From: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
To: cip-dev <cip-dev@lists.cip-project.org>
Subject: New CVE entries this week
Date: Thu, 22 Sep 2022 09:06:09 +0900
Message-ID: <CAODzB9pM64A8SzV-=AAFUcsRa-GDo6JcMi8wVZTQFbqTnEjKqQ@mail.gmail.com>
Hi!
It's this week's CVE report.
This week, 5 new CVEs and 4 updated CVEs were reported.
* New CVEs
CVE-2022-40476: io_uring: use original request task for inflight tracking
CVSS v3 score is 5.5 MEDIUM.
A null pointer dereference issue was discovered in fs/io_uring.c in
the Linux kernel before 5.15.62. A local user could use this flaw to
crash the system or potentially cause a denial of service.
This vulnerability was introduced by commit d536123 ("io_uring: drop
the old style inflight file tracking") which was merged in 5.19-rc1.
Kernels 5.4 and 5.10 don't have commit d536123.
Fixed status
mainline: [386e4fb6962b9f248a80f8870aea0870ca603e89]
stable/5.15: [3746d62ecf1c872a520c4866118edccb121c44fd]
CVE-2022-3176: io_uring: disable polling pollfree files
CVSS v3 score is 7.8 HIGH.
There exists a use-after-free in io_uring in the Linux kernel.
signalfd_poll() and binder_poll() use a waitqueue whose lifetime is
the current task. It will send a POLLFREE notification to all waiters
before the queue is freed. Unfortunately, the io_uring poll doesn't
handle POLLFREE. This allows a use-after-free to occur if a signalfd
or binder fd is polled with io_uring poll, and the waitqueue gets
freed.
Fixed status
mainline: [791f3465c4afde02d7f16cf7424ca87070b69396]
stable/5.10: [28d8d2737e82fc29ff9e788597661abecc7f7994]
stable/5.15: [e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5]
stable/5.4: [fc78b2fc21f10c4c9c4d5d659a685710ffa63659]
CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure
CVSS v3 score is 5.5 MEDIUM.
drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local
users to obtain sensitive information from kernel memory because
stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
Fixed status
Patch is available at
lore.kernel.org/all/20220908145154.2284098-1-gregkh@linuxfoundation.org
but it has not been merged yet as of 2022-09-19.
CVE-2022-41218: media: dvb-core: Fix UAF due to refcount races at releasing
CVSS v3 score is not assigned.
In drivers/media/dvb-core/dmxdev.c in the Linux kernel through
5.19.10, there is a use-after-free caused by refcount races, affecting
dvb_demux_open and dvb_dmxdev_release.
It looks as if kernel 4.4 is affected too.
Fixed status
Patch is available at
https://lore.kernel.org/all/20220908132754.30532-1-tiwai@suse.de/ but
it hasn't been merged into the mainline yet.
CVE-2022-41222: mm/mremap: hold the rmap lock in write mode when
moving page table entries
CVSS v3 score is not assigned.
mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via
a stale TLB because an rmap lock is not held during a PUD move.
Kernel 4.x doesn't have 2c91bd4 ("mm: speed up mremap by 20x on large
regions") and c49dd34 ("mm: speedup mremap on 1GB or larger regions"),
so these kernels aren't affected.
Fixed status
mainline: [97113eb39fa7972722ff490b947d8af023e1f6a2]
stable/5.10: [2613baa3ab2153cc45b175c58700d93f72ef36c4]
stable/5.4: [79e522101cf40735f1936a10312e17f937b8dcad]
* Updated CVEs
CVE-2021-4159: bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds()
4.14 was fixed this week.
Fixed status
mainline: [294f2fc6da27620a506e6c050241655459ccd6bd]
stable/4.14: [a7cf53f9ebcd887c19588c0c1b4b8260f41a3faa]
stable/4.19: [6c6b84ef5ea8dc0ca3559ccf69810960e348c555]
stable/5.4: [7c1134c7da997523e2834dd516e2ddc51920699a]
CVE-2022-40307: efi: capsule-loader: Fix use-after-free in efi_capsule_write
Stable kernels except 4.9 were fixed this week. Applying the patch to
4.9 failed (https://lore.kernel.org/stable/166265645917687@kroah.com/).
Fixed status
mainline: [9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95]
stable/4.14: [233d5c4d18971feee5fc2f33f00b63d8205cfc67]
stable/4.19: [021805af5bedeafc76c117fc771c100b358ab419]
stable/5.10: [918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6]
stable/5.15: [dd291e070be0eca8807476b022bda00c891d9066]
stable/5.19: [d46815a8f26ca6db2336106a148265239f73b0af]
stable/5.4: [8028ff4cdbb3f20d3c1c04be33a83bab0cb94997]
CVE-2022-39188: unmap_mapping_range() race with munmap() on VM_PFNMAP
mappings leads to stale TLB entry
stable/4.19 56fa5f3 ("mm: Fix TLB flush for not-first PFNMAP mappings
in unmap_region()") and stable/5.10 891f03f ("mm: Fix TLB flush for
not-first PFNMAP mappings in unmap_region()") have been added.
These commits are stable-specific patches which fix an issue when
backporting the upstream commit b67fbeb ("mmu_gather: Force tlb-flush
VM_PFNMAP vmas"). This fix has been sent to 5.4 and 5.15.
Fixed status
mainline: [b67fbebd4cf980aecbcc750e1462128bffe8ae15]
stable/4.14: [b8a54a2a45feacbc96065e5d6b9a1cbee2aa1e9d]
stable/4.19: [c3b1e88f14e7f442e2ddcbec94527eec84ac0ca3,
56fa5f3dd44a05a5eacd75ae9d00c5415046d371]
stable/4.9: [390f33a95419f7fa1254ba6b6feeabde480732f9]
stable/5.10: [895428ee124ad70b9763259308354877b725c31d,
891f03f688de8418f44b32b88f6b4faed5b2aa81]
stable/5.15: [3ffb97fce282df03723995f5eed6a559d008078e]
stable/5.4: [c9c5501e815132530d741ec9fdd22657f91656bc]
CVE-2022-2663: netfilter: nf_conntrack_irc: Tighten matching on DCC message
mainline and stable kernels were fixed. Commit 0efe125 ("netfilter:
nf_conntrack_irc: Fix forged IP logic") can be applied to 4.4.y-st
without any modification.
Fixed status
mainline: [0efe125cfb99e6773a7434f3463f7c2fa28f3a43]
stable/4.14: [6ce66e3442a5989cbe56a6884384bf0b7d1d0725]
stable/4.19: [3275f7804f40de3c578d2253232349b07c25f146]
stable/4.9: [eb4d8d6b44a23ff2b6e2af06c8240de73dff8a7d]
stable/5.10: [e12ce30fe593dd438c5b392290ad7316befc11ca]
stable/5.15: [451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4]
stable/5.19: [6cf0609154b2ce8d3ae160e7506ab316400a8d3d]
stable/5.4: [36f7b71f8ad8e4d224b45f7d6ecfeff63b091547]
* Currently tracking CVEs
CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2
There is no fix information.
CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning
No fix information.
CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM
No fix information.
CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning
No fix information.
CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning
No fix information.
Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com