All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pavel Machek <pavel@denx.de>
To: cip-dev@lists.cip-project.org
Subject: CVE-2021-3640: UAF in sco_send_frame function was Re: [cip-dev] New CVE entries in this week
Date: Thu, 25 Nov 2021 10:53:39 +0100	[thread overview]
Message-ID: <20211125095339.GC3327@amd> (raw)
In-Reply-To: <16BABF37827ACD8B.14741@lists.cip-project.org>

[-- Attachment #1: Type: text/plain, Size: 3502 bytes --]

Hi!

> > CVE-2021-3640: UAF in sco_send_frame function
> > 
> > 5.10 and 5.15 are fixed this week.
> > 
> > Fixed status
> > 
> > mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
> > stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
> > stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
> > stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
> > stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]
> 
> Interesting.
> 
> commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951
> Author: Takashi Iwai <tiwai@suse.de>
> 
> Says:
> 
>     This should be the last piece for fixing CVE-2021-3640 after a few
>     already queued fixes.
> 
> Which means more than 99c23da0eed is needed to fix this one,
> unfortunately it does not give us good way to identify what commits
> are needed.

Aha, but we have required information in
cip-kernel-sec/issues/CVE-2021-3640.yml. It lists patches that should
be fixing this.

Some searching in the trees reveals that one of those patches is buggy
itself, and additionaly 49d8a5606428ca0962d09050a5af81461ff90fbb is
needed.

The patches fixing this are:

~  stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de,
                f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1,
 		98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
 		c20d8c197454068da758a83e09d93683f520d681,
 		a1073aad497d0d071a71f61b721966a176d50c08]

But we still miss backport of 27c24fda62b6 ("Bluetooth: switch to
lock_sock in SCO") to 5.10, which has its own prerequisites
according to the changelog. AFAICT those prerequisites are
734bc5ff783115aa3164f4e9dd5967ae78e0a8ab and
ba316be1b6a00db7126ed9a39f9bee434a508043, and both are in 5.10.

I'm not sure how to express this in yml cleanly. I came with this:

diff --git a/issues/CVE-2021-3640.yml b/issues/CVE-2021-3640.yml
index fb52d5a..d386093 100644
--- a/issues/CVE-2021-3640.yml
+++ b/issues/CVE-2021-3640.yml
@@ -23,9 +23,23 @@ comments:
     there is no fixed information as of 2021/07/26.
     Fixed in bluetooth-next tree. commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951.
   ubuntu/sbeattie: Possibly addressed by Desmond Cheong Zhi Xi's patchset.
+  pavel: We are one patch away from fixing this 5.10, 27c24fda62b6 is needed.
 fixed-by:
-  mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
-  stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de]
+  mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951,
+  	     e04480920d1eec9c061841399aa6f35b6f987d8b,
+	     734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
+	     49d8a5606428ca0962d09050a5af81461ff90fbb,
+	     ba316be1b6a00db7126ed9a39f9bee434a508043,
+	     27c24fda62b601d6f9ca5e992502578c4310876f,
+	     734bc5ff783115aa3164f4e9dd5967ae78e0a8ab,
+	     ba316be1b6a00db7126ed9a39f9bee434a508043]
+  stable/5.10: [4dfba42604f08a505f1a1efc69ec5207ea6243de,
+    	        f2f856b65ac4b77049c76c0e89ecd3a177e9fcd1,
+		98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
+		c20d8c197454068da758a83e09d93683f520d681,
+		a1073aad497d0d071a71f61b721966a176d50c08,
+		98d44b7be6f1bcfd4f824c5f8bc2b742f890879f,
+		a1073aad497d0d071a71f61b721966a176d50c08]
   stable/5.14: [2c2b295af72e4e30d17556375e100ae65ac0b896]
   stable/5.15: [b990c219c4c9d4993ef65ea9db73d9497e70f697]
   stable/5.4: [d416020f1a9cc5f903ae66649b2c56d9ad5256ab]

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

  parent reply	other threads:[~2021-11-25  9:53 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-25  2:41 New CVE entries in this week Masami Ichikawa
2021-11-25  9:14 ` [cip-dev] " Pavel Machek
     [not found] ` <16BABF37827ACD8B.14741@lists.cip-project.org>
2021-11-25  9:53   ` Pavel Machek [this message]
2021-11-25 14:22     ` CVE-2021-3640: UAF in sco_send_frame function was " Masami Ichikawa
2021-11-26 10:02       ` Pavel Machek
2021-11-26 13:39         ` Masami Ichikawa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211125095339.GC3327@amd \
    --to=pavel@denx.de \
    --cc=cip-dev@lists.cip-project.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.