From: "Pavel Machek" <pavel@ucw.cz>
To: cip-dev@lists.cip-project.org, wens@csie.org
Subject: [cip-dev] Bluetooth CVEs deciphered?
Date: Thu, 15 Oct 2020 20:06:28 +0200 [thread overview]
Message-ID: <20201015180628.GB14732@duo.ucw.cz> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 9451 bytes --]
Hi!
I believe Google has good information which CVE corresponds to which
patch, and I used that to improve cip-kernel-sec. Result is here. Can
you take a look before I start fighting yml?
Best regards,
Pavel
diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..b7f519b 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,9 @@
-description: INTEL-SA-00435
+description: |
+ A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+ GHSA-h637-c88j-47wq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..372e3ce 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,13 @@
-description: INTEL-SA-00435
+description: |
+ BadChoice: Stack-Based Information Leak (BleedingTooth)
+ A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+ GHSA-7mh3-gq28-gfrq
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+ 8e2a0d92c56ec6955526a8b60838c9b00f70540d
+fixed-by:
\ No newline at end of file
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+ BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+ A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.
+advisory: |
+
references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+ https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+ GHSA-ccx2-w2r4-x649
comments:
- debian/carnil: |-
- CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
- issues covered by a set of commits/patches sent upstream but
- there is no clear association from the CVEs to the commits. So
- duplicate this entry for now to all three CVEs.
- The commits are:
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
- https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
- which are not yet in mainline, and
- a2ec905d1e16 ("Bluetooth: fix kernel oops in
- store_pending_adv_report") which is in 5.8 (and which was
- backported to 5.7.13, 5.4.56 and 4.19.137).
- The "fixed version" information in INTEL-SA-00435 is thus as
- well contradictory as it mentions the issue to be fixed in 5.9
- or later.
- wens: |-
- The four patches are already in net-next as of 2020-10-14 and should hit
- mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
- initializing all members") fixes commits going all the way back to
- 3.6, when A2MP was added.
- Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
- ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
- nine are the various "not fully initialized stack variables"; the last
- two are the sk_filter and BT_HS ones, respectfully.
+ Pavel Machek:
+ This actually looks like most severe from the recent bluetooth stuff.
+
+ Fix is not one-liner but also not scary. Adds checking at expected places.
introduced-by:
- mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
- a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
- 6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
- aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
- 8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
- dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+ mainline:
+ c215e9397b00b3045a668120ed7dbd89f2866e74
+ b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+ mainline:
+ a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+ 4.19:
+ 5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+ -- needs to be backported to 4.4?
+
\ No newline at end of file
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 420 bytes --]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5584): https://lists.cip-project.org/g/cip-dev/message/5584
Mute This Topic: https://lists.cip-project.org/mt/77534365/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
next reply other threads:[~2020-10-15 18:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-15 18:06 Pavel Machek [this message]
2020-10-15 18:09 ` [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4 Pavel Machek
2020-10-15 18:13 ` [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve] Pavel Machek
2020-10-15 20:30 ` [cip-dev] Bluetooth CVEs deciphered? Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201015180628.GB14732@duo.ucw.cz \
--to=pavel@ucw.cz \
--cc=cip-dev@lists.cip-project.org \
--cc=wens@csie.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).