Re: New CVE entries in this week


Masami Ichikawa

Hi !

On Thu, Jan 27, 2022 at 5:21 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@...> wrote:

Hi,

-----Original Message-----
From: cip-dev@... <cip-dev@...> On
Behalf Of Masami Ichikawa
Sent: Thursday, January 27, 2022 8:51 AM
To: cip-dev <cip-dev@...>
Subject: [cip-dev] New CVE entries in this week

Hi !

It's this week's CVE report.

This week, 4 new CVEs were reported.

* New CVEs

CVE-2022-0322: sctp: account stream padding length for reconf chunk

CVSS v3 score is not provided

This issue was introduced by commit cc16f00 ("sctp: add support for
generating stream reconf ssn reset request chunk") in 4.11-rc1, so 4.9 and 4.4
aren't affected by this issue. All kernels have been fixed.

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
stable/4.19: [c57fdeff69b152185fafabd37e6bfecfce51efda]
stable/5.10: [d84a69ac410f6228873d05d35120f6bdddab7fc3]
stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]

CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch

CVSS v3 score is not provided

A local user who has certain privileges is able to gather kernel internal memory
addresses.
This issue was introduced by commit 38086bf ("bpf: Propagate stack bounds
to registers in atomics w/ BPF_FETCH"), which was merged in 5.12-rc1-dontuse.
Fixed in 5.17-rc1, so kernels before 5.12 aren't affected by this issue.

Fixed status

mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]

CVE-2022-0330: drm/i915: Flush TLBs before releasing backing store

CVSS v3 score is not provided

Vulnerability in the i915 driver. Without an active IOMMU, malicious userspace
can gain access (from the code executing on the GPU) to random memory
pages.

Fixed status

mainline: [7938d61591d33394a21bdd7797a245b65428f44c]

CVE-2021-22600: net/packet: rx_owner_map depends on pg_vec

CVSS v3 score: NIST: not provided
CVSS v3 score: CNA: 6.6 medium

A double free bug in packet_set_ring() in net/packet/af_packet.c can be
exploited by a local user through crafted syscalls to escalate privileges or deny
service.
This issue was introduced by commit 61fad68 ("net/packet: tpacket_rcv:
avoid a producer race condition"). This commit was merged in 5.6.
However, it was backported to 5.4, 4.19, and 4.14, so these kernels are also
affected; 4.4 and 4.9 are not, because commit 61fad68 was not backported
to 4.4 and 4.9.
I think we need to make sure this is also needed for 4.4.
I did a quick check on applying 61fad68 ("net/packet: tpacket_rcv: avoid
a producer race condition"); it seems that we may at least need the
following patches.

- 58d19b1 ("packet: vnet_hdr support for tpacket_rcv")
- 55655e3 ("net/packet: fix memory leak in packet_set_ring()")

Commit 55655e3 added a goto label to fix a bug which was introduced by
commit 7f953ab ("af_packet: TX_RING support for TPACKET_V3"). Commit
7f953ab is not backported to 4.4.y. Backporting commit 7f953ab
seems like a heavy task.

Fixed status

mainline: [ec6af094ea28f0f2dda1a6a33b14cd57e36a9755]
stable/4.14: [a829ff7c8ec494eca028824628a964cde543dc76]
stable/4.19: [18c73170de6719491f79b04c727ea8314c246b03]
stable/5.10: [7da349f07e457cad135df0920a3f670e423fb5e9]
stable/5.15: [feb116a0ecc5625d6532c616d9a10ef4ef81514b]
stable/5.4: [027a13973dadb64ef4f19db56c9b619ee82c3375]

Best regards,
Nobuhiro

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@...
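To turn a weekly report like the one above into something a kernel maintainer can act on, the "Fixed status" lines can be parsed into a CVE-to-branch-to-commit map and each fix commit checked against a local tree. The following is an added example, not code from the cip-dev list or from either author; the sample report is constructed from two of the entries above, and `git merge-base --is-ancestor` is the assumed way to test whether a fix is already contained in a checked-out branch.

```python
import re

# Constructed sample in the report's own format; the hashes are the ones the
# report lists for CVE-2022-0322 and CVE-2022-0264.
SAMPLE_REPORT = """\
CVE-2022-0322: sctp: account stream padding length for reconf chunk

Fixed status

mainline: [a2d859e3fc97e79d907761550dbc03ff1b36479c]
stable/4.14: [41f0bcc7d9eac315259d4e9fb441552f60e8ec9e]
stable/5.4: [d88774539539dcbf825a25e61234f110513f5963]

CVE-2022-0264: bpf: Fix kernel address leakage in atomic fetch

Fixed status

mainline: [7d3baf0afa3aa9102d6a521a8e4c41888bb79882]
stable/5.15: [423628125a484538111c2c6d9bb1588eb086053b]
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")
FIX_RE = re.compile(r"^(mainline|stable/\d+\.\d+):\s*\[([0-9a-f]{40})\]$")


def parse_report(text):
    """Return {cve: {"title": str, "fixes": {branch: commit}}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CVE_RE.match(line)
        if m:  # a new CVE heading starts a new entry
            current = entries.setdefault(m.group(1), {"title": m.group(2), "fixes": {}})
            continue
        m = FIX_RE.match(line)
        if m and current is not None:  # "branch: [sha]" line under Fixed status
            current["fixes"][m.group(1)] = m.group(2)
    return entries


def fix_for_branch(entries, cve, branch):
    """Fix commit for `cve` on `branch`, or None if the report lists no fix there."""
    return entries.get(cve, {}).get("fixes", {}).get(branch)


def ancestor_check_cmd(commit, ref="HEAD"):
    """git argv that exits 0 when `commit` is already contained in `ref` (assumed usage)."""
    return ["git", "merge-base", "--is-ancestor", commit, ref]


if __name__ == "__main__":
    for cve, entry in parse_report(SAMPLE_REPORT).items():
        for branch, commit in entry["fixes"].items():
            print(cve, branch, " ".join(ancestor_check_cmd(commit)))
```

A branch that the report does not list for a CVE (for example stable/4.4 for CVE-2022-0322) comes back as None, which is the "not affected or no backport listed" case that still needs a human decision.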