* [cip-dev] New CVE entry this week
@ 2021-09-02  1:05 Masami Ichikawa
  2021-09-02  6:27 ` Pavel Machek
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-02  1:05 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3739: mainline is fixed. Kernels before 4.20-rc1 aren't affected.

CVE-2021-3743: mainline is fixed. Kernels before 4.15-rc1 aren't affected.

CVE-2021-3753: mainline is fixed. 4.4 and 4.19 kernels are affected.

** Updated CVEs

CVE-2020-3702: 4.14, 4.19, 5.10, 5.4 kernels are fixed.

CVE-2021-3653: stable kernels are fixed.

CVE-2021-3656: stable kernels are fixed. 4.4 is not affected.

CVE-2021-3600: Patches for 4.19 exist in the stable-rc tree as of 2021/09/02.

** Tracking CVEs

CVE-2021-31615: No fix information as of 2021/09/02.

CVE-2021-3640: No fix information as of 2021/09/02.

CVE-2020-26555: No fix information as of 2021/09/02.

CVE-2020-26556: No fix information as of 2021/09/02.

CVE-2020-26557: No fix information as of 2021/09/02.

CVE-2020-26559: No fix information as of 2021/09/02.

CVE-2020-26560: No fix information as of 2021/09/02.

CVE-2021-3600: mainline, 5.10, 5.4 are fixed. 4.4 isn't affected. 4.19
will be fixed in the stable tree.

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in the btrfs tree but not fixed in mainline yet.
This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
aren't affected by it.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
kernels before 4.15 aren't affected.
Checking cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]

CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced the race
condition and OOB bug. Commit ffb324e6f874 has been backported to
4.4 and 4.19.

Fixed status

mainline: [2287a51ba822384834dafc1c798453375d1107c7]

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
ca2848022c12789685d3fab3227df02b863f9696]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
61b014a8f8de02bedc56f76620170437f5638588]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea,
fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d,
7c5a966edd3c6eec4a9bdf698c1f27712d1781f0,
08c613a2cb06c68ef4e7733e052af067b21e5dbb]
stable/5.10: [8f05076983ddeaae1165457b6aa4eca9fe0e5498,
6566c207e5767deb37d283ed9f77b98439a1de4e,
2925a8385ec746bf09c11dcadb9af13c26091a4d,
609c0cfd07f0ae6c444e064a59b46c5f3090b705,
e2036bc3fc7daa03c15fda27e1818192da817cea]
stable/5.4: [0c049ce432b37a51a0da005314ac32e5d9324ccf,
add283e2517a90468ce223465e0f4360128bb650,
b7d593705eb4f0655a70f0207f573fb1edb80bda,
c6feaf806da6a0deecc2fe41adb3443cdecba347,
23f77ad13f8176314b7c51f71b9ac7c5c6d10b7b]

CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/4.14: [26af47bdc45e454877f15fa7658a167bb9799681]
stable/4.19: [42f4312c0e8a225b5f1e3ed029509ef514f2157a]
stable/4.4: [53723b7be26ef31ad642ce5ffa8b42dec16db40e]
stable/4.9: [29c4f674715ba8fe7a391473313e8c71f98799c4]
stable/5.10: [c0883f693187c646c0972d73e525523f9486c2e3]
stable/5.13: [a0949ee63cf95408870a564ccad163018b1a9e6b]
stable/5.4: [7c1c96ffb658fbfe66c5ebed6bcb5909837bc267]


CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/4.14: [6ed198381ed2496fbc82214108e56a441d3b0213]
stable/4.19: [119d547cbf7c055ba8100309ad71910478092f24]
stable/5.10: [3dc5666baf2a135f250e4101d41d5959ac2c2e1f]
stable/5.13: [639a033fd765ed473dfee27028df5ccbe1038a2e]
stable/5.4: [a17f2f2c89494c0974529579f3552ecbd1bc2d52]
stable/4.4: Not affected

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/26.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/26.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information as of 2021/08/26.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information as of 2021/08/26.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability was introduced in 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.
Patches have been sent to the stable
list (https://lore.kernel.org/stable/YSj43Lpw9bilHuIn@kroah.com/T/#t)
and have since been included in the stable-rc tree. This patch set
addresses CVE-2021-3444 and CVE-2021-3600.

Discussion: https://lore.kernel.org/stable/YSd1q9Llm1vsWbXT@mussarela/T/#t

Patches in the stable-rc tree:

bpf: Do not use ax register in interpreter on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=5179c6c58d0a2a05eeadd1bc0431bee01609d5b2
bpf: Fix 32 bit src register truncation on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=ca13f215fc36e37cf46d624b8c0ee71c10e231b1
bpf: Fix truncation handling for mod32 dst reg wrt zero:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=a84037fcded8a9513f4838079cef85c516036f23


mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

Regards,

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6713): https://lists.cip-project.org/g/cip-dev/message/6713
Mute This Topic: https://lists.cip-project.org/mt/85318439/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* Re: [cip-dev] New CVE entry this week
  2021-09-02  1:05 [cip-dev] New CVE entry this week Masami Ichikawa
@ 2021-09-02  6:27 ` Pavel Machek
  2021-09-02  7:10   ` Nobuhiro Iwamatsu
  2021-09-02 12:17   ` Masami Ichikawa
  0 siblings, 2 replies; 26+ messages in thread
From: Pavel Machek @ 2021-09-02  6:27 UTC (permalink / raw)
  To: cip-dev


Hi!

> * CVE short summary

These summaries are not so short; I simply skip them and go to the full
list. Perhaps they don't need to be included, or could include only the
CVEs where we need to take action?

> * CVE detail
> 
> New CVEs
> 
> CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
> device by invalid id
> 
> Fixed in the btrfs tree but not fixed in mainline yet.
> This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
> aren't affected by it.
> 
> Fixed status
> 
> mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]

This one is queued for 5.10.62, so this is getting fixed for us.

> CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
> 
> Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
> kernels before 4.15 aren't affected.
> Checking cip-kernel-config, it looks like no CIP member enables QRTR.
> 
> Fixed status
> 
> mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]

Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.

> CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt
> 
> Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced the race
> condition and OOB bug. Commit ffb324e6f874 has been backported to
> 4.4 and 4.19.

Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.

> Updated CVEs
> 
> CVE-2020-3702: Specifically timed and handcrafted traffic can cause
> internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
> encryption with a consequent possibility of information disclosure
> over the air for a discrete set of traffic
> 
> Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
> and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.

Fixed in 4.14 but not 4.4.

> stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
> 20e7de09cbdb76a38f28fb71709fae347123ddb7,
> 995586a56748c532850870523d3a9080492b3433,
> f4d4f4473129e9ee55b8562250adc53217bad529,
> 61b014a8f8de02bedc56f76620170437f5638588]

Diffstat looks like this:

 key.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 main.c |    5 +++++
 1 file changed, 5 insertions(+)
 ath.h |    1 +
 key.c |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 ath.h                |    2 +-
 ath5k/mac80211-ops.c |    2 +-
 ath9k/htc_drv_main.c |    2 +-
 ath9k/main.c         |    5 ++---
 key.c                |   34 +++++++++++++++++-----------------
 5 files changed, 22 insertions(+), 23 deletions(-)
 hw.h   |    1 
 main.c |   87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 87 insertions(+), 1 deletion(-)

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entry this week
  2021-09-02  6:27 ` Pavel Machek
@ 2021-09-02  7:10   ` Nobuhiro Iwamatsu
  2021-09-02 12:17   ` Masami Ichikawa
  1 sibling, 0 replies; 26+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-09-02  7:10 UTC (permalink / raw)
  To: cip-dev

Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Pavel Machek
> Sent: Thursday, September 2, 2021 3:28 PM
> To: cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] New CVE entry this week
> 
> Hi!
> 
> > * CVE short summary
> 
> These summaries are not so short; I simply skip them and go to the full
> list. Perhaps they don't need to be included, or could include only the
> CVEs where we need to take action?
> 
> > * CVE detail
> >
> > New CVEs
> >
> > CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
> > device by invalid id
> >
> > Fixed in the btrfs tree but not fixed in mainline yet.
> > This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
> > aren't affected by it.
> >
> > Fixed status
> >
> > mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
> 
> This one is queued for 5.10.62, so this is getting fixed for us.
> 
> > CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
> >
> > Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
> > kernels before 4.15 aren't affected.
> > Checking cip-kernel-config, it looks like no CIP member enables QRTR.
> >
> > Fixed status
> >
> > mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
> 
> Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.
> 
> > CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt
> >
> > Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced the race
> > condition and OOB bug. Commit ffb324e6f874 has been backported to
> > 4.4 and 4.19.
> 
> Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.
> 
> > Updated CVEs
> >
> > CVE-2020-3702: Specifically timed and handcrafted traffic can cause
> > internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
> > encryption with a consequent possibility of information disclosure
> > over the air for a discrete set of traffic
> >
> > Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
> > and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.
> 
> Fixed in 4.14 but not 4.4.
> 
> > stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
> > 20e7de09cbdb76a38f28fb71709fae347123ddb7,
> > 995586a56748c532850870523d3a9080492b3433,
> > f4d4f4473129e9ee55b8562250adc53217bad529,
> > 61b014a8f8de02bedc56f76620170437f5638588]
> 
> Diffstat looks like this:
> 
>  key.c |   11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>  main.c |    5 +++++
>  1 file changed, 5 insertions(+)
>  ath.h |    1 +
>  key.c |    4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
>  ath.h                |    2 +-
>  ath5k/mac80211-ops.c |    2 +-
>  ath9k/htc_drv_main.c |    2 +-
>  ath9k/main.c         |    5 ++---
>  key.c                |   34 +++++++++++++++++-----------------
>  5 files changed, 22 insertions(+), 23 deletions(-)
>  hw.h   |    1
>  main.c |   87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 87 insertions(+), 1 deletion(-)

I checked the patch application and build at hand.
We can backport it without any changes to the 4.4 tree. But I don't have this device, so I can't confirm that it works.


Best regards,
  Nobuhiro


* Re: [cip-dev] New CVE entry this week
  2021-09-02  6:27 ` Pavel Machek
  2021-09-02  7:10   ` Nobuhiro Iwamatsu
@ 2021-09-02 12:17   ` Masami Ichikawa
  1 sibling, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-02 12:17 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Sep 2, 2021 at 3:28 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > * CVE short summary
>
> These summaries are not so short; I simply skip them and go to the full
> list. Perhaps they don't need to be included, or could include only the
> CVEs where we need to take action?
>

Thank you for the comment.
This weekly report mail contains the full list of new CVEs, updated
CVEs, and currently tracked CVEs, so I think the summary can be removed
or simplified.
I'll write a new summary style that includes the CVEs which we need to take care of.

> > * CVE detail
> >
> > New CVEs
> >
> > CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
> > device by invalid id
> >
> > Fixed in the btrfs tree but not fixed in mainline yet.
> > This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
> > aren't affected by it.
> >
> > Fixed status
> >
> > mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
>
> This one is queued for 5.10.62, so this is getting fixed for us.
>
> > CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
> >
> > Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
> > kernels before 4.15 aren't affected.
> > Checking cip-kernel-config, it looks like no CIP member enables QRTR.
> >
> > Fixed status
> >
> > mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
>
> Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.
>
> > CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt
> >
> > Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced the race
> > condition and OOB bug. Commit ffb324e6f874 has been backported to
> > 4.4 and 4.19.
>
> Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.
>
> > Updated CVEs
> >
> > CVE-2020-3702: Specifically timed and handcrafted traffic can cause
> > internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
> > encryption with a consequent possibility of information disclosure
> > over the air for a discrete set of traffic
> >
> > Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
> > and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.
>
> Fixed in 4.14 but not 4.4.
>
> > stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
> > 20e7de09cbdb76a38f28fb71709fae347123ddb7,
> > 995586a56748c532850870523d3a9080492b3433,
> > f4d4f4473129e9ee55b8562250adc53217bad529,
> > 61b014a8f8de02bedc56f76620170437f5638588]
>
> Diffstat looks like this:
>
>  key.c |   11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>  main.c |    5 +++++
>  1 file changed, 5 insertions(+)
>  ath.h |    1 +
>  key.c |    4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
>  ath.h                |    2 +-
>  ath5k/mac80211-ops.c |    2 +-
>  ath9k/htc_drv_main.c |    2 +-
>  ath9k/main.c         |    5 ++---
>  key.c                |   34 +++++++++++++++++-----------------
>  5 files changed, 22 insertions(+), 23 deletions(-)
>  hw.h   |    1
>  main.c |   87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 87 insertions(+), 1 deletion(-)
>
> Best regards,
>                                                                 Pavel
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com
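The action-only summary proposed in this reply can be derived mechanically from the report's own "Fixed status" blocks. The script below is an added example, not code from this thread or from the CIP project: the branch set 4.4/4.19/5.10 is an assumption, the names Entry, parse_report and needs_action are mine, and the sample input is a constructed excerpt of the reports in this thread.

```python
"""Parse the "Fixed status" blocks of a cip-dev weekly CVE report and list, per
CVE, the maintained kernel branches that still lack a fix (added example)."""
import re
from dataclasses import dataclass

# Report grammar as used in the thread: "CVE-YYYY-NNNN: title", free text, then
# "<branch>: [hash, ...]" (may wrap) or "<branch>: not affect(ed) / not fixed yet".
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")
STATUS_RE = re.compile(r"^(mainline|stable/\d+\.\d+):\s*(.*)$")
HASH_RE = re.compile(r"\b[0-9a-f]{40}\b")

# Branches the team maintains (assumption: CIP's SLTS branches in this thread).
BRANCHES = ("4.4", "4.19", "5.10")

@dataclass
class Entry:
    cve: str
    title: str
    status: dict  # branch -> list of fixing hashes, "not affected" or "not fixed"

def _normalise(text):
    word = text.strip().rstrip(".").lower()
    if word.startswith("not affect"):   # the report uses both "not affect(ed)"
        return "not affected"
    if "not fixed" in word:             # "not fixed yet"
        return "not fixed"
    return word

def parse_report(text):
    entries = []
    status, prev_header = None, False   # status dict of the current entry
    pending = None                      # (branch, text) while a [...] list wraps
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            branch, buf = pending
            buf += " " + line
            if "]" in line:
                status[branch] = HASH_RE.findall(buf)
                pending = None
            else:
                pending = (branch, buf)
            continue
        m = CVE_RE.match(line)
        if m:
            # Back-to-back headers (CVE-2021-3744/3764 in the report) describe
            # one fix, so they share the status dict of the block that follows.
            if not prev_header:
                status = {}
            entries.append(Entry(m.group(1), m.group(2).strip(), status))
            prev_header = True
            continue
        prev_header = False
        m = STATUS_RE.match(line)
        if not m or status is None:
            continue
        branch, rest = m.group(1), m.group(2)
        if not rest.startswith("["):
            status[branch] = _normalise(rest)
        elif "]" in rest:
            status[branch] = HASH_RE.findall(rest)
        else:
            pending = (branch, rest)
    return entries

def needs_action(entries, branches=BRANCHES):
    """CVE id -> branches with no fix listed; an unmentioned branch counts too."""
    todo = {}
    for e in entries:
        open_branches = [b for b in branches
                         if e.status.get("stable/" + b) in (None, "not fixed")]
        if open_branches:
            todo[e.cve] = open_branches
    return todo

# Constructed sample: excerpts of the 2021-09-02 and 2021-10-13 reports above.
SAMPLE = """\
CVE-2021-3640: UAF in sco_send_frame function
There is no fix information as of 2021/08/26.

CVE-2021-0935: bug is in ipv6 and l2tp code.
Fixed status
mainline: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.19: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.4: not fixed yet
stable/5.10: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function
Fixed status
mainline: [505d9dcb0f7ddf9d075e729523a33d38642ae680]
stable/4.19: [710be7c42d2f724869e5b18b21998ceddaffc4a9]
stable/4.4: not affect
stable/5.10: [17ccc64e4fa5d3673528474bfeda814d95dc600a]
"""
```

Calling needs_action(parse_report(SAMPLE)) on the sample reports CVE-2021-3640 as open on all three branches (no fix information at all) and CVE-2021-0935 as open on 4.4 only; the ccp pair drops out because 4.4 is marked not affected and the other branches list fixes.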


* Re: [cip-dev] New CVE entry this week
  2021-10-21  8:41 ` [cip-dev] " nobuhiro1.iwamatsu
@ 2021-10-21 12:05   ` Masami Ichikawa
  0 siblings, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-21 12:05 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Oct 21, 2021 at 5:42 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> > Sent: Thursday, October 21, 2021 10:21 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entry this week
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week reported 7 new CVEs.
> >
> > * New CVEs
> >
> > CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.
> >
> > This bug is in the BPF subsystem and is s390 architecture specific.
> > Patches haven't been backported to the 4.4 kernel. However, according
> > to cip-kernel-config, it looks like no one uses s390, so can we ignore
> > it until someone backports the patches?
> >
> > CVSS v3 score is not provided.
> >
> > Fixed status
> >
> > mainline: [db7bee653859ef7179be933e7d1384644f795f26,
> > 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53,
> > 1511df6f5e9ef32826f20db2ee81f8527154dc14]
> > stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
> > stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b,
> > 8a09222a512bf7b32e55bb89a033e08522798299]
> > stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6,
> > 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba,
> > ab7cf225016159bc2c3590be6fa12965565d903b]
> > stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e,
> > 6a8787093b04057d855822094d63d04a2506444a,
> > a7593244dc31ad0eea70319f6110975f9c738dca]
> >
> > CVE-2021-20321: kernel: In Overlayfs missing a check for a negative
> > dentry before calling vfs_rename()
> >
> > CVSS v3 score is not provided.
> >
> > A local attacker can escalate their privileges up to root via the
> > overlayfs vulnerability.
> > The patch for 4.4 failed to
> > apply (https://lore.kernel.org/stable/163378772914820@kroah.com/). The
> > patch needs to be modified. I attached a patch; if it looks good, I'll
> > send it to the stable mailing list.
>
> Thanks, I checked your patch. LGTM.
>

Thanks !

> Best regards,
>   Nobuhiro
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* RE: [cip-dev] New CVE entry this week
  2021-10-21  1:21 Masami Ichikawa
@ 2021-10-21  8:41 ` nobuhiro1.iwamatsu
  2021-10-21 12:05   ` Masami Ichikawa
  0 siblings, 1 reply; 26+ messages in thread
From: nobuhiro1.iwamatsu @ 2021-10-21  8:41 UTC (permalink / raw)
  To: cip-dev

Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, October 21, 2021 10:21 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> This week reported 7 new CVEs.
> 
> * New CVEs
> 
> CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes.
> 
> This bug is in the BPF subsystem and is s390 architecture specific.
> Patches haven't been backported to the 4.4 kernel. However, according
> to cip-kernel-config, it looks like no one uses s390, so can we ignore
> it until someone backports the patches?
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [db7bee653859ef7179be933e7d1384644f795f26,
> 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53,
> 1511df6f5e9ef32826f20db2ee81f8527154dc14]
> stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930]
> stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b,
> 8a09222a512bf7b32e55bb89a033e08522798299]
> stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6,
> 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba,
> ab7cf225016159bc2c3590be6fa12965565d903b]
> stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e,
> 6a8787093b04057d855822094d63d04a2506444a,
> a7593244dc31ad0eea70319f6110975f9c738dca]
> 
> CVE-2021-20321: kernel: In Overlayfs missing a check for a negative
> dentry before calling vfs_rename()
> 
> CVSS v3 score is not provided.
> 
> A local attacker can escalate their privileges up to root via the
> overlayfs vulnerability.
> The patch for 4.4 failed to
> apply (https://lore.kernel.org/stable/163378772914820@kroah.com/). The
> patch needs to be modified. I attached a patch; if it looks good, I'll
> send it to the stable mailing list.

Thanks, I checked your patch. LGTM.

Best regards,
  Nobuhiro



* Re: [cip-dev] New CVE entry this week
  2021-10-13 23:54 Masami Ichikawa
  2021-10-13 23:54 ` [cip-dev] " Masami Ichikawa
@ 2021-10-14  6:55 ` Pavel Machek
  2021-10-14  6:55   ` Pavel Machek
  1 sibling, 1 reply; 26+ messages in thread
From: Pavel Machek @ 2021-10-14  6:55 UTC (permalink / raw)
  To: cip-dev

Hi!

> * New CVEs
> 
> CVE-2021-0935: bug is in ipv6 and l2tp code.
> 
> This CVE addresses two commits, one in the ipv6 stack and the other in l2tp.
> There are two introducing commits: 85cb73f ("net: ipv6: reset
> daddr and dport in sk if connect() fails") was merged in 4.12 and
> 3557baa ("[L2TP]: PPP over L2TP driver core") was merged
> in 2.6.23-rc1.
> 
> The fixing commits were merged in 4.16-rc7, so 4.16 or later kernels
> aren't affected by this vulnerability.
> 
> Commit 2f987a76 ("net: ipv6: keep sk status consistent after datagram
> connect failure") fixes 85cb73f and commit b954f940 ("l2tp: fix races
> with ipv4-mapped ipv6 addresses") fixes commit 3557baa.
> 
> To apply the patches to 4.4, conflicts need to be fixed.
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
> b954f94023dcc61388c8384f0f14eb8e42c863c5]
> stable/4.4: not fixed yet

Others are fixed, but this one may be worth watching. Fortunately it
is not a remote attack, AFAICT.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

* [cip-dev] New CVE entry this week
  2021-10-13 23:54 Masami Ichikawa
@ 2021-10-13 23:54 ` Masami Ichikawa
  2021-10-14  6:55 ` Pavel Machek
  1 sibling, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-13 23:54 UTC (permalink / raw)
  To: cip-dev

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-0935: bug is in ipv6 and l2tp code.

This CVE addresses two commits, one in the ipv6 stack and the other in l2tp.
There are two introducing commits: 85cb73f ("net: ipv6: reset
daddr and dport in sk if connect() fails") was merged in 4.12 and
3557baa ("[L2TP]: PPP over L2TP driver core") was merged
in 2.6.23-rc1.

The fixing commits were merged in 4.16-rc7, so 4.16 or later kernels
aren't affected by this vulnerability.

Commit 2f987a76 ("net: ipv6: keep sk status consistent after datagram
connect failure") fixes 85cb73f and commit b954f940 ("l2tp: fix races
with ipv4-mapped ipv6 addresses") fixes commit 3557baa.

To apply the patches to 4.4, conflicts need to be fixed.

CVSS v3 score is not provided.

Fixed status

mainline: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.14: [a8f02befc87d6f1a882c9b14a31bcfa1fbd3d430,
b0850604cc5dac60754cc2fcdf7d2ca97a68a4dc]
stable/4.19: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/4.4: not fixed yet
stable/4.9: [c49f30b2979bfc8701620e598558f29a48e07234,
535ef684ec6079bccc2037c76bc607d29dca05dc]
stable/5.10: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]
stable/5.4: [2f987a76a97773beafbc615b9c4d8fe79129a7f4,
b954f94023dcc61388c8384f0f14eb8e42c863c5]

CVE-2021-0937: netfilter: x_tables: fix compat match/target pad
out-of-bound write

This vulnerability was introduced in 4.6.19-rc1 and fixed in
5.12-rc8. All stable kernels are already fixed.

CVSS v3 score is not provided.

Fixed status

mainline: [b29c457a6511435960115c0f548c4360d5f4801d]
stable/4.14: [522a0191944e3db9c30ade5fa6b6ec0d7c42f40d]
stable/4.19: [12ec80252edefff00809d473a47e5f89c7485499]
stable/4.4: [b0d98b2193a38ef93c92e5e1953d134d0f426531]
stable/4.9: [0c58c9f9c5c5326320bbe0429a0f45fc1b92024b]
stable/5.10: [1f3b9000cb44318b0de40a0f495a5a708cd9be6e]
stable/5.4: [cc59b872f2e1995b8cc819b9445c1198bfe83b2d]


CVE-2021-0938: compiler.h: fix barrier_data() on clang

This bug was introduced in 4.19-rc1 and fixed in 5.10-rc4, so all
stable kernels are fixed.
Kernels built with clang are affected by this bug.

CVSS v3 score is not provided.

Fixed status

mainline: [3347acc6fcd4ee71ad18a9ff9d9dac176b517329]
stable/4.14: not affected
stable/4.19: [b207caff4176e3a6ba273243da2db2e595e4aad2]
stable/4.4: not affected
stable/4.9: not affected
stable/5.10: not affected
stable/5.4: [c2c5dc84ac51da90cadcb12554c69bdd5ac7aeeb]

CVE-2021-0941: bpf: Remove MTU check in __bpf_skb_max_len

CVSS v3 score is not provided.

This bug is fixed in v5.12-rc1-dontuse. Kernel 4.4 doesn't contain
__bpf_skb_max_len(), so 4.4 may not be affected by this vulnerability.
__bpf_skb_max_len() was introduced in 4.13-rc1 by commit
2be7e212 ("bpf: add bpf_skb_adjust_room helper").

Fixed status

mainline: [6306c1189e77a513bf02720450bb43bd4ba5d8ae]
stable/4.14: [64cf6c3156a5cbd9c29f54370b801b336d2f7894]
stable/4.19: [8c1a77ae15ce70a72f26f4bb83c50f769011220c]
stable/4.4: not affected
stable/4.9: [1636af9e8a8840f5696ad2c01130832411986af4]
stable/5.10: [fd38d4e6757b6b99f60314f67f44a286f0ab7fc0]
stable/5.4: [42c83e3bca434d9f63c58f9cbf2881e635679fee]

* Updated CVEs

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function

CVE-2021-3744 and CVE-2021-3764 are fixed by commit 505d9dcb ("crypto:
ccp - fix resource leaks in ccp_run_aes_gcm_cmd()"). Both vulnerabilities
were in ccp_run_aes_gcm_cmd(), which was introduced in 4.12-rc1.
Therefore kernels before 4.12 aren't affected by these vulnerabilities.

Fixed status

mainline: [505d9dcb0f7ddf9d075e729523a33d38642ae680]
stable/4.14: [3707e37b3fcef4d5e9a81b9c2c48ba7248051c2a]
stable/4.19: [710be7c42d2f724869e5b18b21998ceddaffc4a9]
stable/4.4: not affected
stable/4.9: not affected
stable/5.10: [17ccc64e4fa5d3673528474bfeda814d95dc600a]
stable/5.14: [e450c422aa233e9f80515f2ee9164e33f158a472]
stable/5.4: [24f3d2609114f1e1f6b487b511ce5fa36f21e0ae]

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

This bug was introduced in 4.6-rc1, so 4.4 isn't affected by this bug.
4.19, 5.10, 5.14, and 5.4 have been fixed this week.
The patch can be applied to 4.14 by git am without any modification,
and to 4.9 by 3-way merge.

Fixed status

mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a]
stable/4.14: not fixed yet
stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0]
stable/4.4: not affected
stable/4.14: not fixed yet
stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89]
stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71]
stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6822): https://lists.cip-project.org/g/cip-dev/message/6822
Mute This Topic: https://lists.cip-project.org/mt/86301612/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [cip-dev] New CVE entry this week
  2021-10-07  7:30 ` Pavel Machek
  2021-10-07  7:30   ` Pavel Machek
@ 2021-10-07 11:38   ` Masami Ichikawa
  2021-10-07 11:38     ` Masami Ichikawa
  1 sibling, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-07 11:38 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Oct 7, 2021 at 4:31 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > It's this week's CVE report.
> >
> > This week reported new CVEs.
> >
> > * New CVEs
> >
> > CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()
> >
> > CVSS v3 score is not provided.
> >
> > Patch 30e29a9a2bc6 (bpf: Fix integer overflow in
> > prealloc_elems_and_freelist()
> ...
> > Fixed status
> >
> > Fix patch has been merged into bpf tree, but not in the mainline yet.
>
> I guess we can wait for this to be merged through normal channels.
>

Yes. I'll track the patch until it goes into the mainline.

> > * Updated CVEs
> >
> > CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
> > slab-out-of-bounds read access in f2fs_build_segment_manager in
> > fs/f2fs/segment.c
> >
> > This patch has been merged since 5.10-rc1.
> > For 5.4, the patch can be applied via git-am. For 4.4 and 4.19, the patch
> > can be applied via git-am with the -3 option.
> >
> > Fixed status
> >
> > mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
> > stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
>
> It may make sense to help with this backport.
>
> > CVE-2021-37159: net: hso: do not call unregister if not registered
> >
> > 4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
> > yet. However, the patch can be applied to 4.4 and 4.9 without any
> > modification. According to cip-kernel-config, no CIP member uses the
> > HSO module.
>
> Not sure why this has a CVE number. We probably need not care.

I agree.

>
> > CVE-2021-38300: bpf, mips: Validate conditional branch offsets
> >
> > This vulnerability only affects the MIPS architecture. No CIP
> > member uses the MIPS architecture.
> >
> > 5.10 has been fixed. To apply this fix to 4.4, 4.9, 4.19, and 5.4,
> > the patch needs to be modified.
> >
> > Fixed status
> >
> > mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
> > stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]
>
> I guess we don't care about MIPS.
>

I see. We don't have to track this CVE.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 26+ messages in thread


* Re: [cip-dev] New CVE entry this week
  2021-10-07  0:59 Masami Ichikawa
  2021-10-07  0:59 ` [cip-dev] " Masami Ichikawa
@ 2021-10-07  7:30 ` Pavel Machek
  2021-10-07  7:30   ` Pavel Machek
  2021-10-07 11:38   ` Masami Ichikawa
  1 sibling, 2 replies; 26+ messages in thread
From: Pavel Machek @ 2021-10-07  7:30 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 2000 bytes --]

Hi!

> It's this week's CVE report.
> 
> This week reported new CVEs.
> 
> * New CVEs
> 
> CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()
> 
> CVSS v3 score is not provided.
> 
> Patch 30e29a9a2bc6 (bpf: Fix integer overflow in
> prealloc_elems_and_freelist()
...
> Fixed status
> 
> Fix patch has been merged into bpf tree, but not in the mainline yet.

I guess we can wait for this to be merged through normal channels.

> * Updated CVEs
> 
> CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
> slab-out-of-bounds read access in f2fs_build_segment_manager in
> fs/f2fs/segment.c
> 
> This patch has been merged since 5.10-rc1.
> For 5.4, the patch can be applied via git-am. For 4.4 and 4.19, the patch
> can be applied via git-am with the -3 option.
> 
> Fixed status
> 
> mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
> stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]

It may make sense to help with this backport.

> CVE-2021-37159: net: hso: do not call unregister if not registered
> 
> 4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
> yet. However, the patch can be applied to 4.4 and 4.9 without any
> modification. According to cip-kernel-config, no CIP member uses the
> HSO module.

Not sure why this has a CVE number. We probably need not care.

> CVE-2021-38300: bpf, mips: Validate conditional branch offsets
> 
> This vulnerability only affects the MIPS architecture. No CIP
> member uses the MIPS architecture.
> 
> 5.10 has been fixed. To apply this fix to 4.4, 4.9, 4.19, and 5.4,
> the patch needs to be modified.
> 
> Fixed status
> 
> mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
> stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]

I guess we don't care about MIPS.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread


* [cip-dev] New CVE entry this week
  2021-10-07  0:59 Masami Ichikawa
@ 2021-10-07  0:59 ` Masami Ichikawa
  2021-10-07  7:30 ` Pavel Machek
  1 sibling, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-10-07  0:59 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3957 bytes --]

Hi !

It's this week's CVE report.

This week reported new CVEs.

* New CVEs

CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist()

CVSS v3 score is not provided.

Patch 30e29a9a2bc6 ("bpf: Fix integer overflow in
prealloc_elems_and_freelist()") fixes commit 557c0c6e7df8 ("bpf: convert
stackmap to pre-allocation"), which was introduced in 4.6-rc1. Therefore
the 4.4 kernel isn't affected by this issue.

For 4.19 and 5.4, the patch can be applied by "git am". For 4.9, the
patch can be applied by "git am -3".

Fixed status

Fix patch has been merged into bpf tree, but not in the mainline yet.

CVE-2021-42008: net: 6pack: fix slab-out-of-bounds in decode_data

The 6pack module has a slab out-of-bounds vulnerability in decode_data()
which allows a local attacker to gain privileges.
This bug has been fixed since 5.14-rc7. All stable kernels have
already been fixed.

Fixed status

cip/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.19-rt: [4e370cc081a78ee23528311ca58fd98a06768ec7]
cip/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
cip/4.4-rt: [d66736076bd84742c18397785476e9a84d5b54ef]
mainline: [19d1532a187669ce86d5a2696eb7275310070793]
stable/4.14: [5e0e782874ad03ae6d47d3e55aff378da0b51104]
stable/4.19: [4e370cc081a78ee23528311ca58fd98a06768ec7]
stable/4.4: [d66736076bd84742c18397785476e9a84d5b54ef]
stable/4.9: [de9171c1d9a5c2c4c5ec5e64f420681f178152fa]
stable/5.10: [85e0518f181a0ff060f5543d2655fb841a83d653]
stable/5.4: [a73b9aa142691c2ae313980a8734997a78f74b22]

* Updated CVEs

CVE-2019-19449: mounting a crafted f2fs filesystem image can lead to
slab-out-of-bounds read access in f2fs_build_segment_manager in
fs/f2fs/segment.c

This patch has been merged since 5.10-rc1.
For 5.4, the patch can be applied via git-am. For 4.4 and 4.19, the patch
can be applied via git-am with the -3 option.

Fixed status

mainline: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]
stable/5.10: [3a22e9ac71585bcb7667e44641f1bbb25295f0ce]

CVE-2021-37159: net: hso: do not call unregister if not registered

4.14, 4.19, and 5.4 have been fixed. 4.4 and 4.9 haven't been fixed
yet. However, the patch can be applied to 4.4 and 4.9 without any
modification. According to cip-kernel-config, no CIP member uses the
HSO module.

Fixed status

mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/4.14: [4c0db9c4b3701c29f47bac0721e2f7d2b15d8edb]
stable/4.19: [f6cf22a1ef49f8e131f99c3f5fd80ab6b23a2d21]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
stable/5.4: [fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa]

CVE-2021-38300: bpf, mips: Validate conditional branch offsets

This vulnerability only affects the MIPS architecture. No CIP
member uses the MIPS architecture.

5.10 has been fixed. To apply this fix to 4.4, 4.9, 4.19, and 5.4,
the patch needs to be modified.

Fixed status

mainline: [37cb28ec7d3a36a5bace7063a3dba633ab110f8b]
stable/5.10: [c61736a994fe68b0e5498e4e84e1c9108dc41075]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

Fixed in bluetooth-next tree.

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: [cip-dev] New CVE entry this week
  2021-09-30  6:33 ` nobuhiro1.iwamatsu
  2021-09-30  6:33   ` Nobuhiro Iwamatsu
@ 2021-09-30 12:11   ` Masami Ichikawa
  2021-09-30 12:11     ` Masami Ichikawa
  1 sibling, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-30 12:11 UTC (permalink / raw)
  To: cip-dev

Hi !

On Thu, Sep 30, 2021 at 3:33 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> > Sent: Thursday, September 30, 2021 9:12 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entry this week
> >
> > Hi !
> >
> > It's this week's CVE report.
> >
> > This week reported one new CVE.
> >
> > * New CVEs
> >
> > CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> >
> > This bug has been fixed in 5.4-rc1, so kernels before 5.4 are
> > affected. For 4.19, the patch can be applied without any modification. For
> > 4.4, the patch needs to be modified to apply it.
> > The description in
> > cve.mitre.org (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317)
> > says "This flaw allows a local attacker with special user
> > privileges to cause a denial of service", so I think the severity of
> > this vulnerability may be low.
> >
> > CVSS v3 score is not provided.
> >
> > Fixed status
> >
> > mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> > stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
>
> This commit can be applied directly to 4.14 and 4.19.
> However, other LTSs need other commits or fixes.
>
> I attached a patch for 4.14 and 4.19.
>

Thank you for the patch!
It looks good to me.

> Best regards,
>   Nobuhiro

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 26+ messages in thread


* RE: [cip-dev] New CVE entry this week
  2021-09-30  0:12 Masami Ichikawa
  2021-09-30  0:12 ` [cip-dev] " Masami Ichikawa
@ 2021-09-30  6:33 ` nobuhiro1.iwamatsu
  2021-09-30  6:33   ` Nobuhiro Iwamatsu
  2021-09-30 12:11   ` Masami Ichikawa
  1 sibling, 2 replies; 26+ messages in thread
From: nobuhiro1.iwamatsu @ 2021-09-30  6:33 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi,


> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, September 30, 2021 9:12 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> This week reported one new CVE.
> 
> * New CVEs
> 
> CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> 
> This bug has been fixed in 5.4-rc1, so kernels before 5.4 are
> affected. For 4.19, the patch can be applied without any modification. For
> 4.4, the patch needs to be modified to apply it.
> The description in
> cve.mitre.org (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317)
> says "This flaw allows a local attacker with special user
> privileges to cause a denial of service", so I think the severity of
> this vulnerability may be low.
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

This commit can be applied directly to 4.14 and 4.19.
However, other LTSs need other commits or fixes.

I attached a patch for 4.14 and 4.19.

Best regards,
  Nobuhiro

[-- Attachment #2: 0001-lib-timerqueue-Rely-on-rbtree-semantics-for-next-tim.patch --]
[-- Type: application/octet-stream, Size: 4443 bytes --]

From eb343c7e4acbcd79517015b4ae992aa7b0e345cd Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Wed, 24 Jul 2019 08:23:23 -0700
Subject: [PATCH for 4.14 and 4.19] lib/timerqueue: Rely on rbtree semantics for next timer

commit 511885d7061eda3eb1faf3f57dcc936ff75863f1 upstream.

Simplify the timerqueue code by using cached rbtrees and rely on the tree
leftmost node semantics to get the timer with earliest expiration time.
This is a drop in conversion, and therefore semantics remain untouched.

The runtime overhead of cached rbtrees is pretty much the same as the
current head->next method, noting that when removing the leftmost node,
a common operation for the timerqueue, the rb_next(leftmost) is O(1) as
well, so the next timer will either be the right node or its parent.
Therefore no extra pointer chasing. Finally, the size of the struct
timerqueue_head remains the same.

Passes several hours of rcutorture.

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5
Reference: CVE-2021-20317
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 include/linux/timerqueue.h | 13 ++++++-------
 lib/timerqueue.c           | 30 ++++++++++++------------------
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 78b8cc73f12fc9..aff122f1062a83 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -12,8 +12,7 @@ struct timerqueue_node {
 };
 
 struct timerqueue_head {
-	struct rb_root head;
-	struct timerqueue_node *next;
+	struct rb_root_cached rb_root;
 };
 
 
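Review bot: the commit message should record the dependency this backport introduces: replacing `struct rb_root head` plus the `next` pointer with `struct rb_root_cached rb_root` means the target tree must already have the cached-rbtree API (rb_root_cached, rb_first_cached, rb_insert_color_cached, rb_erase_cached), which is why the patch is offered for 4.14 and 4.19 only while, as the covering mail says, the other LTS trees need different fixes; one sentence under the "upstream" line would stop a later backporter from trying it on 4.4 or 4.9. Since both fields are removed without a compatibility shim, a grep for direct users of head->head and head->next in each target tree belongs in the backport check.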
@@ -29,13 +28,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
  *
  * @head: head of timerqueue
  *
- * Returns a pointer to the timer node that has the
- * earliest expiration time.
+ * Returns a pointer to the timer node that has the earliest expiration time.
  */
 static inline
 struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
 {
-	return head->next;
+	struct rb_node *leftmost = rb_first_cached(&head->rb_root);
+
+	return rb_entry(leftmost, struct timerqueue_node, node);
 }
 
 static inline void timerqueue_init(struct timerqueue_node *node)
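Review bot: timerqueue_getnext() now returns rb_entry(leftmost, ...) with no NULL check, whereas the removed `return head->next` handed callers NULL on an empty queue; the new form only yields NULL because `node` is the first member of struct timerqueue_node, so the container_of offset is zero. The removed code in timerqueue_del() below uses rb_entry_safe() for exactly this situation, so `return rb_entry_safe(leftmost, struct timerqueue_node, node);` would state the empty-queue contract explicitly instead of relying on struct layout.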
@@ -45,7 +45,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
 
 static inline void timerqueue_init_head(struct timerqueue_head *head)
 {
-	head->head = RB_ROOT;
-	head->next = NULL;
+	head->rb_root = RB_ROOT_CACHED;
 }
 #endif /* _LINUX_TIMERQUEUE_H */
diff --git a/lib/timerqueue.c b/lib/timerqueue.c
index 0d54bcbc8170c7..7a8ae3d5fd4057 100644
--- a/lib/timerqueue.c
+++ b/lib/timerqueue.c
@@ -39,9 +39,10 @@
  */
 bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 {
-	struct rb_node **p = &head->head.rb_node;
+	struct rb_node **p = &head->rb_root.rb_root.rb_node;
 	struct rb_node *parent = NULL;
-	struct timerqueue_node  *ptr;
+	struct timerqueue_node *ptr;
+	bool leftmost = true;
 
 	/* Make sure we don't add nodes that are already added */
 	WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
@@ -49,19 +50,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 	while (*p) {
 		parent = *p;
 		ptr = rb_entry(parent, struct timerqueue_node, node);
-		if (node->expires < ptr->expires)
+		if (node->expires < ptr->expires) {
 			p = &(*p)->rb_left;
-		else
+		} else {
 			p = &(*p)->rb_right;
+			leftmost = false;
+		}
 	}
 	rb_link_node(&node->node, parent, p);
-	rb_insert_color(&node->node, &head->head);
+	rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
 
-	if (!head->next || node->expires < head->next->expires) {
-		head->next = node;
-		return true;
-	}
-	return false;
+	return leftmost;
 }
 EXPORT_SYMBOL_GPL(timerqueue_add);
 
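Review bot: the return value ("true if the new timer is now the earliest") is preserved only because the loop takes the right branch whenever `node->expires < ptr->expires` is false, so a node whose expiry equals the current head clears `leftmost` and the function returns false, exactly as the removed strict `node->expires < head->next->expires` test did; a short comment at `bool leftmost = true;` saying that ties intentionally do not become the new head would keep a future change of the comparison from silently altering the return value callers rely on.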
@@ -78,15 +77,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
 {
 	WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
 
-	/* update next pointer */
-	if (head->next == node) {
-		struct rb_node *rbn = rb_next(&node->node);
-
-		head->next = rb_entry_safe(rbn, struct timerqueue_node, node);
-	}
-	rb_erase(&node->node, &head->head);
+	rb_erase_cached(&node->node, &head->rb_root);
 	RB_CLEAR_NODE(&node->node);
-	return head->next != NULL;
+
+	return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
 }
 EXPORT_SYMBOL_GPL(timerqueue_del);
 
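Review bot: `RB_EMPTY_ROOT(&head->rb_root.rb_root)` reaches into the inner rb_root of the cached root while the rest of the patch goes through the cached API; `return rb_first_cached(&head->rb_root) != NULL;` reports the same "timers remain" result via the leftmost cache that rb_erase_cached() has just updated, and keeps this function consistent with the new timerqueue_getnext() above.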
-- 
2.33.0


^ permalink raw reply related	[flat|nested] 26+ messages in thread
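As an added example (not code from the CIP thread or from the kernel patch above), a user-space model of the contract the converted timerqueue keeps: it swaps the kernel's cached red-black tree for an unbalanced binary search tree (an assumption made for brevity) but maintains the leftmost cache exactly the way the patched timerqueue_add() and timerqueue_del() do, so the two return values the hunks preserve, "the new node is now the earliest" and "timers remain after removal", can be checked against the real queue state.

```c
/* Added example, not from the CIP thread or the kernel patch: a user-space model
 * of the timerqueue contract the backport preserves. The kernel uses a cached
 * red-black tree; this model uses an unbalanced binary search tree (assumption,
 * for brevity) but keeps the leftmost cache as the patched add()/del() do. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef int64_t ktime_t;
struct tq_node { struct tq_node *left, *right, *parent; ktime_t expires; };
struct tq_head { struct tq_node *root, *leftmost; }; /* leftmost: rb_root_cached's cache */

/* Earliest timer or NULL when empty, like the patched timerqueue_getnext(). */
static struct tq_node *tq_getnext(const struct tq_head *h) { return h->leftmost; }
/* In-order successor: for the leftmost node this is the minimum of its right
 * subtree or its parent, the O(1) step the commit message mentions. */
static struct tq_node *tq_next(struct tq_node *n)
{
	struct tq_node *p;
	if (n->right) {
		for (n = n->right; n->left; n = n->left) {}
		return n;
	}
	for (p = n->parent; p && n == p->right; n = p, p = p->parent) {}
	return p;
}

/* True iff the node became the earliest timer. A tie goes right and so does
 * not replace the current head, matching the old strict '<' test. */
static bool tq_add(struct tq_head *h, struct tq_node *n)
{
	struct tq_node **p = &h->root, *parent = NULL;
	bool leftmost = true;
	while (*p) {
		parent = *p;
		if (n->expires < parent->expires) {
			p = &parent->left;
		} else {
			p = &parent->right;
			leftmost = false;       /* went right at least once */
		}
	}
	n->left = n->right = NULL; n->parent = parent; *p = n;
	if (leftmost) h->leftmost = n;
	return leftmost;
}

/* Replace n by c (possibly NULL) in n's parent. */
static void tq_splice(struct tq_head *h, struct tq_node *n, struct tq_node *c)
{
	if (c) c->parent = n->parent;
	if (!n->parent) h->root = c;
	else if (n->parent->left == n) n->parent->left = c;
	else n->parent->right = c;
}

/* True iff timers remain. The cache is refreshed before unlinking, which is
 * what rb_erase_cached() does for the kernel tree. */
static bool tq_del(struct tq_head *h, struct tq_node *n)
{
	if (h->leftmost == n) h->leftmost = tq_next(n);
	if (n->left && n->right) {
		struct tq_node *s = tq_next(n); /* successor has no left child */
		tq_splice(h, s, s->right);
		s->left = n->left; s->left->parent = s;
		s->right = n->right; if (s->right) s->right->parent = s;
		tq_splice(h, n, s);
	} else {
		tq_splice(h, n, n->left ? n->left : n->right);
	}
	return h->root != NULL;
}

/* Constructed scenario; returns 0 on success or the number of the failing step. */
int timerqueue_model_selftest(void)
{
	static const ktime_t exp[5] = { 50, 20, 70, 20, 10 };
	static const bool earliest[5] = { true, true, false, false, true };
	struct tq_node n[5], *cur; struct tq_head h = { NULL, NULL };
	ktime_t prev = -1; int i, popped = 0;
	for (i = 0; i < 5; i++) {
		n[i].expires = exp[i];
		if (tq_add(&h, &n[i]) != earliest[i])
			return 1 + i;
	}
	if (tq_getnext(&h) != &n[4] || !tq_del(&h, &n[4]) || tq_getnext(&h) != &n[1])
		return 6;               /* 10 first, then the first 20 inserted */
	if (!tq_del(&h, &n[0]) || tq_getnext(&h) != &n[1])
		return 7;               /* root 50 has two children; head unchanged */
	while ((cur = tq_getnext(&h)) != NULL) {
		if (cur->expires < prev)
			return 8;           /* pops must come out in expiry order */
		prev = cur->expires;
		if (tq_del(&h, cur) != (tq_getnext(&h) != NULL))
			return 9;           /* "timers remain" must match reality */
		popped++;
	}
	return (popped == 3 && prev == 70) ? 0 : 10;
}
```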

* Re: [cip-dev] New CVE entry this week
  2021-09-30  6:33 ` nobuhiro1.iwamatsu
@ 2021-09-30  6:33   ` Nobuhiro Iwamatsu
  2021-09-30 12:11   ` Masami Ichikawa
  1 sibling, 0 replies; 26+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-09-30  6:33 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1421 bytes --]

Hi,


> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, September 30, 2021 9:12 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> One new CVE was reported this week.
> 
> * New CVEs
> 
> CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer
> 
> This bug has been fixed in 5.4-rc1, so kernels before 5.4 are
> affected. For 4.19, the patch can be applied without any modification.
> For 4.4, the patch needs to be modified to apply.
> According to the description at
> cve.mitre.org (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
> "This flaw allows a local attacker with special user privileges to
> cause a denial of service", so I think the severity of this
> vulnerability may be low.
> 
> CVSS v3 score is not provided.
> 
> Fixed status
> 
> mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
> stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

This commit can be applied directly to 4.14 and 4.19.
However, other LTS trees need other commits or fixes.

I attached a patch for 4.14 and 4.19.

Best regards,
  Nobuhiro

[-- Attachment #2: 0001-lib-timerqueue-Rely-on-rbtree-semantics-for-next-tim.patch --]
[-- Type: application/octet-stream, Size: 4443 bytes --]

From eb343c7e4acbcd79517015b4ae992aa7b0e345cd Mon Sep 17 00:00:00 2001
From: Davidlohr Bueso <dave@stgolabs.net>
Date: Wed, 24 Jul 2019 08:23:23 -0700
Subject: [PATCH for 4.14 and 4.19] lib/timerqueue: Rely on rbtree semantics for next timer

commit 511885d7061eda3eb1faf3f57dcc936ff75863f1 upstream.

Simplify the timerqueue code by using cached rbtrees and rely on the tree
leftmost node semantics to get the timer with earliest expiration time.
This is a drop in conversion, and therefore semantics remain untouched.

The runtime overhead of cached rbtrees is be pretty much the same as the
current head->next method, noting that when removing the leftmost node,
a common operation for the timerqueue, the rb_next(leftmost) is O(1) as
well, so the next timer will either be the right node or its parent.
Therefore no extra pointer chasing. Finally, the size of the struct
timerqueue_head remains the same.

Passes several hours of rcutorture.

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190724152323.bojciei3muvfxalm@linux-r8p5
Reference: CVE-2021-20317
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 include/linux/timerqueue.h | 13 ++++++-------
 lib/timerqueue.c           | 30 ++++++++++++------------------
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 78b8cc73f12fc9..aff122f1062a83 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -12,8 +12,7 @@ struct timerqueue_node {
 };
 
 struct timerqueue_head {
-	struct rb_root head;
-	struct timerqueue_node *next;
+	struct rb_root_cached rb_root;
 };
 
 
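Review bot: this backport presupposes the cached-rbtree API, since `struct rb_root_cached rb_root` replaces both `head` and `next` here and the rest of the patch calls `rb_first_cached()`, `rb_insert_color_cached()` and `rb_erase_cached()`; that is why the cover mail can say it applies directly to 4.14 and 4.19 while other LTS trees need a different fix, and the backport note should state that precondition so nobody tries to cherry-pick it onto an older series. A side effect worth keeping: any code that read `head->next` directly now fails to compile instead of following a stale pointer.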
@@ -29,13 +28,14 @@ extern struct timerqueue_node *timerqueue_iterate_next(
  *
  * @head: head of timerqueue
  *
- * Returns a pointer to the timer node that has the
- * earliest expiration time.
+ * Returns a pointer to the timer node that has the earliest expiration time.
  */
 static inline
 struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
 {
-	return head->next;
+	struct rb_node *leftmost = rb_first_cached(&head->rb_root);
+
+	return rb_entry(leftmost, struct timerqueue_node, node);
 }
 
 static inline void timerqueue_init(struct timerqueue_node *node)
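Review bot: `rb_entry(leftmost, struct timerqueue_node, node)` in the new `timerqueue_getnext()` yields NULL for an empty queue only if `node` is the first member of `struct timerqueue_node`, because `rb_first_cached()` returns NULL on an empty tree and `rb_entry()` is `container_of()` with no NULL check, whereas the old `return head->next;` handed callers NULL unconditionally. Prefer `rb_entry_safe(leftmost, struct timerqueue_node, node)`, which the removed code in `timerqueue_del()` already uses in this same patch, so the NULL result does not depend on member layout.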
@@ -45,7 +45,6 @@ static inline void timerqueue_init(struct timerqueue_node *node)
 
 static inline void timerqueue_init_head(struct timerqueue_head *head)
 {
-	head->head = RB_ROOT;
-	head->next = NULL;
+	head->rb_root = RB_ROOT_CACHED;
 }
 #endif /* _LINUX_TIMERQUEUE_H */
diff --git a/lib/timerqueue.c b/lib/timerqueue.c
index 0d54bcbc8170c7..7a8ae3d5fd4057 100644
--- a/lib/timerqueue.c
+++ b/lib/timerqueue.c
@@ -39,9 +39,10 @@
  */
 bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 {
-	struct rb_node **p = &head->head.rb_node;
+	struct rb_node **p = &head->rb_root.rb_root.rb_node;
 	struct rb_node *parent = NULL;
-	struct timerqueue_node  *ptr;
+	struct timerqueue_node *ptr;
+	bool leftmost = true;
 
 	/* Make sure we don't add nodes that are already added */
 	WARN_ON_ONCE(!RB_EMPTY_NODE(&node->node));
@@ -49,19 +50,17 @@ bool timerqueue_add(struct timerqueue_head *head, struct timerqueue_node *node)
 	while (*p) {
 		parent = *p;
 		ptr = rb_entry(parent, struct timerqueue_node, node);
-		if (node->expires < ptr->expires)
+		if (node->expires < ptr->expires) {
 			p = &(*p)->rb_left;
-		else
+		} else {
 			p = &(*p)->rb_right;
+			leftmost = false;
+		}
 	}
 	rb_link_node(&node->node, parent, p);
-	rb_insert_color(&node->node, &head->head);
+	rb_insert_color_cached(&node->node, &head->rb_root, leftmost);
 
-	if (!head->next || node->expires < head->next->expires) {
-		head->next = node;
-		return true;
-	}
-	return false;
+	return leftmost;
 }
 EXPORT_SYMBOL_GPL(timerqueue_add);
 
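Review bot: the tie case deserves a comment on the `else` branch: both the old `node->expires < head->next->expires` test and the new walk use strict `<`, so a node whose expiry equals the current earliest goes right, clears `leftmost`, and `timerqueue_add()` returns false for it, exactly as before. The commit message's "semantics remain untouched" therefore holds for ties too, but a one-line comment would spare the next reader from re-deriving it, since equal-expiry handling is where conversions like this usually slip.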
@@ -78,15 +77,10 @@ bool timerqueue_del(struct timerqueue_head *head, struct timerqueue_node *node)
 {
 	WARN_ON_ONCE(RB_EMPTY_NODE(&node->node));
 
-	/* update next pointer */
-	if (head->next == node) {
-		struct rb_node *rbn = rb_next(&node->node);
-
-		head->next = rb_entry_safe(rbn, struct timerqueue_node, node);
-	}
-	rb_erase(&node->node, &head->head);
+	rb_erase_cached(&node->node, &head->rb_root);
 	RB_CLEAR_NODE(&node->node);
-	return head->next != NULL;
+
+	return !RB_EMPTY_ROOT(&head->rb_root.rb_root);
 }
 EXPORT_SYMBOL_GPL(timerqueue_del);
 
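Review bot: `!RB_EMPTY_ROOT(&head->rb_root.rb_root)` reaches into the inner `rb_root` while the rest of the patch goes through the cached API; `rb_first_cached(&head->rb_root) != NULL` expresses the same "nodes remain" result and keeps this function consistent with `timerqueue_getnext()`, which now reads the cached leftmost pointer. Either way the return value keeps its old meaning of `head->next != NULL`.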
-- 
2.33.0


[-- Attachment #3: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6764): https://lists.cip-project.org/g/cip-dev/message/6764
Mute This Topic: https://lists.cip-project.org/mt/85963258/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* [cip-dev] New CVE entry this week
  2021-09-30  0:12 Masami Ichikawa
@ 2021-09-30  0:12 ` Masami Ichikawa
  2021-09-30  6:33 ` nobuhiro1.iwamatsu
  1 sibling, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-30  0:12 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1769 bytes --]

Hi !

It's this week's CVE report.

One new CVE was reported this week.

* New CVEs

CVE-2021-20317: lib/timerqueue: Rely on rbtree semantics for next timer

This bug has been fixed in 5.4-rc1, so kernels before 5.4 are
affected. For 4.19, the patch can be applied without any modification.
For 4.4, the patch needs to be modified to apply.
According to the description at
cve.mitre.org (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20317),
"This flaw allows a local attacker with special user privileges to
cause a denial of service", so I think the severity of this
vulnerability may be low.

CVSS v3 score is not provided.

Fixed status

mainline: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.10: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.14: [511885d7061eda3eb1faf3f57dcc936ff75863f1]
stable/5.4: [511885d7061eda3eb1faf3f57dcc936ff75863f1]

* Updated CVEs

No updated CVEs this week.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




* [cip-dev] New CVE entry this week
@ 2021-09-23  1:52 Masami Ichikawa
  0 siblings, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-23  1:52 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 4935 bytes --]

Hi !

It's this week's CVE report.

2 new CVEs were reported this week.

* New CVEs

CVE-2021-41073: io_uring: ensure symmetry in handling iter types in
loop_rw_iter()

CVSS v3 score is not provided.

This CVE affects kernels from 5.10-rc1 to 5.15-rc2. All stable kernels are fixed.

Fixed status

mainline: [16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc]
stable/5.10: [ce8f81b76d3bef7b9fe6c8f84d029ab898b19469]
stable/5.14: [71e32edd2210d0304e93ac110814b5a4b3a81dc0]

CVE-2021-3773: lack of port sanity checking in natd and netfilter
leads to exploit of OpenVPN clients

CVSS v3 score is not provided.

The details of the vulnerability have been published at
https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html.

Fixed status

Not fixed yet.

* Updated CVEs

CVE-2020-16119:  net: dccp: fix structure use-after-free

stable kernels have been fixed this week. All stable kernels are fixed.

Fixed status

mainline: [d9ea761fdd197351890418acd462c51f241014a7]
stable/4.14: [a1bb3c064bf5f2d8c3e9368a9152b1224a9dd64a]
stable/4.19: [dfec82f3e5b8bd93ab65b7417a64886ec8c42f14]
stable/4.4: [1969452d411a73a3125c326c6db0c8433f31dfd5]
stable/4.9: [40ea36ffa7207456c3f155bbab76754d3f37ce04]
stable/5.10: [6c3cb65d561e76fd0398026c023e587fec70e188]
stable/5.14: [51f7b364a2d120cea956b2bb5ccaad29bbf8abce]
stable/5.4: [5ab04a4ffed02f66e8e6310ba8261a43d1572343]

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Stable kernels 4.4 and 4.9 have been fixed this week. This
vulnerability has been fixed since 5.12-rc1-dontuse.
All stable kernels are fixed.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
    d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
    ca2848022c12789685d3fab3227df02b863f9696]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
    995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
    61b014a8f8de02bedc56f76620170437f5638588]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea,
    fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d,
7c5a966edd3c6eec4a9bdf698c1f27712d1781f0,
    08c613a2cb06c68ef4e7733e052af067b21e5dbb]
stable/4.4: [4d6b4335838fd89419212e1e486c415ec36fb610,
5d97f20dc21f3f4b14105590f729e513b0c4921d,
    85d371eb7259c2e6aecd0b77c3f8c193c9593624,
1c8e25862a00a539803fa60eb7a907143688b178,
    3fd07178fbf012db0b38488ea2e0069412250dd2]
stable/4.9: [ea3f7df20fc8e0b82ec0e065b0b0d38e55fd7775,
74adc24d162e67d8862edaf701de620f36f98215,
    d7d4c3c60342deba706fd76ef09d8af68b9a64d8,
13c51682b07a5db4d9efb514e700407c6da22ff9,
    7afed8faf42d8358a165ba554891085e10b1f7a0]
stable/5.10: [8f05076983ddeaae1165457b6aa4eca9fe0e5498,
6566c207e5767deb37d283ed9f77b98439a1de4e,
    2925a8385ec746bf09c11dcadb9af13c26091a4d,
609c0cfd07f0ae6c444e064a59b46c5f3090b705,
    e2036bc3fc7daa03c15fda27e1818192da817cea]
stable/5.4: [0c049ce432b37a51a0da005314ac32e5d9324ccf,
add283e2517a90468ce223465e0f4360128bb650,
    b7d593705eb4f0655a70f0207f573fb1edb80bda,
c6feaf806da6a0deecc2fe41adb3443cdecba347,
    23f77ad13f8176314b7c51f71b9ac7c5c6d10b7b]

CVE-2021-40490: ext4: fix race writing to an inline_data file while
its xattrs are changing

4.4, 4.9, 4.14, and 4.19 kernels have been fixed this week. All stable
kernels are fixed.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/4.14: [9569234645f102025aaf0fc83d3dcbf1b8cbf2dc]
stable/4.19: [c481607ba522e31e6ed01efefc19cc1d0e0a46fa]
stable/4.4: [69d82df68fbc5e368820123200d7b88f6c058350]
stable/4.9: [7067b09fe587cbd47544a3047a40c64e4d636fff]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
stable/5.4: [9b3849ba667af99ee99a7853a021a7786851b9fd]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




* Re: [cip-dev] New CVE entry this week
  2021-09-16  0:43 Masami Ichikawa
@ 2021-09-16  4:55 ` Nobuhiro Iwamatsu
  0 siblings, 0 replies; 26+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-09-16  4:55 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3926 bytes --]

Hi all,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa
> Sent: Thursday, September 16, 2021 9:44 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entry this week
> 
> Hi !
> 
> It's this week's CVE report.
> 
> 4 new CVEs were reported this week.
> 
> * New CVEs
> 
> CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
> 
> This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
> bug is related to CVE-2021-3744.
> 
> In the cip-kernel-config directory, the 4.4 kernel uses this driver.
> 
> $ find . -type f | xargs grep -n "ccp-ops.c"
> ./4.4.y-cip-rt/x86/siemens_i386-rt.sources:1716:drivers/crypto/ccp/ccp-ops.c
> ./4.4.y-cip-rt/all.sources:3665:drivers/crypto/ccp/ccp-ops.c
> 
> Fixed status
> 
> Patch is available but it hasn't been merged yet.
> 
> CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function
> 
> This vulnerability is a memory leak which will cause a DoS attack.
> This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
> bug is related to CVE-2021-3764.
> 
> Fixed status
> 
> Patch is available but it hasn't been merged yet.
> 
> CVE-2021-3752: UAF in bluetooth
> 
> There is a use-after-free bug in the bluetooth module.
> 
> Fixed status
> 
> This CVE hasn't been fixed in the mainline yet.
> 
> CVE-2021-38300: bpf, mips: Validate conditional branch offsets
> 
> This bug only affects bpf on the mips architecture. A patch is available,
> but hasn't been merged yet.
> 
> Fixed status:
> 
> Not yet.
> 
> * Updated CVEs
> 
> CVE-2021-40490:  A race condition was discovered in
> ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
> in the Linux kernel through 5.13.13
> 
> kernel 5.4 has been fixed.
> 
> Fixed status
> 
> mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
> stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
> stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
> stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
> stable/5.4: [9b3849ba667af99ee99a7853a021a7786851b9fd]

Note: This is included in the -rc release of other trees.
  4.4.y-rc: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-4.4.y&id=bfba6dcbeba21e153f80b203cdf95e19fbf6b094
  4.19.y-rc: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-4.19.y&id=05738f962071285a60b92d30fd4bbc5375d67df7

> 
> CVE-2021-3635: flowtable list del corruption with kernel BUG at
> lib/list_debug.c:50
> 
> This vulnerability affects kernels from 4.16-rc1 to 5.5-rc7.
> Therefore the 4.4 kernel and 5.5 or later kernels aren't affected.
> 
> Fixed status
> 
> cip/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
> cip/4.19-rt: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
> mainline: [335178d5429c4cee61b58f4ac80688f556630818]
> stable/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
> stable/5.4: [8f4dc50b5c12e159ac846fdc00702c547fdf2e95]
> 
> Currently tracking CVEs
> 
> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
> 
> There is no fix information.
> 
> CVE-2021-3640: UAF in sco_send_frame function
> 
> There is no fix information.
> 
> CVE-2020-26555: BR/EDR pin code pairing broken
> 
> No fix information
> 
> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
> 
> No fix information.
> 
> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
> Provisioning Leads to MITM
> 
> No fix information.
> 
> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
> 
> No fix information.
> 
> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
> 
> No fix information.
> 
> 
Best regards,
  Nobuhiro




* [cip-dev] New CVE entry this week
@ 2021-09-16  0:43 Masami Ichikawa
  2021-09-16  4:55 ` Nobuhiro Iwamatsu
  0 siblings, 1 reply; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-16  0:43 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3038 bytes --]

Hi !

It's this week's CVE report.

4 new CVEs were reported this week.

* New CVEs

CVE-2021-3744: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
bug is related to CVE-2021-3744.

In the cip-kernel-config directory, the 4.4 kernel uses this driver.

$ find . -type f | xargs grep -n "ccp-ops.c"
./4.4.y-cip-rt/x86/siemens_i386-rt.sources:1716:drivers/crypto/ccp/ccp-ops.c
./4.4.y-cip-rt/all.sources:3665:drivers/crypto/ccp/ccp-ops.c

Fixed status

Patch is available but it hasn't been merged yet.

CVE-2021-3764: DoS in ccp_run_aes_gcm_cmd() function

This vulnerability is a memory leak which will cause a DoS attack.
This bug is in the AMD Cryptographic Coprocessor (CCP) driver. This
bug is related to CVE-2021-3764.

Fixed status

Patch is available but it hasn't been merged yet.

CVE-2021-3752: UAF in bluetooth

There is a use-after-free bug in the bluetooth module.

Fixed status

This CVE hasn't been fixed in the mainline yet.

CVE-2021-38300: bpf, mips: Validate conditional branch offsets

This bug only affects bpf on the mips architecture. A patch is available,
but hasn't been merged yet.

Fixed status:

Not yet.

* Updated CVEs

CVE-2021-40490:  A race condition was discovered in
ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
in the Linux kernel through 5.13.13

kernel 5.4 has been fixed.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
stable/5.4: [9b3849ba667af99ee99a7853a021a7786851b9fd]

CVE-2021-3635: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50

This vulnerability affects kernels from 4.16-rc1 to 5.5-rc7.
Therefore the 4.4 kernel and 5.5 or later kernels aren't affected.

Fixed status

cip/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
cip/4.19-rt: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
mainline: [335178d5429c4cee61b58f4ac80688f556630818]
stable/4.19: [8260ce5aeee4d7c4a6305e469edeae1066de2800]
stable/5.4: [8f4dc50b5c12e159ac846fdc00702c547fdf2e95]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



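The `find . -type f | xargs grep -n "ccp-ops.c"` check in the mail above is the triage step that tells the CIP maintainers whether any member configuration actually builds the file a fix touches. The script below is an added example, not part of the original mail or of the cip-kernel-config project, that wraps that check in reusable functions and generalises it to any source path. Everything it creates is constructed for the demonstration: the `4.19.y-cip` directory, the function names and the file lists are assumptions, and only the `4.4.y-cip-rt/x86/siemens_i386-rt.sources` and `4.4.y-cip-rt/all.sources` names and the one-source-path-per-line format come from the mail.

```shell
#!/bin/sh
# Added example (not part of the original mail or of cip-kernel-config):
# triage helper that answers "does any CIP member configuration build the
# file touched by this fix?" by searching the per-config .sources files.
# The sample tree below is constructed for the demonstration; only the
# line format (one built source path per line) follows the real files.

# affected_configs DIR PATH_FRAGMENT
#   Print "config.sources:line:path" for every .sources file under DIR
#   that lists a source path containing PATH_FRAGMENT (fixed string,
#   not a regex), in a stable, locale-independent order.
affected_configs() {
    dir=$1
    pat=$2
    (
        cd "$dir" || exit 2
        LC_ALL=C find . -type f -name '*.sources' | LC_ALL=C sort |
        while IFS= read -r f; do
            # grep exits 1 when a file has no match; that is not an error here.
            grep -nF -- "$pat" "$f" | sed "s|^|${f#./}:|"
        done
    )
}

# affected_series DIR PATH_FRAGMENT
#   Reduce the per-config hits to the kernel series directories that
#   contain them (e.g. "4.4.y-cip-rt"), one per line, sorted and unique.
affected_series() {
    affected_configs "$1" "$2" | cut -d/ -f1 | LC_ALL=C sort -u
}

# make_sample_tree DIR
#   Build a constructed cip-kernel-config lookalike under DIR: two 4.4-rt
#   configs that list the CCP driver file and one (assumed) 4.19 config
#   that does not.
make_sample_tree() {
    root=$1
    mkdir -p "$root/4.4.y-cip-rt/x86" "$root/4.19.y-cip"
    printf '%s\n' drivers/crypto/ccp/ccp-dev.c drivers/crypto/ccp/ccp-ops.c \
        lib/timerqueue.c > "$root/4.4.y-cip-rt/x86/siemens_i386-rt.sources"
    printf '%s\n' drivers/crypto/ccp/ccp-ops.c lib/timerqueue.c \
        kernel/time/hrtimer.c > "$root/4.4.y-cip-rt/all.sources"
    printf '%s\n' lib/timerqueue.c kernel/time/hrtimer.c \
        > "$root/4.19.y-cip/all.sources"
}

# Stand-alone run: build the sample tree and report on three files
# discussed in this thread (CCP driver, timerqueue, qrtr).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
for file in drivers/crypto/ccp/ccp-ops.c lib/timerqueue.c net/qrtr/qrtr.c; do
    echo "== $file"
    affected_configs "$tmp" "$file"
    series=$(affected_series "$tmp" "$file")
    echo "series: ${series:-none}"
done
rm -rf "$tmp"
```

Run it against a real checkout with `affected_series /path/to/cip-kernel-config lib/timerqueue.c`; an empty result is the "no CIP member enables this" outcome the weekly report records, and a non-empty one names the series whose configs need the backport.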

* Re: [cip-dev] New CVE entry this week
       [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
@ 2021-09-10  0:40   ` Masami Ichikawa
  0 siblings, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-10  0:40 UTC (permalink / raw)
  To: Derek Weeks; +Cc: cip-dev

[-- Attachment #1: Type: text/plain, Size: 9895 bytes --]

Hi !

(added cip-dev list)

On Thu, Sep 9, 2021 at 10:43 PM Derek Weeks <dweeks@linuxfoundation.org> wrote:
>
> Thanks for sharing this insight.  Do you know if any of these CVEs have CVSS ratings?  If so, what were the ratings?
>
>
>

The following list gives the CVSS scores. Unfortunately some CVEs haven't been
assigned a score yet.

CVE Number : CVSS v3 Base Score
CVE-2021-3715: not provided
CVE-2021-3759: not provided
CVE-2021-40490: not provided
CVE-2021-3542: not provided
CVE-2021-3640: not provided
CVE-2021-3739: not provided
CVE-2021-3753: not provided
CVE-2021-3743: not provided
CVE-2021-38198: 5.5(Medium)
CVE-2021-3444: 7.8(High)
CVE-2021-3600: not provided
CVE-2021-3655: 3.3(Low)
CVE-2021-31615: 5.3(Medium)
CVE-2021-3640: not provided
CVE-2020-26555: 5.4(Medium)
CVE-2020-26556: 7.5(High)
CVE-2020-26557: 7.5(High)
CVE-2020-26559: 8.8(High)
CVE-2020-26560: 8.1(High)

> On Wed, Sep 8, 2021 at 10:40 PM Masami Ichikawa <masami.ichikawa@miraclelinux.com> wrote:
>>
>> Hi !
>>
>> It's this week's CVE report.
>>
>> 3 new CVEs were reported this week. These CVEs have been fixed in mainline
>> and some stable kernels.
>>
>> * New CVEs
>>
>> CVE-2021-3715: kernel: use-after-free in route4_change() in
>> net/sched/cls_route.c
>>
>> This vulnerability was introduced in 3.18-rc1 and fixed in 5.6.
>> Therefore 5.6 or later kernels aren't affected by this vulnerability.
>>
>> Fixed status
>>
>> cip/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
>> cip/4.19-rt: [ea3d6652c240978736a91b9e85fde9fee9359be4]
>> cip/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
>> cip/4.4-rt: [7518af6464b47a0d775173570c3d25f699da2a5e]
>> mainline: [ef299cc3fa1a9e1288665a9fdc8bff55629fd359]
>> stable/4.14: [f0c92f59cf528bc1b872f2ca91b01e128a2af3e6]
>> stable/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
>> stable/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
>> stable/4.9: [97a8e7afaee8fc4f08662cf8e4f495b87874aa91]
>> stable/5.4: [ff28c6195814bdbd4038b08d39e40f8d65d2025e]
>>
>> CVE-2021-3759: memcg: charge semaphores and sem_undo objects
>>
>> This causes a DoS attack. The patch was merged into mainline this week.
>>
>> For 4.19, the patch needs to be modified, or the following patches need
>> to be applied first, before commit 18319498fdd4 can be applied.
>>
>> 4a2ae92993be24ba727faa733e99d7980d389ec0: ipc/sem.c: replace
>> kvmalloc/memset with kvzalloc and use struct_size
>> bc8136a543aa839a848b49af5e101ac6de5f6b27: ipc: use kmalloc for
>> msg_queue and shmid_kernel
>> fc37a3b8b4388e73e8e3525556d9f1feeb232bb9: ipc sem: use kvmalloc for
>> sem_undo allocation
>>
>> For 4.4, the patch needs to be modified.
>>
>> Fixed status
>>
>> mainline: [18319498fdd4cdf8c1c2c48cd432863b1f915d6f]
>>
>> CVE-2021-40490: A race condition was discovered in
>> ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
>> in the Linux kernel through 5.13.13.
>>
>> Commit a54c4613dac1 fixes f19d5870cbf72d4cb2a8e1f749dff97af99b071e
>> which has been merged into 3.8-rc1.
>>
>> Fixed status
>>
>> mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
>> stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
>> stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
>> stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]
>>
>> * Updated CVEs
>>
>> CVE-2021-3542: media: firewire: firedtv-avc: fix a buffer overflow in
>> avc_ca_pmt()
>>
>> The patch has been sent to the linux-media list
>> (https://lore.kernel.org/linux-media/20210816072721.GA10534@kili/).
>> btw, no CIP member enables DVB_FIREDTV.
>>
>> Fixed status
>>
>> Not fixed in mainline yet.
>>
>> CVE-2021-3640: UAF in sco_send_frame function
>>
>> According to the SUSE bugzilla
>> (https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951),
>> the patch has been merged into the bluetooth-next tree as of 2021/09/03.
>>
>> Fixed status
>>
>> Not fixed in mainline yet.
>>
>>
>> CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
>> device by invalid id
>>
>> Kernels before 4.20-rc1 are not affected by this vulnerability.
>>
>> Fixed status
>>
>> mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
>> stable/5.10: [c43add24dffdbac269d5610465ced70cfc1bad9e]
>> stable/5.13: [301aabe0239f227818622096be7e180fcdbedf80]
>> stable/5.14: [734dabfb6918d399024063c9db9093a83f804ce5]
>> stable/5.4: [d7f7eca72ecc08f0bb6897fda2290293fca63068]
>>
>>
>> CVE-2021-3753: vt_kdsetmode: extend console locking
>>
>> An out-of-bounds access caused by the race of KDSETMODE in VT.
>>
>> Fixed status
>>
>> mainline: [2287a51ba822384834dafc1c798453375d1107c7]
>> stable/4.14: [3f488313d96fc6512a4a0fe3ed56cce92cbeec94]
>> stable/4.19: [0776c1a20babb4ad0b7ce7f2f4e0806a97663187]
>> stable/4.4: [01da584f08cbb1e04f22796cc49b10d570cd5ec1]
>> stable/4.9: [755a2f40dda2d6b2e3b8624cb052e68947ee4d1f]
>> stable/5.10: [60d69cb4e60de0067e5d8aecacd86dfe92a5384a]
>> stable/5.13: [a5dfcf3d8ecc549f8dc324ab6caf9dd14de87986]
>> stable/5.14: [acf3c7b4fae092e7f5c170bc8a0fe2ead9b2a320]
>> stable/5.4: [f4418015201bdca0cd4e28b363d88096206e4ad0]
>>
>>
>> CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
>>
>> Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
>> kernels before 4.15 aren't affected.
>>
>> Fixed status
>>
>> mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
>> stable/4.19: [ce7d8be2eaa4cab3032e256d154d1c33843d2367]
>> stable/5.10: [ad41706c771a038e9a334fa55216abd69b32bfdf]
>> stable/5.13: [d6060df9b53ab8098c954aac9acbacef6915e42a]
>> stable/5.4: [a6b049aeefa880a8bd7b1ae3a8804bda1e8b077e]
>>
>> CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
>> to get shadow page
>>
>> 4.14 has been fixed this week.
>>
>> mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
>> stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]
>> stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
>> stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
>> stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]
>>
>> CVE-2021-3444: bpf: Fix truncation handling for mod32 dst reg wrt zero
>>
>> The vulnerability was introduced in 4.15-rc9. 4.4 is not affected.
>> 4.19 has been fixed this week.
>>
>> Fixed status
>>
>> mainline: [9b00f1b78809309163dda2d044d9e94a3c0248a3]
>> stable/4.19: [39f74b7c81cca139c05757d9c8f9d1e35fbbf56b]
>> stable/5.10: [3320bae8c115863b6f17993c2b7970f7f419da57]
>> stable/5.11: [55c262ea5d0f754648cd25aa73de081adaab07d9]
>> stable/5.4: [185c2266c1df80bec001c987d64cae2d9cd13816]
>>
>> CVE-2021-3600: eBPF 32-bit source register truncation on div/mod
>>
>> The vulnerability was introduced in 4.15-rc9. 4.4 is not affected.
>> 4.19 has been fixed this week. We have been tracking this
>> vulnerability since August, waiting for 4.19 to be fixed, and now it is
>> finally fixed.
>>
>> Fixed status
>>
>> mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
>> stable/4.19: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
>> stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
>> stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]
>>
>> CVE-2021-3655: missing size validations on inbound SCTP packets
>>
>> cip/4.4, cip/4.19, cip/4.4-rt, cip/4.19-rt, stable/4.14, and
>> stable/5.4 have been fixed this week.
>>
>> Fixed status
>>
>> mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
>>            50619dbf8db77e98d821d615af4f634d08e22698,
>>            b6ffe7671b24689c09faa5675dd58f93758a97ae,
>>            ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
>> stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
>>               dd16e38e1531258d332b0fc7c247367f60c6c381]
>> cip/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
>>            dd16e38e1531258d332b0fc7c247367f60c6c381]
>> cip/4.19-rt: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
>>               dd16e38e1531258d332b0fc7c247367f60c6c381]
>> stable/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
>> cip/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
>> cip/4.4-rt: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
>> stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
>> stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
>>               6ef81a5c0e22233e13c748e813c54d3bf0145782]
>> stable/4.14: [f01bfaea62d14938ff2fbeaf67f0afec2ec64ab9,
>>               d890768c1ed6688ca5cd54ee37a69d90ea8c422f]
>> stable/5.4: [03a5e454614dc095a70d88c85ac45ba799c79971,
>>              a01745edc1c95ff53e261c493f15bb43b1338003]
>>
>> Currently tracking CVEs
>>
>> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
>> Bluetooth Core Specifications 4.0 through 5.2
>>
>> There is no fix information.
>>
>> CVE-2021-3640: UAF in sco_send_frame function
>>
>> There is no fix information.
>>
>> CVE-2020-26555: BR/EDR pin code pairing broken
>>
>> There is no fix information.
>>
>> CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
>>
>> No fix information.
>>
>> CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
>> Provisioning Leads to MITM
>>
>> No fix information.
>>
>> CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
>>
>> No fix information.
>>
>> CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
>>
>> No fix information.
>>
>> Other topics.
>>
>> About cve.mitre.org
>>
>> CVE Website Transitioning to New Web Address – “CVE.ORG”
>> https://cve.mitre.org/news/archives/2021/news.html#September022021_CVE_Website_Transitioning_to_New_Web_Address_-_CVE.ORG
>>
>> Regards,
>>
>> --
>> Masami Ichikawa
>> Cybertrust Japan Co., Ltd.
>>
>> Email :masami.ichikawa@cybertrust.co.jp
>>           :masami.ichikawa@miraclelinux.com
>>
>> 
>>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6723): https://lists.cip-project.org/g/cip-dev/message/6723
Mute This Topic: https://lists.cip-project.org/mt/85476557/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* Re: [cip-dev] New CVE entry this week
  2021-09-09  6:41 ` Pavel Machek
@ 2021-09-09 12:23   ` Masami Ichikawa
  0 siblings, 0 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-09 12:23 UTC (permalink / raw)
  To: cip-dev


Hi !

On Thu, Sep 9, 2021 at 3:42 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2021-3759: memcg: charge semaphores and sem_undo objects
> >
> > This causes a DoS attack. The patch was merged into mainline this week.
> >
> > For 4.19, it needs to modify or apply the following patches to apply commit
> > 18319498fdd4.
>
> I don't think we need to care about this one. Embedded systems don't
> usually run untrusted code...
>

I think so too. Maybe we don't have to track this CVE.

> > CVE-2021-40490: A race condition was discovered in
> > ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
> > in the Linux kernel through 5.13.13.
>
> This is already queued to 4.4 and 4.19; we can simply wait.
>

Thanks. I overlooked it.

> > CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
> > to get shadow page
> >
> > 4.14 has been fixed this week.
> >
> > mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
> > stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]
>
> KVM. Tricky code and not exactly focus on CIP code. But perhaps
> someone fixes it for us :-).
>

I see. We don't have to track it. I'll update the information when there
is a new update.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




* Re: [cip-dev] New CVE entry this week
  2021-09-09  2:39 Masami Ichikawa
@ 2021-09-09  6:41 ` Pavel Machek
  2021-09-09 12:23   ` Masami Ichikawa
       [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
  1 sibling, 1 reply; 26+ messages in thread
From: Pavel Machek @ 2021-09-09  6:41 UTC (permalink / raw)
  To: cip-dev



Hi!

> CVE-2021-3759: memcg: charge semaphores and sem_undo objects
> 
> This causes a DoS attack. The patch was merged into mainline this week.
> 
> For 4.19, it needs to modify or apply the following patches to apply commit
> 18319498fdd4.

I don't think we need to care about this one. Embedded systems don't
usually run untrusted code...

> CVE-2021-40490: A race condition was discovered in
> ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
> in the Linux kernel through 5.13.13.

This is already queued to 4.4 and 4.19; we can simply wait.

> CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
> to get shadow page
> 
> 4.14 has been fixed this week.
> 
> mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
> stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]

KVM. Tricky code and not exactly a focus of CIP. But perhaps
someone fixes it for us :-).

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany




* [cip-dev] New CVE entry this week
@ 2021-09-09  2:39 Masami Ichikawa
  2021-09-09  6:41 ` Pavel Machek
       [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
  0 siblings, 2 replies; 26+ messages in thread
From: Masami Ichikawa @ 2021-09-09  2:39 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

This week, 3 new CVEs were reported. These CVEs have been fixed in mainline
and some stable kernels.

* New CVEs

CVE-2021-3715: kernel: use-after-free in route4_change() in
net/sched/cls_route.c

This vulnerability was introduced in 3.18-rc1 and fixed in 5.6.
Therefore 5.6 or later kernels aren't affected by this vulnerability.

Fixed status

cip/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
cip/4.19-rt: [ea3d6652c240978736a91b9e85fde9fee9359be4]
cip/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
cip/4.4-rt: [7518af6464b47a0d775173570c3d25f699da2a5e]
mainline: [ef299cc3fa1a9e1288665a9fdc8bff55629fd359]
stable/4.14: [f0c92f59cf528bc1b872f2ca91b01e128a2af3e6]
stable/4.19: [ea3d6652c240978736a91b9e85fde9fee9359be4]
stable/4.4: [7518af6464b47a0d775173570c3d25f699da2a5e]
stable/4.9: [97a8e7afaee8fc4f08662cf8e4f495b87874aa91]
stable/5.4: [ff28c6195814bdbd4038b08d39e40f8d65d2025e]

CVE-2021-3759: memcg: charge semaphores and sem_undo objects

This causes a DoS attack. The patch was merged into mainline this week.

For 4.19, it needs to modify or apply the following patches to apply commit
18319498fdd4.

4a2ae92993be24ba727faa733e99d7980d389ec0: ipc/sem.c: replace kvmalloc/memset with kvzalloc and use struct_size
bc8136a543aa839a848b49af5e101ac6de5f6b27: ipc: use kmalloc for msg_queue and shmid_kernel
fc37a3b8b4388e73e8e3525556d9f1feeb232bb9: ipc sem: use kvmalloc for sem_undo allocation

For 4.4, the patch needs to be modified.

Fixed status

mainline: [18319498fdd4cdf8c1c2c48cd432863b1f915d6f]

CVE-2021-40490: A race condition was discovered in
ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem
in the Linux kernel through 5.13.13.

Commit a54c4613dac1 fixes f19d5870cbf72d4cb2a8e1f749dff97af99b071e,
which was merged in 3.8-rc1.

Fixed status

mainline: [a54c4613dac1500b40e4ab55199f7c51f028e848]
stable/5.10: [09a379549620f122de3aa4e65df9329976e4cdf5]
stable/5.13: [c764e8fa4491da66780fcb30a0d43bfd3fccd12c]
stable/5.14: [f8ea208b3fbbc0546d71b47e8abaf98b0961dec1]

* Updated CVEs

CVE-2021-3542: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

A patch has been sent to the linux-media list
(https://lore.kernel.org/linux-media/20210816072721.GA10534@kili/).
By the way, no CIP member enables DVB_FIREDTV.

Fixed status

Not fixed in mainline yet.

CVE-2021-3640: UAF in sco_send_frame function

According to the SUSE bugzilla
(https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951),
the patch has been merged into the bluetooth-next tree as of 2021/09/03.

Fixed status

Not fixed in mainline yet.


CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Kernels before 4.20-rc1 are not affected by this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
stable/5.10: [c43add24dffdbac269d5610465ced70cfc1bad9e]
stable/5.13: [301aabe0239f227818622096be7e180fcdbedf80]
stable/5.14: [734dabfb6918d399024063c9db9093a83f804ce5]
stable/5.4: [d7f7eca72ecc08f0bb6897fda2290293fca63068]


CVE-2021-3753: vt_kdsetmode: extend console locking

An out-of-bounds access caused by a race in KDSETMODE in VT.

Fixed status

mainline: [2287a51ba822384834dafc1c798453375d1107c7]
stable/4.14: [3f488313d96fc6512a4a0fe3ed56cce92cbeec94]
stable/4.19: [0776c1a20babb4ad0b7ce7f2f4e0806a97663187]
stable/4.4: [01da584f08cbb1e04f22796cc49b10d570cd5ec1]
stable/4.9: [755a2f40dda2d6b2e3b8624cb052e68947ee4d1f]
stable/5.10: [60d69cb4e60de0067e5d8aecacd86dfe92a5384a]
stable/5.13: [a5dfcf3d8ecc549f8dc324ab6caf9dd14de87986]
stable/5.14: [acf3c7b4fae092e7f5c170bc8a0fe2ead9b2a320]
stable/5.4: [f4418015201bdca0cd4e28b363d88096206e4ad0]


CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) has been in the kernel since
4.15-rc1, so kernels before 4.15 aren't affected.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
stable/4.19: [ce7d8be2eaa4cab3032e256d154d1c33843d2367]
stable/5.10: [ad41706c771a038e9a334fa55216abd69b32bfdf]
stable/5.13: [d6060df9b53ab8098c954aac9acbacef6915e42a]
stable/5.4: [a6b049aeefa880a8bd7b1ae3a8804bda1e8b077e]

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

4.14 has been fixed this week.

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/4.14: [cea9e8ee3b8059bd2b36d68f1f428d165e5d13ce]
stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]

CVE-2021-3444: bpf: Fix truncation handling for mod32 dst reg wrt zero

The vulnerability was introduced in 4.15-rc9. 4.4 is not affected.
4.19 has been fixed this week.

Fixed status

mainline: [9b00f1b78809309163dda2d044d9e94a3c0248a3]
stable/4.19: [39f74b7c81cca139c05757d9c8f9d1e35fbbf56b]
stable/5.10: [3320bae8c115863b6f17993c2b7970f7f419da57]
stable/5.11: [55c262ea5d0f754648cd25aa73de081adaab07d9]
stable/5.4: [185c2266c1df80bec001c987d64cae2d9cd13816]

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability was introduced in 4.15-rc9. 4.4 is not affected.
4.19 has been fixed this week. We have been tracking this
vulnerability since August, waiting for 4.19 to be fixed, and now it is
finally fixed.

Fixed status

mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/4.19: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

CVE-2021-3655: missing size validations on inbound SCTP packets

cip/4.4, cip/4.19, cip/4.4-rt, cip/4.19-rt, stable/4.14, and
stable/5.4 have been fixed this week.

Fixed status

mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
           50619dbf8db77e98d821d615af4f634d08e22698,
           b6ffe7671b24689c09faa5675dd58f93758a97ae,
           ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
              dd16e38e1531258d332b0fc7c247367f60c6c381]
cip/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
           dd16e38e1531258d332b0fc7c247367f60c6c381]
cip/4.19-rt: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
              dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
cip/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
cip/4.4-rt: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
              6ef81a5c0e22233e13c748e813c54d3bf0145782]
stable/4.14: [f01bfaea62d14938ff2fbeaf67f0afec2ec64ab9,
              d890768c1ed6688ca5cd54ee37a69d90ea8c422f]
stable/5.4: [03a5e454614dc095a70d88c85ac45ba799c79971,
             a01745edc1c95ff53e261c493f15bb43b1338003]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Other topics.

About cve.mitre.org

CVE Website Transitioning to New Web Address – “CVE.ORG”
https://cve.mitre.org/news/archives/2021/news.html#September022021_CVE_Website_Transitioning_to_New_Web_Address_-_CVE.ORG

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




Thread overview: 26+ messages
2021-09-02  1:05 [cip-dev] New CVE entry this week Masami Ichikawa
2021-09-02  6:27 ` Pavel Machek
2021-09-02  7:10   ` Nobuhiro Iwamatsu
2021-09-02 12:17   ` Masami Ichikawa
2021-09-09  2:39 Masami Ichikawa
2021-09-09  6:41 ` Pavel Machek
2021-09-09 12:23   ` Masami Ichikawa
     [not found] ` <CAMLqsBZCbrdOaxhuc81kvZsinS+_bFPp2tpmuVnczC1EXCA3Zg@mail.gmail.com>
2021-09-10  0:40   ` Masami Ichikawa
2021-09-16  0:43 Masami Ichikawa
2021-09-16  4:55 ` Nobuhiro Iwamatsu
2021-09-23  1:52 Masami Ichikawa
2021-09-30  0:12 Masami Ichikawa
2021-09-30  0:12 ` [cip-dev] " Masami Ichikawa
2021-09-30  6:33 ` nobuhiro1.iwamatsu
2021-09-30  6:33   ` Nobuhiro Iwamatsu
2021-09-30 12:11   ` Masami Ichikawa
2021-09-30 12:11     ` Masami Ichikawa
2021-10-07  0:59 Masami Ichikawa
2021-10-07  0:59 ` [cip-dev] " Masami Ichikawa
2021-10-07  7:30 ` Pavel Machek
2021-10-07  7:30   ` Pavel Machek
2021-10-07 11:38   ` Masami Ichikawa
2021-10-07 11:38     ` Masami Ichikawa
2021-10-13 23:54 Masami Ichikawa
2021-10-13 23:54 ` [cip-dev] " Masami Ichikawa
2021-10-14  6:55 ` Pavel Machek
2021-10-14  6:55   ` Pavel Machek
2021-10-21  1:21 Masami Ichikawa
2021-10-21  8:41 ` [cip-dev] " nobuhiro1.iwamatsu
2021-10-21 12:05   ` Masami Ichikawa
