New CVE in this week

Masami Ichikawa

Hi !

It's this week's CVE report.

2 new CVEs were reported this week.

* New CVEs

CVE-2022-23222: bpf: Fix out of bounds access from invalid *_or_null
type verification

CVSS v3 score is not provided

adjust_ptr_min_max_vals() in kernel/bpf/verifier.c did not validate its
input properly, which allows a local attacker to escalate privileges.
This bug affects kernel 5.8 or later.
A mitigation is to set kernel.unprivileged_bpf_disabled to 1.
So, as usual, disabling unprivileged eBPF is a good idea :)

Fixed status

mainline: [c25b2ae136039ffa820c26138ed4a5e5f3ab3841]
stable/5.10: [35ab8c9085b0af847df7fac9571ccd26d9f0f513]
stable/5.15: [e8efe8369944c6199f124e3b50662ad05a048b60]
stable/5.16: [931e56be527fb2672556e3c00c57ff2a5f5de43e]

CVE-2022-0185: vfs: fs_context: fix up param length parsing in

CVSS v3 score is not provided

It was introduced by commit 3e1aeb0 ("vfs: Implement a filesystem
superblock creation/configuration context"), which was merged in
5.1-rc1. The root cause is an integer underflow that leads to a heap
overflow. If an unprivileged user can use the unshare operation with
CAP_SYS_ADMIN, the user will be able to exploit the system via this

Fixed status

mainline: [722d94847de29310e8aa03fcbdb41fc92c521756]
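As an added example (not part of this report), a POSIX shell check for the two sysctls that gate the local attack surface of the two new CVEs: kernel.unprivileged_bpf_disabled, named above for CVE-2022-23222, and user.max_user_namespaces, which is my assumption of the knob a defender would check for the unshare/CAP_SYS_ADMIN precondition of CVE-2022-0185. Values are read from files so the checks can run on constructed input; with --live the script reads the host's /proc/sys.

```shell
#!/bin/sh
# Added example, not from the report: interpret the two sysctls that gate
# the local attack surface for CVE-2022-23222 (unprivileged eBPF) and
# CVE-2022-0185 (unprivileged user namespaces granting CAP_SYS_ADMIN via
# unshare). Values are read from files so the functions can be exercised
# on constructed input as well as the live /proc/sys tree.

# Classify kernel.unprivileged_bpf_disabled.
# 0 = unprivileged BPF allowed (verifier bug reachable by local users)
# 1 = disabled, cannot be re-enabled without reboot (the report's mitigation)
# 2 = disabled, but root may set it back to 0 (kernels 5.15 and later)
bpf_status() {
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo "vulnerable: unprivileged BPF enabled" ;;
        1) echo "mitigated: unprivileged BPF permanently disabled" ;;
        2) echo "mitigated: unprivileged BPF disabled (re-enablable)" ;;
        *) echo "unknown value" ;;
    esac
}

# Classify user.max_user_namespaces (assumed knob): 0 means no user
# namespaces can be created, so an unprivileged user cannot obtain
# CAP_SYS_ADMIN through unshare. Note this also breaks legitimate users
# of user namespaces (containers, sandboxes), so it is a blunt control.
userns_status() {
    n=$(tr -d '[:space:]' < "$1")
    case "$n" in
        ''|*[!0-9]*) echo "unknown value" ;;
        0) echo "mitigated: user namespaces disabled" ;;
        *) echo "exposed: up to $n user namespaces per user" ;;
    esac
}

# Return 0 when both knobs are in a mitigated state, 1 otherwise.
mitigated() {
    b=$(bpf_status "$1"); u=$(userns_status "$2")
    case "$b" in mitigated*) ;; *) return 1 ;; esac
    case "$u" in mitigated*) ;; *) return 1 ;; esac
    return 0
}

# Live check against /proc/sys (only meaningful on a Linux host).
if [ "${1:-}" = "--live" ]; then
    bpf_status /proc/sys/kernel/unprivileged_bpf_disabled
    userns_status /proc/sys/user/max_user_namespaces
fi
```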

* Updated CVEs

CVE-2021-4095: 'KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c'

This issue was fixed in the mainline this week. It was introduced by
commit 629b534 ("KVM: x86/xen: update wallclock region"), which was
merged in 5.12-rc1-dontuse.

Fixed status

mainline: [55749769fe608fa3f4a075e42e89d237c8e37637]

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

Commit 1756d79 ("cgroup: Use open-time credentials for process
migraton perm checks") failed to apply to 4.4, 4.9, 4.14, 4.19,
5.4, and 5.10. This commit fixes 187fe84 ("cgroup: require write perm
on common ancestor when moving processes on the default hierarchy"),
which was merged in 4.2-rc1.

Commit 0d2b595 ("cgroup: Allocate cgroup_file_ctx for
kernfs_open_file->priv") failed to apply to 4.14, 4.19, 5.4, and 5.10.

Commit e574576 ("cgroup: Use open-time cgroup namespace for process
migration perm checks") failed to apply to 4.14, 4.19, 5.4, and
5.10. This commit fixes 5136f63 ("cgroup: implement "nsdelegate" mount
option"), which was merged in 4.13-rc1.

Fixed status

mainline: [1756d7994ad85c2479af6ae5a9750b92324685af,
stable/5.15: [c6ebc35298848accb5e50c37fdb2490cf4690c92,

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...
