Re: New CVE entries in this week


Pavel Machek
 

Hi!

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]
Furthermore, CIP members should really not be using code from staging.

* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed in this week. However, appliying
patch to 4.4 and 4.9 are failed.
According to the cip-kernel-config repo, no CIP member uses firewire driver.
This one looks rather easy to backport. It failed only because
reformatting of the printk.

CVE-2021-3640: UAF in sco_send_frame function

Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
Would it make sense to ask why it was not applied?

Best regards,
Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);

- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;

return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Join cip-dev@lists.cip-project.org to automatically receive all group messages.