Re: New CVE entries in this week


Masami Ichikawa
 

Hi !

On Thu, Nov 11, 2021 at 6:21 PM Pavel Machek <pavel@...> wrote:

Hi!

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]
Furthermore, CIP members should really not be using code from staging.

* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed in this week. However, appliying
patch to 4.4 and 4.9 are failed.
According to the cip-kernel-config repo, no CIP member uses firewire driver.
This one looks rather easy to backport. It failed only because
reformatting of the printk.
Thank you for the patch! The patch looks good to me.

CVE-2021-3640: UAF in sco_send_frame function

Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
Would it make sense to ask why it was not applied?
Yes, I think so.

Best regards,
Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);

- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;

return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Join cip-dev@lists.cip-project.org to automatically receive all group messages.