cip-dev.lists.cip-project.org archive mirror
* [cip-dev] New CVE entries this week
@ 2021-07-29  1:18 市川正美
  2021-07-29  7:47 ` Pavel Machek
  2021-07-29  7:50 ` Nobuhiro Iwamatsu
  0 siblings, 2 replies; 43+ messages in thread
From: 市川正美 @ 2021-07-29  1:18 UTC (permalink / raw)
  To: cip-dev


Hi !

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3640: there is no fixed information as of 2021/07/29.

CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
affects powerpc architecture.

** Updated CVEs

CVE-2021-31829: I fixed wrong security information.

CVE-2021-22543: added stable/4.19 fixed commit.

** Tracking CVEs

CVE-2021-29256: not fixed in mainline yet

CVE-2021-31615: not fixed in mainline yet

CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

CVE-2021-37159: mainline is not fixed as of 2021/07/29

* CVE detail

New CVEs

- CVE-2021-3640: Linux kernel: UAF in sco_send_frame function

Not fixed in mainline.

From the email (https://www.openwall.com/lists/oss-security/2021/07/22/1)

-------------
2021-07-08: Bug reported to security@...nel.org and
linux-distros@...openwall.org
2021-07-09: CVE-2021-3640 is assigned
2021-07-22: 14 days of the embargo is over

One sad thing is that the bluez team is currently focused on fixing up the
CVE-2021-3573, which I failed to properly patch, and the patch for this
new one is not yet fully discussed.
I hope the patch will be settled down and merged to the mainline in the
near future.
-------------

CVE-2021-37576: KVM guest to host memory corruption

This vulnerability only affects PowerPC architecture.

No CIP member uses the PPC architecture.

Fixed status
mainline: [f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a]
stable/4.19: [0493b10c06021796ba80cbe53c961defd5aca6e5]
stable/4.4: [1e90a673f6ee09c668fe01aa1b94924f972c9811]
stable/5.10: [c1fbdf0f3c26004a2803282fdc1c35086908a99e]

Updated CVEs

CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas
in KVM can bypass RO checks and can lead to pages being freed while
still accessible by the VMM and guest

Added stable/4.19 fixed commit.

The v4.4 kernel gets the pfn the following way in hva_to_pfn(). It does not use
kvm_get_pfn(). hva_to_pfn_remapped() doesn't exist in the v4.4 kernel.

            else if ((vma->vm_flags & VM_PFNMAP)) {
                    pfn = ((addr - vma->vm_start) >> PAGE_SHIFT) +
                            vma->vm_pgoff;


If v4.4 has the same vulnerability, we'll need to write a patch ourselves.

CVE-2021-31829: Linux kernel protection of stack pointer against
speculative pointer arithmetic can be bypassed to leak content of
kernel memory

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]

There was wrong information so I updated it.
stable/5.10 is fixed but cip/5.10 is not fixed yet.

Currently tracking CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory

Not fixed in mainline yet

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

Not fixed in mainline yet

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

v4.4 is not fixed as of 2021/07/29

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

CVE-2021-3655: missing size validations on inbound SCTP packets

According to cip-kernel-sec's scripts v4.4 is not fixed as of 2021/07/29

One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]


CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

The mainline is not fixed as of 2021/07/29

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6637): https://lists.cip-project.org/g/cip-dev/message/6637
Mute This Topic: https://lists.cip-project.org/mt/84519830/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* Re: [cip-dev] New CVE entries this week
  2021-07-29  1:18 [cip-dev] New CVE entries this week 市川正美
@ 2021-07-29  7:47 ` Pavel Machek
  2021-07-29  8:11   ` 市川正美
  2021-07-29  7:50 ` Nobuhiro Iwamatsu
  1 sibling, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-07-29  7:47 UTC (permalink / raw)
  To: cip-dev



Hi!

> ** Tracking CVEs
> 
> CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

This is basically missing memset. Does not look evil to backport.

> CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

This may need more careful look. There are 4 patches fixing this in
mainline, but only two in
5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e should be easy to
backport to 4.4.

> CVE-2021-31829: Linux kernel protection of stack pointer against
> speculative pointer arithmetic can be bypassed to leak content of
> kernel memory
> 
> Fixed status
> mainline: [f8be156be163a052a067306417cd0ff679068c97]
> stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]

Strange, this talks about CVE-2021-22543 in the changelog.

> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
> 
> Not fixed in mainline yet

> CVE-2021-3655: missing size validations on inbound SCTP packets
> 
> According to cip-kernel-sec's scripts v4.4 is not fixed as of 2021/07/29
> 
> One of a patch 50619dbf8db77e98d821d615af4f634d08e22698 is included.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

I guess this should be listed in stable/4.4: ... then?

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany




* Re: [cip-dev] New CVE entries this week
  2021-07-29  1:18 [cip-dev] New CVE entries this week 市川正美
  2021-07-29  7:47 ` Pavel Machek
@ 2021-07-29  7:50 ` Nobuhiro Iwamatsu
  2021-07-29  8:12   ` 市川正美
  1 sibling, 1 reply; 43+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-07-29  7:50 UTC (permalink / raw)
  To: cip-dev


Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of 市川正美
> Sent: Thursday, July 29, 2021 10:19 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entries this week
> 
> Hi !
> 
> Here is this week's CVE report.
> 
> * CVE short summary
> 
> ** New CVEs
> 
> CVE-2021-3640: there is no fixed information as of 2021/07/29.
> 
> CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
> affects powerpc architecture.
> 
> ** Updated CVEs
> 
> CVE-2021-31829: I fixed wrong security information.
> 
> CVE-2021-22543: added stable/4.19 fixed commit.
> 
> ** Tracking CVEs
> 
> CVE-2021-29256: not fixed in mainline yet
> 
> CVE-2021-31615: not fixed in mainline yet
> 
> CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
> 
> CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

This has been fixed with the following commit.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Best regards,
  Nobuhiro




* Re: [cip-dev] New CVE entries this week
  2021-07-29  7:47 ` Pavel Machek
@ 2021-07-29  8:11   ` 市川正美
  2021-07-29  8:58     ` Pavel Machek
  0 siblings, 1 reply; 43+ messages in thread
From: 市川正美 @ 2021-07-29  8:11 UTC (permalink / raw)
  To: cip-dev


Hi !

On Thu, Jul 29, 2021 at 4:47 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > ** Tracking CVEs
> >
> > CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
>
> This is basically missing memset. Does not look evil to backport.
>

Thanks.

> > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
>
> This may need more careful look. There are 4 patches fixing this in
> mainline, but only two in
> 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e should be easy to
> backport to 4.4.
>

Okay. I'll take another look.

> > CVE-2021-31829: Linux kernel protection of stack pointer against
> > speculative pointer arithmetic can be bypassed to leak content of
> > kernel memory
> >
> > Fixed status
> > mainline: [f8be156be163a052a067306417cd0ff679068c97]
> > stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
>
> Strange, this talks about CVE-2021-22543 in the changelog.
>

ok, I'll check again.

> > CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> > Bluetooth Core Specifications 4.0 through 5.2
> >
> > Not fixed in mainline yet
>
> > CVE-2021-3655: missing size validations on inbound SCTP packets
> >
> > According to cip-kernel-sec's scripts v4.4 is not fixed as of 2021/07/29
> >
> > One of a patch 50619dbf8db77e98d821d615af4f634d08e22698 is included.
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd
>
> I guess this should be listed in stable/4.4: ... then?
>

Yes, it is. I'll add it.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




* Re: [cip-dev] New CVE entries this week
  2021-07-29  7:50 ` Nobuhiro Iwamatsu
@ 2021-07-29  8:12   ` 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-07-29  8:12 UTC (permalink / raw)
  To: cip-dev


Hi !

On Thu, Jul 29, 2021 at 4:50 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:
>
> Hi,
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of 市川正美
> > Sent: Thursday, July 29, 2021 10:19 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entries this week
> >
> > Hi !
> >
> > Here is this week's CVE report.
> >
> > * CVE short summary
> >
> > ** New CVEs
> >
> > CVE-2021-3640: there is no fixed information as of 2021/07/29.
> >
> > CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
> > affects powerpc architecture.
> >
> > ** Updated CVEs
> >
> > CVE-2021-31829: I fixed wrong security information.
> >
> > CVE-2021-22543: added stable/4.19 fixed commit.
> >
> > ** Tracking CVEs
> >
> > CVE-2021-29256: not fixed in mainline yet
> >
> > CVE-2021-31615: not fixed in mainline yet
> >
> > CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
> >
> > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
>
> This has been fixed with the following commit.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd
>

Thank you! I'll add this one to fixed-by list.

> Best regards,
>   Nobuhiro
>
> 
>


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com




* Re: [cip-dev] New CVE entries this week
  2021-07-29  8:11   ` 市川正美
@ 2021-07-29  8:58     ` Pavel Machek
  0 siblings, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2021-07-29  8:58 UTC (permalink / raw)
  To: cip-dev



Hi!

> > > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
> >
> > This may need more careful look. There are 4 patches fixing this in
> > mainline, but only two in
> > 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e should be easy to
> > backport to 4.4.
> >
> 
> Okay. I'll take another look.

Thank you.

Note that I pushed my comments into the repository, so you may want to
do the pull before doing changes there.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany




* Re: [cip-dev] New CVE entries this week
  2023-07-27  9:26 ` [cip-dev] " Pavel Machek
@ 2023-07-27 11:30   ` Masami Ichikawa
  0 siblings, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2023-07-27 11:30 UTC (permalink / raw)
  To: cip-dev

On Thu, Jul 27, 2023 at 6:26 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > It's this week's CVE report.
> >
> > This week reported 8 new CVEs and 5 updated CVEs.
> >
> > CVE-2023-20593 is the Zenbleed vulnerability which is not a kernel
> > vulnerability.  However, the Linux kernel added mitigation code.
> > CVE-2023-2640 and CVE-2023-32629 are Ubuntu kernel specific
> > vulnerabilities, so mainline/stable/cip kernels aren't affected.
>
> Thank you for the report.
>
> > * New CVEs
> >
> > CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
> >
> > CVSS v3 score is not provided(NVD).
> > CVSS v3 score is not 7.8 HIGH(CNA).
>
> I'm a bit confused. Is this trying to say that score _is_ 7.8?
>
oops. Sorry for that.
"CVSS v3 score is 7.8 HIGH(CNA)." is correct.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,        Managing Director: Erika Unter
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries this week
  2023-07-26 23:15 Masami Ichikawa
@ 2023-07-27  9:26 ` Pavel Machek
  2023-07-27 11:30   ` Masami Ichikawa
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2023-07-27  9:26 UTC (permalink / raw)
  To: cip-dev


Hi!

> It's this week's CVE report.
> 
> This week reported 8 new CVEs and 5 updated CVEs.
> 
> CVE-2023-20593 is the Zenbleed vulnerability which is not a kernel
> vulnerability.  However, the Linux kernel added mitigation code.
> CVE-2023-2640 and CVE-2023-32629 are Ubuntu kernel specific
> vulnerabilities, so mainline/stable/cip kernels aren't affected.

Thank you for the report.

> * New CVEs
> 
> CVE-2023-3611: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
> 
> CVSS v3 score is not provided(NVD).
> CVSS v3 score is not 7.8 HIGH(CNA).

I'm a bit confused. Is this trying to say that score _is_ 7.8?

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [cip-dev] New CVE entries this week
  2023-06-15  8:41 ` [cip-dev] " Pavel Machek
@ 2023-06-15 11:52   ` Masami Ichikawa
  0 siblings, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2023-06-15 11:52 UTC (permalink / raw)
  To: cip-dev

Hi.

On Thu, Jun 15, 2023 at 5:41 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > This week reported 4 new CVEs and 7 updated CVEs.
> >
> > * New CVEs
> >
> > CVE-2023-3141: memstick: r592: Fix UAF bug in r592_remove due to race condition
> >
> > CVSS v3 score is 5.9 MEDIUM.
> >
> > The client side in OpenSSH 5.7 through 8.4 has an Observable
> > Discrepancy leading to an information leak in the algorithm
> > negotiation. This allows man-in-the-middle attackers to target initial
> > connection attempts (where no host key for the server has been cached
> > by the client).
>
> Description seems wrong here. Here's better one:
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-3141
>
> A use-after-free flaw was found in r592_remove in
> drivers/memstick/host/r592.c in media access in the Linux Kernel. This
> flaw allows a local attacker to crash the system at device disconnect,
> possibly leading to a kernel information leak.
>

Thank you for correcting this one.
CVE-2023-3141.yml in cip-kernel-sec contains the correct link to this CVE.
I may paste the wrong description.

> Best regards,
>                                                         Pavel
> --
> DENX Software Engineering GmbH,        Managing Director: Erika Unter
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



* Re: [cip-dev] New CVE entries this week
  2023-06-14 22:43 Masami Ichikawa
@ 2023-06-15  8:41 ` Pavel Machek
  2023-06-15 11:52   ` Masami Ichikawa
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2023-06-15  8:41 UTC (permalink / raw)
  To: cip-dev


Hi!

> This week reported 4 new CVEs and 7 updated CVEs.
> 
> * New CVEs
> 
> CVE-2023-3141: memstick: r592: Fix UAF bug in r592_remove due to race condition
> 
> CVSS v3 score is 5.9 MEDIUM.
> 
> The client side in OpenSSH 5.7 through 8.4 has an Observable
> Discrepancy leading to an information leak in the algorithm
> negotiation. This allows man-in-the-middle attackers to target initial
> connection attempts (where no host key for the server has been cached
> by the client).

Description seems wrong here. Here's better one:

https://nvd.nist.gov/vuln/detail/CVE-2023-3141

A use-after-free flaw was found in r592_remove in
drivers/memstick/host/r592.c in media access in the Linux Kernel. This
flaw allows a local attacker to crash the system at device disconnect,
possibly leading to a kernel information leak.

Best regards,
							Pavel
-- 
DENX Software Engineering GmbH,        Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



* Re: [cip-dev] New CVE entries this week
  2022-11-09 23:02 Masami Ichikawa
@ 2022-11-10  8:33 ` Pavel Machek
  0 siblings, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2022-11-10  8:33 UTC (permalink / raw)
  To: cip-dev


Hi!

> * New CVEs
> 
> CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
> 
> CVSS v3 score is not provided.
> 
> An accessing uninitialized variable bug was found in
> l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c
> The efs variable is on the stack. It is initialized when the type
> variable is L2CAP_CONF_EFS.
> So, if type isn't L2CAP_CONF_EFS and rfc.mode is L2CAP_MODE_ERTM, then
> accessing uninitialized variable bug occurs.
> 
> It looks 4.4 is affected by this issue too.
> 
> Fixed status
> mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]

Fix is queued for 5.10.154 and corresponding 4.9 kernel.

> CVE-2022-43945: A buffer overflow bug was found in nfsd
> 
> CVSS v3 score is 7.5 HIGH.
> 
> The Linux kernel NFSD implementation prior to versions 5.19.17 and
> 6.0.2 are vulnerable to buffer overflow. NFSD tracks the number of
> pages held by each NFSD thread by combining the receive and send
> buffers of a remote procedure call (RPC) into a single array of pages.
> A client can force the send buffer to shrink by sending an RPC message
> over TCP with garbage data added at the end of the message. The RPC
> message with garbage data is still correctly formed according to the
> specification and is passed forward to handlers. Vulnerable code in
> NFSD is not expecting the oversized request and writes beyond the
> allocated buffer space.
> 
> nfsd3_proc_read() and nfsd_proc_read() changed to set argp->count
> value adding an extra min_t() macro.
> nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages() changed the
> process of setting buf->buflen value.
> However, 4.4, 4.19, 5.10 use different ways to set these values. So,
> even if these kernels are vulnerable, it needs a different way to fix
> them.
> 
> Fixed status
> mainline: [00b4492686e0497fdb924a9d4c8f6f99377e176c,
> 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991,
>   401bc1f90874280a80b93f23be33a0e7e2d1f912,
> fa6be9cc6e80ec79892ddf08a8c10cabab9baf38]
> stable/5.15: [dc7f225090c29a5f3b9419b1af32846a201555e7,
> 071a076fd1b763aa6fe478efa047e0a549ba9c22,
>   2be9331ca6061bc6ea32247266f45b8b21030244,
> 75d9de25a6f833dd0701ca546ac926cabff2b5af]
> stable/6.0: [f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d,
> 279274e31270c28b86feffe5e166d4088f22317b,
>   1868332032eccbab8c1878a0d918193058c0a905,
> 309f29361b6bfae96936317376f1114568c5de19]

Hmm. I don't see these queued for 5.10. OTOH embedded systems are
normally NFS clients (and only during development), not NFS servers.

In 5.10.152, we fixed buffer overrun in nfsd, but that may be
different one:

 |0b06ecf29 788f71 o: 5.10| NFSD: Add common helpers to decode void args and encode void results
 |78ad3a430 ebcd8e o: 5.10| NFSD: Update the NFSv2 GETATTR argument decoder to use struct xdr_stream
 |8505cb6e4 8c293e o: 5.10| NFSD: Update the NFSv2 READ argument decoder to use struct xdr_stream
 |827277f03 401bc1 o: 5.10| NFSD: Protect against send buffer overflow in NFSv2 READ
 |4204e1a23 c1346a o: 5.10| NFSD: Replace the internals of the READ_BUF() macro
 |8bda97f4a cbd9ab o: 5.10| NFSD: Replace READ* macros in nfsd4_decode_commit()
 |21b51f620 957536 o: 5.10| NFSD: Update GETATTR3args decoder to use struct xdr_stream
 |fea1935a8 be63bd o: 5.10| NFSD: Update READ3arg decoder to use struct xdr_stream
 |fb4bb09fc 0cb4d2 o: 5.10| NFSD: Fix the behavior of READ near OFFSET_MAX
 |9748f4210 fa6be9 o: 5.10| NFSD: Protect against send buffer overflow in NFSv3 READ

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


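As an added illustration of the bug shape described for CVE-2022-42895 in the report quoted above (this is constructed example code, not the kernel's l2cap_parse_conf_req and not the upstream fix): a toy option parser keeps an `efs` struct on the stack, fills it only when a CONF_EFS option of the right length arrives, and reads it whenever the RFC mode is ERTM; the hardened variant zeroes the struct and tracks whether the option was actually received, consulting `efs` only in that case. Option type values, struct layouts and the sample option bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option type tags and channel modes. The names follow the report; the
 * numeric values and struct layouts are assumed for this illustration. */
enum { CONF_RFC = 0x04, CONF_EFS = 0x06, MODE_BASIC = 0x00, MODE_ERTM = 0x03 };

struct conf_rfc { uint8_t mode; uint8_t txwin; };              /* 2 bytes */
struct conf_efs { uint8_t id; uint8_t stype; uint16_t msdu; }; /* 4 bytes */

/* One type-length-value option as received from the remote side. */
struct conf_opt { uint8_t type; uint8_t len; const uint8_t *val; };

/* Vulnerable shape: efs is only written when a CONF_EFS option of the
 * right length arrives, but it is read whenever the RFC mode is ERTM. */
int parse_conf_vulnerable(const struct conf_opt *opts, size_t n, uint8_t *stype_out)
{
    struct conf_rfc rfc = { MODE_BASIC, 0 };
    struct conf_efs efs;                         /* uninitialized stack memory */
    for (size_t i = 0; i < n; i++) {
        if (opts[i].type == CONF_RFC && opts[i].len == sizeof(rfc))
            memcpy(&rfc, opts[i].val, sizeof(rfc));
        else if (opts[i].type == CONF_EFS && opts[i].len == sizeof(efs))
            memcpy(&efs, opts[i].val, sizeof(efs));
    }
    if (rfc.mode != MODE_ERTM)
        return -1;                               /* efs never consulted */
    *stype_out = efs.stype;                      /* garbage if no EFS option came */
    return 0;
}

/* Hardened shape: zero the struct and remember whether the option was
 * actually received, so ERTM without EFS takes a defined default path. */
int parse_conf_hardened(const struct conf_opt *opts, size_t n, uint8_t *stype_out)
{
    struct conf_rfc rfc = { MODE_BASIC, 0 };
    struct conf_efs efs;
    int remote_efs = 0;
    memset(&efs, 0, sizeof(efs));                /* defined contents regardless of input */
    for (size_t i = 0; i < n; i++) {
        if (opts[i].type == CONF_RFC && opts[i].len == sizeof(rfc)) {
            memcpy(&rfc, opts[i].val, sizeof(rfc));
        } else if (opts[i].type == CONF_EFS && opts[i].len == sizeof(efs)) {
            memcpy(&efs, opts[i].val, sizeof(efs));
            remote_efs = 1;                      /* only now is efs meaningful */
        }
    }
    if (rfc.mode != MODE_ERTM)
        return -1;
    if (!remote_efs) {
        *stype_out = 0;                          /* explicit default, nothing guessed */
        return 0;
    }
    *stype_out = efs.stype;
    return 1;                                    /* ERTM with a received EFS */
}

/* Constructed sample option bytes (not captured traffic). */
static const uint8_t RFC_ERTM[2] = { MODE_ERTM, 8 };
static const uint8_t EFS_BYTES[4] = { 1, 2, 0x00, 0x04 };   /* id=1, stype=2, msdu */
uint8_t last_stype;                                          /* written by the demos */

/* ERTM requested with no EFS option at all: the case the report describes. */
int demo_ertm_without_efs(void)
{
    struct conf_opt opts[] = { { CONF_RFC, sizeof(RFC_ERTM), RFC_ERTM } };
    return parse_conf_hardened(opts, 1, &last_stype);
}

/* ERTM requested together with a well-formed EFS option. */
int demo_ertm_with_efs(void)
{
    struct conf_opt opts[] = { { CONF_RFC, sizeof(RFC_ERTM), RFC_ERTM },
                               { CONF_EFS, sizeof(EFS_BYTES), EFS_BYTES } };
    return parse_conf_hardened(opts, 2, &last_stype);
}

/* ERTM requested, EFS option present but truncated: treated as absent. */
int demo_ertm_with_short_efs(void)
{
    struct conf_opt opts[] = { { CONF_RFC, sizeof(RFC_ERTM), RFC_ERTM },
                               { CONF_EFS, 2, EFS_BYTES } };
    return parse_conf_hardened(opts, 2, &last_stype);
}

int main(void)
{
    int rc = demo_ertm_without_efs();
    printf("ERTM without EFS: rc=%d stype=%d\n", rc, last_stype);
    rc = demo_ertm_with_efs();
    printf("ERTM with EFS:    rc=%d stype=%d\n", rc, last_stype);
    return 0;
}
```

Running the first case through parse_conf_vulnerable under Valgrind or MemorySanitizer reports the uninitialized read; the hardened path is what the demos exercise.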

* Re: [cip-dev] New CVE entries this week
  2022-10-20  7:58 ` [cip-dev] " Pavel Machek
@ 2022-10-20 13:10   ` Masami Ichikawa
  0 siblings, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2022-10-20 13:10 UTC (permalink / raw)
  To: cip-dev

Hi.

On Thu, Oct 20, 2022 at 4:58 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > CVE-2022-3523: mm/memory.c: fix race when faulting a device private page
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 5.3 MEDIUM(VulDB).
> >
> > A vulnerability was found in Linux Kernel. It has been classified as
> > problematic. Affected is an unknown function of the file mm/memory.c
> > of the component Driver Handler. The manipulation leads to use after
> > free.
> ...
> > This fix is based on Memory folios feature so that it cannot apply to
> > older kernels straightly.
>
> Sounds like fun, but changelog also says:
>
>     During normal usage it is unlikely these will cause any problems.
>     However
>         without these fixes it is possible to crash the kernel from
>     userspace.
>         These crashes can be triggered either by unloading the kernel
>     module or
>         unbinding the device from the driver prior to a userspace task
>     exiting.
>
> Yeah, so.. don't let untrusted users play with modules / device
> bindings. We don't do that by default.
>
> > CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().
> >
> > A vulnerability was found in Linux Kernel. It has been declared as
> > problematic. Affected by this vulnerability is the function
> > ipv6_renew_options of the component IPv6 Handler. The manipulation
> > leads to memory leak. The attack can be launched remotely.
> >
> > CVSS v3 score is 7.5 HIGH(NIST).
> > CVSS v3 score is 4.3 MEDIUM(VulDB).
> >
> > Kernel 4.4 is also affected by this issue. applying this fix needs to
> > modify the patch.
> >
> > Fixed status
> > mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
>
> Sounds like more fun.
>
> > CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 3.5 LOW(VulDB).
> >
> > A vulnerability classified as problematic was found in Linux Kernel.
> > Affected by this vulnerability is the function mvpp2_dbgfs_port_init
> > of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the
> > component mvpp2. The manipulation leads to memory leak.
> >
> > Introduced by commit 21da57a ("net: mvpp2: add a debugfs interface for
> > the Header Parser") in 4.19-rc1.
> > 4.4, 4.9, 4.10, and 4.19 kernels are not affected by this issue.
>
> 4.19-rc1 means that 4.19 is affected, and indeed that commit is in
> 4.19-stable. Due to severity of the vulnerability (very low), I don't
> think we care much.
>

oops, you're right. 4.19 is affected.
4.19 is not listed in the ignore section in CVE-2022-3535.yml, so I
made a mistake when writing this report.

> > CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 4.6 MEDIUM(VulDB).
> >
> > A vulnerability, which was classified as critical, has been found in
> > Linux Kernel. Affected by this issue is the function del_timer of the
> > file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The
> > manipulation leads to use after free.
>
> "Critical" -- really? mISDN does not have much to do with bluetooth. I
> don't think we care.
>

I think it is not a critical vulnerability. Sometimes NVD's
description is exaggerated :(

> > CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 4.6 MEDIUM(VulDB).
> >
> > A vulnerability, which was classified as problematic, was found in
> > Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt
> > of the component TCP Handler. The manipulation leads to race
> > conditions.
>
> There's no race in the compiled code assuming a sane compiler; this is
> just READ_ONCE() annotation for the tools.
>
> I wonder if we should simply ignore anything that is "medium" or
> lower? This is not too useful. There are _lot_ of READ_ONCE
> annotations:
>

I think it is okay to ignore low score vulnerabilities. I think if a
vulnerability leads to local privilege escalation/remote code
execution/remote DoS, the score will be high or at least medium.

> rc-v5.10.132.list:a just a READ_ONCE annotation |dd36fc0e5 1f1be0 o: 5.10| sysctl: Fix data races in proc_dointvec().
> rc-v5.10.132.list:a just a READ_ONCE annotation |3c353ca70 4762b5 o: 5.10| sysctl: Fix data races in proc_douintvec().
> rc-v5.10.132.list:a just a READ_ONCE annotation |2d706aadb f613d8 o: 5.10| sysctl: Fix data races in proc_dointvec_minmax().
> rc-v5.10.132.list:a just a READ_ONCE annotation |23f9db9f8 2d3b55 o: 5.10| sysctl: Fix data races in proc_douintvec_minmax().
> rc-v5.10.132.list:a just a READ_ONCE annotation |3b18d2877 c31bcc o: 5.10| sysctl: Fix data races in proc_doulongvec_minmax().
> rc-v5.10.132.list:a just a READ_ONCE annotation |fbb481c6c e87782 o: 5.10| sysctl: Fix data races in proc_dointvec_jiffies().
> rc-v5.10.132.list:a just a READ_ONCE annotation |569565b31 47e6ab o: 5.10| tcp: Fix a data-race around sysctl_tcp_max_orphans.
> rc-v5.10.132.list:a just a READ_ONCE annotation |1ffd2f3ca 3d32ed o: 4.19| inetpeer: Fix data-races around sysctl.
> rc-v5.10.132.list:a just a READ_ONCE annotation |759957e29 310731 o: 4.19| net: Fix data-races around sysctl_mem.
> rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |2afb079f1 dd44f0 o: 4.9| cipso: Fix data-races around sysctl.
> rc-v5.10.132.list:a just a READ_ONCE annotation |cc7dc7f73 48d7ee o: 4.9| icmp: Fix data-races around sysctl.
> rc-v5.10.132.list:a just a READ_ONCE annotation |ecc3b5b6d 73318c o: 5.10| ipv4: Fix a data-race around sysctl_fib_sync_mem.
> rc-v5.10.132.list:a just a READ_ONCE annotation |8c0062e3d 2a4eb7 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratelimit.
> rc-v5.10.132.list:a just a READ_ONCE annotation |abf7c1c68 1ebcb2 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratemask.
> rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |66a01e657 e49e4a o: 4.9| ipv4: Fix data-races around sysctl_ip_dynaddr.
> rc-v5.10.132.list:a just a READ_ONCE annotation |a9f8eb955 bdf00b o: 5.10| nexthop: Fix data-races around nexthop_compat_mode.
> rc-v5.10.137.list:a just a READ_ONCE annotation |6a5c5b381 4915d5 o: 5.10| inet: add READ_ONCE(sk->sk_bound_dev_if) in INET_MATCH()
> rc-v5.10.137.list:a just a READ_ONCE annotation, not a minimum fix |8d69424fb 5d368f o: 5.10| ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH()
> rc-v5.10.137.list:a just a READ_ONCE annotation |1651eed8e 08a75f o: 5.10| tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
> rc-v5.10.140.list:a just a READ_ONCE annotation |1cf035989 027395 o: 5.10| net: Fix data-races around sysctl_[rw]mem(_offset)?.
> rc-v5.10.140.list:a just a READ_ONCE annotation |c430cce0f 1227c1 o: 5.10| net: Fix data-races around sysctl_[rw]mem_(max|default).
> rc-v5.10.140.list:a just a READ_ONCE annotation |0ca09591c 5dcd08 o: 5.10| net: Fix data-races around netdev_max_backlog.
> rc-v5.10.140.list:a just a READ_ONCE annotation |c9a25e523 61adf4 o: 4.19| net: Fix data-races around netdev_tstamp_prequeue.
> rc-v5.10.140.list:a just a READ_ONCE annotation |33a56c470 7de6d0 o: 5.10| net: Fix data-races around sysctl_optmem_max.
> rc-v5.10.140.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data.
> rc-v5.10.140.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll.
> rc-v5.10.140.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read.
> rc-v5.10.140.list:a just a READ_ONCE annotation |6d73091c1 fa45d4 o: 4.19| net: Fix a data-race around netdev_budget_usecs.
> rc-v5.10.140.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn.
> rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data.
> rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll.
> rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read.
> rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn.
> rc-v5.10.14X-pre.list:a just a READ_ONCE annotation 5.10 05/16] cgroup: Remove data-race around cgrp_dfl_visible
> rc-v5.10.150.list:a just a READ_ONCE annotation |1b3ae95b2 aacd46 o: 4.9| tcp: annotate data-race around tcp_md5sig_pool_populated
>
> > CVE-2022-3567: ipv6: Fix data races around sk->sk_prot.
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 4.6 MEDIUM(VulDB).
> >
> > A vulnerability has been found in Linux Kernel and classified as
> > problematic. This vulnerability affects the function
> > inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The
> > manipulation leads to race conditions.
> >
> > According to the commit log, commit 086d490 ("ipv6: annotate some
> > data-races around sk->sk_prot") fixes a race condition bug but it was
> > not enough.
> > Therefore it seems that both commit 086d490 and 364f997 need to fix
> > this issue.
>
> This is a tiny bit more serious than usual READ_ONCE annotations,
> but...
>
> > CVE-2022-3541: eth: sp7021: fix use after free bug in
> > spl2sw_nvmem_get_mac_address
> >
> > CVSS v3 score is 7.8 HIGH(NIST).
> > CVSS v3 score is 5.5 MEDIUM(VulDB).
> >
> > A vulnerability classified as critical has been found in Linux Kernel.
> > This affects the function spl2sw_nvmem_get_mac_address of the file
> > drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The
> > manipulation leads to use after free.
>
> Component BPF?
>
> > CVE-2022-3594: r8152: Rate limit overflow messages
> >
> > CVSS v3 score is not provided(NIST).
> > CVSS v3 score is 5.3 MEDIUM(VulDB).
> >
> > A vulnerability was found in Linux Kernel. It has been declared as
> > problematic. Affected by this vulnerability is the function
> > intr_callback of the file drivers/net/usb/r8152.c of the component
> > BPF. The manipulation leads to logging of excessive data. The attack
> > can be launched remotely.
> >
> > Fixed status
> > mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907]
>
> The "attack" is writing a line to syslog. Seems like every bug can get a
> CVE if someone tries.
>

Yeah, even though a remote user could write lots of data to the syslog
with this issue, it seems to be a normal bug.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2022-10-20  0:48 Masami Ichikawa
@ 2022-10-20  7:58 ` Pavel Machek
  2022-10-20 13:10   ` Masami Ichikawa
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2022-10-20  7:58 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 9920 bytes --]

Hi!

> CVE-2022-3523: mm/memory.c: fix race when faulting a device private page
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 5.3 MEDIUM(VulDB).
> 
> A vulnerability was found in Linux Kernel. It has been classified as
> problematic. Affected is an unknown function of the file mm/memory.c
> of the component Driver Handler. The manipulation leads to use after
> free.
...
> This fix is based on Memory folios feature so that it cannot apply to
> older kernels straightly.

Sounds like fun, but changelog also says:

    During normal usage it is unlikely these will cause any problems.
    However without these fixes it is possible to crash the kernel from
    userspace. These crashes can be triggered either by unloading the
    kernel module or unbinding the device from the driver prior to a
    userspace task exiting.

Yeah, so... don't let untrusted users play with modules / device
bindings. We don't do that by default.

> CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().
> 
> A vulnerability was found in Linux Kernel. It has been declared as
> problematic. Affected by this vulnerability is the function
> ipv6_renew_options of the component IPv6 Handler. The manipulation
> leads to memory leak. The attack can be launched remotely.
> 
> CVSS v3 score is 7.5 HIGH(NIST).
> CVSS v3 score is 4.3 MEDIUM(VulDB).
> 
> Kernel 4.4 is also affected by this issue. Applying this fix requires
> modifying the patch.
> 
> Fixed status
> mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]

Sounds like more fun.

> CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 3.5 LOW(VulDB).
> 
> A vulnerability classified as problematic was found in Linux Kernel.
> Affected by this vulnerability is the function mvpp2_dbgfs_port_init
> of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the
> component mvpp2. The manipulation leads to memory leak.
> 
> Introduced by commit 21da57a ("net: mvpp2: add a debugfs interface for
> the Header Parser") in 4.19-rc1.
> 4.4, 4.9, 4.10, and 4.19 kernels are not affected by this issue.

4.19-rc1 means that 4.19 is affected, and indeed that commit is in
4.19-stable. Due to severity of the vulnerability (very low), I don't
think we care much.

> CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 4.6 MEDIUM(VulDB).
> 
> A vulnerability, which was classified as critical, has been found in
> Linux Kernel. Affected by this issue is the function del_timer of the
> file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The
> manipulation leads to use after free.

"Critical" -- really? mISDN does not have much to do with bluetooth. I
don't think we care.

> CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 4.6 MEDIUM(VulDB).
> 
> A vulnerability, which was classified as problematic, was found in
> Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt
> of the component TCP Handler. The manipulation leads to race
> conditions.

There's no race in the compiled code assuming a sane compiler; this is
just READ_ONCE() annotation for the tools.

I wonder if we should simply ignore anything that is "medium" or
lower? This is not too useful. There are a _lot_ of READ_ONCE
annotations:

rc-v5.10.132.list:a just a READ_ONCE annotation |dd36fc0e5 1f1be0 o: 5.10| sysctl: Fix data races in proc_dointvec().
rc-v5.10.132.list:a just a READ_ONCE annotation |3c353ca70 4762b5 o: 5.10| sysctl: Fix data races in proc_douintvec().
rc-v5.10.132.list:a just a READ_ONCE annotation |2d706aadb f613d8 o: 5.10| sysctl: Fix data races in proc_dointvec_minmax().
rc-v5.10.132.list:a just a READ_ONCE annotation |23f9db9f8 2d3b55 o: 5.10| sysctl: Fix data races in proc_douintvec_minmax().
rc-v5.10.132.list:a just a READ_ONCE annotation |3b18d2877 c31bcc o: 5.10| sysctl: Fix data races in proc_doulongvec_minmax().
rc-v5.10.132.list:a just a READ_ONCE annotation |fbb481c6c e87782 o: 5.10| sysctl: Fix data races in proc_dointvec_jiffies().
rc-v5.10.132.list:a just a READ_ONCE annotation |569565b31 47e6ab o: 5.10| tcp: Fix a data-race around sysctl_tcp_max_orphans.
rc-v5.10.132.list:a just a READ_ONCE annotation |1ffd2f3ca 3d32ed o: 4.19| inetpeer: Fix data-races around sysctl.
rc-v5.10.132.list:a just a READ_ONCE annotation |759957e29 310731 o: 4.19| net: Fix data-races around sysctl_mem.
rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |2afb079f1 dd44f0 o: 4.9| cipso: Fix data-races around sysctl.
rc-v5.10.132.list:a just a READ_ONCE annotation |cc7dc7f73 48d7ee o: 4.9| icmp: Fix data-races around sysctl.
rc-v5.10.132.list:a just a READ_ONCE annotation |ecc3b5b6d 73318c o: 5.10| ipv4: Fix a data-race around sysctl_fib_sync_mem.
rc-v5.10.132.list:a just a READ_ONCE annotation |8c0062e3d 2a4eb7 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratelimit.
rc-v5.10.132.list:a just a READ_ONCE annotation |abf7c1c68 1ebcb2 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratemask.
rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |66a01e657 e49e4a o: 4.9| ipv4: Fix data-races around sysctl_ip_dynaddr.
rc-v5.10.132.list:a just a READ_ONCE annotation |a9f8eb955 bdf00b o: 5.10| nexthop: Fix data-races around nexthop_compat_mode.
rc-v5.10.137.list:a just a READ_ONCE annotation |6a5c5b381 4915d5 o: 5.10| inet: add READ_ONCE(sk->sk_bound_dev_if) in INET_MATCH()
rc-v5.10.137.list:a just a READ_ONCE annotation, not a minimum fix |8d69424fb 5d368f o: 5.10| ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH()
rc-v5.10.137.list:a just a READ_ONCE annotation |1651eed8e 08a75f o: 5.10| tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
rc-v5.10.140.list:a just a READ_ONCE annotation |1cf035989 027395 o: 5.10| net: Fix data-races around sysctl_[rw]mem(_offset)?.
rc-v5.10.140.list:a just a READ_ONCE annotation |c430cce0f 1227c1 o: 5.10| net: Fix data-races around sysctl_[rw]mem_(max|default).
rc-v5.10.140.list:a just a READ_ONCE annotation |0ca09591c 5dcd08 o: 5.10| net: Fix data-races around netdev_max_backlog.
rc-v5.10.140.list:a just a READ_ONCE annotation |c9a25e523 61adf4 o: 4.19| net: Fix data-races around netdev_tstamp_prequeue.
rc-v5.10.140.list:a just a READ_ONCE annotation |33a56c470 7de6d0 o: 5.10| net: Fix data-races around sysctl_optmem_max.
rc-v5.10.140.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data.
rc-v5.10.140.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll.
rc-v5.10.140.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read.
rc-v5.10.140.list:a just a READ_ONCE annotation |6d73091c1 fa45d4 o: 4.19| net: Fix a data-race around netdev_budget_usecs.
rc-v5.10.140.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn.
rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data.
rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll.
rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read.
rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn.
rc-v5.10.14X-pre.list:a just a READ_ONCE annotation 5.10 05/16] cgroup: Remove data-race around cgrp_dfl_visible
rc-v5.10.150.list:a just a READ_ONCE annotation |1b3ae95b2 aacd46 o: 4.9| tcp: annotate data-race around tcp_md5sig_pool_populated

> CVE-2022-3567: ipv6: Fix data races around sk->sk_prot.
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 4.6 MEDIUM(VulDB).
> 
> A vulnerability has been found in Linux Kernel and classified as
> problematic. This vulnerability affects the function
> inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The
> manipulation leads to race conditions.
> 
> According to the commit log, commit 086d490 ("ipv6: annotate some
> data-races around sk->sk_prot") fixes a race condition bug but it was
> not enough.
> Therefore it seems that both commit 086d490 and 364f997 need to fix
> this issue.

This is a tiny bit more serious than usual READ_ONCE annotations,
but...

> CVE-2022-3541: eth: sp7021: fix use after free bug in
> spl2sw_nvmem_get_mac_address
> 
> CVSS v3 score is 7.8 HIGH(NIST).
> CVSS v3 score is 5.5 MEDIUM(VulDB).
> 
> A vulnerability classified as critical has been found in Linux Kernel.
> This affects the function spl2sw_nvmem_get_mac_address of the file
> drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The
> manipulation leads to use after free.

Component BPF?

> CVE-2022-3594: r8152: Rate limit overflow messages
> 
> CVSS v3 score is not provided(NIST).
> CVSS v3 score is 5.3 MEDIUM(VulDB).
> 
> A vulnerability was found in Linux Kernel. It has been declared as
> problematic. Affected by this vulnerability is the function
> intr_callback of the file drivers/net/usb/r8152.c of the component
> BPF. The manipulation leads to logging of excessive data. The attack
> can be launched remotely.
> 
> Fixed status
> mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907]

The "attack" is writing a line to syslog. Seems like every bug can get a
CVE if someone tries.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2022-06-15 23:44 Masami Ichikawa
@ 2022-06-16 12:04 ` Pavel Machek
  0 siblings, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2022-06-16 12:04 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 2462 bytes --]

Hi!


> It's this week's CVE report.
> 
> This week reported 3 new CVEs and 3 updated CVEs.
> 
> FYI: A new side-channel attack which is called "Hertzbleed Attack" has
> been published.
> This vulnerability has been assigned CVE-2022-23823 and CVE-2022-24436.
> Researchers confirmed Intel's 8th to 11th generation Core
> microarchitecture and AMD Ryzen processors are affected, but they
> haven't confirmed whether other processors (e.g. ARM) are affected.
> Intel and AMD provided guidance to mitigate the Hertzbleed Attack.
> However, researchers said that Intel and AMD haven't planned to
> provide microcode patches.
> 
> https://www.hertzbleed.com/

They certainly have good marketing and clearly want attention. Whether
they deserve attention... is hard to tell. Maybe situation will be
more clear after reading the paper.

There are three more vulnerabilities from the "fast and secure CPUs
are hard, and consumers can't easily tell CPUs are not secure as our
designs are secret" family:

+Device Register Partial Write (DRPW) (CVE-2022-21166)
+-----------------------------------------------------
+Some endpoint MMIO registers incorrectly handle writes that are smaller than
+the register size. Instead of aborting the write or only copying the correct
+subset of bytes (for example, 2 bytes for a 2-byte write), more bytes than
+specified by the write transaction may be written to the register. On
+processors affected by FBSDP, this may expose stale data from the fill buffers
+of the core that created the write transaction.
+
+Shared Buffers Data Sampling (SBDS) (CVE-2022-21125)
+----------------------------------------------------
+After propagators may have moved data around the uncore and copied stale data
+into client core fill buffers, processors affected by MFBDS can leak data from
+the fill buffer. It is limited to the client (including Intel Xeon server E3)
+uncore implementation.
+
+Shared Buffers Data Read (SBDR) (CVE-2022-21123)
+------------------------------------------------
+It is similar to Shared Buffer Data Sampling (SBDS) except that the data is
+directly read into the architectural software-visible state. It is limited to
+the client (including Intel Xeon server E3) uncore implementation.
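Review bot: FBSDP (in the DRPW paragraph) and MFBDS (in the SBDS paragraph) are referred to as already-known terms but are not expanded anywhere in these added lines; either expand each on first use or add a cross-reference to the section that defines them. Also, the SBDR paragraph writes "Shared Buffer Data Sampling (SBDS)" while the heading two paragraphs up reads "Shared Buffers Data Sampling (SBDS)"; pick one spelling so the name is searchable.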

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2022-06-09  9:41 ` [cip-dev] " Pavel Machek
@ 2022-06-09 12:06   ` Masami Ichikawa
  0 siblings, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2022-06-09 12:06 UTC (permalink / raw)
  To: cip-dev

On Thu, Jun 9, 2022 at 6:41 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > It's this week's CVE report.
> >
> > This week reported 12 new CVEs and 5 updated CVEs.
>
> Thanks for CVEs. I think there's another one we need to track --
> CVE-2021-4034 -- kernel vs pkexec API confusion leads to easy local
> root. I created an initial yml and pushed it to the repository.
>

Thank you for adding the CVE-2021-4034.yml.
I got it. The commit dcd46d8 ("exec: Force single empty string when
argv is empty") will prevent CVE-2021-4034-like attacks.

> Best regards,
>                                                         Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2022-06-08 23:44 Masami Ichikawa
@ 2022-06-09  9:41 ` Pavel Machek
  2022-06-09 12:06   ` Masami Ichikawa
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2022-06-09  9:41 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 477 bytes --]

Hi!

> It's this week's CVE report.
> 
> This week reported 12 new CVEs and 5 updated CVEs.

Thanks for CVEs. I think there's another one we need to track --
CVE-2021-4034 -- kernel vs pkexec API confusion leads to easy local
root. I created an initial yml and pushed it to the repository.

Best regards,
							Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2022-02-17  0:09 Masami Ichikawa
@ 2022-02-17 11:55 ` Pavel Machek
  0 siblings, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2022-02-17 11:55 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1026 bytes --]

Hi!

> CVE-2021-33096: Improper isolation of shared resources in network on
> chip for the Intel(R) 82599 Ethernet Controllers and Adapters may
> allow an authenticated user to potentially enable denial of service
> via local access.
> 
> CVSS v3 score is 5.5 MEDIUM
> 
> This bug allows a DoS attack. Intel recommended "Consult the
> Direct-Assignment Networking Fault Isolation in a Data Center
> Environment Prescriptive Guidance Addressing INTEL-SA-00571
> Application Note." in their Security Advisory (INTEL-SA-00571), so
> there are no patches for CVE-2021-33096.
> 
> Fixed status
> 
> Security Advisory INTEL-SA-00571 gives recommendations.

Interesting. So Intel hardware is buggy, and it is unsuitable in
certain virtualization configurations. It is a hardware problem, and
there's little we could do about it.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-08-26 11:51   ` Pavel Machek
@ 2021-08-26 12:43     ` Masami Ichikawa
  0 siblings, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2021-08-26 12:43 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]

Hi !

On Thu, Aug 26, 2021 at 8:51 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > > CVE-2021-3600: eBPF 32-bit source register truncation on div/mod
> > >
> > > The vulnerability has been introduced since 4.15-rc9. 4.4 is not
> > > affected. 4.19 is not fixed yet as of 2021/08/26.
> > >
> > > mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
> > > stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
> > > stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]
> >
> > I took a look into this. Apparently 4.14 and 4.19 are affected.
> > (https://seclists.org/oss-sec/2021/q2/228)
> >
> > Due to BPF 32-bit subregister requirements (see bpf_design_QA.rst)
> > top 32 bits should be always zero when the 32 bit registers are in
> > use. So it could be possible to use BPF_JMP instead of BPF_JMP32.
>
> Hmm, no; that is what original code did and what is known not to work
> for reasons I don't fully understand.
>
> Anyway, I asked on the lists, and according to Thadeu Lima de Souza
> Cascardo Ubuntu did some work on it and is likely to do some more.
>

Thank you for asking.

> Oh, and we may want to watch CVE-2021-3444, it is apparently related and
> not yet fixed in 4.19.
>

I see. We'll keep track of it.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6708): https://lists.cip-project.org/g/cip-dev/message/6708
Mute This Topic: https://lists.cip-project.org/mt/85151460/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
       [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
@ 2021-08-26 11:51   ` Pavel Machek
  2021-08-26 12:43     ` Masami Ichikawa
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-08-26 11:51 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 1251 bytes --]

Hi!

> > CVE-2021-3600: eBPF 32-bit source register truncation on div/mod
> > 
> > The vulnerability has been introduced since 4.15-rc9. 4.4 is not
> > affected. 4.19 is not fixed yet as of 2021/08/26.
> > 
> > mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
> > stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
> > stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]
> 
> I took a look into this. Apparently 4.14 and 4.19 are affected.
> (https://seclists.org/oss-sec/2021/q2/228)
> 
> Due to BPF 32-bit subregister requirements (see bpf_design_QA.rst)
> top 32 bits should be always zero when the 32 bit registers are in
> use. So it could be possible to use BPF_JMP instead of BPF_JMP32.

Hmm, no; that is what original code did and what is known not to work
for reasons I don't fully understand.

Anyway, I asked on the lists, and according to Thadeu Lima de Souza
Cascardo Ubuntu did some work on it and is likely to do some more.

Oh, and we may want to watch CVE-2021-3444, it is apparently related and
not yet fixed in 4.19.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6707): https://lists.cip-project.org/g/cip-dev/message/6707
Mute This Topic: https://lists.cip-project.org/mt/85151460/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-08-26  1:09 Masami Ichikawa
@ 2021-08-26 10:01 ` Pavel Machek
       [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
  1 sibling, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2021-08-26 10:01 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 1553 bytes --]

Hi!

> New CVEs
> 
> CVE-2020-3702: Specifically timed and handcrafted traffic can cause
> internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
> encryption with a consequent possibility of information disclosure
> over the air for a discrete set of traffic
> 
> This CVE affects ath9k driver.
> 
> Fixed status
> 
> mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
>            73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
>            d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
>            144cd24dbc36650a51f7fe3bf1424a1432f1f480,
>            ca2848022c12789685d3fab3227df02b863f9696]

At least some of the relevant fixes are queued for
5.10.61/4.19. Likely this will resolve itself.

> CVE-2021-3600: eBPF 32-bit source register truncation on div/mod
> 
> The vulnerability has been introduced since 4.15-rc9. 4.4 is not
> affected. 4.19 is not fixed yet as of 2021/08/26.
> 
> mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
> stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
> stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

I took a look into this. Apparently 4.14 and 4.19 are affected.
(https://seclists.org/oss-sec/2021/q2/228)

Due to BPF 32-bit subregister requirements (see bpf_design_QA.rst)
top 32 bits should be always zero when the 32 bit registers are in
use. So it could be possible to use BPF_JMP instead of BPF_JMP32.

Best regards,
							Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6706): https://lists.cip-project.org/g/cip-dev/message/6706
Mute This Topic: https://lists.cip-project.org/mt/85151460/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


^ permalink raw reply	[flat|nested] 43+ messages in thread
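The BPF_JMP versus BPF_JMP32 question raised for CVE-2021-3600 in the exchange above, as an added example that is not part of the thread and not the kernel's code: a small C model of the divide-by-zero guard that the verifier inserts in front of a 32-bit BPF division, run once with a 64-bit compare and once with a 32-bit one. It assumes the divisor register was left with non-zero upper bits by a 64-bit operation, and every function name in it (div_guard_allows, alu32_div, run_div32, div32_status, div32_value) is hypothetical.

```c
/* Added example, not kernel code: models the guard "jump over the
 * division unless src != 0" that the verifier inserts before a 32-bit
 * BPF_DIV, comparing src either as a 64-bit register (BPF_JMP) or as
 * its 32-bit subregister (BPF_JMP32). Function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Which compare the inserted "JNE src, 0" uses. */
enum jmp_class { JMP_64, JMP_32 };   /* BPF_JMP vs BPF_JMP32 */

/* Returns true when the guard lets the division execute. */
static bool div_guard_allows(uint64_t src, enum jmp_class cls)
{
    if (cls == JMP_32)
        return (uint32_t)src != 0;  /* BPF_JMP32: low 32 bits only */
    return src != 0;                /* BPF_JMP: the full 64-bit register */
}

/* 32-bit ALU division as the interpreter performs it: both operands are
 * truncated to 32 bits. A zero low half would be a hardware divide error
 * inside the kernel; this model reports it instead of performing it. */
static bool alu32_div(uint64_t dst, uint64_t src, uint32_t *out)
{
    uint32_t d = (uint32_t)dst, s = (uint32_t)src;
    if (s == 0)
        return false;
    *out = d / s;
    return true;
}

/* Runs "guard; dst = (u32)dst / (u32)src" under one guard class.
 * Returns 1 if the division ran normally, 0 if the guard skipped it and
 * forced the result to 0 (BPF's defined division-by-zero semantics), and
 * -1 if the guard let a 32-bit divide-by-zero through. */
static int run_div32(uint64_t dst, uint64_t src, enum jmp_class cls, uint32_t *out)
{
    if (!div_guard_allows(src, cls)) {
        *out = 0;
        return 0;
    }
    return alu32_div(dst, src, out) ? 1 : -1;
}

/* Convenience wrappers returning only the status or only the value. */
static int div32_status(uint64_t dst, uint64_t src, enum jmp_class cls)
{
    uint32_t out;
    return run_div32(dst, src, cls, &out);
}

static uint32_t div32_value(uint64_t dst, uint64_t src, enum jmp_class cls)
{
    uint32_t out = 0;
    run_div32(dst, src, cls, &out);
    return out;
}

int main(void)
{
    /* Constructed register contents: the low 32 bits of src are zero,
     * the upper 32 bits are not, so a 64-bit compare sees "non-zero". */
    const uint64_t dst = 100, src = 0x100000000ULL;

    printf("BPF_JMP   guard: status %d\n", div32_status(dst, src, JMP_64));
    printf("BPF_JMP32 guard: status %d, result %u\n",
           div32_status(dst, src, JMP_32), div32_value(dst, src, JMP_32));
    return 0;
}
```

With the 64-bit compare the guard passes and the 32-bit divide sees a zero divisor (status -1); with the 32-bit compare the guard skips the division and the result is 0, which is the behaviour the mainline fix restores.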

* [cip-dev] New CVE entries this week
@ 2021-08-26  1:09 Masami Ichikawa
  2021-08-26 10:01 ` Pavel Machek
       [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
  0 siblings, 2 replies; 43+ messages in thread
From: Masami Ichikawa @ 2021-08-26  1:09 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 3243 bytes --]

Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2020-3702: mainline is fixed

CVE-2021-3732: mainline and stable kernels are fixed

** Updated CVEs

There is no update.

** Tracking CVEs

CVE-2021-31615: No fix information as of 2021/08/26.

CVE-2021-3640: No fix information as of 2021/08/26.

CVE-2020-26555: No fix information as of 2021/08/26.

CVE-2020-26556: No fix information as of 2021/08/26.

CVE-2020-26557: No fix information as of 2021/08/26.

CVE-2020-26559: No fix information as of 2021/08/26.

CVE-2020-26560: No fix information as of 2021/08/26.

CVE-2021-3600: mainline, 5.10, 5.4 are fixed. 4.4 isn't affected. 4.19
isn't fixed.

* CVE detail

New CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

This CVE affects ath9k driver.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
           73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
           d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
           144cd24dbc36650a51f7fe3bf1424a1432f1f480,
           ca2848022c12789685d3fab3227df02b863f9696]

CVE-2021-3732: kernel: overlayfs: Mounting overlayfs inside an
unprivileged user namespace can reveal files

cip/4.19: [963d85d630dabe75a3cfde44a006fec3304d07b8]
cip/4.4: [c6e8810d25295acb40a7b69ed3962ff181919571]
mainline: [427215d85e8d1476da1a86b8d67aceb485eb3631]
stable/4.14: [517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce]
stable/4.19: [963d85d630dabe75a3cfde44a006fec3304d07b8]
stable/4.4: [c6e8810d25295acb40a7b69ed3962ff181919571]
stable/4.9: [e3eee87c846dc47f6d8eb6d85e7271f24122a279]
stable/5.10: [6a002d48a66076524f67098132538bef17e8445e]
stable/5.13: [41812f4b84484530057513478c6770590347dc30]
stable/5.4: [812f39ed5b0b7f34868736de3055c92c7c4cf459]

Updated CVEs

There is no update.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/26.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/26.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information as of 2021/08/26.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information as of 2021/08/26.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability has been introduced since 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.

mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-08-19  7:10 ` Pavel Machek
  2021-08-19  8:37   ` Masami Ichikawa
@ 2021-08-19  8:55   ` Nobuhiro Iwamatsu
  1 sibling, 0 replies; 43+ messages in thread
From: Nobuhiro Iwamatsu @ 2021-08-19  8:55 UTC (permalink / raw)
  To: cip-dev


Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Pavel Machek
> Sent: Thursday, August 19, 2021 4:10 PM
> To: cip-dev@lists.cip-project.org
> Subject: Re: [cip-dev] New CVE entries this week
> 
> Hi!
> 
> 
> > CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
> > to get shadow page
> >
> > This vulnerability has been introduced since 2.6.20-rc4 so 4.4 affects
> > this CVE but patch didn't apply to 4.4
> > (https://lore.kernel.org/stable/162358450944186@kroah.com/). 4.19 also
> > failed to apply this patch but backport patch has been merged
> > recently(https://lore.kernel.org/stable/20210812174140.2370680-1-ovidiu.panait@windriver.com/).
> >
> 
> I tried to look at this, and it is rather non-trivial. In particular,
> I'd not know how to test it. I ended up with this patch, but it is not
> even compile-tested.

Thanks for your work. I just checked this issue.

This probably won't compile because the walk_nx_mask variable isn't well defined.
I think we need to backport a patch for this variable or create another patch.

> 
> Best regards,
> 								Pavel

Best regards,
  Nobuhiro

> 
> diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
> index b653641d4261..ee5bd16a0856 100644
> --- a/Documentation/virtual/kvm/mmu.txt
> +++ b/Documentation/virtual/kvm/mmu.txt
> @@ -152,8 +152,8 @@ Shadow pages contain the following information:
>      shadow pages) so role.quadrant takes values in the range 0..3.  Each
>      quadrant maps 1GB virtual address space.
>    role.access:
> -    Inherited guest access permissions in the form uwx.  Note execute
> -    permission is positive, not negative.
> +    Inherited guest access permissions from the parent ptes in the form uwx.
> +    Note execute permission is positive, not negative.
>    role.invalid:
>      The page is invalid and should not be used.  It is a root page that is
>      currently pinned (by a cpu hardware register pointing to it); once it is
> diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
> index 7be8a251363e..cebcf7b29b15 100644
> --- a/arch/x86/kvm/paging_tmpl.h
> +++ b/arch/x86/kvm/paging_tmpl.h
> @@ -100,8 +100,8 @@ struct guest_walker {
>  	gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
>  	pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
>  	bool pte_writable[PT_MAX_FULL_LEVELS];
> -	unsigned pt_access;
> -	unsigned pte_access;
> +	unsigned int pt_access[PT_MAX_FULL_LEVELS];
> +	unsigned int pte_access;
>  	gfn_t gfn;
>  	struct x86_exception fault;
>  };
> @@ -354,6 +354,9 @@ retry_walk:
>  		pte_access = pt_access & FNAME(gpte_access)(vcpu, pte);
> 
>  		walker->ptes[walker->level - 1] = pte;
> +
> +		/* Convert to ACC_*_MASK flags for struct guest_walker.  */
> +		walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
>  	} while (!is_last_gpte(mmu, walker->level, pte));
> 
>  	if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
> @@ -392,10 +395,11 @@ retry_walk:
>  			goto retry_walk;
>  	}
> 
> -	walker->pt_access = pt_access;
> -	walker->pte_access = pte_access;
> +	walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
> +	walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
>  	pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
> -		 __func__, (u64)pte, pte_access, pt_access);
> +		 __func__, (u64)pte, walker->pte_access,
> +		 walker->pt_access[walker->level - 1]);
>  	return 1;
> 
>  error:
> @@ -555,7 +559,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
>  {
>  	struct kvm_mmu_page *sp = NULL;
>  	struct kvm_shadow_walk_iterator it;
> -	unsigned direct_access, access = gw->pt_access;
> +	unsigned int direct_access, access;
>  	int top_level, emulate = 0;
> 
>  	direct_access = gw->pte_access;
> @@ -586,6 +590,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
>  		sp = NULL;
>  		if (!is_shadow_present_pte(*it.sptep)) {
>  			table_gfn = gw->table_gfn[it.level - 2];
> +			access = gw->pt_access[it.level - 2];
>  			sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
>  					      false, access, it.sptep);
>  		}
> 
> 
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries this week
  2021-08-19  7:10 ` Pavel Machek
@ 2021-08-19  8:37   ` Masami Ichikawa
  2021-08-19  8:55   ` Nobuhiro Iwamatsu
  1 sibling, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2021-08-19  8:37 UTC (permalink / raw)
  To: cip-dev


Hi !

On Thu, Aug 19, 2021 at 4:10 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
>
> > CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
> > to get shadow page
> >
> > This vulnerability has been introduced since 2.6.20-rc4 so 4.4 affects
> > this CVE but patch didn't apply to 4.4
> > (https://lore.kernel.org/stable/162358450944186@kroah.com/). 4.19 also
> > failed to apply this patch but backport patch has been merged
> > recently(https://lore.kernel.org/stable/20210812174140.2370680-1-ovidiu.panait@windriver.com/).
> >
>
> I tried to look at this, and it is rather non-trivial. In particular,
> I'd not know how to test it. I ended up with this patch, but it is not
> even compile-tested.
>
> Best regards,
>                                                                 Pavel
>
> diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
> index b653641d4261..ee5bd16a0856 100644
> --- a/Documentation/virtual/kvm/mmu.txt
> +++ b/Documentation/virtual/kvm/mmu.txt
> @@ -152,8 +152,8 @@ Shadow pages contain the following information:
>      shadow pages) so role.quadrant takes values in the range 0..3.  Each
>      quadrant maps 1GB virtual address space.
>    role.access:
> -    Inherited guest access permissions in the form uwx.  Note execute
> -    permission is positive, not negative.
> +    Inherited guest access permissions from the parent ptes in the form uwx.
> +    Note execute permission is positive, not negative.
>    role.invalid:
>      The page is invalid and should not be used.  It is a root page that is
>      currently pinned (by a cpu hardware register pointing to it); once it is
> diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
> index 7be8a251363e..cebcf7b29b15 100644
> --- a/arch/x86/kvm/paging_tmpl.h
> +++ b/arch/x86/kvm/paging_tmpl.h
> @@ -100,8 +100,8 @@ struct guest_walker {
>         gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
>         pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
>         bool pte_writable[PT_MAX_FULL_LEVELS];
> -       unsigned pt_access;
> -       unsigned pte_access;
> +       unsigned int pt_access[PT_MAX_FULL_LEVELS];
> +       unsigned int pte_access;
>         gfn_t gfn;
>         struct x86_exception fault;
>  };
> @@ -354,6 +354,9 @@ retry_walk:
>                 pte_access = pt_access & FNAME(gpte_access)(vcpu, pte);
>
>                 walker->ptes[walker->level - 1] = pte;
> +
> +               /* Convert to ACC_*_MASK flags for struct guest_walker.  */
> +               walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
>         } while (!is_last_gpte(mmu, walker->level, pte));
>
>         if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
> @@ -392,10 +395,11 @@ retry_walk:
>                         goto retry_walk;
>         }
>
> -       walker->pt_access = pt_access;
> -       walker->pte_access = pte_access;
> +       walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
> +       walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
>         pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
> -                __func__, (u64)pte, pte_access, pt_access);
> +                __func__, (u64)pte, walker->pte_access,
> +                walker->pt_access[walker->level - 1]);
>         return 1;
>
>  error:
> @@ -555,7 +559,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
>  {
>         struct kvm_mmu_page *sp = NULL;
>         struct kvm_shadow_walk_iterator it;
> -       unsigned direct_access, access = gw->pt_access;
> +       unsigned int direct_access, access;
>         int top_level, emulate = 0;
>
>         direct_access = gw->pte_access;
> @@ -586,6 +590,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
>                 sp = NULL;
>                 if (!is_shadow_present_pte(*it.sptep)) {
>                         table_gfn = gw->table_gfn[it.level - 2];
> +                       access = gw->pt_access[it.level - 2];
>                         sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
>                                               false, access, it.sptep);
>                 }
>
>

Thank you for the patch. I looked at both original
patch(b1bd5cba3306691c771d558e94baa73e8b0b96b7) and yours.
This patch looks good to me.

> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-08-19  0:12 市川正美
@ 2021-08-19  7:10 ` Pavel Machek
  2021-08-19  8:37   ` Masami Ichikawa
  2021-08-19  8:55   ` Nobuhiro Iwamatsu
  0 siblings, 2 replies; 43+ messages in thread
From: Pavel Machek @ 2021-08-19  7:10 UTC (permalink / raw)
  To: cip-dev



Hi!


> CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
> to get shadow page
> 
> This vulnerability has been introduced since 2.6.20-rc4 so 4.4 affects
> this CVE but patch didn't apply to 4.4
> (https://lore.kernel.org/stable/162358450944186@kroah.com/). 4.19 also
> failed to apply this patch but backport patch has been merged
> recently(https://lore.kernel.org/stable/20210812174140.2370680-1-ovidiu.panait@windriver.com/).
> 

I tried to look at this, and it is rather non-trivial. In particular,
I'd not know how to test it. I ended up with this patch, but it is not
even compile-tested.

Best regards,
								Pavel

diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
index b653641d4261..ee5bd16a0856 100644
--- a/Documentation/virtual/kvm/mmu.txt
+++ b/Documentation/virtual/kvm/mmu.txt
@@ -152,8 +152,8 @@ Shadow pages contain the following information:
     shadow pages) so role.quadrant takes values in the range 0..3.  Each
     quadrant maps 1GB virtual address space.
   role.access:
-    Inherited guest access permissions in the form uwx.  Note execute
-    permission is positive, not negative.
+    Inherited guest access permissions from the parent ptes in the form uwx.
+    Note execute permission is positive, not negative.
   role.invalid:
     The page is invalid and should not be used.  It is a root page that is
     currently pinned (by a cpu hardware register pointing to it); once it is
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 7be8a251363e..cebcf7b29b15 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -100,8 +100,8 @@ struct guest_walker {
 	gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
 	pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
 	bool pte_writable[PT_MAX_FULL_LEVELS];
-	unsigned pt_access;
-	unsigned pte_access;
+	unsigned int pt_access[PT_MAX_FULL_LEVELS];
+	unsigned int pte_access;
 	gfn_t gfn;
 	struct x86_exception fault;
 };
@@ -354,6 +354,9 @@ retry_walk:
 		pte_access = pt_access & FNAME(gpte_access)(vcpu, pte);
 
 		walker->ptes[walker->level - 1] = pte;
+
+		/* Convert to ACC_*_MASK flags for struct guest_walker.  */
+		walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
 	} while (!is_last_gpte(mmu, walker->level, pte));
 
 	if (unlikely(permission_fault(vcpu, mmu, pte_access, access))) {
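Review bot: the added line `walker->pt_access[walker->level - 1] = FNAME(gpte_access)(pt_access ^ walk_nx_mask);` calls gpte_access with a single argument, while two lines above this tree calls it as `FNAME(gpte_access)(vcpu, pte)`, and walk_nx_mask is declared nowhere in the patch, so this hunk will not compile as posted (Nobuhiro's reply points at the same variable). In this version pt_access already holds an ACC_* mask (pte_access is computed as `pt_access & FNAME(gpte_access)(vcpu, pte)`), so the conversion the new comment describes is not needed here; recording `walker->pt_access[walker->level - 1] = pt_access;` per level should be sufficient.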
@@ -392,10 +395,11 @@ retry_walk:
 			goto retry_walk;
 	}
 
-	walker->pt_access = pt_access;
-	walker->pte_access = pte_access;
+	walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);
+	walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);
 	pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
-		 __func__, (u64)pte, pte_access, pt_access);
+		 __func__, (u64)pte, walker->pte_access,
+		 walker->pt_access[walker->level - 1]);
 	return 1;
 
 error:
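Review bot: `walker->pt_access = FNAME(gpte_access)(pt_access ^ walk_nx_mask);` assigns a scalar to what the struct hunk turned into an array, which is a compile error; since the per-level values are now stored inside the walk loop, this line can simply be dropped. Likewise `walker->pte_access = FNAME(gpte_access)(pte_access ^ walk_nx_mask);` re-converts a value that is already an ACC_* mask in this tree, so keeping the original `walker->pte_access = pte_access;` is the safer backport. The pgprintk argument change is fine once pt_access is an array.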
@@ -555,7 +559,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 {
 	struct kvm_mmu_page *sp = NULL;
 	struct kvm_shadow_walk_iterator it;
-	unsigned direct_access, access = gw->pt_access;
+	unsigned int direct_access, access;
 	int top_level, emulate = 0;
 
 	direct_access = gw->pte_access;
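Review bot: removing the initializer (`access = gw->pt_access`) leaves `access` unset between its declaration and the assignment added in the walk loop in the next hunk; please confirm that nothing else in FNAME(fetch) reads `access` before that assignment, otherwise a stray use that was previously a wrong-but-defined permission becomes an uninitialized read.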
@@ -586,6 +590,7 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 		sp = NULL;
 		if (!is_shadow_present_pte(*it.sptep)) {
 			table_gfn = gw->table_gfn[it.level - 2];
+			access = gw->pt_access[it.level - 2];
 			sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
 					      false, access, it.sptep);
 		}


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* [cip-dev] New CVE entries this week
@ 2021-08-19  0:12 市川正美
  2021-08-19  7:10 ` Pavel Machek
  0 siblings, 1 reply; 43+ messages in thread
From: 市川正美 @ 2021-08-19  0:12 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3653: mainline, 5.10, 5.13, 5.4 are fixed.

CVE-2021-3656: mainline, 5.10, 5.13, 5.4 are fixed. 4.4 is not affected.

** Updated CVEs

CVE-2021-33624: mainline, 4.19, 5.10, 5.12, 5.4 are fixed. 4.4 is not
affected by this vulnerability.

CVE-2021-38198: mainline, 4.19, 5.10, 5.4 are fixed. 4.4 is affected by
this vulnerability.

CVE-2021-38205: mainline and stable kernels are fixed.

** Tracking CVEs

CVE-2021-31615: there is no fixed information as of 2021/08/12

CVE-2021-3640: there is no fixed information as of 2021/08/12


* CVE detail

New CVEs

CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

CVE-2021-3653 and CVE-2021-3656 are vulnerable when nested kvm is enabled.

Patch for 4.19 is backported by
https://lore.kernel.org/stable/20210816140240.11399-2-pbonzini@redhat.com/
but not applied yet.

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/5.10: [c0883f693187c646c0972d73e525523f9486c2e3]
stable/5.13: [a0949ee63cf95408870a564ccad163018b1a9e6b]
stable/5.4: [7c1c96ffb658fbfe66c5ebed6bcb5909837bc267]

CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

This vulnerability has been introduced since 4.13-rc1 so that 4.4
kernel is not affected.
CVE-2021-3653 and CVE-2021-3656 are vulnerable when nested kvm is enabled.

Patch for 4.19 is backported by
https://lore.kernel.org/stable/20210816140240.11399-9-pbonzini@redhat.com/
but not applied yet.

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/5.10: [3dc5666baf2a135f250e4101d41d5959ac2c2e1f]
stable/5.13: [639a033fd765ed473dfee27028df5ccbe1038a2e]
stable/5.4: [a17f2f2c89494c0974529579f3552ecbd1bc2d52]

Updated CVEs

CVE-2021-33624: Linux kernel BPF protection against speculative
execution attacks can be bypassed to read arbitrary kernel memory

The main patch 9183671af6dbf60a1219371d4ed73e23f43b49db fixes commit
b2157399cc9898260d6031c5bfe45fe137c1fbe7 which has been merged since
4.15-rc8, so 4.4 isn't affected by this vulnerability.

Fixed status

mainline: [d203b0fd863a2261e5d00b97f3d060c4c2a6db71,
           fe9a5ca7e370e613a9a75a13008a3845ea759d6e,
           9183671af6dbf60a1219371d4ed73e23f43b49db,
           973377ffe8148180b2651825b92ae91988141b05]
stable/4.19: [0abc8c9754c953f5cd0ac7488c668ca8d53ffc90,
              c510c1845f7b54214b4117272e0d87dff8732af6,
              9df311b2e743642c5427ecf563c5050ceb355d1d,
              c15b387769446c37a892f958b169744dabf7ff23]
stable/5.10: [e9d271731d21647f8f9e9a261582cf47b868589a,
              8c82c52d1de931532200b447df8b4fc92129cfd9,
              5fc6ed1831ca5a30fb0ceefd5e33c7c689e7627b]
stable/5.12: [408a4956acde24413f3c684912b1d3e404bed8e2,
              68a1936e1812653b68c5b68e698d88fb35018835,
              4a99047ed51c98a09a537fe2c12420d815dfe296,
              e5e2010ac3e27efa1e6e830b250f491da82d51b4]
stable/5.4: [283d742988f6b304f32110f39e189a00d4e52b92,
             d2f790327f83b457db357e7c66f942bc00d43462,
             fd568de5806f8859190e6305a1792ba8cb20de61,
             a0f66ddf05c2050e1b7f53256bd9c25c2bb3022b]

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

This vulnerability has been introduced since 2.6.20-rc4 so 4.4 is affected
by this CVE but the patch didn't apply to 4.4
(https://lore.kernel.org/stable/162358450944186@kroah.com/). 4.19 also
failed to apply this patch but backport patch has been merged
recently(https://lore.kernel.org/stable/20210812174140.2370680-1-ovidiu.panait@windriver.com/).


Fixed status

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/4.19: [4c07e70141eebd3db64297515a427deea4822957]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]
stable/5.4: [d28adaabbbf4a6949d0f6f71daca6744979174e2]

CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer

We talked about this CVE at the previous weekly CVE report. Thank you to
Pavel for backporting the patch.

Fixed status

mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
stable/4.14: [1994eacac7af52da86e4b0cb6ae61621bef7393f]
stable/4.19: [9322401477a6d1f9de8f18e5d6eb43a68e0b113a]
stable/4.4: [3d4ba14fc5ffbe5712055af09a5c0cbab93c0f44]
stable/4.9: [ffdc1e312e2074875147c1df90764a9bae56f11f]
stable/5.10: [25cff25ec60690247db8138cd1af8b867df2c489]
stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]
stable/5.4: [38b8485b72cbe4521fd2e0b8770e3d78f9b89e60]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fixed information as of 2021/08/19.

CVE-2021-3640: UAF in sco_send_frame function

There is no fixed information as of 2021/08/19.

Regards,


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-08-12  5:43 ` Pavel Machek
@ 2021-08-12  8:40   ` 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-08-12  8:40 UTC (permalink / raw)
  To: cip-dev


Hi !

On Thu, Aug 12, 2021 at 2:43 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > * CVE detail
> >
> > New CVEs
>
> > CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer
> >
> > xemaclite_of_probe() in drivers/net/ethernet/xilinx/xilinx_emaclite.c
> > leaks kernel memory layout.
> >
> > Fixed status
> >
> > mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
> > stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]
>
> This affects our kernels (I looked at 5.10.57 and 4.4.277). On one
> hand we could ask for backport, on the other... I'm not sure it is
> serious enough to warrant any action.
>

I think this vulnerability seems to be low priority because an
attacker needs another vulnerability to abuse this vulnerability.
However, it would be nice to backport the patch too.

> Best regards,
>                                                                 Pavel
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-08-12  0:33 市川正美
@ 2021-08-12  5:43 ` Pavel Machek
  2021-08-12  8:40   ` 市川正美
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-08-12  5:43 UTC (permalink / raw)
  To: cip-dev



Hi!

> * CVE detail
> 
> New CVEs

> CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer
> 
> xemaclite_of_probe() in drivers/net/ethernet/xilinx/xilinx_emaclite.c
> leaks kernel memory layout.
> 
> Fixed status
> 
> mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
> stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]

This affects our kernels (I looked at 5.10.57 and 4.4.277). On one
hand we could ask for backport, on the other... I'm not sure it is
serious enough to warrant any action.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* [cip-dev] New CVE entries this week
@ 2021-08-12  0:33 市川正美
  2021-08-12  5:43 ` Pavel Machek
  0 siblings, 1 reply; 43+ messages in thread
From: 市川正美 @ 2021-08-12  0:33 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3635: There is no detailed information as of 2021/08/12

CVE-2021-38160: mainline and stable kernels are fixed.

CVE-2021-38166: Fixed in bpf tree. Not fixed in mainline as of 2021/08/12

CVE-2021-38198: mainline and v5.10 are fixed as of 2021/08/12

CVE-2021-38199: mainline, v4.19, and v5.X kernels are fixed. This CVE
introduced by commit 5c6e5b6 which is in since v4.8-rc1

CVE-2021-38200: This CVE only affects PowerPC architecture

CVE-2021-38201: This CVE is introduced since v5.11-rc1 so before 5.11
kernels aren't affected

CVE-2021-38202: This CVE is introduced since v5.13-rc1 so before 5.13
kernels aren't affected

CVE-2021-38203: This CVE is introduced since v5.13-rc1 so before 5.13
kernels aren't affected

CVE-2021-38204: mainline and stable kernels are fixed

CVE-2021-38205: mainline is fixed as of 2021/08/12

CVE-2021-38206: mainline and 5.10 are fixed. This CVE affects since v5.9

CVE-2021-38207: mainline and 5.10 are fixed. This CVE affects since v5.6-rc4

CVE-2021-38208: mainline and stable kernels are fixed as of 2021/08/21

CVE-2021-38209: mainline and 5.10 are fixed. This CVE is introduced
since 5.7-rc1 so before 5.7 kernels aren't affected by this CVE.

** Updated CVEs

No update.

** Tracking CVEs

CVE-2021-31615: there is no fixed information as of 2021/08/12

CVE-2021-3640: there is no fixed information as of 2021/08/12


* CVE detail

New CVEs

CVE-2021-3635: flowtable list del corruption with kernel BUG at
lib/list_debug.c:50

According to the Red Hat Bugzilla, it says "A flaw was found in the
Linux kernels netfilter implementation. A missing generation check
during DELTABLE processing causes it to queue the DELFLOWTABLE
operation a second time possibly leading to data corruption and denial
of service.  An attacker must have either root or CAP_SYS_ADMIN
capabilities to exploit this flaw."  However, there is no more
detailed information as of 2021/08/12.

Fixed status

None

CVE-2021-38160: virtio_console: Assure used length from device is limited

Fixed status

mainline: [d00d8da5869a2608e97cfede094dfc5e11462a46]
stable/4.14: [56cf748562d3cbfd33d1ba2eb4a7603a5e20da88]
stable/4.19: [b5fba782ccd3d12a14f884cd20f255fc9c0eec0c]
stable/4.4: [187f14fb88a9e62d55924748a274816fe6f34de6]
stable/4.9: [9e2b8368b2079437c6840f3303cb0b7bc9b896ee]
stable/5.10: [f6ec306b93dc600a0ab3bb2693568ef1cc5f7f7a]
stable/5.13: [21a06a244d2576f93cbc9ce9bf95814c2810c36a]
stable/5.4: [52bd1bce8624acb861fa96b7c8fc2e75422dc8f7]

CVE-2021-38166: bpf: Fix integer overflow involving bucket_size

This CVE is introduced by commit 057996380a42 ("bpf: Add batch ops to
all htab bpf map") which was in since 5.6-rc1.

Fixed status

None

CVE-2021-38198: KVM: X86: MMU: Use the correct inherited permissions
to get shadow page

Fixed status

mainline: [b1bd5cba3306691c771d558e94baa73e8b0b96b7]
stable/5.10: [6b6ff4d1f349cb35a7c7d2057819af1b14f80437]

CVE-2021-38199: NFSv4: Initialise connection to the server in
nfs4_alloc_client()

This CVE is introduced by commit 5c6e5b6 ("NFS: Fix an Oops in the
pNFS files and flexfiles connection setup to the DS") which was in
v4.8-rc1. So, v4.4 is not affected by this CVE.

Fixed status

mainline: [dd99e9f98fbf423ff6d365b37a98e8879170f17c]
stable/4.19: [743f6b973c8ba8a0a5ed15ab11e1d07fa00d5368]
stable/5.10: [ff4023d0194263a0827c954f623c314978cf7ddd]
stable/5.13: [b0bfac939030181177373f549398ba94c384713d]
stable/5.4: [81e03fe5bf8f5f66b8a62429fb4832b11ec6b272]

CVE-2021-38200: powerpc/perf: Fix crash with
'perf_instruction_pointer' when pmu is not set

This CVE only affects PowerPC architecture so we don't have to track it.

Fixed status

mainline: [60b7ed54a41b550d50caf7f2418db4a7e75b5bdc]

CVE-2021-38201: net/sunrpc/xdr.c in the Linux kernel before 5.13.4
allows remote attackers to cause a denial of service
(xdr_set_page_base slab-out-of-bounds access) by performing many NFS
4.2 READ_PLUS operations.

This CVE is introduced by commit 8d86e37 ("SUNRPC: Clean up helpers
xdr_set_iov() and xdr_set_page_base()") which has been in since v5.11-rc1.
So, we don't have to track it.

Fixed status

mainline: [6d1c0f3d28f98ea2736128ed3e46821496dc3a8c]
stable/5.13: [a02357d7532b88e97329bd7786c7e72601109704]

CVE-2021-38202: fs/nfsd/trace.h in the Linux kernel before 5.13.4
might allow remote attackers to cause a denial of service
(out-of-bounds read in strlen) by sending NFS traffic when the trace
event framework is being used for nfsd.

This CVE is introduced by commit 6019ce0 ("NFSD: Add a tracepoint to
record directory entry encoding") which has been in since v5.13-rc1.
We don't have to track it.

Fixed status

mainline: [7b08cf62b1239a4322427d677ea9363f0ab677c6]
stable/5.13: [7605bff387a9972038b217b6c60998778dbae931]

CVE-2021-38203: btrfs: fix deadlock with concurrent chunk allocations
involving system chunks

This CVE was introduced in v5.13-rc1, so the 5.10, 4.19, and 4.4 kernels
aren't affected. We don't have to track it.

Fixed status

mainline: [1cb3db1cf383a3c7dbda1aa0ce748b0958759947]
stable/5.13: [789b24d9950d3e67b227f81b3fab912a8fb257af]

CVE-2021-38204: usb: max-3421: Prevent corruption of freed memory

Fixed status

mainline: [b5fdf5c6e6bee35837e160c00ac89327bdad031b]
stable/4.14: [edddc79c4391f8001095320d3ca423214b9aa4bf]
stable/4.19: [51fc12f4d37622fa0c481604833f98f11b1cac4f]
stable/4.4: [fc2a7c2280fa2be8ff9b5af702368fcd49a0acdb]
stable/4.9: [ae3209b9fb086661ec1de4d8f4f0b951b272bbcd]
stable/5.10: [7af54a4e221e5619a87714567e2258445dc35435]
stable/5.13: [d4179cdb769a651f2ae89c325612a69bf6fbdf70]
stable/5.4: [863d071dbcd54dacf47192a1365faec46b7a68ca]

CVE-2021-38205: net: xilinx_emaclite: Do not print real IOMEM pointer

xemaclite_of_probe() in drivers/net/ethernet/xilinx/xilinx_emaclite.c
leaks kernel memory layout.

Fixed status

mainline: [d0d62baa7f505bd4c59cd169692ff07ec49dde37]
stable/5.13: [8722275b41d5127048e1422a8a1b6370b4878533]

CVE-2021-38206: mac80211: Fix NULL ptr deref for injected rate info

This CVE is introduced by commit cb17ed2 ("mac80211: parse radiotap
header when selecting Tx queue") which has been in since 5.9-rc1.
Therefore kernels before 5.9 aren't affected.

Fixed status

mainline: [bddc0c411a45d3718ac535a070f349be8eca8d48]
stable/5.10: [f74df6e086083dc435f7500bdbc86b05277d17af]
stable/5.4: [b6c0ab11c88fb016bfc85fa4f6f878f5f4263646]

CVE-2021-38207: net: ll_temac: Fix TX BD buffer overwrite

This CVE is introduced by commit 84823ff ("net: ll_temac: Fix race
condition causing TX hang") which has been in since v5.6-rc4, so kernels
before 5.6-rc aren't affected.

Fixed status

mainline: [c364df2489b8ef2f5e3159b1dff1ff1fdb16040d]
stable/5.10: [cfe403f209b11fad123a882100f0822a52a7630f]
stable/5.4: [b6c0ab11c88fb016bfc85fa4f6f878f5f4263646]

CVE-2021-38208: net/nfc/llcp_sock.c in the Linux kernel before 5.12.10
allows local unprivileged users to cause a denial of service (NULL
pointer dereference and BUG) by making a getsockname call after a
certain type of failure of a bind call.

Fixed status

mainline: [4ac06a1e013cf5fdd963317ffd3b968560f33bba]
stable/4.14: [ffff05b9ee5c74c04bba2801c1f99b31975d74d9]
stable/4.19: [93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f]
stable/4.4: [eb6875d48590d8e564092e831ff07fa384d7e477]
stable/4.9: [39c15bd2e5d11bcf7f4c3dba2aad9e1e110a5d94]
stable/5.10: [48ee0db61c8299022ec88c79ad137f290196cac2]
stable/5.4: [5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70]

CVE-2021-38209: net/netfilter/nf_conntrack_standalone.c in the Linux
kernel before 5.12.2 allows observation of changes in any net
namespace because these changes are leaked into all other net
namespaces. This is related to the NF_SYSCTL_CT_MAX,
NF_SYSCTL_CT_EXPECT_MAX, and NF_SYSCTL_CT_BUCKETS sysctls.

This CVE is introduced by commit d0febd8 ("netfilter: conntrack:
re-visit sysctls in unprivileged namespaces") which has been in since
5.7-rc1. Therefore kernels before 5.7 aren't affected by this CVE.

Fixed status

mainline: [2671fa4dc0109d3fb581bc3078fdf17b5d9080f6]
stable/4.14: [68122479c128a929f8f7bdd951cfdc8dd0e75b8f]
stable/4.19: [9b288479f7a901a14ce703938596438559d7df55]
stable/4.9: [da50f56e826e1db141693297afb99370ebc160dd]
stable/5.10: [d3598eb3915cc0c0d8cab42f4a6258ff44c4033e]
stable/5.4: [baea536cf51f8180ab993e374cb134b5edad25e2]

Updated CVEs

No update.

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fixed information as of 2021/08/12.

CVE-2021-3640: UAF in sco_send_frame function

There is no fixed information as of 2021/08/12.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com

[-- Attachment #2: Type: text/plain, Size: 429 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#6673): https://lists.cip-project.org/g/cip-dev/message/6673
Mute This Topic: https://lists.cip-project.org/mt/84830495/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/10495289/4520388/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* Re: [cip-dev] New CVE entries this week
  2021-08-05  9:00 ` Pavel Machek
@ 2021-08-06  0:46   ` 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-08-06  0:46 UTC (permalink / raw)
  To: cip-dev


Hi!

On Thu, Aug 5, 2021 at 6:00 PM Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> > ** Updated CVEs
>
> > CVE-2021-22543: v4.19 and v5.10 are fixed. v4.4 uses another way to
> > get pfn. If v4.4 is vulnerable it needs to write its own patch.
>
> 4.4 is very different in that area, and KVM is not exactly our
> focus. A lot of research would be needed. I guess we can simply ignore
> this one.
>
> > * CVE detail
> >
> > CVE-2021-35477: unprivileged BPF program can obtain sensitive
> > information from kernel memory via a speculative store bypass
> > side-channel attack because the technique used by the BPF verifier to
> > manage speculation is unreliable
> >
> > CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits.
> > Commit 2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
> > f7cf25b2026d (introduced in v5.3-rc1).
> >
> > Fixed status
> > mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
> > 2039f26f3aca5b0e419b98f65dd36481337b86ee]
> > stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
> > 0e9280654aa482088ee6ef3deadef331f5ac5fb0]
> > stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
> > 0b27bdf02c400684225ee5ee99970bcbf5082282]
>
> Yes, speculation is a huge problem, and getting BPF right with broken
> CPUs will be hard. I'd hope CIP people are not using untrusted BTF
> programs, and that we can ignore it.
>

I agree. Not running untrusted programs on a production system is the
most important thing.
Ignore both CVE-2021-34556 and CVE-2021-35477.

> > CVE-2021-3669: reading /proc/sysvipc/shm does not scale with large
> > shared memory segment counts
> >
> > According to Red Hat Bugzilla, "Not reported upstream, patches
> > are being worked on. It is not considered high impact because of the
> > requirements and need to have massive amount of shm (usually well
> > above ulimits)".
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1986473#c10
>
> DoS only, and only in unusual configuration. I believe we can ignore
> this one.
>

I agree.

> > CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
> > Linux kernel through 5.13.4 calls unregister_netdev without checking
> > for the NETREG_REGISTERED state, leading to a use-after-free and a
> > double free.
> >
> > The mainline, 5.10, 5.13 are fixed.
> >
> > Fixed status
> > mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
> > stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
> > stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]
>
> I guess we could try to rework the function in a similar way 5.10 did,
> but... we are not using HSO in our configs, and I have a hard time
> imagining how an "attacker" would trigger it. So this is... just a
> bug. I'd suggest ignoring.
>

Thank you for checking the configuration. We don't use HSO configs, so
we don't have the attack surface; therefore we can ignore it.

> Best regards,
>                                                                 Pavel
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-08-05  0:47 市川正美
@ 2021-08-05  9:00 ` Pavel Machek
  2021-08-06  0:46   ` 市川正美
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-08-05  9:00 UTC (permalink / raw)
  To: cip-dev



Hi!

> ** Updated CVEs

> CVE-2021-22543: v4.19 and v5.10 are fixed. v4.4 uses another way to
> get pfn. If v4.4 is vulnerable it needs to write its own patch.

4.4 is very different in that area, and KVM is not exactly our
focus. A lot of research would be needed. I guess we can simply ignore
this one.

> * CVE detail
> 
> CVE-2021-35477: unprivileged BPF program can obtain sensitive
> information from kernel memory via a speculative store bypass
> side-channel attack because the technique used by the BPF verifier to
> manage speculation is unreliable
> 
> CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits.
> Commit 2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
> f7cf25b2026d (introduced in v5.3-rc1).
> 
> Fixed status
> mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
> 2039f26f3aca5b0e419b98f65dd36481337b86ee]
> stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
> 0e9280654aa482088ee6ef3deadef331f5ac5fb0]
> stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
> 0b27bdf02c400684225ee5ee99970bcbf5082282]

Yes, speculation is a huge problem, and getting BPF right with broken
CPUs will be hard. I'd hope CIP people are not using untrusted BTF
programs, and that we can ignore it.

> CVE-2021-3669: reading /proc/sysvipc/shm does not scale with large
> shared memory segment counts
> 
> According to Red Hat Bugzilla, "Not reported upstream, patches
> are being worked on. It is not considered high impact because of the
> requirements and need to have massive amount of shm (usually well
> above ulimits)".
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1986473#c10

DoS only, and only in unusual configuration. I believe we can ignore
this one.

> CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
> Linux kernel through 5.13.4 calls unregister_netdev without checking
> for the NETREG_REGISTERED state, leading to a use-after-free and a
> double free.
> 
> The mainline, 5.10, 5.13 are fixed.
> 
> Fixed status
> mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
> stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
> stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]

I guess we could try to rework the function in a similar way 5.10 did,
but... we are not using HSO in our configs, and I have a hard time
imagining how an "attacker" would trigger it. So this is... just a
bug. I'd suggest ignoring.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* [cip-dev] New CVE entries this week
@ 2021-08-05  0:47 市川正美
  2021-08-05  9:00 ` Pavel Machek
  0 siblings, 1 reply; 43+ messages in thread
From: 市川正美 @ 2021-08-05  0:47 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3659: stable kernels are fixed

CVE-2021-35477: mainline, v5.10, and v5.13 are fixed

CVE-2021-34556: mainline, v5.10, and v5.13 are fixed

CVE-2021-3669: According to Red Hat Bugzilla, "Not reported
upstream, patches are being worked on."

CVE-2021-3679: mainline and stable kernels are fixed

** Updated CVEs

CVE-2021-29256: the vulnerability is in a 3rd-party module.

CVE-2021-31829: v4.4 is not affected by this vulnerability. Other stable
kernels are fixed.

CVE-2021-3655: updated v4.4 fixed status. Stable kernels are fixed.

CVE-2021-22543: v4.19 and v5.10 are fixed. v4.4 uses another way to
get pfn. If v4.4 is vulnerable it needs to write its own patch.

CVE-2021-21781: v4.4 and v4.9 are fixed. All stable kernels are fixed.

CVE-2021-37159: mainline, v5.10, v5.13 are fixed as of 2021/08/05


** Tracking CVEs

CVE-2021-31615: there is no fixed information as of 2021/08/05

CVE-2021-3640: there is no fixed information as of 2021/08/05


* CVE detail

New CVEs

CVE-2021-3659: NULL pointer dereference in llsec_key_alloc() in
net/mac802154/llsec.c

Stable kernels are fixed.

Fixed status

mainline: [1165affd484889d4986cf3b724318935a0b120d8]
stable/4.14: [d103fd20f0539e2bd615ed6f6159537cb7e2c5ba]
stable/4.19: [c166c0f5311dc9de687b8985574a5ee5166d367e]
stable/4.4: [cd19d85e6d4a361beb11431af3d22248190f5b48]
stable/4.9: [c3883480ce4ebe5b13dbfdc9f2c6503bc9e8ab69]
stable/5.10: [38731bbcd9f0bb8228baaed5feb4a1f76530e49c]
stable/5.4: [38ea2b3ed00fb4632a706f2c796d6aa4a884f573]


CVE-2021-35477: unprivileged BPF program can obtain sensitive
information from kernel memory via a speculative store bypass
side-channel attack because the technique used by the BPF verifier to
manage speculation is unreliable

CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits.
Commit 2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
f7cf25b2026d (introduced in v5.3-rc1).

Fixed status
mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
2039f26f3aca5b0e419b98f65dd36481337b86ee]
stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
0e9280654aa482088ee6ef3deadef331f5ac5fb0]
stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
0b27bdf02c400684225ee5ee99970bcbf5082282]

CVE-2021-34556: unprivileged BPF program can obtain sensitive
information from kernel memory via a speculative store bypass
side-channel attack because of the possibility of uninitialized memory
locations on the BPF stack

CVE-2021-34556 and CVE-2021-35477 are fixed by the same commits. Commit
2039f26f3aca fixes af86ca4e3088 (introduced in v4.17-rc7) and
f7cf25b2026d (introduced in v5.3-rc1).

Fixed status
mainline: [f5e81d1117501546b7be050c5fbafa6efd2c722c,
2039f26f3aca5b0e419b98f65dd36481337b86ee]
stable/5.10: [bea9e2fd180892eba2574711b05b794f1d0e7b73,
0e9280654aa482088ee6ef3deadef331f5ac5fb0]
stable/5.13: [ddab060f996e17b38bb181c5fd11a83fd1bfa0df,
0b27bdf02c400684225ee5ee99970bcbf5082282]

CVE-2021-3669: reading /proc/sysvipc/shm does not scale with large
shared memory segment counts

According to Red Hat Bugzilla, "Not reported upstream, patches
are being worked on. It is not considered high impact because of the
requirements and need to have massive amount of shm (usually well
above ulimits)".

https://bugzilla.redhat.com/show_bug.cgi?id=1986473#c10

CVE-2021-3679: tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop

Mainline and stable kernels are fixed.

Fixed status
mainline: [67f0d6d9883c13174669f88adac4f0ee656cc16a]
stable/4.14: [76598512d5d7fc407c319ca4448cf5348b65058a]
stable/4.19: [6a99bfee7f5625d2577a5c3b09a2bd2a845feb8a]
stable/4.4: [afa091792525dfa6c3c854069ec6b8a5ccc62c11]
stable/4.9: [7db12bae1a239d872d17e128fd5271da789bf99c]
stable/5.10: [757bdba8026be19b4f447487695cd0349a648d9e]
stable/5.13: [917a5bdd114a27c159796928cb3c09723a51d1c7]
stable/5.4: [f899f24d34d964593b16122a774c192a78e2ca56]

Updated CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory, leading to information
disclosure or root privilege escalation

This driver is a 3rd-party module provided by ARM. The mainline
kernel doesn't provide the driver code.
Bifrost and Valhall are fixed, but the Midgard driver is not fixed as of 2021/08/03.

CVE-2021-31829: kernel/bpf/verifier.c in the Linux kernel through
5.12.1 performs undesirable speculative loads, leading to disclosure
of stack content via side-channel attacks, aka CID-801c6058d14a

According to commit b9b34ddbe207, this CVE is introduced by
979d63d50c0c. Also, 979d63d50c0c fixes commit b215739 which was
released in v4.15-rc8, so v4.4 is not affected by this vulnerability.

Fixed status
mainline: [b9b34ddbe2076ade359cd5ce7537d5ed019e9807,
801c6058d14a82179a7ee17a4b532cac6fad067f]
stable/4.14: [4d542ddb88fb2f39bf7f14caa2902f3e8d06f6ba,
19e4f40ce75079b9532f35f92780db90104648f1]
stable/4.19: [0e2dfdc74a7f4036127356d42ea59388f153f42c,
bd9df99da9569befff2234b1201ac4e065e363d0]
stable/5.10: [2cfa537674cd1051a3b8111536d77d0558f33d5d,
2fa15d61e4cbaaa1d1250e67b251ff96952fa614]
stable/5.4: [53e0db429b37a32b8fc706d0d90eb4583ad13848,
8ba25a9ef9b9ca84d085aea4737e6c0852aa5bfd]

CVE-2021-3655: missing size validations on inbound SCTP packets

Updated v4.4 fixed status. Stable kernels are fixed.

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.4: [48cd035cad5b5fad0648aa8294c4223bedb166dd]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]

CVE-2021-22543: An issue was discovered in the Linux: KVM through
Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks
and can lead to pages being freed while still accessible by the VMM
and guest

hva_to_pfn_remapped() doesn't exist in the v4.4 kernel, which uses a
different way to get the pfn.
If v4.4 is affected by this CVE, it'll need its own patch.

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]
stable/5.12: [c36fbd888dcc27d365c865e6c959d7f7802a207c]
stable/5.4: [bb85717e3797123ae7724751af21d0c9d605d61e]

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

All stable kernels are fixed.

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.14: [b71cc506778eb283b752400e234784ee86b5891c]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/4.4: [8db77dca7e1d1d1d6aa9334207ead57853832bb7]
stable/4.9: [aa1b5f2fe4532e99986f1eee2c04bb7d314e3007]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]
stable/5.4: [f49bff85b6dbb60a410c7f7dc53b52ee1dc22470]

CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

The mainline, 5.10, 5.13 are fixed.

Fixed status
mainline: [a6ecfb39ba9d7316057cea823b196b734f6b18ca]
stable/5.10: [115e4f5b64ae8d9dd933167cafe2070aaac45849]
stable/5.13: [eeaa4b8d1e2e6f10362673d283a97dccc7275afa]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fixed information as of 2021/08/03.

CVE-2021-3640: UAF in sco_send_frame function

There is no fixed information as of 2021/08/03.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* [cip-dev] New CVE entries this week
@ 2021-07-22  2:02 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-07-22  2:02 UTC (permalink / raw)
  To: cip-dev


Hi !

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-21781: stable/4.19 and stable/5.10 are fixed. stable/4.4 is
not fixed yet.
CVE-2021-33909: stable/4.4, stable/4.19, and stable/5.10 are fixed.
CVE-2021-3655: stable/4.19 and stable/5.10 are fixed. stable/4.4 is
not fixed yet.
CVE-2021-37159: not fixed in mainline.

** Updated CVEs

CVE-2020-8835: stable/4.4, stable/4.19, and stable/5.10 aren't affected.

* CVE detail

New CVEs

- CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

The stable/4.4 kernel is not fixed yet. The stable/4.4 kernel's
get_signal_page() in arch/arm/kernel/signal.c seems to be vulnerable
too.

Fixed commit

mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.4: not fixed yet
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

- CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer

Fixed commit

mainline: [8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b]
stable/4.19: [6de9f0bf7cacc772a618699f9ed5c9f6fca58a1d]
stable/4.4: [3533e50cbee8ff086bfa04176ac42a01ee3db37d]
stable/5.10: [174c34d9cda1b5818419b8f5a332ced10755e52f]

- CVE-2021-3655: missing size validations on inbound SCTP packets

stable/4.4(v4.4.276) contains upstream commit
50619dbf8db77e98d821d615af4f634d08e22698
(https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.4.276&id=48cd035cad5b5fad0648aa8294c4223bedb166dd).

Fixed commit

mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,
b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]

- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

The original patch is not merged.

Updated CVEs

- CVE-2020-8835: bpf verifier (kernel/bpf/verifier.c) did not properly
restrict the register bounds for 32-bit operations, leading to
out-of-bounds reads and writes in kernel memory

This CVE is introduced in v5.5-rc1; fixed in v5.7-rc1. Therefore
stable/4.4, stable/4.19, and stable/5.10 aren't affected.

From last week's CVEs

CVE-2021-29256: not fixed in mainline yet
CVE-2021-31615: not fixed in mainline yet


Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* [cip-dev] New CVE entries this week
@ 2021-07-15  1:00 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-07-15  1:00 UTC (permalink / raw)
  To: cip-dev


Hi !

It's this week's CVE report.

CVE Summary

There is one new CVE.

CVE-2021-22555: Affects all CIP kernels

There are two updated CVEs

CVE-2021-34693: CIP kernel 4.19, 4.19-rt, 4.4 are fixed
CVE-2021-35039: CIP kernel 4.19 and 4.4 are fixed

From last week's CVEs

CVE-2020-28097: CIP kernels are fixed
CVE-2021-29256: it seems not fixed in mainline yet
CVE-2021-31615: it seems not fixed in mainline yet
CVE-2021-35039: CIP kernel 4.4 and 4.4-rt aren't affected. 4.19 is fixed

* New CVEs detail

- 2021/07/12

CVE-2021-22555 -- Heap Out-Of-Bounds Write in xt_compat_target_from_user

The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE setsockopt
implementation in the netfilter subsystem in the Linux kernel allows
local users to gain privileges or cause a denial of service (heap
memory corruption) via user namespace.

This vulnerability affects v2.6.19-rc1 through v5.11.

Fixed status.
cip/4.19: [12ec80252edefff00809d473a47e5f89c7485499]
cip/4.19-rt: [12ec80252edefff00809d473a47e5f89c7485499]
cip/4.4: [b0d98b2193a38ef93c92e5e1953d134d0f426531]
cip/4.4-rt: not fixed yet
cip/5.10: not fixed yet

* Updated CVEs detail

CVE-2021-34693 -- can: bcm: fix infoleak in struct bcm_msg_head

Fixed status

cip/4.19: [8899857d7e450805e6410de5004126491f197146]
cip/4.19-rt: not fixed yet
cip/4.4: [f638caa211e7a121a5596986d29ebbdaf9156398]
cip/4.4-rt: not fixed yet
cip/5.10: not fixed yet

CVE-2021-35039 -- module: limit enabling module.sig_enforce

Fixed status

cip/4.19: [ff660863628fb144badcb3395cde7821c82c13a6]
cip/4.19-rt: not fixed yet
cip/4.4: not affected
cip/4.4-rt: not affected
cip/5.10: not fixed yet

* From last week CVE report

CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

This vulnerability affects kernels before v5.9-rc6, so the v5.10 kernel isn't affected.

Fixed status

cip/4.19: [f5fa64c8daf7b97280865c73903edc0a3eea819e]
cip/4.19-rt: [f5fa64c8daf7b97280865c73903edc0a3eea819e]
cip/4.4: [5f76b4c6ac297ce836abe17f495123f45bfc4fb3]
cip/4.4-rt: [5f76b4c6ac297ce836abe17f495123f45bfc4fb3]
cip/5.10: not affected

Since the CONFIG_VGACON_SOFT_SCROLLBACK option has been removed by this
CVE fix, we can remove this option from these configs in the
cip-kernel-config repo.

- 4.19.y-cip/x86/cip_qemu_defconfig
- 4.19.y-cip/x86/plathome_obsvx2.config
- 4.19.y-cip-rt/x86/siemens_i386-rt.config
- 4.4.y-cip/x86/cip_qemu_defconfig


CVE-2021-29256.yml -- Mali GPU Kernel Driver elevates CPU RO pages to writable

According to
https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver,
it says "This issue is fixed in Bifrost and Valhall GPU Kernel
Driver r30p0. It will be fixed in future Midgard release. Users are
recommended to upgrade if they are impacted by this issue." so it
seems that the CVE hasn't been fixed yet.

CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into
established Bluetooth Low Energy connections

According to
https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver,
it says "This issue is fixed in Bifrost and Valhall GPU Kernel
Driver r30p0. It will be fixed in future Midgard release. Users are
recommended to upgrade if they are impacted by this issue." so it
seems that the CVE hasn't been fixed yet.

CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a
kernel module is signed, for loading via init_module, does not occur
for a module.sig_enforce=1 command-line argument.

Fixed status

cip/4.19: [ff660863628fb144badcb3395cde7821c82c13a6]
cip/linux-4.4: not affected
cip/linux-4.4-rt: not affected
cip/5.10: not fixed yet

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com


* Re: [cip-dev] New CVE entries this week
  2021-07-11  8:32 ` Pavel Machek
@ 2021-07-11 11:13   ` masashi.kudo
  0 siblings, 0 replies; 43+ messages in thread
From: masashi.kudo @ 2021-07-11 11:13 UTC (permalink / raw)
  To: cip-dev


Hi, Pavel-san,

Thanks for your diagnosis!

Best regards,
--
M. Kudo

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Pavel Machek
Sent: Sunday, July 11, 2021 5:33 PM
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] New CVE entries this week

Hi!

> These are the new issues this week:
> 
> * 2021/06/30
> 
> CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

This is a sad situation, but we don't need to do anything here.

> CVE-2021-29256.yml -- Mali GPU Kernel Driver elevates CPU RO pages to
> writable

Too early to do anything here, we don't have enough information.

> CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into 
> established Bluetooth Low Energy connections

Too early to do anything here, we don't have enough information.

> * 2021/07/08
> 
> CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a 
> kernel module is signed, for loading via init_module, does not occur 
> for a module.sig_enforce=1 command-line argument.
> 
> This CVE affects v4.15 to v5.12, so the v4.4 kernel isn't affected.

Stable did the work, we don't need to do anything. Good :-).

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


* Re: [cip-dev] New CVE entries this week
  2021-07-08  0:21 市川正美
@ 2021-07-11  8:32 ` Pavel Machek
  2021-07-11 11:13   ` masashi.kudo
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-07-11  8:32 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 1062 bytes --]

Hi!

> These are the new issues this week:
> 
> * 2021/06/30
> 
> CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

This is a sad situation, but we don't need to do anything here.

> CVE-2021-29256.yml -- Mali GPU Kernel Driver elevates CPU RO pages
>  to writable

Too early to do anything here, we don't have enough information.

> CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into
> established Bluetooth Low Energy connections

Too early to do anything here, we don't have enough information.

> * 2021/07/08
> 
> CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a
> kernel module is signed, for loading via init_module, does not occur
> for a module.sig_enforce=1 command-line argument.
> 
> This CVE affects v4.15 to v5.12, so the v4.4 kernel isn't affected.

Stable did the work, we don't need to do anything. Good :-).

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]



^ permalink raw reply	[flat|nested] 43+ messages in thread

* [cip-dev] New CVE entries this week
@ 2021-07-08  0:21 市川正美
  2021-07-11  8:32 ` Pavel Machek
  0 siblings, 1 reply; 43+ messages in thread
From: 市川正美 @ 2021-07-08  0:21 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1695 bytes --]

Hi!

These are the new issues this week:

* 2021/06/30

CVE-2020-28097 -- vgacon_scrolldelta out-of-bounds read

This commit removes software scrollback support, so the
CONFIG_VGACON_SOFT_SCROLLBACK option is removed from the kernel.
According to the cip-kernel-config repo, the following configs set the
CONFIG_VGACON_SOFT_SCROLLBACK option.

- 4.19.y-cip/x86/cip_qemu_defconfig
- 4.19.y-cip/x86/plathome_obsvx2.config
- 4.19.y-cip-rt/x86/siemens_i386-rt.config
- 4.4.y-cip/x86/cip_qemu_defconfig

This vulnerability affects kernels before Linux 5.8.10; therefore the
Linux 5.10.y series is not affected.

CVE-2020-36387 -- fs/io_uring.c has a use-after-free related to
io_async_task_func and ctx reference holding

This CVE affects kernels before Linux 5.8.2. However, io_uring was
introduced in Linux 5.1, so CIP kernels aren't affected by this
vulnerability.

CVE-2021-29256.yml -- Mali GPU Kernel Driver elevates CPU RO pages to writable

The following GPU architectures are affected.

- Bifrost r16p0 through r29p0 before r30p0
- Valhall r19p0 through r29p0 before r30p0
- Midgard r28p0 through r30p0

CVE-2021-31615 -- InjectaBLE: Injecting malicious traffic into
established Bluetooth Low Energy connections

Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core
Specifications 4.0 through 5.2 are affected.

* 2021/07/08

CVE-2021-35039 -- Without CONFIG_MODULE_SIG, verification that a
kernel module is signed, for loading via init_module, does not occur
for a module.sig_enforce=1 command-line argument.

This CVE affects v4.15 to v5.12, so the v4.4 kernel isn't affected.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com
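Two items in this report lend themselves to an automated check on a kernel config: CONFIG_VGACON_SOFT_SCROLLBACK still being set (an option the CVE-2020-28097 fix removes) and module.sig_enforce=1 being passed to a kernel built without CONFIG_MODULE_SIG (CVE-2021-35039, where the parameter was accepted but signature verification in init_module never ran). The POSIX shell audit below is an added example written for this page, not CIP tooling and not from the cip-kernel-config repo; the function names, the sample config text and the sample command line are constructed, and the `--live` mode's reliance on /proc/config.gz or /boot/config-<release> is an assumption about the target system.

```shell
#!/bin/sh
# Added example for this thread (not CIP project tooling): audit a kernel
# .config fragment and a kernel command line for the two conditions
# discussed in the report above.
#
# audit_kconfig CONFIG_TEXT CMDLINE_TEXT
#   Prints one finding per line. The exit status is the number of findings,
#   so 0 means the pair looked clean.
audit_kconfig() {
    config="$1"
    cmdline="$2"
    findings=0

    # CVE-2020-28097: the upstream fix removes software scrollback and with it
    # CONFIG_VGACON_SOFT_SCROLLBACK. A config that still enables it is either
    # built against an unfixed tree or carries a stale option that the fixed
    # tree silently drops; either way it deserves a look.
    if printf '%s\n' "$config" | grep -q '^CONFIG_VGACON_SOFT_SCROLLBACK=y$'; then
        echo "CONFIG_VGACON_SOFT_SCROLLBACK=y: option removed by the CVE-2020-28097 fix"
        findings=$((findings + 1))
    fi

    # CVE-2021-35039: module.sig_enforce=1 only has teeth when the kernel was
    # built with CONFIG_MODULE_SIG=y. On affected kernels (v4.15 to v5.12) the
    # parameter was accepted but init_module skipped signature verification,
    # so the boot line promised enforcement the kernel never performed.
    if printf '%s\n' "$cmdline" | grep -Eq '(^|[[:space:]])module\.sig_enforce=1([[:space:]]|$)'; then
        if ! printf '%s\n' "$config" | grep -q '^CONFIG_MODULE_SIG=y$'; then
            echo "module.sig_enforce=1 set but CONFIG_MODULE_SIG is not enabled: enforcement is ineffective"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Same audit against the booted kernel (Linux only; assumed layout). Reads
# /proc/config.gz when the kernel exposes it, otherwise /boot/config-<release>;
# returns 255 if neither is readable so it cannot be confused with a finding count.
audit_running_kernel() {
    release=$(uname -r)
    if [ -r /proc/config.gz ]; then
        cfg=$(gzip -dc /proc/config.gz)
    elif [ -r "/boot/config-$release" ]; then
        cfg=$(cat "/boot/config-$release")
    else
        echo "no kernel config found for $release" >&2
        return 255
    fi
    audit_kconfig "$cfg" "$(cat /proc/cmdline)"
}

# Constructed sample input (not a real cip-kernel-config file): a config with
# software scrollback on and module signing off, booted with sig_enforce=1.
SAMPLE_CONFIG='CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 module.sig_enforce=1 quiet'

if [ "${1:-}" = "--live" ]; then
    audit_running_kernel
else
    audit_kconfig "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE" || echo "audit flagged $? finding(s)"
fi
```

Run without arguments to see the two findings on the constructed sample; run with `--live` on a Linux host to check the booted kernel. The sig_enforce check deliberately fires only when both conditions hold, because a kernel without CONFIG_MODULE_SIG and without the parameter makes no enforcement claim and the CVE is about the mismatch between the two.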



^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-06-18  8:03 Pavel Machek
@ 2021-06-20 23:51 ` 市川正美
  0 siblings, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-06-20 23:51 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]

Hi!

On Fri, Jun 18, 2021 at 17:04 Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> In the last import, CVE-2020-36385 and CVE-2020-36386 were confused. That's
> fixed now. And we have the following new issues:
>
> * 2021-06-13
>
> CVE-2021-0129 -- Passkey Entry protocol of the Bluetooth Core is
> vulnerable to an impersonation, fixed 4.9+
>
> CVE-2021-0512 -- HID arrays, fixed 4.9+
>
> CVE-2021-28691 -- Xen, fixed 5.10+
>
> CVE-2021-3573 -- Bluetooth UAF, fixed 4.9+
>
> * 2021-06-18
>
> CVE-2021-32078 -- ARM: footbridge:, hopefully no one uses this
>
> CVE-2021-34693 -- can: bcm: fix infoleak in struct bcm_msg_head
>
> CVE-2020-36386 -- An issue was discovered in the Linux kernel before
> 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in
> hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
>

Thank you for the update.

> Best regards,
>                                                                 Pavel
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>


-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



^ permalink raw reply	[flat|nested] 43+ messages in thread

* [cip-dev] New CVE entries this week
@ 2021-06-18  8:03 Pavel Machek
  2021-06-20 23:51 ` 市川正美
  0 siblings, 1 reply; 43+ messages in thread
From: Pavel Machek @ 2021-06-18  8:03 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 902 bytes --]

Hi!

In the last import, CVE-2020-36385 and CVE-2020-36386 were confused. That's
fixed now. And we have the following new issues:

* 2021-06-13

CVE-2021-0129 -- Passkey Entry protocol of the Bluetooth Core is
vulnerable to an impersonation, fixed 4.9+

CVE-2021-0512 -- HID arrays, fixed 4.9+

CVE-2021-28691 -- Xen, fixed 5.10+

CVE-2021-3573 -- Bluetooth UAF, fixed 4.9+

* 2021-06-18

CVE-2021-32078 -- ARM: footbridge:, hopefully no one uses this

CVE-2021-34693 -- can: bcm: fix infoleak in struct bcm_msg_head

CVE-2020-36386 -- An issue was discovered in the Linux kernel before
5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in
hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]



^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-06-17  2:09 ` 市川正美
  2021-06-17 11:04   ` Masami Ichikawa
@ 2021-06-18  8:01   ` Pavel Machek
  1 sibling, 0 replies; 43+ messages in thread
From: Pavel Machek @ 2021-06-18  8:01 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 848 bytes --]

Hi!

> > CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
> >
> 
> According to the CVE-2020-36385.yml, it describes 'RDMA/ucma: Rework
> ucma_migrate_id() to avoid races with destroy'. However, the
> description of 'An issue was discovered in the Linux kernel before
> 5.8.1 ...' seems like CVE-2020-36386.

You are right, something went wrong with the import. It is corrected
now.

Best regards,
								Pavel

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]



^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-06-17  2:09 ` 市川正美
@ 2021-06-17 11:04   ` Masami Ichikawa
  2021-06-18  8:01   ` Pavel Machek
  1 sibling, 0 replies; 43+ messages in thread
From: Masami Ichikawa @ 2021-06-17 11:04 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1939 bytes --]

Hi!

Please ignore my 2nd email from masami.ichikawa@cybertrust.co.jp.
It's my mistake.

Cheers,

On Thu, Jun 17, 2021 at 7:55 PM 市川正美 <masami.ichikawa@cybertrust.co.jp> wrote:
>
> Hi!
>
> On Fri, Jun 11, 2021 at 2:05 Pavel Machek <pavel@denx.de> wrote:
> >
> > Hi!
> >
> > These are the new issues this week:
> >
> > Best regards,
> >                                                                 Pavel
> >
> > * 2021-06-04
> >
> > CVE-2021-33200 -- BPF fix turned out to be buggy.
> >
> > * 2021-06-09
> >
> > CVE-2021-0606 -- EoP in GPU DRM Driver / reported by android, probably upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 ... may be interesting?
> >
> > CVE-2021-3587 -- redhat Bugzilla 1968057: CVE-2021-3587 kernel: nfc: Null pointer dereference in llcp_sock_getname
> >
> > CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
> >
>
> According to the CVE-2020-36385.yml, it describes 'RDMA/ucma: Rework
> ucma_migrate_id() to avoid races with destroy'. However, the
> description of 'An issue was discovered in the Linux kernel before
> 5.8.1 ...' seems like CVE-2020-36386.
>
> > CVE-2020-36387 -- An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.
> >
> > --
> > DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> >
> >
> >
>
> 
>


-- 
/**
* Masami Ichikawa
* personal: masami256@gmail.com
* fedora project: masami@fedoraproject.org
*/



^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-06-10 17:05 Pavel Machek
  2021-06-17  2:09 ` 市川正美
@ 2021-06-17  2:45 ` 市川正美
  1 sibling, 0 replies; 43+ messages in thread
From: 市川正美 @ 2021-06-17  2:45 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1556 bytes --]

Hi!

On Fri, Jun 11, 2021 at 2:05 Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> These are the new issues this week:
>
> Best regards,
>                                                                 Pavel
>
> * 2021-06-04
>
> CVE-2021-33200 -- BPF fix turned out to be buggy.
>
> * 2021-06-09
>
> CVE-2021-0606 -- EoP in GPU DRM Driver / reported by android, probably upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 ... may be interesting?
>
> CVE-2021-3587 -- redhat Bugzilla 1968057: CVE-2021-3587 kernel: nfc: Null pointer dereference in llcp_sock_getname
>
> CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
>

According to the CVE-2020-36385.yml, it describes 'RDMA/ucma: Rework
ucma_migrate_id() to avoid races with destroy'. However, the
description of 'An issue was discovered in the Linux kernel before
5.8.1 ...' seems like CVE-2020-36386.

> CVE-2020-36387 -- An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.
>
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>

Sincerely,
-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
          :masami.ichikawa@miraclelinux.com



^ permalink raw reply	[flat|nested] 43+ messages in thread

* Re: [cip-dev] New CVE entries this week
  2021-06-10 17:05 Pavel Machek
@ 2021-06-17  2:09 ` 市川正美
  2021-06-17 11:04   ` Masami Ichikawa
  2021-06-18  8:01   ` Pavel Machek
  2021-06-17  2:45 ` 市川正美
  1 sibling, 2 replies; 43+ messages in thread
From: 市川正美 @ 2021-06-17  2:09 UTC (permalink / raw)
  To: cip-dev

[-- Attachment #1: Type: text/plain, Size: 1531 bytes --]

Hi!

On Fri, Jun 11, 2021 at 2:05 Pavel Machek <pavel@denx.de> wrote:
>
> Hi!
>
> These are the new issues this week:
>
> Best regards,
>                                                                 Pavel
>
> * 2021-06-04
>
> CVE-2021-33200 -- BPF fix turned out to be buggy.
>
> * 2021-06-09
>
> CVE-2021-0606 -- EoP in GPU DRM Driver / reported by android, probably upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 ... may be interesting?
>
> CVE-2021-3587 -- redhat Bugzilla 1968057: CVE-2021-3587 kernel: nfc: Null pointer dereference in llcp_sock_getname
>
> CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.
>

According to the CVE-2020-36385.yml, it describes 'RDMA/ucma: Rework
ucma_migrate_id() to avoid races with destroy'. However, the
description of 'An issue was discovered in the Linux kernel before
5.8.1 ...' seems like CVE-2020-36386.

> CVE-2020-36387 -- An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.
>
>
> --
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>
> 
>



^ permalink raw reply	[flat|nested] 43+ messages in thread

* [cip-dev] New CVE entries this week
@ 2021-06-10 17:05 Pavel Machek
  2021-06-17  2:09 ` 市川正美
  2021-06-17  2:45 ` 市川正美
  0 siblings, 2 replies; 43+ messages in thread
From: Pavel Machek @ 2021-06-10 17:05 UTC (permalink / raw)
  To: cip-dev


[-- Attachment #1.1: Type: text/plain, Size: 983 bytes --]

Hi!

These are the new issues this week:

Best regards,
								Pavel

* 2021-06-04

CVE-2021-33200 -- BPF fix turned out to be buggy.

* 2021-06-09

CVE-2021-0606 -- EoP in GPU DRM Driver / reported by android, probably upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31 ... may be interesting?

CVE-2021-3587 -- redhat Bugzilla 1968057: CVE-2021-3587 kernel: nfc: Null pointer dereference in llcp_sock_getname

CVE-2020-36385 -- An issue was discovered in the Linux kernel before 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt, aka CID-51c19bf3d5cf.

CVE-2020-36387 -- An issue was discovered in the Linux kernel before 5.8.2. fs/io_uring.c has a use-after-free related to io_async_task_func and ctx reference holding, aka CID-6d816e088c35.








-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]



^ permalink raw reply	[flat|nested] 43+ messages in thread

end of thread, other threads:[~2023-07-27 11:31 UTC | newest]

Thread overview: 43+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-29  1:18 [cip-dev] New CVE entries this week 市川正美
2021-07-29  7:47 ` Pavel Machek
2021-07-29  8:11   ` 市川正美
2021-07-29  8:58     ` Pavel Machek
2021-07-29  7:50 ` Nobuhiro Iwamatsu
2021-07-29  8:12   ` 市川正美
  -- strict thread matches above, loose matches on Subject: below --
2023-07-26 23:15 Masami Ichikawa
2023-07-27  9:26 ` [cip-dev] " Pavel Machek
2023-07-27 11:30   ` Masami Ichikawa
2023-06-14 22:43 Masami Ichikawa
2023-06-15  8:41 ` [cip-dev] " Pavel Machek
2023-06-15 11:52   ` Masami Ichikawa
2022-11-09 23:02 Masami Ichikawa
2022-11-10  8:33 ` [cip-dev] " Pavel Machek
2022-10-20  0:48 Masami Ichikawa
2022-10-20  7:58 ` [cip-dev] " Pavel Machek
2022-10-20 13:10   ` Masami Ichikawa
2022-06-15 23:44 Masami Ichikawa
2022-06-16 12:04 ` [cip-dev] " Pavel Machek
2022-06-08 23:44 Masami Ichikawa
2022-06-09  9:41 ` [cip-dev] " Pavel Machek
2022-06-09 12:06   ` Masami Ichikawa
2022-02-17  0:09 Masami Ichikawa
2022-02-17 11:55 ` [cip-dev] " Pavel Machek
2021-08-26  1:09 Masami Ichikawa
2021-08-26 10:01 ` Pavel Machek
     [not found] ` <169ED2F66B4753DB.9667@lists.cip-project.org>
2021-08-26 11:51   ` Pavel Machek
2021-08-26 12:43     ` Masami Ichikawa
2021-08-19  0:12 市川正美
2021-08-19  7:10 ` Pavel Machek
2021-08-19  8:37   ` Masami Ichikawa
2021-08-19  8:55   ` Nobuhiro Iwamatsu
2021-08-12  0:33 市川正美
2021-08-12  5:43 ` Pavel Machek
2021-08-12  8:40   ` 市川正美
2021-08-05  0:47 市川正美
2021-08-05  9:00 ` Pavel Machek
2021-08-06  0:46   ` 市川正美
2021-07-22  2:02 市川正美
2021-07-15  1:00 市川正美
2021-07-08  0:21 市川正美
2021-07-11  8:32 ` Pavel Machek
2021-07-11 11:13   ` masashi.kudo
2021-06-18  8:03 Pavel Machek
2021-06-20 23:51 ` 市川正美
2021-06-10 17:05 Pavel Machek
2021-06-17  2:09 ` 市川正美
2021-06-17 11:04   ` Masami Ichikawa
2021-06-18  8:01   ` Pavel Machek
2021-06-17  2:45 ` 市川正美
