New CVE entries this week


Masami Ichikawa


Hi!

It's this week's CVE report.

This week, 11 new CVEs and 3 updated CVEs were reported.
CVE-2022-45884, CVE-2022-45885, CVE-2022-45886 and CVE-2022-45887 are
fixed in the same patch series.

* New CVEs

CVE-2022-4129: l2tp: missing lock when clearing sk_user_data can lead
to NULL pointer dereference

CVSS v3 score is not provided.

A NULL pointer dereference bug was found in the l2tp module.

Introduced by commit b68777d54fac ("l2tp: Serialize access to
sk_user_data with sk_callback_lock") in 6.1-rc6.
It fixes commit 3557baa ("[L2TP]: PPP over L2TP driver core") in 2.6.23-rc1.
Commit b68777d54fac has not been backported to stable kernels, so those
kernels are not affected by this issue.

Fixed status
A patch is available (https://lore.kernel.org/netdev/20221119130317.39158-1-jakub@cloudflare.com/)
but it has not been merged yet.

CVE-2022-28667: Out-of-bounds write for some Intel(R) PROSet/Wireless
WiFi software

CVSS v3 score is 6.5 MEDIUM.

Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi software
before version 22.140 may allow an unauthenticated user to potentially
enable denial of service via adjacent access.

The Intel security advisory INTEL-SA-00687 says that "Intel®
PROSet/Wireless WiFi drivers to mitigate this vulnerability will be
upstreamed by November 08, 2022", so the mainline kernel seems to be
affected by this issue.

Fixed status
Not fixed yet.

CVE-2022-45884: A use-after-free bug was found in
drivers/media/dvb-core/dvbdev.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvbdev.c has a use-after-free, related to
dvb_register_device dynamically allocating fops.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45885: A use-after-free bug was found in
drivers/media/dvb-core/dvb_frontend.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvb_frontend.c has a race condition that can
cause a use-after-free when a device is disconnected.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45886: A use-after-free bug was found in
drivers/media/dvb-core/dvb_net.c

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel.
drivers/media/dvb-core/dvb_net.c has a .disconnect versus
dvb_device_open race condition that leads to a use-after-free.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45887: media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb()

CVSS v3 score is 4.7 MEDIUM.

An issue was discovered in the Linux kernel.
drivers/media/usb/ttusb-dec/ttusb_dec.c has a memory leak because of
the lack of a dvb_frontend_detach call.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/linux-media/20221115131822.6640-1-imv4bel@gmail.com/

CVE-2022-45888: char: xillybus: Fix use-after-free in xillyusb_open()

CVSS v3 score is 6.4 MEDIUM.

An issue was discovered in the Linux kernel.
drivers/char/xillybus/xillyusb.c has a race condition and
use-after-free during physical removal of a USB device.

The XillyUSB driver was added by commit a53d120 ("char: xillybus: Add
driver for XillyUSB (Xillybus variant for USB)") in 5.14-rc1, so
kernels before 5.14 are not affected.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/all/20221022175404.GA375335@ubuntu/

CVE-2022-45919: media: dvb-core: Fix use-after-free due to race
condition occurring in dvb_ca_en50221

CVSS v3 score is 7.0 HIGH.

An issue was discovered in the Linux kernel. In
drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur if
there is a disconnect after an open, because of the lack of a
wait_event.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
A patch is available but it has not been merged yet.
https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu/T/#u

CVE-2022-45934: Bluetooth: L2CAP: Fix u8 overflow

CVSS v3 score is not provided.

An issue was discovered in the Linux kernel. l2cap_config_req in
net/bluetooth/l2cap_core.c has an integer wraparound via
L2CAP_CONF_REQ packets.

It looks like all stable kernels (including 4.4) are affected by this issue.

Fixed status
Fixed in the bluetooth-next tree.
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d

CVE-2022-45869: KVM: x86/mmu: Fix race condition in direct_page_fault

CVSS v3 score is not provided.

A race condition bug was found in direct_page_fault(); it can lead to
a system crash.
Introduced by commit a2855af ("KVM: x86/mmu: Allow parallel page
faults for the TDP MMU") in v5.12-rc1-dontuse. It has not been
backported to stable kernels, so kernels older than 5.12 are not
affected by this issue.

Fixed status
mainline: [47b0c2e4c220f2251fd8dcfbb44479819c715e15]

CVE-2022-4139: drm/i915: fix TLB invalidation for Gen12 video and
compute engines

CVSS v3 score is not provided.

A random memory corruption or data leak problem was found in the Intel
i915 graphics driver because of an incorrect GPU TLB flush.
This bug was introduced by commit 7938d61 ("drm/i915: Flush TLBs
before releasing backing store"), which was backported to all stable
kernels.

Fixed status
mainline: [04aa64375f48a5d430b5550d9271f8428883e550]

* Updated CVEs

CVE-2022-3169: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET
may cause a DOS

Stable kernels were fixed this week.

Fixed status
mainline: [1e866afd4bcdd01a70a5eddb4371158d3035ce03]
stable/5.10: [023435a095d22bcbbaeea7e3a8c534b5c57d0d82]
stable/5.15: [b1a27b2aad936746e6ef64c8a24bcb6dce6f926a]
stable/6.0: [0c2b1c56252bf19d3412137073c2c07e86f40ba1]

CVE-2022-3521: kcm: avoid potential race in kcm_tx_work

Stable kernels were fixed this week. Kernel 4.4 is not affected by this issue.

Fixed status
mainline: [ec7eede369fe5b0d085ac51fdbb95184f87bfc6c]
stable/4.14: [381b6cb3f3e66b84db77028ac7d84f18d80f1153]
stable/4.19: [23a0a5869749c7833772330313ae7aec6581ec60]
stable/4.9: [fe3f79701fdaf8a087bc7043839e7f8b2e61b6fe]
stable/5.10: [7deb7a9d33e4941c5ff190108146d3a56bf69e9d]
stable/5.15: [27d706b0d394a907ff8c4f83ffef9d3e5817fa84]
stable/5.4: [ad39d09190a545d0f05ae0a82900eee96c5facea]
stable/6.0: [2526ac6b0f5a9b38e7e9073e37141cf78408078d]

CVE-2022-3344: KVM: SVM: nested shutdown interception could lead to host crash

Mainline was fixed this week.

Fixed status
mainline: [16ae56d7e0528559bf8dc9070e3bfd8ba3de80df,
ed129ec9057f89d615ba0c81a4984a90345a1684]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...
