Re: Cip-kernel-sec Updates for Week of 2021-02-04 <masashi.kudo@...>

Hi, Chen-Yu san,

Thanks for reporting this!

Best regards,
M. Kudo

-----Original Message-----
From: Chen-Yu Tsai <wens@...>
Sent: Friday, February 5, 2021 11:33 AM
To: cip-dev@...
Cc: Pavel Machek <pavel@...>; Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@...>; 工藤 雅司(CTJ OSS事業推進室)
Subject: Re: Cip-kernel-sec Updates for Week of 2021-02-04

On Thu, Feb 4, 2021 at 1:26 PM Chen-Yu Tsai <wens@...> wrote:

Hi everyone,

Two new issue this week:
- CVE-2021-3347 [UAF in futex]: fixed for 4.14 and later [1]
- CVE-2021-3348 [nbd: UAF when adding connections while operations are
running]: fixed in all kernels

For CVE-2021-3347, based on [1], more patches are needed for 4.4 and 4.9.
The second batch:


has not been included yet. Lee Jones seems to be handling it [2].
FTR, a second backport series for 4.4 was also posted:


For CVE-2020-27825 from two weeks ago, the fix has been backported to
all stable kernels.

For CVE-2020-16120, Ubuntu mentions a regression due to the backported fix
We probably don't care either way since this requires unprivileged
user namespace is enabled.


t/tree/pending/futex_issues.txt [2] [2]

Join to automatically receive all group messages.