Hi,

> CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name
>
> CVSS v3 score is not provided
>
> The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later
> kernel versions. However, it looks like 4.4 also has the same issue.
>
> Fixed status
>
> mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
> stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
> stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
> stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
> stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
> stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

I created a patch which revises this issue. I attached it to this mail.

Best regards,
Nobuhiro

________________________________________
From: cip-dev@lists.cip-project.org on behalf of Masami Ichikawa
Sent: December 16, 2021 8:49
To: cip-dev
Subject: [cip-dev] New CVE entries in this week

Hi !

It's this week's CVE report.

Ten new CVEs were reported this week, and two of them aren't fixed in the mainline yet.

* New CVEs

CVE-2021-0961: In quota_proc_write of xt_quota2.c, there is a possible way to read kernel memory due to uninitialized data

CVSS v3 score is not provided

This bug is fixed in the Android kernel. There are three commits to fix this bug.

https://android.googlesource.com/kernel/common/+/e113eb454e92
https://android.googlesource.com/kernel/common/+/60a4c35570d9
https://android.googlesource.com/kernel/common/+/4b05a506bda0

These commits modified net/netfilter/xt_quota2.c, which is an Android-specific source file. So this CVE is an Android-specific bug. The mainline and stable kernels aren't affected.

Fixed status

The mainline and stable kernels aren't affected.

CVE-2021-39648: usb: gadget: configfs: Fix use-after-free issue with udc_name

CVSS v3 score is not provided

The 4.4 kernel's gadget_dev_desc_UDC_show() is a bit different from later kernel versions. However, it looks like 4.4 also has the same issue.

Fixed status

mainline: [64e6bbfff52db4bf6785fab9cffab850b2de6870]
stable/4.14: [6766064c794afeacc29b21fc09ea4dbe3cae1af3]
stable/4.19: [83b74059fdf1c4fa6ed261725e6f301552ad23f7]
stable/4.9: [225330e682fa9aaa152287b49dea1ce50fbe0a92]
stable/5.10: [a4b202cba3ab1a7a8b1ca92603931fba5e2032c3]
stable/5.4: [bcffe2de9dde74174805d5f56a990353e33b8072]

CVE-2021-39656: configfs: fix a use-after-free in __configfs_open_file

The bug was introduced by commit b0841ee, which was merged in 5.3-rc8. This commit isn't backported to 4.4, so 4.4 isn't affected.

Fixed status

mainline: [14fbbc8297728e880070f7b077b3301a8c698ef9]
stable/4.14: [4769013f841ed35bdce3b11b64349d0c166ee0a2]
stable/4.19: [9123463620132ada85caf5dc664b168f480b0cc4]
stable/4.9: [6f5c47f0faed69f2e78e733fb18261854979e79f]
stable/5.10: [109720342efd6ace3d2e8f34a25ea65036bb1d3b]
stable/5.4: [73aa6f93e1e980f392b3da4fee830b0e0a4a40ff]

CVE-2021-39657: scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback

CVSS v3 score is not provided

The bug was fixed in 5.11-rc4, so the mainline and stable kernels are already fixed.

Fixed status

mainline: [35fc4cd34426c242ab015ef280853b7bff101f48]
stable/4.14: [30f2a89f9481f851bc68e51a1e7114392b052231]
stable/4.19: [b397fcae2207963747c6f947ef4d06575553eaef]
stable/4.4: [a4cdbf4805bfed8f39e6b25f113588064d9a6ac5]
stable/4.9: [7bbac19e604b2443c93f01c3259734d53f776dbf]
stable/5.10: [2536194bb3b099cc9a9037009b86e7ccfb81461c]
stable/5.4: [97853a7eae80a695a18ce432524eaa7432199a41]

CVE-2021-4090: kernel: Overflow of bmval[bmlen-1] in nfsd4_decode_bitmap function

CVSS v3 score is not provided

OOB write bug in nfsd. This bug was introduced by commit d1c263a ("NFSD: Replace READ* macros in nfsd4_decode_fattr()") since 5.11-rc1 and fixed in 5.16-rc2. Kernels before 5.11 aren't affected by this issue.

Fixed status

mainline: [c0019b7db1d7ac62c711cda6b357a659d46428fe]
stable/5.15: [10c22d9519f3f5939de61a1500aa3a926b778d3a]

CVE-2021-4093: KVM: SVM: out-of-bounds read/write in sev_es_string_io

CVSS v3 score is not provided

OOB read/write bug in AMD SVM mode. This bug was introduced by commit 7ed9abf ("KVM: SVM: Support string IO operations for an SEV-ES guest"), which has been merged since 5.11-rc1. Kernels before 5.11 aren't affected by this issue.

Fixed status

mainline: [95e16b4792b0429f1933872f743410f00e590c55]

CVE-2021-4095: KVM: NULL pointer dereference in kvm_dirty_ring_get() in virt/kvm/dirty_ring.c

CVSS v3 score is not provided

This issue was introduced by commit 629b534 ("KVM: x86/xen: update wallclock region"), which was merged in 5.12-rc1-dontuse. Kernels before 5.12-rc1-dontuse aren't affected by this issue. The patch is being reviewed.

Fixed status

Not fixed yet.

CVE-2021-3864: descendant's dumpable setting with certain SUID binaries

CVSS v3 score is not provided

This bug makes it possible to write a coredump file anywhere. However, abusing this bug for something such as arbitrary code execution requires some program. PoC: https://www.openwall.com/lists/oss-security/2021/10/20/2. Two mitigation techniques are suggested, so it is recommended that users follow these mitigation techniques.

Fixed status

Not fixed yet.

CVE-2021-4083: fget: check that the fd still exists after getting a ref to it

CVSS v3 score is not provided

UAF bug in fs/file.c. It causes a system crash or privilege escalation. The mainline and all stable kernels are already fixed.

Fixed status

mainline: [054aa8d439b9185d4f5eb9a90282d1ce74772969]
stable/4.14: [98548c3a9882a1ea993a103be7c1b499f3b88202]
stable/4.19: [8bf31f9d9395b71af3ed33166a057cd3ec0c59da]
stable/4.4: [8afa4ef999191477506b396fae518338b8996fec]
stable/4.9: [a043f5a600052dc93bc3d7a6a2c1592b6ee77482]
stable/5.10: [4baba6ba56eb91a735a027f783cc4b9276b48d5b]
stable/5.15: [6fe4eadd54da3040cf6f6579ae157ae1395dc0f8]
stable/5.4: [03d4462ba3bc8f830d9807e3c3fde54fad06e2e2]

CVE-2021-39685: Linux Kernel USB Gadget buffer overflow

CVSS v3 score is not provided

Buffer overflow bug in USB gadget devices. An attacker can read and/or write up to 65k of kernel memory. It is already fixed in the mainline and all stable kernels.

Fixed status

mainline: [153a2d7e3350cc89d406ba2d35be8793a64c2038, 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3]
stable/4.14: [e7c8afee149134b438df153b09af7fd928a8bc24, d8cd524ae4ec788011a14be17503fc224f260fe3]
stable/4.19: [13e45e7a262dd96e8161823314679543048709b9, 32de5efd483db68f12233fbf63743a2d92f20ae4]
stable/4.4: [93cd7100fe471c5f76fb942358de4ed70dbcaf35, af21211c327c4703c7681fa7286c4d660682e413]
stable/4.9: [d2ca6859ea96c6d4c6ad3d6873a308a004882419, e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.10: [7193ad3e50e596ac2192531c58ba83b9e6d2444b, e4de8ca013f06ad4a0bf40420a291c23990e4131]
stable/5.15: [36dfdf11af49d3c009c711fb16f5c6e7a274505d, 6eea4ace62fa6414432692ee44f0c0a3d541d97a]
stable/5.4: [fd6de5a0cd42fc43810bd74ad129d98ab962ec6b, 9978777c5409d6c856cac1adf5930e3c84f057be]

* Updated CVEs

No updated CVEs.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email: masami.ichikawa@cybertrust.co.jp
     : masami.ichikawa@miraclelinux.com