From: <nobuhiro1.iwamatsu@toshiba.co.jp>
To: <cip-dev@lists.cip-project.org>
Subject: Re: [cip-dev] New CVE entries in this week
Date: Thu, 16 Dec 2021 05:26:59 +0000	[thread overview]
Message-ID: <TYAPR01MB62525566919A2925279299FD92779@TYAPR01MB6252.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <CAODzB9rdc7X0n9nEi9JKzQmjuVbreaosKpHcn7YYpyGPSWkPQg@mail.gmail.com>


Hi,

> CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
> 
> CVSS v3 score is not provided
> 
> The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> kernel versions. However, it looks like 4.4 also has the same issue.
> 
> Fixed status
> 
> mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

I created a patch which revises this issue. I attached it to this mail.

Best regards,
  Nobuhiro
________________________________________
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> on behalf of Masami Ichikawa <masami.ichikawa@miraclelinux.com>
Sent: December 16, 2021 8:49
To: cip-dev
Subject: [cip-dev] New CVE entries in this week

Hi !

It's this week's CVE report.

Ten new CVEs were reported this week, and two of them aren't fixed in the
mainline yet.

* New CVEs

CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible
way to read kernel memory due to uninitialized data

CVSS v3 score is not provided

This bug is fixed in the Android kernel. There are three commits to fix this bug.

https://android.googlesource.com/kernel/common/+/e113eb454e92
https://android.googlesource.com/kernel/common/+/60a4c35570d9
https://android.googlesource.com/kernel/common/+/4b05a506bda0

These commits modified net/netfilter/xt_quota2.c, which is Android-specific
source. So this CVE is an Android-specific bug. The mainline and
stable kernels aren't affected.

Fixed status

The mainline and stable kernels aren't affected.

CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name

CVSS v3 score is not provided

The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
kernel versions. However, it looks like 4.4 also has the same issue.

Fixed status

mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file

The commit that introduced the bug, b0841ee, was merged in 5.3-rc8. This commit isn't
backported to 4.4, so 4.4 isn't affected.

Fixed status

mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]

CVE-2021-39657: scsi: ufs: Correct the LUN used in
eh_device_reset_handler() callback

CVSS v3 score is not provided

The bug was fixed in 5.11-rc4, so mainline and stable kernels are already fixed.

Fixed status

mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]

CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in
nfsd4_decode_bitmap function

CVSS v3 score is not provided

OOB write bug in nfsd. This bug was introduced by commit d1c263a
("NFSD: Replace READ* macros in nfsd4_decode_fattr()") since 5.11-rc1
and fixed in 5.16-rc2. Kernels before 5.11 aren't affected by this
issue.

Fixed status

mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]

CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io

CVSS v3 score is not provided

OOB read/write bug in AMD SVM mode. This bug was introduced by commit
7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"),
which was merged in 5.11-rc1. Kernels before 5.11 aren't affected by
this issue.

Fixed status

mainline: [95e16b4792b0429f1933872f743410f00e590c55]

CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c

CVSS v3 score is not provided

This issue was introduced by commit 629b534 ("KVM: x86/xen: update
wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before
5.12-rc1-dontuse aren't affected by this issue.
The patch is being reviewed.

Fixed status

Not fixed yet.

CVE-2021-3864: descendant's dumpable setting with certain SUID binaries

CVSS v3 score is not provided

This bug is able to write a coredump file anywhere. However, abusing this
bug for something such as arbitrary code execution requires some program.
The PoC is at https://www.openwall.com/lists/oss-security/2021/10/20/2.
Two mitigation techniques are suggested, so it is recommended that users
follow these mitigation techniques.

Fixed status

Not fixed yet.

CVE-2021-4083: fget: check that the fd still exists after getting a ref to it

CVSS v3 score is not provided

UAF bug in fs/file.c; it causes a system crash or privilege escalation.
The mainline and all stable kernels are already fixed.

Fixed status

mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]

CVE-2021-39685: Linux Kernel USB Gadget buffer overflow

CVSS v3 score is not provided

Buffer overflow bug in USB gadget devices. An attacker can read and/or
write up to 65k of kernel memory.
It is already fixed in mainline and all stable kernels.

Fixed status

mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038,
86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24,
d8cd524ae4ec788011a14be17503fc224f260fe3]
stable/4.19: [13e45e7a262dd96e8161823314679543048709b9,
32de5efd483db68f12233fbf63743a2d92f20ae4]
stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35,
af21211c327c4703c7681fa7286c4d660682e413]
stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b,
e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d,
6eea4ace62fa6414432692ee44f0c0a3d541d97a]
stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b,
9978777c5409d6c856cac1adf5930e3c84f057be]

* Updated CVEs

No updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com

[-- Attachment #2: 0001-usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch --]

From 8d34956ed2c9247f1bbbf63fd1b0000afd1faaee Mon Sep 17 00:00:00 2001
From: Eddie Hung <eddie.hung@mediatek.com>
Date: Tue, 29 Dec 2020 18:53:35 +0800
Subject: [PATCH] usb: gadget: configfs: Fix use-after-free issue with udc_name

commit 64e6bbfff52db4bf6785fab9cffab850b2de6870 upstream.

There is a use-after-free issue, if access udc_name
in function gadget_dev_desc_UDC_store after another context
free udc_name in function unregister_gadget.

Context 1:
gadget_dev_desc_UDC_store()->unregister_gadget()->
free udc_name->set udc_name to NULL

Context 2:
gadget_dev_desc_UDC_show()-> access udc_name

Call trace:
dump_backtrace+0x0/0x340
show_stack+0x14/0x1c
dump_stack+0xe4/0x134
print_address_description+0x78/0x478
__kasan_report+0x270/0x2ec
kasan_report+0x10/0x18
__asan_report_load1_noabort+0x18/0x20
string+0xf4/0x138
vsnprintf+0x428/0x14d0
sprintf+0xe4/0x12c
gadget_dev_desc_UDC_show+0x54/0x64
configfs_read_file+0x210/0x3a0
__vfs_read+0xf0/0x49c
vfs_read+0x130/0x2b4
SyS_read+0x114/0x208
el0_svc_naked+0x34/0x38

Add mutex_lock to protect this kind of scenario.

Signed-off-by: Eddie Hung <eddie.hung@mediatek.com>
Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1609239215-21819-1-git-send-email-macpaul.lin@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Reference: CVE-2021-39648]
[iwamatsu: struct usb_gadget_driver does not have udc_name variable.
           Change struct gadget_info's udc_name.]
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 drivers/usb/gadget/configfs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 0ef3f4e452428c..6e1172450c7345 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -241,7 +241,16 @@ static ssize_t gadget_dev_desc_bcdUSB_store(struct config_item *item,
 
 static ssize_t gadget_dev_desc_UDC_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%s\n", to_gadget_info(item)->udc_name ?: "");
+	struct gadget_info *gi = to_gadget_info(item);
+	char *udc_name;
+	int ret;
+
+	mutex_lock(&gi->lock);
+	udc_name = gi->udc_name;
+	ret = sprintf(page, "%s\n", udc_name ?: "");
+	mutex_unlock(&gi->lock);
+
+	return ret;
 }
 
 static int unregister_gadget(struct gadget_info *gi)
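Review bot: the lock taken in gadget_dev_desc_UDC_show() only closes the race if unregister_gadget(), which per the commit message frees udc_name and sets it to NULL from the gadget_dev_desc_UDC_store() path, does so with the same gi->lock held; the hunk ends at unregister_gadget()'s signature, so that cannot be checked here, and the backport note already flags that the 4.4 structs differ from upstream. Please confirm in the 4.4 tree that the store path holds gi->lock across both the free and the NULL assignment, and that struct gadget_info carries the `lock` mutex the new code relies on, otherwise the reader is serialized against nothing. Minor: the local `udc_name` copy is read exactly once, so `ret = sprintf(page, "%s\n", gi->udc_name ?: "");` inside the locked region would do the same with two fewer lines.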
-- 
2.34.1
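The race the commit message describes, one context freeing udc_name and NULLing it under gi->lock while another context reads it, as an added user-space model with pthreads; this is not kernel code and not part of the patch. The names gadget_info, udc_name and lock follow the hunk; unregister_gadget_model, udc_show_unlocked, udc_show_locked, run_demo and sequence_check are hypothetical helpers written for this example, and the UDC name "dummy_udc" is a constructed sample. The unlocked reader reproduces the pre-fix shape; the locked reader is the shape the hunk installs.

```c
/* Added example (not from the patch or the kernel): user-space model of the
 * udc_name read/free race and of the mutex fix. Helper names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only the two fields of struct gadget_info that the hunk touches. */
struct gadget_info {
    pthread_mutex_t lock;   /* stands in for gi->lock */
    char *udc_name;         /* heap string; freed and set to NULL on unregister */
};

static const char *SAMPLE_UDC = "dummy_udc";   /* constructed sample name */

/* Context 1 from the commit message: free udc_name and NULL it, under the lock. */
static int unregister_gadget_model(struct gadget_info *gi)
{
    int ret = 0;
    pthread_mutex_lock(&gi->lock);
    if (!gi->udc_name) {
        ret = -1;               /* nothing registered; the kernel returns -ENODEV */
    } else {
        free(gi->udc_name);
        gi->udc_name = NULL;
    }
    pthread_mutex_unlock(&gi->lock);
    return ret;
}

/* Context 2, pre-fix shape: reads udc_name with no lock held (the racy read). */
static int udc_show_unlocked(struct gadget_info *gi, char *page, size_t len)
{
    return snprintf(page, len, "%s\n", gi->udc_name ? gi->udc_name : "");
}

/* Context 2, post-fix shape: the same read under gi->lock, as the hunk does,
 * so it can no longer overlap the free in unregister_gadget_model(). */
static int udc_show_locked(struct gadget_info *gi, char *page, size_t len)
{
    int ret;
    pthread_mutex_lock(&gi->lock);
    ret = snprintf(page, len, "%s\n", gi->udc_name ? gi->udc_name : "");
    pthread_mutex_unlock(&gi->lock);
    return ret;
}

struct reader_args {
    struct gadget_info *gi;
    int use_lock;
    int iters;
    int malformed;   /* reads that were neither "<name>\n" nor "\n" */
};

static void *reader(void *p)
{
    struct reader_args *a = p;
    char page[64], expect[64];
    snprintf(expect, sizeof expect, "%s\n", SAMPLE_UDC);
    for (int i = 0; i < a->iters; i++) {
        int n = a->use_lock ? udc_show_locked(a->gi, page, sizeof page)
                            : udc_show_unlocked(a->gi, page, sizeof page);
        if (n < 1 || n >= (int)sizeof page ||
            (strcmp(page, "\n") != 0 && strcmp(page, expect) != 0))
            a->malformed++;
    }
    return NULL;
}

/* One reader thread against a concurrent unregister. Returns how many malformed
 * reads the reader saw; with use_lock set this is always 0. The unlocked variant
 * is a use-after-free race: build with -fsanitize=thread (or address) to see it. */
static int run_demo(int use_lock, int iters)
{
    struct gadget_info gi;
    struct reader_args a = { &gi, use_lock, iters, 0 };
    pthread_t tid;

    pthread_mutex_init(&gi.lock, NULL);
    gi.udc_name = malloc(strlen(SAMPLE_UDC) + 1);
    strcpy(gi.udc_name, SAMPLE_UDC);

    pthread_create(&tid, NULL, reader, &a);
    unregister_gadget_model(&gi);     /* races with the reader thread */
    pthread_join(tid, NULL);

    pthread_mutex_destroy(&gi.lock);  /* udc_name is already NULL here */
    return a.malformed;
}

/* Single-threaded check of the locked path: 1 when every step behaves as expected. */
static int sequence_check(void)
{
    struct gadget_info gi;
    char page[64];
    int ok = 1;

    pthread_mutex_init(&gi.lock, NULL);
    gi.udc_name = malloc(strlen(SAMPLE_UDC) + 1);
    strcpy(gi.udc_name, SAMPLE_UDC);

    ok &= udc_show_locked(&gi, page, sizeof page) == (int)strlen(SAMPLE_UDC) + 1;
    ok &= unregister_gadget_model(&gi) == 0;
    ok &= udc_show_locked(&gi, page, sizeof page) == 1 && page[0] == '\n';
    ok &= unregister_gadget_model(&gi) == -1;   /* second unregister: nothing to free */

    pthread_mutex_destroy(&gi.lock);
    return ok;
}

int main(void)
{
    printf("locked reader: %d malformed reads\n", run_demo(1, 100000));
    printf("sequence check: %s\n", sequence_check() ? "ok" : "FAILED");
    /* The racy variant is left for sanitizer runs:
     * printf("unlocked reader: %d\n", run_demo(0, 100000)); */
    return 0;
}
```

Build with `cc -pthread example.c` for the normal run, and add `-fsanitize=thread` and uncomment the unlocked call to have the sanitizer point at the free in unregister_gadget_model() and the read in udc_show_unlocked() as the racing pair; that is the same pairing the kernel's KASAN trace in the commit message shows, with sprintf() on the reader side.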

