Cip-kernel-sec Updates for Week of 2021-05-05


Masami Ichikawa
 

Hi!

May I ask some questions?

On Wed, May 5, 2021 at 13:37 Chen-Yu Tsai (Moxa) <wens@...> wrote:

Hi everyone,

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
I'm looking into CVE-2021-31829. The issues/CVE-2021-31829.yml in the
cip-kernel-sec repository describes this bug as introduced by commit
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366.
The bug fix commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807[1] has a
Fixes tag which says "Fixes: 979d63d50c0c ("bpf: prevent out of bounds
speculation on pointer arithmetic")",
so CVE-2021-31829.yml's introduced-by section may be
979d63d50c0c0f7bc537bf821e056cc9fe5abd38?

Also, one of the patches that fixes CVE-2021-29155 has a Fixes tag that says
"Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF")"[2],
so issues/CVE-2021-29155.yml's introduced-by section may be
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366?

[1] https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=b9b34ddbe2076ade359cd5ce7537d5ed019e9807
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=9601148392520e2e134936e76788fc2a6371e7be

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.

Additionally, one old CVE is now fixed:

- CVE-2020-26541


Regards
ChenYu


Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...
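As an added example (not code from the thread or from the cip-kernel-sec project), a small checker for the mismatch Masami describes: it extracts the Fixes: tag from a commit message and compares it with the introduced-by entries of an issue file. The YAML layout below is a simplified assumption, and both sample texts are constructed from the SHAs quoted above.

```python
import re

# Constructed sample commit message: subject and Fixes: tag of
# b9b34ddbe2076ade359cd5ce7537d5ed019e9807 as quoted in the thread.
SAMPLE_COMMIT_MESSAGE = """\
bpf: Fix masking negation logic upon negative dst register

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: (omitted)
"""

# Constructed sample issue file. The layout is an assumption, simplified
# from the "introduced-by section" of issues/CVE-2021-31829.yml.
SAMPLE_ISSUE_YAML = """\
description: bpf: stack pointer protection from speculative arithmetic
introduced-by:
  mainline:
    - 2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366
fixed-by:
  mainline:
    - b9b34ddbe2076ade359cd5ce7537d5ed019e9807
"""

# A Fixes: line carries an abbreviated (or full) hex SHA followed by the subject.
FIXES_RE = re.compile(r'^Fixes:\s*([0-9a-f]{7,40})\b', re.MULTILINE | re.IGNORECASE)


def fixes_tags(message):
    """All SHAs named in Fixes: tags of a commit message, lowercased."""
    return [m.group(1).lower() for m in FIXES_RE.finditer(message)]


def introduced_by(yaml_text):
    """Minimal parser: every '- <sha>' item under the top-level introduced-by: key."""
    shas, in_section = [], False
    for line in yaml_text.splitlines():
        if not line.startswith(' '):          # top-level key: enter/leave the section
            in_section = line.startswith('introduced-by:')
            continue
        item = line.strip()
        if in_section and item.startswith('- '):
            shas.append(item[2:].strip().lower())
    return shas


def check_consistency(message, yaml_text):
    """Fixes: SHAs that no introduced-by entry covers (abbreviated SHAs match by prefix)."""
    listed = introduced_by(yaml_text)
    return [sha for sha in fixes_tags(message)
            if not any(full.startswith(sha) or sha.startswith(full) for full in listed)]
```

An empty result means the issue file already names every commit the fix claims to repair; a non-empty one lists candidates for the introduced-by section, which is exactly the question raised above.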


Chen-Yu Tsai (Moxa) <wens@...>
 

On Wed, May 5, 2021 at 4:34 PM Pavel Machek <pavel@...> wrote:

Hi!

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Backport is trivial in this case.

Additionally, one old CVE is now fixed:
- CVE-2020-26541
This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.

If someone uses secure boot on UEFI, we may need to do this, but
perhaps no one is doing that.
No idea. All the servers I touched at work were still booting via
legacy BIOS. Mind you that these were old servers. The latest machine
we have, an AMD EPYC 7002, is UEFI only. I never looked at the
settings though.

ChenYu

Best regards,
Pavel

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
* Grab our output buffer.
*/
nl = get_result_buffer(param, param_size, &len);
- if (len < needed) {
+ if (len < needed || len < sizeof(nl->dev)) {
param->flags |= DM_BUFFER_FULL_FLAG;
goto out;
}

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Pavel Machek
 

Hi!

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.
Backport is trivial in this case.

Additionally, one old CVE is now fixed:
- CVE-2020-26541
This is UEFI secure boot, and it is more of "implement missing
blacklist functionality" than a bugfix.

If someone uses secure boot on UEFI, we may need to do this, but
perhaps no one is doing that.

Best regards,
Pavel

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index eab3f7325e31..a6e6a852c9e8 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -524,7 +524,7 @@ static int list_devices(struct dm_ioctl *param, size_t param_size)
* Grab our output buffer.
*/
nl = get_result_buffer(param, param_size, &len);
- if (len < needed) {
+ if (len < needed || len < sizeof(nl->dev)) {
param->flags |= DM_BUFFER_FULL_FLAG;
goto out;
}
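Review bot: the added `len < sizeof(nl->dev)` condition has no comment explaining why the existing `len < needed` test was not sufficient, and whoever backports this to 4.9 (as the thread says is needed) will want that rationale next to the condition; suggest a one-line comment above the `if`, e.g. `/* the output buffer must hold at least nl->dev, even when the list is empty */`. Since `sizeof` is evaluated at compile time, the new operand does not dereference `nl`, so the check is safe regardless of what `get_result_buffer()` returned.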

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Pavel Machek
 

Hi!

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
Could you push your changes to cip-kernel-sec?
Done. Sorry about that.
Thank you!

These are queued for 5.10.35 and 4.19; I believe they may be related.

v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
I only looked through my inbox. And our scripts don't pick things up
from the stable-queue. In any case they will be picked up once the
stable kernels including them are released.
According to https://ubuntu.com/security/CVE-2021-31829 it is those
two patches that fix it. So this should get resolved in 5.10.35 for
us.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Chen-Yu Tsai (Moxa) <wens@...>
 

On Wed, May 5, 2021 at 3:51 PM Pavel Machek <pavel@...> wrote:

Hi!

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
Could you push your changes to cip-kernel-sec?
Done. Sorry about that.

These are queued for 5.10.35 and 4.19; I believe they may be related.

v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation
I only looked through my inbox. And our scripts don't pick things up
from the stable-queue. In any case they will be picked up once the
stable kernels including them are released.


ChenYu


Pavel Machek
 

Hi!

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.
Could you push your changes to cip-kernel-sec?

These are queued for 5.10.35 and 4.19; I believe they may be related.

v |8373088d4 b9b34d o: 5.10| bpf: Fix masking negation logic upon negative dst register
a |fbb1ea771 b9b34d o: 4.19| bpf: Fix masking negation logic upon negative dst register
a |024fb2412 801c60 o: 5.10| bpf: Fix leakage of uninitialized bpf stack under speculation

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Chen-Yu Tsai (Moxa) <wens@...>
 

Hi everyone,

Two new CVEs this week:

- CVE-2021-31829 [bpf: stack pointer protection from speculative
arithmetic] - fixed
Fixes just landed in mainline as part of the merge window. Fixes not
tagged for stable.

- CVE-2021-31916 [md: dm_ioctl: out-of-bounds array access] - fixed
Likely needs backport to 4.9 and earlier.

Additionally, one old CVE is now fixed:

- CVE-2020-26541


Regards
ChenYu