New CVE entries this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

This week reported 2 new CVEs and 7 updated CVEs.

* New CVEs

CVE-2022-1419 : drm/vgem: Close use-after-free race in vgem_gem_create

CVSS v3 score is not provided

Fixed in 5.6-rc2. An attacker should have the privilege to access drm
to abuse this bug.

Fixed status

mainline: [4b848f20eda5974020f043ca14bacf7a7e634fc8]
stable/5.4: [3ea7f138cec139be98f8bb9fc1a6b432003f834e]

CVE-2022-29582: io_uring: fix race between timeout flush and removal

CVSS v3 score is not provided

A race condition bug will cause an UAF bug.
io_uring was introduced in 5.1. 5.4 doesn't have io_flush_timeouts()
so 5.4 may not be affected by this issue.

Fixed status

mainline: [e677edbcabee849bfdd43f1602bccbecf736a646]
stable/5.10: [2827328e646d0c2d3db1bfcad4b5f5016ce0d643]
stable/5.15: [ba7261af2b030ab2c06189be1fc77b273716839f]
stable/5.17: [11cd7959400258beb1dc17c8680055966263f316]

* Updated CVEs

CVE-2022-1263: KVM: avoid NULL pointer dereference in kvm_dirty_ring_push

The mainline, 5.15, and 5.17 were fixed this week.

This bug was introduced by commit fb04a1e ("KVM: X86: Implement
ring-based dirty memory tracking") so all stable kernels were fixed.

Fixed status

mainline: [5593473a1e6c743764b08e3b6071cb43b5cfa6c4]
stable/5.15: [226b4327ef5c88572fc12187193f1b5073c10837]
stable/5.17: [e8d7f0dad29e634e26d4614cfbd081514c16e042]

CVE-2022-0812: NFS over RDMA random memory leakage

This bug was introduced in 4.7-rc1 by 302d3de ("xprtrdma: Prevent
inline overflow") , then fixed in 5.8-rc6.
4.4 isn't affected by this issue.

Fixed status

mainline: [912288442cb2f431bf3c8cb097a5de83bc6dbac1]
stable/5.4: [c8a4452da9f4b09c28d904f70247b097d4c14932]

CVE-2022-1204: UAF caused by binding operation when ax25 device is detaching

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
feef318c855a361a1eccd880f33e88c460eb63b4,
9fd75b66b8f68498454d685dc4ba13192ae069b0,
5352a761308397a0e6250fdc629bb3f615b94747]
stable/4.14: [ef0a2a0565727a48f2e36a2c461f8b1e3a61922d,
9f444dedb486b9e184bd774caebbd09733ccf859,
b8c07f33aa35dacf5444e7053ed9662d1869f536,
c44a453ffe16eb08acdc6129ac4fa0192dbc0456,
62accd4682d1d85290a9859091d201e6a4701205]
stable/4.19: [e2b558fe507a1ed4c43db2b0057fc6e41f20a14c,
a518be5772d36fcd0e4815d156e06feb137aad82,
b1e0a6fc7f17500484c402ad1cd018c24dfc14b3,
de55a1338e6a48ff1e41ea8db1432496fbe2a62b,
1bf1b2a8a2caf9bc0d3cf1aa903a8dcaaa4371d0]
stable/5.10: [5ea00fc60676c0eebfa8560ec461209d638bca9d,
5ddae8d064412ed868610127561652e90acabeea,
57cc15f5fd550316e4104eaf84b90fbc640fd7a5,
b20a5ab0f5fb175750c6bafd4cf12daccf00c738,
a4942c6fea879972a7fee50f7e92e2e10f3fc23e]
stable/5.15: [9af0fd5c4453a44c692be0cbb3724859b75d739b,
bc706d89199b0d8ee5e2229e18fdb9c0720f6ba8,
b982492ec3a115e0a136856a1b2dbe32f2d21a0e,
452ae92b99062d2f6a34324eaf705a3b7eac9f8b,
1bf8946d5826788c82971977245bcd3313678eac]
stable/5.17: [d01ffb9eee4af165d83b08dd73ebdf9fe94a519b,
87563a043cef044fed5db7967a75741cc16ad2b1,
feef318c855a361a1eccd880f33e88c460eb63b4,
534156dd4ed768e30a43de0036f45dca7c54818f,
01619aa347d35ac8b79751757784ec6f507a3215]
stable/5.4: [418993bbaafb0cd48f904ba68eeda052d624c821,
1db0b2c55c934a33b6fa4d4a4865f5a5be641344,
7528d0f2210c3a1154186175516ed37aa970f2b1,
9e1e088a57c23251f1cfe9601bbd90ade2ea73b9,
eaa7eb23fa76db45f7da1b6192518705863d0ebe]

CVE-2022-1205: Null pointer dereference and use-after-free in
net/ax25/ax25_timer.c

4.14 and 4.19 were fixed this week.

Fixed status

mainline: [fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009,
82e31755e55fbcea6a9dfaae5fe4860ade17cbc0]
stable/4.14: [331210983ba5ce82bf63b827bca0e1c833f293db,
093ab7f96dd3ebaf240fee02d6752c6b0825cc0b]
stable/4.19: [512f09df261b51b088f17d86dbdf300a3492523d,
3082f32c45465b692c314131c2a3657e0c23e09d]
stable/5.10: [f934fa478dd17411bc6884153dc824ff9e7505d8,
5c62d3bf14100a88d30888b925fcb61a8c11c012]
stable/5.15: [43c107021d9160f6a1610bafba6dadc0323ae548,
85f25bb9a0051198af48ac2f3afc9f16f2277114]
stable/5.17: [a45dba71849a963c427637b3330e2ccf098f42d1,
76ff66bb3b22f202c226ddbb0a811f8fb8aab2fa]
stable/5.4: [40cb8b3b19c087a4e20f6740701e53fefbe19a7b,
a83a18c4c9033fb6604c587f52a2d78857cf0ac2]

CVE-2022-28388: can: usb_8dev: usb_8dev_start_xmit(): fix double
dev_kfree_skb() in error path

4.14, 4.19, and 5.4 were fixed this week.

Fixed status

mainline: [3d3925ff6433f98992685a9679613a2cc97f3ce2]
stable/4.14: [a5e2259173eb52a728bbf32e02aa9a388451e614]
stable/4.19: [8eb78da898079c0d7250c32ebf0c35fb81737abe]
stable/5.10: [5318cdf4fd834856ce71238b064f35386f9ef528]
stable/5.15: [f2ce5238904f539648aaf56c5ee49e5eaf44d8fc]
stable/5.16: [3e006cf0fb809815d56e59c9de4486fbe253ccdf]
stable/5.17: [29d6c06168faa23ce23db3321981c8fde576c95c]
stable/5.4: [660784e7194ac2953aebe874c1f75f2441ba3d19]

CVE-2022-1199: Null pointer dereference and use-after-free in ax25_release()

4.14 was fixed this week.
Added commit cb18d72 ("ax25: fix NPD bug in ax25_disconnect") to 4.19.

Fixed status

mainline: [4e0f718daf97d47cf7dec122da1be970f145c809,
7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10,
71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac]
stable/4.14: [a509dbde35fa51d140512cbcf50068a84fdb7aad,
0b0ae8b9813b84f73dfcdec197b6455844ae6bf1,
d03aba820f1549c9f3b1d14bf48fa082663d22b5]
stable/4.19: [3072e72814de56f3c674650a8af98233ddf78b19,
5ab8de9377edde3eaf1de9872e2f01d43157cd6c,
cb18d72179bf42a6ccd2b311739017b0ba9bc26e]
stable/4.9: [851901d339b2ba766ffcf754d37a6f52fa07cea2,
cad71f1094834eb69f7ceec8100d300c26b43053]
stable/5.10: [b9a229fd48bfa45edb954c75a57e3931a3da6c5f,
e2201ef32f933944ee02e59205adb566bafcdf91,
145ea8d213e8f46667cd904ae79d17f298750f00]
stable/5.15: [4c958f0c5714812461da7785393315b35145ac8c,
da6509fba636f7f8b2e902b1e4742fdbf1bf059f,
46ad629e58ce3a88c924ff3c5a7e9129b0df5659]
stable/5.4: [cfc8b37ef0418529e3719c2d128e59e74a3114b0,
d2be5b563ef391f684592a28440067f4fa3735f4,
0a64aea5fe023cf1e4973676b11f49038b1f045b]

CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl
and drm_mode_getresources

Fixed in the mainline. Some patches were backported to stable kernels.

The mainline contains the following patches.

b436acd ("drm: Fix use-after-free read in drm_getunique()") was merged
in v5.13-rc6
c336a5e ("drm: Lock pointer access in drm_master_release()") was
merged in v5.13-rc6
869e76f ("drm: avoid circular locks in drm_mode_getconnector") was
merged in v5.15-rc1
5eff958 ("drm: avoid blocking in drm_clients_info's rcu section") was
merged in v5.15-rc1
1f7ef07 ("drm: add a locked version of drm_is_current_master") was
merged in v5.15-rc1
0b0860a ("drm: serialize drm_file.master with a new spinlock") was
merged in v5.15-rc1
56f0729 ("drm: protect drm_master pointers in drm_lease.c") was merged
in v5.15-rc1
28be240 ("drm: use the lookup lock in drm_is_current_master") was
merged in v5.15-rc1
2bc5da5 ("drm/vmwgfx: fix potential UAF in vmwgfx_surface.c") was
merged in v5.15-rc1

The commit 1f7ef07 was reverted in
5.10(https://lore.kernel.org/stable/20210628142607.32218-97-sashal@kernel.org/).
Searching in lore.kernel.org, the commit 869e76f looks as if it isn't
backported to stable kernels.
Searching in lore.kernel.org, the commit 28be240 looks as if it isn't
backported to stable kernels.

Fixed status

mainline: [b436acd1cf7fac0ba987abd22955d98025c80c2b,
c336a5ee984708db4826ef9e47d184e638e29717,
869e76f7a918f010bd4518d58886969b1f642a04,
5eff9585de220cdd131237f5665db5e6c6bdf590,
1f7ef07cfa14fb8557d1f1b7a14c76926142a4fb,
0b0860a3cf5eccf183760b1177a1dcdb821b0b66,
56f0729a510f92151682ff6c89f69724d5595d6e,
28be2405fb753927e18bc1a891617a430b2a0684,
2bc5da528dd570c5ecabc107e6fbdbc55974276f]
stable/4.19: [7d233ba700ceb593905ea82b42dadb4ec8ef85e9,
a376f7e66b654cb290fa9d16d8dab5bfef744463]
stable/4.9: [8e250a134c8fe2a945d10b421d0ccb54e85d8683]
stable/5.10: [491d52e0078860b33b6c14f0a7ac74ca1b603bd6,
aa8591a58cbd2986090709e4202881f18e8ae30e,
54e51d288b38377e8cd645a83e1ad08cc9d20ccc,
06a553a99bacb00d3bc25f79e75c8e0fbf7a5025,
34609faad0c9f9f08d4b59d25c94b78bf5710d93,
d6c91423993e8164ca4162ff046c6437bbd75b53]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Join cip-dev@lists.cip-project.org to automatically receive all group messages.