CVE-2021-3444 and CVE-2021-20292

Pavel Machek


We have outstanding action item about these two, but at this point I
believe we should simply start monitoring these:

CVE-2021-3444 -- this is about BPF handling. It does not look like
easy backport, and BPF has ton of other issues (especially with
respect to speculative execution), and my recommendation would be to
avoid BPF. My impression is that BPF is not really focus of CIP
project (we may want to ask members if anyone is using it?).

CVE-2021-20292 -- this is basically non issue. First, DRM is not
exactly our focus, but more importantly, this is only issue if
attacker already has root.


There is a flaw reported in ... DRM subsystem. .... An attacker with a
local account with a root privilege, can leverage this vulnerability
to escalate privileges and execute code in the context of the kernel.

Best regards,
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany