Re: New CVE entries in this week

Masami Ichikawa

Hi !

On Thu, Dec 9, 2021 at 6:21 PM Pavel Machek <pavel@...> wrote:


> > * New CVEs
> >
> > CVE-2021-39636: "no details"
> >
> > CVSS v3 score is not provided
> >
> > There are no vulnerability details yet. However, five patches are
> > addressed, so the bug is in the netfilter module.
> >
> > f32815d ("xtables: add xt_match, xt_target and data copy_to_user
> > functions"): merged in 4.11-rc1
> > f77bc5b ("iptables: use match, target and data copy_to_user helpers"):
> > merged in 4.11-rc1
> > e47ddb2 ("ip6tables: use match, target and data copy_to_user
> > helpers"): merged in 4.11-rc1
> > ec23189 ("xtables: extend matches and targets with .usersize"): merged
> > in 4.11-rc1
> > 1e98ffe ("netfilter: x_tables: fix pointer leaks to userspace"):
> > merged in 4.16-rc1. This fixes commit ec23189 ("xtables: extend
> > matches and targets with .usersize") that was merged in 4.11-rc1.
> >
> > Fixed status
> >
> > mainline: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
> > stable/4.14: [f32815d21d4d8287336fb9cef4d2d9e0866214c2,
>
> Hmm. Fun. 1e98ffea5a8935ec040ab72299e349cb44b8defd may have a clue:
>
>     This leads to kernel pointer leaks if a match/target is set
>     and then read back to userspace.
>
> So that sounds like a KASLR workaround? iptables are normally limited to
> privileged users, and KASLR is just a technology to make exploitation
> hard. I don't think we care too much here.

I got it.

> > CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions
> >
> > CVSS v3 score is not provided
> >
> > Fixed status
> >
> > The BPF subsystem in the kernel through 4.17-rc7 has an overflow bug.
> >
> > mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
>
> Fun. JITs are hard to get right. I guess "avoid BPF" and "certainly
> don't allow unprivileged access to BPF" is good advice.

Yeah, I agree.

> Best regards,
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
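The copy-back pattern behind the "kernel pointer leaks if a match/target is set and then read back to userspace" message quoted in the thread, as an added userspace illustration. This is not kernel code and not any of the listed commits; the struct layout, the `DEMO_USERSIZE` constant and the helper names are hypothetical. It simulates a match's private data that has a user-visible prefix followed by a kernel-only pointer, copies it back to "userspace" both naively and with a `.usersize`-style bound, and checks whether the pointer bytes survive the copy.

```c
/*
 * Added example (not kernel code): why copying a match's whole private
 * area back to userspace leaks kernel pointers, and the usersize-bounded
 * copy that avoids it. Layout and names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical private data: user-settable prefix, then kernel-only state. */
struct demo_matchinfo {
    uint32_t user_flags;      /* written by userspace */
    uint32_t user_value;      /* written by userspace */
    const void *kernel_priv;  /* filled in by the kernel after the rule is set */
};

/* Bytes userspace is allowed to see back: everything before the pointer. */
#define DEMO_USERSIZE offsetof(struct demo_matchinfo, kernel_priv)

/* Vulnerable pattern: copy the whole private area back verbatim. */
static void copy_back_naive(void *user_dst, const struct demo_matchinfo *m)
{
    memcpy(user_dst, m, sizeof(*m));
}

/*
 * Fixed pattern: copy only usersize bytes and zero the rest. usersize is
 * validated against the full size first, since a too-large value would
 * reintroduce the leak (or overrun the destination).
 */
static int copy_back_usersize(void *user_dst, const struct demo_matchinfo *m,
                              size_t usersize)
{
    if (usersize > sizeof(*m))
        return -1;
    memcpy(user_dst, m, usersize);
    memset((char *)user_dst + usersize, 0, sizeof(*m) - usersize);
    return 0;
}

/* Does the byte pattern of 'ptr' appear anywhere in buf? */
static int leaks_pointer(const void *buf, size_t len, const void *ptr)
{
    const unsigned char *b = buf;
    for (size_t i = 0; i + sizeof(ptr) <= len; i++)
        if (memcmp(b + i, &ptr, sizeof(ptr)) == 0)
            return 1;
    return 0;
}

/*
 * Simulate: userspace sets a rule, the kernel fills in its private
 * pointer, userspace reads the rule back. Returns 1 if the read-back
 * contains the kernel pointer, 0 otherwise. (Constructed input.)
 */
static int readback_leaks(int use_usersize)
{
    static int secret_object;   /* stands in for some kernel object */
    struct demo_matchinfo m = { .user_flags = 0x1, .user_value = 0x2a,
                                .kernel_priv = &secret_object };
    unsigned char out[sizeof(m)];

    if (use_usersize)
        copy_back_usersize(out, &m, DEMO_USERSIZE);
    else
        copy_back_naive(out, &m);

    return leaks_pointer(out, sizeof(out), &secret_object);
}

int main(void)
{
    printf("naive copy-back leaks pointer:    %d\n", readback_leaks(0));
    printf("usersize copy-back leaks pointer: %d\n", readback_leaks(1));
    return 0;
}
```

The leaked value is a heap or data-segment address of a kernel object, which is exactly the kind of information KASLR is meant to hide; hence Pavel's reading of the CVE as a KASLR-related leak rather than memory corruption.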

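The failure mode named in the CVE-2018-25020 patch title, "truncated jump targets on heavy expansions", as an added illustration that is not kernel code and not the contents of commit 050fad7: the `struct insn`, `adjust_branches` and `expansion_demo` names are hypothetical. A BPF-style branch offset is a signed 16-bit field relative to the next instruction. When one instruction is expanded into many, every jump that crosses the expansion point must have its offset grown by the number of inserted instructions; if the result is simply cast back to 16 bits, a large forward jump silently wraps into a backward one. The checked variant refuses the expansion instead.

```c
/*
 * Added example (not kernel code): a 16-bit branch offset being
 * truncated after instruction expansion, and the range check that
 * turns that into an error. Names and layout are hypothetical.
 */
#include <stdint.h>
#include <stdlib.h>

/* Minimal BPF-like instruction: 'off' is relative to the next insn. */
struct insn {
    uint8_t is_jump;
    int16_t off;          /* signed 16-bit, like the BPF off field */
};

/*
 * Offset insn i needs after the insn at 'pos' is expanded into
 * (1 + delta) instructions: jumps from before 'pos' to after it grow,
 * jumps from after 'pos' back to or before it shrink, others are unchanged.
 */
static long adjusted_off(const struct insn *prog, size_t i, size_t pos,
                         int delta)
{
    long target = (long)i + 1 + prog[i].off;
    long newoff = prog[i].off;
    if (i < pos && target > (long)pos)
        newoff += delta;
    else if (i > pos && target <= (long)pos)
        newoff -= delta;
    return newoff;
}

/*
 * Rewrite all branch offsets for an expansion at 'pos' by 'delta'.
 * check == 0: store the adjusted value through a plain cast, which
 *             wraps silently when it does not fit in int16_t.
 * check != 0: validate every new offset first and return -1 without
 *             touching the program if any one is out of range.
 */
static int adjust_branches(struct insn *prog, size_t len, size_t pos,
                           int delta, int check)
{
    if (check) {
        for (size_t i = 0; i < len; i++) {
            if (!prog[i].is_jump || i == pos)
                continue;
            long newoff = adjusted_off(prog, i, pos, delta);
            if (newoff > INT16_MAX || newoff < INT16_MIN)
                return -1;
        }
    }
    for (size_t i = 0; i < len; i++) {
        if (!prog[i].is_jump || i == pos)
            continue;
        prog[i].off = (int16_t)adjusted_off(prog, i, pos, delta);
    }
    return 0;
}

/*
 * Constructed input: a 32100-insn program whose first insn jumps forward
 * by 32000 (to insn 32001). Insn 1 is then expanded by 1000 instructions,
 * so the jump needs an offset of 33000, which does not fit in int16_t.
 * Returns adjust_branches' rc and stores insn 0's resulting offset.
 */
static int expansion_demo(int check, int16_t *off0)
{
    const size_t len = 32100, pos = 1;
    const int delta = 1000;
    struct insn *prog = calloc(len, sizeof(*prog));
    if (!prog)
        return -2;
    prog[0].is_jump = 1;
    prog[0].off = 32000;
    int rc = adjust_branches(prog, len, pos, delta, check);
    *off0 = prog[0].off;
    free(prog);
    return rc;
}

static int demo_rc(int check)  { int16_t o; return expansion_demo(check, &o); }
static int demo_off(int check) { int16_t o; expansion_demo(check, &o); return o; }

int main(void)
{
    /* unchecked: rc 0, offset wraps to -32536 (a backward jump out of the program) */
    /* checked:   rc -1, offset left at 32000 */
    return demo_rc(0) == 0 && demo_rc(1) == -1 ? 0 : 1;
}
```

With the unchecked path the jump at insn 0 now resolves to target 1 + (-32536), i.e. a negative index outside the program, which is the kind of wild control transfer a JIT or interpreter cannot be expected to survive; this is why the safe behaviour is to reject the program at expansion time.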