New CVE entries this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

This week reported 6 new CVEs and 5 updated CVEs.

* New CVEs

CVE-2022-2785: bpf: Disallow bpf programs call prog_run command.

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.7 MEDIUM(CNA).

There exists an arbitrary memory read within the Linux Kernel BPF -
Constants provided to fill pointers in structs passed in to
bpf_sys_bpf are not verified and can point anywhere, including memory
not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory
from anywhere on the system.

This vulnerability was introduced by commit b1d18a7574d0 ("bpf: Extend
sys_bpf commands for bpf_syscall programs.") in 5.18-rc1.
LTS kernels don't have this commit so they aren't affected by this issue.

Fixed status
mainline: [86f44fcec22ce2979507742bc53db8400e454f46]
stable/5.19: [b429d0b9a7a0f3dddb1f782b72629e6353f292fd]

CVE-2022-3103: io_uring: fix off-by-one in sync cancelation file check

CVSS v3 score is 7.8 HIGH.

There is a wrong validation check in io_uring/cancel.c. It will cause
an off-by-one.

This bug was introduced by commit 78a861b ("io_uring: add sync
cancelation API through io_uring_register()") in 6.0-rc1. This commit
is not backported to stable kernels so it only affected from 6.0-rc1
to 6.0-rc2.

Fixed status
mainline: [47abea041f897d64dbd5777f0cf7745148f85d75]

CVE-2022-3239: A use-after-free bug was found in video4linux driver
for the Empia 28xx based TV cards

CVSS v3 score is 7.8 HIGH

A flaw use after free in the Linux kernel video4linux driver was found
in the way user triggers em28xx_usb_probe() for the Empia 28xx based
TV cards. A local user could use this flaw to crash the system or
potentially escalate their privileges on the system.
This bug was introduced by commit 47677e5 ("[media] em28xx: Only
deallocate struct em28xx after finishing all extensions") in 3.15-rc1.

No CIP member enables CONFIG_VIDEO_EM28XX.

Fixed status
mainline: [c08eadca1bdfa099e20a32f8fa4b52b2f672236d]
stable/4.14: [1f6ab281f218c3a2b789eb976c5b1ef67139680a]
stable/4.19: [0113fa98a49a8e46a19b0ad80f29c904c6feec23]
stable/5.10: [ec8a37b2d9a76a9443feb0af95bd06ac3df25444]
stable/5.15: [332d45fe51d75a3a95c4a04e2cb7bffef284edd4]
stable/5.4: [92f84aa82dfaa8382785874277b0c4bedec89a68]

CVE-2022-36402: An integer overflow vulnerability was found in vmwgfx driver

CVSS v3 score is 5.5 MEDIUM(NIST).
CVSS v3 score is 6.3 MEDIUM(CNA).

An integer overflow vulnerability was found in vmwgfx driver in
drivers/gpu/vmxgfx/vmxgfx_execbuf.c in GPU component of Linux kernel
with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a
local attacker with a user account on the system to gain privilege,
causing a denial of service(DoS).

Fixed status
Not fixed yet.

CVE-2022-3303: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

CVSS v3 score is not assigned.

A race condition bug was found in snd_pcm_oss_sync() in the
sound/core/oss/pcm_oss.c. This race condition triggers a NULL pointer
dereference that results in a system crash. It looks as if 4.4 is
affected too.

Fixed status
mainline: [8423f0b6d513b259fdab9c9bf4aaa6188d054c2d]
stable/5.15: [8015ef9e8a0ee5cecfd0cb6805834d007ab26f86]
stable/5.19: [723ac5ab2891b6c10dd6cc78ef5456af593490eb]
stable/5.4: [4051324a6dafd7053c74c475e80b3ba10ae672b0]

CVE-2022-3170: ALSA: control: Re-order bounds checking in get_ctl_id_hash()

CVSS v3 score is 7.8 HIGH.

An out-of-bounds access issue was found in the Linux kernel sound
subsystem. It could occur when the 'id->name' provided by the user did
not end with '\0'. A privileged local user could pass a specially
crafted name through ioctl() interface and crash the system or
potentially escalate their privileges on the system.

This vulnarability's root cause is commit c27e1ef ("ALSA: control: Use
xarray for faster lookups"). This commit was merged in 6.0-rc1. The
commit c27e1ef is not backported to stable kernels. So, it affected
6.0-rc1 to 6.0-rc4.

Fixed status
mainline: [5934d9a0383619c14df91af8fd76261dc3de2f5f,
6ab55ec0a938c7f943a4edba3d6514f775983887]

* Updated CVEs

CVE-2022-0171: KVM: cache incoherence issue in SEV API may lead to
kernel crash

stable 5.10 and 5.15 was fixed. This vulnerability is affected to 5.10
or later version.

Fixed status
mainline: [683412ccf61294d727ead4a73d97397396e69a6b]
stable/5.10: [a60babeb60ff276963d4756c7fd2e7bf242bb777]
stable/5.15: [39b0235284c7aa33a64e07b825add7a2c108094a]

CVE-2022-3061: video: fbdev: i740fb: Error out if ''pixclock'' equals zero

5.10 and 5.15 were fixed.

Fixed status
mainline: [15cf0b82271b1823fb02ab8c377badba614d95d5]
stable/5.10: [e00582a36198888ffe91ed6b097d86556c8bb253]
stable/5.15: [59b756da49bfa51a00a0b58b4147ce2652bc3d28]

CVE-2022-39842: video: fbdev: pxa3xx-gcu: Fix integer overflow in
pxa3xx_gcu_write

4.14, 4.10, 4.9, 5.4, 5.10 and 5.15 were fixed.

Fixed status
mainline: [a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7]
stable/4.14: [9556a88a16e381dbd6834da95206742d0973afc6]
stable/4.19: [a34547fc43d02f2662b2b62c9a4c578594cf662d]
stable/4.9: [a0dcaa48042a56a9eee2efed19563866a0ddbce2]
stable/5.10: [06e194e1130c98f82d46beb40cdbc88a0d4fd6de]
stable/5.15: [ab5140c6ddd7473509e12f468948de91138b124e]
stable/5.4: [1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9]

CVE-2022-40307: efi: capsule-loader: Fix use-after-free in efi_capsule_write

This vulnerability was introduced by commit 65117f1 ("efi: Add misc
char driver interface to update EFI firmware") was merged in 4.7-rc1.
4.4.y-cip and linux-4.4.y-rt have this commit but 4.4.y-st doesn't.

Fixed status
mainline: [9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95]
stable/4.14: [233d5c4d18971feee5fc2f33f00b63d8205cfc67]
stable/4.19: [021805af5bedeafc76c117fc771c100b358ab419]
stable/5.10: [918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6]
stable/5.15: [dd291e070be0eca8807476b022bda00c891d9066]
stable/5.19: [d46815a8f26ca6db2336106a148265239f73b0af]
stable/5.4: [8028ff4cdbb3f20d3c1c04be33a83bab0cb94997]

CVE-2021-4037: kernel: security regression for CVE-2018-13405

5.10 was fixed.

Fixed status
mainline: [01ea173e103edd5ec41acec65b9261b87e123fc2]
stable/5.10: [e811a534ec2f7f6c0d27532c0915715427b7cab1]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Join cip-dev@lists.cip-project.org to automatically receive all group messages.