Hi !

On Thu, Oct 7, 2021 at 4:31 PM Pavel Machek wrote:
>
> Hi!
>
> > It's this week's CVE report.
> >
> > This week reported new CVEs.
> >
> > * New CVEs
> >
> > CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()
> >
> > CVSS v3 score is not provided.
> >
> > Patch 30e29a9a2bc6 (bpf: Fix integer overflow in
> > prealloc_elems_and_freelist()
> ...
> > Fixed status
> >
> > Fix patch has been merged into bpf tree, but not in the mainline yet.
>
> I guess we can wait for this to be merged through normal channels.
>

Yes. I'll track the patch goes into the mainline.

> > * Updated CVEs
> >
> > CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
> > slab-out-of-bounds read access in f2fs_build_segment_manager in
> > fs/f2fs/segment.c
> >
> > This patch has been merged since 5.10-rc1.
> > For 5.4, patch can be applied via git-am. For 4.4 and 4.19, patch can
> > be applied via git-am with -3 option.
> >
> > Fixed status
> >
> > mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
> > stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
>
> It may make sense to help with this backport.
>
> > CVE-2021-37159: net: hso: do not call unregister if not registered
> >
> > 4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
> > yet. However, patch can be applied to 4.4 and 4.9 without any
> > modification. According to cip-kernel-config, no CIP member use HSO
> > module.
>
> Not sure why this has CVE number. We probably need not care.

I agree.

> > CVE-2021-38300: bpf, mips: Validate conditional branch offsets
> >
> > This vulnerability is only affected to MIPS architecture. No cip
> > member use MIPS architecture.
> >
> > 5.10 has been fixed. Applying this fix to 4.4, 4.9, 4.19, and 5.4, it
> > needs to modify the patch.
> >
> > Fixed status
> >
> > mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
> > stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]
>
> I guess we don't care about MIPS.
>

I see. We don't have to track this CVE.

> Best regards,
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
      :masami.ichikawa@miraclelinux.com