernels are
> > affected. For 4.19, patch can be applied without any modification. For
> > 4.4, it needs to modify patch to apply it.
> > According to the description in
> > cve.mitre.org(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
> > it describes "This flaw allows a local attacker with special user
> > privileges to cause a denial of service" so I think this vulnerability
> > severity may be low.
> >
> > CVSS v3 score is not provided.
> >
> > Fixed status
> >
> > mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
>
> This commit can be applied directly to 4.14 and 4.19.
> However, other LTSs need to be other commit or fixes.
>
> I attached a patch for 4.14 and 4.19.
>

Thank you for the patch!
It looks good to me.

> Best regards,
>   Nobuhiro
>
> 
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6765): https://lists.cip-project.org/g/cip-dev/message/6765
Mute This Topic: https://lists.cip-project.org/mt/85963258/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 9+ messages in thread

* New CVE entry this week
@ 2021-10-21  1:21 Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-10-21  1:21 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 7968 bytes --]

Hi !

It's this week's CVE report.

This week reported 7 new CVEs.

* New CVEs

CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.

This bug is in BPF subsystem and s390 architecture specific. Patches
haven't been backported to 4.4 kernel. However, according to the
cip-kernel-config, it looks like no one uses s390, so can it ignore it
until someone backport patches?

CVSS v3 score is not provided.

Fixed status

mainline: [db7bee653859ef7179be933e7d1384644f795f26,
6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53,
  1511df6f5e9ef32826f20db2ee81f8527154dc14]
stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b,
8a09222a512bf7b32e55bb89a033e08522798299]
stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6,
4320c222c2ffe778a8aff5b8bc4ac33af6d54eba,
  ab7cf225016159bc2c3590be6fa12965565d903b]
stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e,
6a8787093b04057d855822094d63d04a2506444a,
  a7593244dc31ad0eea70319f6110975f9c738dca]

CVE-2021-20321: kernel: In Overlayfs missing a check for a negative
dentry before calling vfs_rename()

CVSS v3 score is not provided.

A local attacker can escalate their privileges up to root via
overlayfs vulnerability.
Patch for 4.4 is applied
failed(https://lore.kernel.org/stable/163378772914820@kroah.com/). It
needs to modify the patch. I attached a patch, if it looks good, I'll
send it to the stable mailing list.

Fixed status

mainline: [a295aef603e109a47af355477326bd41151765b6]
stable/4.14: [1caaa820915d802328bc72e4de0d5b1629eab5da]
stable/4.19: [9d4969d8b5073d02059bae3f1b8d9a20cf023c55]
stable/4.9: [286f94453fb34f7bd6b696861c89f9a13f498721]
stable/5.10: [9763ffd4da217adfcbdcd519e9f434dfa3952fc3]
stable/5.14: [71b8b36187af58f9e67b25021f5debbc04a18a5d]
stable/5.4: [fab338f33c25c4816ca0b2d83a04a0097c2c4aaf]

CVE-2021-3847: low-privileged user privileges escalation

CVSS v3 score is not provided.

A Local attacker can escalate their privileges up to root by overlay
fs's vulnerability
(https://www.openwall.com/lists/oss-security/2021/10/14/3).

Fixed status

Not fixed yet.

CVE-2021-42252: soc: aspeed: lpc-ctrl: Fix boundary check for mmap

CVSS v3 score is not provided.

This bug has been introduced since 4.12-rc1. so all stable kernels are fixed.

Fixed status

mainline: [b49a0e69a7b1a68c8d3f64097d06dabb770fec96]
stable/4.14: [b1b55e4073d3da6119ecc41636a2994b67a2be37]
stable/4.19: [9c8891b638319ddba9cfa330247922cd960c95b0]
stable/5.10: [3fdf2feb6cbe76c6867224ed8527b356e805352c]
stable/5.14: [865f5ba9fdfc3ac6acabcac9630056ce99db600d]
stable/5.4: [2712f29c44f18db826c7e093915a727b6f3a20e4]

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

CVSS v3 score is not provided.

A flaw in the processing of the received ICMP errors (ICMP fragment
needed and ICMP redirect) in the Linux kernel functionality was found
that allows to quickly scan open UDP ports. This flaw allows an
off-path remote user to effectively bypassing source port UDP
randomization.
This flaw is similar to the previous CVE-2020-25705 (both DNS
poisoning attack based on ICMP replies for open ports scanning, but
other type of ICMP packets).

Commit 4785305c ("ipv6: use siphash in rt6_exception_hash()") fixes
35732d01 ("ipv6: introduce a hash table to store dst cache") which was
merged in 4.15-rc1.
stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19
contains upstream commit 35732d01.

Commit 6457378f ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()") fixes d546c621 ("ipv4: harden fnhe_hashfun()") which
was merged in 3.18-rc1
stable/4.4 and stable/4.19 contain upstream commit d546c621.

Commit a00df2ca ("ipv6: make exception cache less predictible") fixes
35732d01 ("ipv6: introduce a hash table to store dst cache") which was
merged in 4.15-rc1.
stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19
contains upstream commit 35732d01.

Commit 67d6d681 ("ipv4: make exception cache less predictible") fixes
4895c771 ("ipv4: Add FIB nexthop exceptions.") which was merged in
3.6-rc1.
stable/4.19 applied this patch at commit 3e6bd2b5. stable/4.4 applied
this patch at commit bed8941f.

Fixed status

mainline: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
  a00df2caffed3883c341d5685f830434312e4a43,
67d6d681e15b578c1725bad8ad079e05d1c48a8e]
stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba]
stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca]
stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00,
5867e20e1808acd0c832ddea2587e5ee49813874,
  dced8347a727528b388f04820f48166f1e651af6,
beefd5f0c63a31a83bc5a99e6888af884745684b]
stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810,
6457378fe796815c973f631a1904e147d6ee33b1,
  55938482a1461a35087c6f3051f8447662889ea8,
4589a12dcf80af31137ef202be1ff4a321707a73]

CVE-2021-42739: A buffer overflow bug is found in the firewire subsystem

CVSS v3 score is not provided.

Patches have been sent to Linux Media mailing list but it hasn't been
merged in linux-media tree nor mainline yet. According to the
cip-kernel-config repo, no CIP member uses firewire driver.

Fixed status

Not fixed yet.

CVE-2021-34866: Linux Kernel eBPF Type Confusion Privilege Escalation
Vulnerability

CVSS v3 score is not provided.

A type confusion bug is found in eBPF subsystem which can leads a
local attacker escalates their privileges via this bug.
This bug was introduced in commit 457f44363a88 ("bpf: Implement BPF
ring buffer and verifier support for it") that has been merged since
5.8-rc1. so before 5.8 kernels aren't affected by this CVE.

Fixed status

mainline: [5b029a32cfe4600f5e10e36b41778506b90fd4de]
stable/5.10: [9dd6f6d89693d8f09af53d2488afad22a8a44a57]

* Updated CVEs

CVE-2020-29374: gup: document and work around "COW can break either way" issue

This bug has been fixed since 5.8-rc1. 4.4 and 4.9 have been fixed this week.
All stable kernels are fixed.

Fixed status

mainline: [17839856fd588f4ab6b789f482ed3ffd7c403e1f]
stable/4.14: [407faed92b4a4e2ad900d61ea3831dd597640f29]
stable/4.19: [5e24029791e809d641e9ea46a1f99806484e53fc]
stable/4.4: [58facc9c7ae307be5ecffc1697552550fedb55bd]
stable/4.9: [9bbd42e79720122334226afad9ddcac1c3e6d373]
stable/5.4: [1027dc04f557328eb7b7b7eea48698377a959157]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

4.9 and 4.19 have been fixed this week. This bug was introduced in
4.6-rc1 therefore 4.4 doesn't affect.
All stable kernels are fixed.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: [f34bcd10c4832d491049905d25ea3f46a410c426]
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.9: [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6]
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch --]
[-- Type: text/x-patch, Size: 1913 bytes --]

From 1e43a0933de1ab853f171de45a17b5f9c43b110e Mon Sep 17 00:00:00 2001
From: Zheng Liang <zhengliang6@huawei.com>
Date: Fri, 24 Sep 2021 09:16:27 +0800
Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()

From: Zheng Liang <zhengliang6@huawei.com>

commit a295aef603e109a47af355477326bd41151765b6 upstream.

The following reproducer

  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new

may result in this race:

PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE

PROCESS B:
  unlink("upper/new");

PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE

Fix by adding the missing check for negative newdentry.

Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
 fs/overlayfs/dir.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index eedacae889b9..80bf0ab52e81 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
 		}
 	} else {
 		new_create = true;
-		if (!d_is_negative(newdentry) &&
-		    (!new_opaque || !ovl_is_whiteout(newdentry)))
-			goto out_dput;
+		if (!d_is_negative(newdentry)) {
+			if (!new_opaque || !ovl_is_whiteout(newdentry))
+				goto out_dput;
+		} else {
+			if (flags & RENAME_EXCHANGE)
+				goto out_dput;
+		}
 	}
 
 	if (olddentry == trap)
-- 
2.33.0


^ permalink raw reply	[flat|nested] 9+ messages in thread

* New CVE entry this week
@ 2021-10-13 23:54 Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-10-13 23:54 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-0935: bug is in ipv6 and l2tp code.

This CVE addresses two commits, one in the ipv6 stack and the other in l2tp.
There is two introduced commits one is 85cb73f ("net: ipv6: reset
daddr and dport in sk if connect() fails") was merged in 4.12 and the
other commit 3557baa ("[L2TP]: PPP over L2TP driver core") was merged
in 2.6.23-rc1.

Fixed commits have been merged since 4.16-rc7 so 4.16 or later kernels
don't affect this vulnerability.

Commit 2f987a76("net: ipv6: keep sk status consistent after datagram
connect failure") fixes 85cb73f and commit b954f940("l2tp: fix races
with ipv4-mapped ipv6 addresses") fixes commit 3557baa.

To apply patches to 4.4, it needs to fix conflicts.

CVSS v3 score is not provided.

Fixed status

mainline: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.14: [a8f02befc87d6f1a882c9b14a31bcfa1fbd3d430,
b0850604cc5dac60754cc2fcdf7d2ca97a68a4dc]
stable/4.19: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.4: not fixed yet
stable/4.9: [c49f30b2979bfc8701620e598558f29a48e07234,
535ef684ec6079bccc2037c76bc607d29dca05dc]
stable/5.10: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/5.4: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]

CVE-2021-0937: netfilter: x_tables: fix compat match/target pad
out-of-bound write

This vulnerability was introduced since 4.6.19-rc1 and fixed in
5.12-rc8. All stable kernels are already fixed.

CVSS v3 score is not provided.

Fixed status

mainline: [b29c457a6511435960115c0f548c4360d5f4801d]
stable/4.14: [522a0191944e3db9c30ade5fa6b6ec0d7c42f40d]
stable/4.19: [12ec80252edefff00809d473a47e5f89c7485499]
stable/4.4: [b0d98b2193a38ef93c92e5e1953d134d0f426531]
stable/4.9: [0c58c9f9c5c5326320bbe0429a0f45fc1b92024b]
stable/5.10: [1f3b9000cb44318b0de40a0f495a5a708cd9be6e]
stable/5.4: [cc59b872f2e1995b8cc819b9445c1198bfe83b2d]


CVE-2021-0938: compiler.h: fix barrier_data() on clang

This bug was introduced in 4.19-rc1 and fixed in 5.10-rc4. so all
stable kernels are fixed.
If kernel was built from clang, this bug will be affected.

CVSS v3 score is not provided.

Fixed status

mainline: [3347acc6fcd4ee71ad18a9ff9d9dac176b517329]
stable/4.14: not affect
stable/4.19: [b207caff4176e3a6ba273243da2db2e595e4aad2]
stable/4.4: not affect
stable/4.9: not affect
stable/5.10: not affect
stable/5.4: [c2c5dc84ac51da90cadcb12554c69bdd5ac7aeeb]

CVE-2021-0941: bpf: Remove MTU check in __bpf_skb_max_len

CVSS v3 score is not provided.

This bug is fixed in v5.12-rc1-dontuse. The kernel 4.4 doesn't contain
__bpf_skb_max_len() so 4.4 may not affect this vulnerability. The
__bpf_skb_max_len() was introduced since 4.13-rc1 commit
2be7e212("bpf: add bpf_skb_adjust_room helper
").

Fixed status.

mainline: [6306c1189e77a513bf02720450bb43bd4ba5d8ae]
stable/4.14: [64cf6c3156a5cbd9c29f54370b801b336d2f7894]
stable/4.19: [8c1a77ae15ce70a72f26f4bb83c50f769011220c]
stable/4.4: not affect
stable/4.9: [1636af9e8a8840f5696ad2c01130832411986af4]
stable/5.10: [fd38d4e6757b6b99f60314f67f44a286f0ab7fc0]
stable/5.4: [42c83e3bca434d9f63c58f9cbf2881e635679fee]

* Updated CVEs

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function

CVE-2021-3744 and CVE-2021-3764 are fixed by commit 505d9dcb("crypto:
ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
"). Both vulnerabilities were in ccp_run_aes_gcm_cmd() which has been
introduced since 4.12-rc1. Therefore before 4.12 kernels aren't
affected this vulnerability.

Fixed status

mainline: [505d9dcb0f7ddf9d075e729523a33d38642ae680]
stable/4.14: [3707e37b3fcef4d5e9a81b9c2c48ba7248051c2a]
stable/4.19: [710be7c42d2f724869e5b18b21998ceddaffc4a9]
stable/4.4: not affect
stable/4.9: not affect
stable/5.10: [17ccc64e4fa5d3673528474bfeda814d95dc600a]
stable/5.14: [e450c422aa233e9f80515f2ee9164e33f158a472]
stable/5.4: [24f3d2609114f1e1f6b487b511ce5fa36f21e0ae]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

This bug was introduced in 4.6-rc1 so that 4.4 isn't affected this bug.
4.19, 5.10, 5.14, and 5.4 have been fixed this week.
Patch to 4.14 can be applied by git am without any modification. Patch
to 4.9 can be applied by 3-way merge.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: not fixed yet
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.4: not affect
stable/4.14: not fixed yet
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 9+ messages in thread

* New CVE entry this week
@ 2021-10-07  0:59 Masami Ichikawa
  0 siblings, 0 replies; 9+ messages in thread
From: Masami Ichikawa @ 2021-10-07  0:59 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported  new CVEs.

* New CVEs

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

CVSS v3 score is not provided.

Patch 30e29a9a2bc6 (bpf: Fix integer overflow in prealloc_elems_and_freelist()
) fixes commit 557c0c6e7df8 ("bpf: convert stackmap to
pre-allocation") which has been introduced in 4.6-rc1. Therefore 4.4
kernel isn't affected this issue.

For 4.19 and 5.4, patch can be applied by "git am". For 4.9, patch can
be applied by "git am -3".

Fixed status

Fix patch has been merged into bpf tree, but not in the mainline yet.

CVE-2021-42008: net: 6pack: fix slab-out-of-bounds in decode_data

The 6pack module has slab out-of-bounds vulnerability in decode_data()
which allow local attacker can gain their privileges.
This bug has been fixed since 5.14-rc7. All stable kernels have
already been fixed.

Fixed status

cip/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.19-rt: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
cip/4.4-rt: [d66736076bd84742c18397785476e9a84d5b54ef]
mainline: [19d1532a187669ce86d5a2696eb7275310070793]
stable/4.14: [5e0e782874ad03ae6d47d3e55aff378da0b51104]
stable/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
stable/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
stable/4.9: [de9171c1d9a5c2c4c5ec5e64f420681f178152fa]
stable/5.10: [85e0518f181a0ff060f5543d2655fb841a83d653]
stable/5.4: [a73b9aa142691c2ae313980a8734997a78f74b22]

* Updated CVEs

CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
slab-out-of-bounds read access in f2fs_build_segment_manager in
fs/f2fs/segment.c

This patch has been merged since 5.10-rc1.
For 5.4, patch can be applied via git-am. For 4.4 and 4.19, patch can
be applied via git-am with -3 option.

Fixed status

mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]

CVE-2021-37159: net: hso: do not call unregister if not registered

4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
yet. However, patch can be applied to 4.4 and 4.9 without any
modification. According to cip-kernel-config, no CIP member use HSO
module.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]

CVE-2021-38300: bpf, mips: Validate conditional branch offsets

This vulnerability is only affected to MIPS architecture. No cip
member use MIPS architecture.

5.10 has been fixed. Applying this fix to 4.4, 4.9, 4.19, and 5.4, it
needs to modify the patch.

Fixed status

mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2021-10-21  1:21 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-30  0:12 New CVE entry this week Masami Ichikawa
2021-09-30  0:12 ` [cip-dev] " Masami Ichikawa
2021-09-30  6:33 ` nobuhiro1.iwamatsu
2021-09-30  6:33   ` Nobuhiro Iwamatsu
2021-09-30 12:11   ` Masami Ichikawa
2021-09-30 12:11     ` Masami Ichikawa
2021-10-07  0:59 Masami Ichikawa
2021-10-13 23:54 Masami Ichikawa
2021-10-21  1:21 Masami Ichikawa

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.