CIP-dev Archive on lore.kernel.org
* [cip-dev] Bluetooth CVEs deciphered?
@ 2020-10-15 18:06 Pavel Machek
From: Pavel Machek @ 2020-10-15 18:06 UTC (permalink / raw)
  To: cip-dev, wens


Hi!

I believe Google has good information which CVE corresponds to which
patch, and I used that to improve cip-kernel-sec. Result is here. Can
you take a look before I start fighting yml?

Best regards,
								Pavel

diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..b7f519b 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,9 @@
-description: INTEL-SA-00435
+description: |
+  A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+  GHSA-h637-c88j-47wq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
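Review bot: the new `references:`, `aliases:` and `mainline:` values drop the list markers the old entry used (`- https://...` and the bracketed hash list), so each now parses as a single plain string rather than a sequence; if the cip-kernel-sec schema expects lists here, keep the `- ` form, e.g. `references:` / `- https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq`. Also `advisory: |` has an empty block body, and the entry ends up with no `fixed-by:` at all even though the removed debian/carnil comment pointed at the upstream series that fixes it; either record a fixed-by placeholder or keep that comment until the fix commit is known. The two sibling entries put a title line before the sentence in `description:`; this one has none.
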
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..372e3ce 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,13 @@
-description: INTEL-SA-00435
+description: |
+  BadChoice: Stack-Based Information Leak (BleedingTooth)
+  A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+  GHSA-7mh3-gq28-gfrq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline:
+    47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+    8e2a0d92c56ec6955526a8b60838c9b00f70540d
+fixed-by:
\ No newline at end of file
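Review bot: under `introduced-by:` / `mainline:` the two hashes `47f2d97d...` and `8e2a0d92...` carry no `- ` marker, so YAML folds them into one plain scalar ("47f2d97d... 8e2a0d92...") instead of a two-element list; write them as `- 47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6` / `- 8e2a0d92c56ec6955526a8b60838c9b00f70540d`. The trailing `fixed-by:` key is empty and the file now lacks a final newline; a null `fixed-by` is easy to misread as "nothing fixes this", so either fill it or leave the key out until the commit is known. The description's "3.6 and higher" does agree with the removed wens comment (A2MP added in 3.6), so that part is consistent.
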
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+  BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+  A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.  
+advisory: |
+  
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+  https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+  GHSA-ccx2-w2r4-x649
 comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  Pavel Machek:
+    This actually looks like most severe from the recent bluetooth stuff.
+
+    Fix is not one-liner but also not scary. Adds checking at expected places.
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: 
+    c215e9397b00b3045a668120ed7dbd89f2866e74
+    b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+  mainline:
+    a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+  4.19:
+    5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+    -- needs to be backported to 4.4?
+    
\ No newline at end of file
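Review bot: the `comments:` entry `Pavel Machek:` has no block-scalar indicator (`|-`) as `debian/carnil: |-` did, so the two indented paragraphs become one folded plain scalar and the blank line between them is lost; add `|-`. Under `fixed-by:` / `4.19:` the line `-- needs to be backported to 4.4?` is neither a list item nor a comment, so it is folded into the same scalar as `5df9e561...` and corrupts the hash value; move the question into the comments block (or prefix it with `#`) and give the hashes `- ` markers. The `description:` line and the `advisory: |` body both carry whitespace-only trailing content that should be dropped.
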

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5584): https://lists.cip-project.org/g/cip-dev/message/5584
Mute This Topic: https://lists.cip-project.org/mt/77534365/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* [cip-dev] CVE-2020-24490: backporting a2ec905d to 4.4.
From: Pavel Machek @ 2020-10-15 18:09 UTC (permalink / raw)
  To: cip-dev, wens



    CVE-2020-24490: backporting a2ec905d to 4.4.

Yes, "ext_adv" is always false here, so code could be simplified, but
I believe this is good enough for -stable.

Best regards,
								Pavel



diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 03319ab8a7c6..3794616cd87b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1133,6 +1133,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
 {
 	struct discovery_state *d = &hdev->discovery;
 
+	if (len > HCI_MAX_AD_LENGTH)
+		return;
+
 	bacpy(&d->last_adv_addr, bdaddr);
 	d->last_adv_addr_type = bdaddr_type;
 	d->last_adv_rssi = rssi;
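Review bot: the new length check sits before `bacpy()` and the other `d->last_adv_*` stores, so an oversized report leaves the pending state untouched rather than half-updated, which is the right placement. It returns silently, and that is acceptable because the caller `process_adv_report()` already rejects and rate-limit-logs `!ext_adv && len > HCI_MAX_AD_LENGTH` before this function is reached; treat this check as defence in depth and consider a one-line comment saying so, otherwise a later reader may conclude the caller's check is redundant and drop it.
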
@@ -4743,7 +4746,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
 
 static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 			       u8 bdaddr_type, bdaddr_t *direct_addr,
-			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
+			       u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
+			       bool ext_adv)
 {
 	struct discovery_state *d = &hdev->discovery;
 	struct smp_irk *irk;
@@ -4752,6 +4756,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 	u32 flags;
 	u8 *ptr, real_len;
 
+	if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
+		BT_ERR_RATELIMITED("legacy adv larger than 31 bytes");
+		return;
+	}
+
 	/* Find the end of the data in case the report contains padded zero
 	 * bytes at the end causing an invalid length value.
 	 *
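Review bot: this is the check that actually closes the overflow: it rejects `len > HCI_MAX_AD_LENGTH` before the "Find the end of the data" scan and before any copy of `data`, and since every caller in this file passes `ext_adv = false` it is effectively unconditional on 4.4. Using `BT_ERR_RATELIMITED` rather than `BT_ERR` is the correct choice because this path is fed by over-the-air reports, so an unlimited log line would let a remote peer fill the log; please confirm the macro is defined in the 4.4 tree's `include/net/bluetooth/bluetooth.h`, as the patch only compiles if it is.
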
@@ -4812,7 +4821,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 	 */
 	conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
 								direct_addr);
-	if (conn && type == LE_ADV_IND) {
+	if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
 		/* Store report for later inclusion by
 		 * mgmt_device_connected
 		 */
@@ -4866,7 +4875,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 	 * event or send an immediate device found event if the data
 	 * should not be stored for later.
 	 */
-	if (!has_pending_adv_report(hdev)) {
+	if (!ext_adv &&	!has_pending_adv_report(hdev)) {
 		/* If the report will trigger a SCAN_REQ store it for
 		 * later merging.
 		 */
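Review bot: style nit in `if (!ext_adv &&	!has_pending_adv_report(hdev)) {`: there is a tab rather than a space between `&&` and `!has_pending_adv_report`, which checkpatch flags and which makes the line look hand-edited; replace it with a single space before this goes to -stable.
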
@@ -4901,7 +4910,8 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
 		/* If the new report will trigger a SCAN_REQ store it for
 		 * later merging.
 		 */
-		if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
+		if (!ext_adv && (type == LE_ADV_IND ||
+				 type == LE_ADV_SCAN_IND)) {
 			store_pending_adv_report(hdev, bdaddr, bdaddr_type,
 						 rssi, flags, data, len);
 			return;
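Review bot: the `store_pending_adv_report()` call in this branch gains only the `!ext_adv` guard and no length test, unlike the `conn` path in the earlier hunk, so it is protected solely by the early return at the top of `process_adv_report()` and by the new check inside `store_pending_adv_report()` itself. That is sufficient, but it is the reason the in-callee check should stay even though it looks redundant.
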
@@ -4940,7 +4950,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
 		rssi = ev->data[ev->length];
 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
 				   ev->bdaddr_type, NULL, 0, rssi,
-				   ev->data, ev->length);
+				   ev->data, ev->length, false);
 
 		ptr += sizeof(*ev) + ev->length + 1;
 	}
@@ -5137,7 +5147,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
 
 		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
 				   ev->bdaddr_type, &ev->direct_addr,
-				   ev->direct_addr_type, ev->rssi, NULL, 0);
+				   ev->direct_addr_type, ev->rssi, NULL, 0,
+				   false);
 
 		ptr += sizeof(*ev);
 	}


-- 
http://www.livejournal.com/~pavelmachek




* [cip-dev] Backport c797110d for CVE-2020-25645 [net: geneve]
From: Pavel Machek @ 2020-10-15 18:13 UTC (permalink / raw)
  To: cip-dev, wens



    Backport c797110d for CVE-2020-25645.

This ... builds. I would not mind getting some testing here.

Best regards,
							Pavel

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index ec13e2ae6d16..840ad2e29dbb 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -711,7 +711,8 @@ free_dst:
 static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
 				       struct net_device *dev,
 				       struct flowi4 *fl4,
-				       struct ip_tunnel_info *info)
+				       struct ip_tunnel_info *info,
+				       __be16 dport, __be16 sport)
 {
 	struct geneve_dev *geneve = netdev_priv(dev);
 	struct rtable *rt = NULL;
@@ -720,6 +721,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
 	memset(fl4, 0, sizeof(*fl4));
 	fl4->flowi4_mark = skb->mark;
 	fl4->flowi4_proto = IPPROTO_UDP;
+	fl4->fl4_dport = dport;
+	fl4->fl4_sport = sport;
 
 	if (info) {
 		fl4->daddr = info->key.u.ipv4.dst;
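Review bot: `fl4->fl4_dport` and `fl4->fl4_sport` are filled in before the `if (info)` branch, so both the metadata path and the plain-device path put the UDP ports into the flow key; that is the substance of the fix, since anything keyed on the ports during the route lookup (xfrm policy selectors included) otherwise never sees them. Same pattern in the v6 hunk, good.
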
@@ -754,7 +757,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
 static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
 					   struct net_device *dev,
 					   struct flowi6 *fl6,
-					   struct ip_tunnel_info *info)
+					   struct ip_tunnel_info *info,
+					   __be16 dport, __be16 sport)
 {
 	struct geneve_dev *geneve = netdev_priv(dev);
 	struct geneve_sock *gs6 = geneve->sock6;
@@ -764,6 +768,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
 	memset(fl6, 0, sizeof(*fl6));
 	fl6->flowi6_mark = skb->mark;
 	fl6->flowi6_proto = IPPROTO_UDP;
+	fl6->fl6_dport = dport;
+	fl6->fl6_sport = sport;
 
 	if (info) {
 		fl6->daddr = info->key.u.ipv6.dst;
@@ -834,13 +840,14 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 			goto tx_error;
 	}
 
-	rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+	rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+			      info->key.tp_dst, sport);
 	if (IS_ERR(rt)) {
 		err = PTR_ERR(rt);
 		goto tx_error;
 	}
 
-	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
 	skb_reset_mac_header(skb);
 
 	if (info) {
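Review bot: `info->key.tp_dst` in `rt = geneve_get_v4_rt(skb, dev, &fl4, info, info->key.tp_dst, sport);` dereferences `info` unconditionally, but `info` can be NULL on this path: `geneve_get_v4_rt()` itself guards `if (info)` before reading the address, and the `if (info) {` context right after this call does the same. On a geneve device without collect-metadata this is a NULL pointer dereference in the transmit path. Pass the device port `geneve->dst_port` (the value `geneve_fill_metadata_dst()` already reports as `tp_dst`), or at minimum `info ? info->key.tp_dst : geneve->dst_port`.
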
@@ -916,13 +923,14 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 		}
 	}
 
-	dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+	dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+				info->key.tp_dst, sport);
 	if (IS_ERR(dst)) {
 		err = PTR_ERR(dst);
 		goto tx_error;
 	}
 
-	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
 	skb_reset_mac_header(skb);
 
 	if (info) {
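Review bot: same NULL-`info` problem as the IPv4 transmit hunk: `info->key.tp_dst` is read before the `if (info) {` check that follows, so a geneve device without collect_md will oops in `geneve6_xmit_skb()`; use `geneve->dst_port` (or guard the dereference) here as well.
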
@@ -1011,9 +1019,14 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
 	struct dst_entry *dst;
 	struct flowi6 fl6;
 #endif
+	__be16 sport;
 
 	if (ip_tunnel_info_af(info) == AF_INET) {
-		rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+		sport = udp_flow_src_port(geneve->net, skb,
+					  1, USHRT_MAX, true);
+	  
+		rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+				      info->key.tp_dst, sport);
 		if (IS_ERR(rt))
 			return PTR_ERR(rt);
 
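Review bot: the line after the `udp_flow_src_port()` call (`+	  `) is whitespace-only (a tab plus spaces); checkpatch rejects trailing whitespace, so make it an empty line or drop it. Otherwise fine: `info` is non-NULL in `geneve_fill_metadata_dst()` because `ip_tunnel_info_af(info)` has already dereferenced it, so `info->key.tp_dst` is safe on this path, unlike in the xmit hunks.
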
@@ -1021,7 +1034,11 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
 		info->key.u.ipv4.src = fl4.saddr;
 #if IS_ENABLED(CONFIG_IPV6)
 	} else if (ip_tunnel_info_af(info) == AF_INET6) {
-		dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+		sport = udp_flow_src_port(geneve->net, skb,
+					  1, USHRT_MAX, true);
+  
+		dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+					info->key.tp_dst, sport);
 		if (IS_ERR(dst))
 			return PTR_ERR(dst);
 
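Review bot: same whitespace-only `+  ` line in the IPv6 branch as in the IPv4 one; please strip it. The `sport` computation is duplicated verbatim in both branches; hoisting the single `udp_flow_src_port()` call above the `if (ip_tunnel_info_af(info) == AF_INET)` would shrink the diff and remove the repeated line, but that is optional.
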
@@ -1032,8 +1049,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
 		return -EINVAL;
 	}
 
-	info->key.tp_src = udp_flow_src_port(geneve->net, skb,
-					     1, USHRT_MAX, true);
+	info->key.tp_src = sport;
 	info->key.tp_dst = geneve->dst_port;
 	return 0;
 }
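Review bot: the route lookups in this function key on `info->key.tp_dst`, yet a few lines later the function sets `info->key.tp_dst = geneve->dst_port`; when the metadata's tp_dst is unset (zero) the route lookup and the port the packet is actually sent to disagree. Keying the lookups on `geneve->dst_port` removes that mismatch. `info->key.tp_src = sport;` is safe with respect to initialization because every branch that does not set `sport` returns `-EINVAL` first.
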


-- 
http://www.livejournal.com/~pavelmachek




* Re: [cip-dev] Bluetooth CVEs deciphered?
From: Pavel Machek @ 2020-10-15 20:30 UTC (permalink / raw)
  To: cip-dev, wens


Hi!

> I believe Google has good information which CVE corresponds to which
> patch, and I used that to improve cip-kernel-sec. Result is here. Can
> you take a look before I start fighting yml?

I believe I identified the other 2 fixes, too. Here's updated diff.

Best regards,
								Pavel

diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..a28487e 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,14 @@
-description: INTEL-SA-00435
+description: |
+  A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+  GHSA-h637-c88j-47wq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
+
+  (no Fixed: tag matching dbb50887c8 in -next).
+
+Probably this fixes it?
+  f19425641cb2572a33cb074d5e30283720bd4d22 .. yep.
\ No newline at end of file
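Review bot: the tail of this entry is not YAML: `(no Fixed: tag matching dbb50887c8 in -next).` is a stray indented scalar after `mainline:`, and `Probably this fixes it?` / `f19425641cb2572a33cb074d5e30283720bd4d22 .. yep.` are top-level lines without a key, which a parser rejects with "could not find expected ':'". Record the candidate as `fixed-by:` / `  mainline:` / `    - f19425641cb2572a33cb074d5e30283720bd4d22` and move the reasoning (no Fixes: tag pointing at dbb50887c8) into a `comments:` block so the tooling can still read the file.
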
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..64b731d 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,19 @@
-description: INTEL-SA-00435
+description: |
+  BadChoice: Stack-Based Information Leak (BleedingTooth)
+  A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+  GHSA-7mh3-gq28-gfrq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline:
+    47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+    8e2a0d92c56ec6955526a8b60838c9b00f70540d ?
+fixed-by:
+  probably this: eddb7732119d53400f48a02536a84c509692faa8
+
+Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date:   Thu Aug 6 11:17:11 2020 -0700
+
+  
\ No newline at end of file
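Review bot: several lines here break or pollute the YAML: the `?` appended to `8e2a0d92c56ec6955526a8b60838c9b00f70540d ?` becomes part of the hash string; `probably this:` is used as a mapping key under `fixed-by:` where the other entries use branch names (`mainline:`, `4.19:`); and the pasted `Author:` / `Date:` lines from git log become top-level keys of the document, followed by a whitespace-only line and no final newline. Record `eddb7732119d53400f48a02536a84c509692faa8` as `fixed-by:` / `  mainline:` / `    - eddb7732119d53400f48a02536a84c509692faa8`, and put the doubt about the second introducing commit into `comments:`.
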
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+  BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+  A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.  
+advisory: |
+  
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+  https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+  GHSA-ccx2-w2r4-x649
 comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  Pavel Machek:
+    This actually looks like most severe from the recent bluetooth stuff.
+
+    Fix is not one-liner but also not scary. Adds checking at expected places.
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: 
+    c215e9397b00b3045a668120ed7dbd89f2866e74
+    b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+  mainline:
+    a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+  4.19:
+    5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+    -- needs to be backported to 4.4?
+    
\ No newline at end of file
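Review bot: this file is byte-identical to the copy in the first message, so the same problems stand: the `Pavel Machek:` comment lacks `|-`, and `-- needs to be backported to 4.4?` is folded into the `5df9e561...` value. One more point: the removed debian/carnil comment recorded that a2ec905d1e16 was backported to 5.7.13, 5.4.56 and 4.19.137, but only the 4.19 commit is carried into `fixed-by:`; add the 5.4 entry before that history is lost, and the 4.4 question can now point at the backport posted earlier in this thread.
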

-- 
http://www.livejournal.com/~pavelmachek


