New CVE entries this week


Masami Ichikawa
 

Hi !

Here is this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3640: there is no fixed information as of 2021/07/29.

CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
affects powerpc architecture.

** Updated CVEs

CVE-2021-31829: I fixed wrong security information.

CVE-2021-22543: added stable/4.19 fixed commit.

** Tracking CVEs

CVE-2021-29256: not fixed in mainline yet

CVE-2021-31615: not fixed in mainline yet

CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

CVE-2021-37159: mainline is not fixed as of 2021/07/29

* CVE detail

New CVEs

- CVE-2021-3640: Linux kernel: UAF in sco_send_frame function

Not fixed in mainline.

From the email (https://www.openwall.com/lists/oss-security/2021/07/22/1):

-------------
2021-07-08: Bug reported to security@...nel.org and
linux-distros@...openwall.org
2021-07-09: CVE-2021-3640 is assigned
2021-07-22: 14 days of the embargo is over

One sad thing is that the bluez team is currently focused on fixing up
CVE-2021-3573, which I failed to patch properly, and the patch for this
new one is not yet fully discussed.
I hope the patch will be settled down and merged to the mainline in the
near future.
-------------

CVE-2021-37576: KVM guest to host memory corruption

This vulnerability only affects PowerPC architecture.

No CIP member uses the PPC architecture.

Fixed status
mainline: [f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a]
stable/4.19: [0493b10c06021796ba80cbe53c961defd5aca6e5]
stable/4.4: [1e90a673f6ee09c668fe01aa1b94924f972c9811]
stable/5.10: [c1fbdf0f3c26004a2803282fdc1c35086908a99e]

Updated CVEs

CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas
in KVM can bypass RO checks and can lead to pages being freed while
still accessible by the VMM and guest

Added stable/4.19 fixed commit.

The v4.4 kernel gets the pfn the following way in hva_to_pfn(). It does not
use kvm_get_pfn(), and hva_to_pfn_remapped() doesn't exist in the v4.4 kernel.

    else if ((vma->vm_flags & VM_PFNMAP)) {
        pfn = ((addr - vma->vm_start) >> PAGE_SHIFT) +
              vma->vm_pgoff;

If v4.4 has the same vulnerability, we'll need to write a patch ourselves.

CVE-2021-31829: Linux kernel protection of stack pointer against
speculative pointer arithmetic can be bypassed to leak content of
kernel memory

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]

There was wrong information so I updated it.
stable/5.10 is fixed but cip/5.10 is not fixed yet.

Currently tracking CVEs

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged
user to achieve access to freed memory

Not fixed in mainline yet

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

Not fixed in mainline yet

CVE-2021-21781: Arm SIGPAGE information disclosure vulnerability

v4.4 is not fixed as of 2021/07/29

Fixed status
mainline: [9c698bff66ab4914bb3d71da7dc6112519bde23e]
stable/4.19: [80ef523d2cb719c3de66787e922a96b5099d2fbb]
stable/5.10: [7913ec05fc02ccd7df83280451504b0a3e543097]

CVE-2021-3655: missing size validations on inbound SCTP packets

According to cip-kernel-sec's scripts, v4.4 is not fixed as of 2021/07/29

One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.19: [c7a03ebace4f9cd40d9cd9dd5fb2af558025583c,
dd16e38e1531258d332b0fc7c247367f60c6c381]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
stable/5.10: [d4dbef7046e24669278eba4455e9e8053ead6ba0,
6ef81a5c0e22233e13c748e813c54d3bf0145782]


CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the
Linux kernel through 5.13.4 calls unregister_netdev without checking
for the NETREG_REGISTERED state, leading to a use-after-free and a
double free.

The mainline is not fixed as of 2021/07/29

Regards,


--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com
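As an added example (editor's code, not part of the report or of cip-kernel-sec), a small parser for the "Fixed status" blocks in the format used above that flags tracked branches with no recorded fix commit. The sample text, the TRACKED branch set and the acceptance of abbreviated commit ids are assumptions; the commit ids themselves are copied from the report.

```python
import re
# Constructed sample in the layout of the weekly report; commit ids are copied from it.
REPORT = """\
CVE-2021-31829: Linux kernel protection of stack pointer can be bypassed

Fixed status
mainline: [f8be156be163a052a067306417cd0ff679068c97]
stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
stable/5.10: [dd8ed6c9bc2224c1ace5292d01089d3feb7ebbc3]

CVE-2021-3655: missing size validations on inbound SCTP packets

Fixed status
mainline: [0c5dc070ff3d6246d22ddd931f23a6266249e3db,
50619dbf8db77e98d821d615af4f634d08e22698,b6ffe7671b24689c09faa5675dd58f93758a97ae,
ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9]
stable/4.9: [c7da1d1ed43a6c2bece0d287e2415adf2868697e]
"""
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):")
BRANCH_RE = re.compile(r"^([\w./-]+):\s*\[([^\]]*)\]$")
SHA_RE = re.compile(r"^[0-9a-f]{12,40}$")  # full or abbreviated commit id
TRACKED = ("mainline", "stable/4.4", "stable/4.19", "stable/5.10")  # assumed branch set

def parse_fixed_status(report):
    """Map each CVE to {branch: [commit ids]} taken from its 'Fixed status' block."""
    # Re-join bracketed commit lists that mail wrapping split across several lines.
    flat = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace("\n", ""), report)
    status, cve, in_block = {}, None, False
    for line in flat.splitlines():
        line = line.strip()
        cve_m, branch_m = CVE_RE.match(line), BRANCH_RE.match(line)
        if cve_m:
            cve, in_block = cve_m.group(1), False
            status.setdefault(cve, {})  # an entry with no block reports every branch as missing
        elif line == "Fixed status":
            in_block = cve is not None
        elif in_block and branch_m:
            branch = branch_m.group(1)
            commits = [c for c in re.split(r"[,\s]+", branch_m.group(2)) if c]
            if not all(SHA_RE.match(c) for c in commits):
                raise ValueError(f"{cve} {branch}: malformed commit id in {commits}")
            status[cve][branch] = commits
        else:
            in_block = False  # a blank line or prose ends the block
    return status

def missing_fixes(status, branches=TRACKED):
    """For each CVE, the tracked branches with no fix commit recorded in the report."""
    return {cve: [b for b in branches if b not in fixed] for cve, fixed in status.items()}
```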


Pavel Machek
 

Hi!

> ** Tracking CVEs
>
> CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

This is basically a missing memset. Does not look evil to backport.

> CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

This may need a more careful look. There are 4 patches fixing this in
mainline, but only two in 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e
should be easy to backport to 4.4.

> CVE-2021-31829: Linux kernel protection of stack pointer against
> speculative pointer arithmetic can be bypassed to leak content of
> kernel memory
>
> Fixed status
> mainline: [f8be156be163a052a067306417cd0ff679068c97]
> stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]

Strange, this talks about CVE-2021-22543 in the changelog.

> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> Not fixed in mainline yet
>
> CVE-2021-3655: missing size validations on inbound SCTP packets
>
> According to cip-kernel-sec's scripts, v4.4 is not fixed as of 2021/07/29
>
> One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

I guess this should be listed in stable/4.4: ... then?

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Nobuhiro Iwamatsu
 

Hi,

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of 市川正美
> Sent: Thursday, July 29, 2021 10:19 AM
> To: cip-dev <cip-dev@lists.cip-project.org>
> Subject: [cip-dev] New CVE entries this week
>
> Hi !
>
> Here is this week's CVE report.
>
> * CVE short summary
>
> ** New CVEs
>
> CVE-2021-3640: there is no fixed information as of 2021/07/29.
>
> CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
> affects powerpc architecture.
>
> ** Updated CVEs
>
> CVE-2021-31829: I fixed wrong security information.
>
> CVE-2021-22543: added stable/4.19 fixed commit.
>
> ** Tracking CVEs
>
> CVE-2021-29256: not fixed in mainline yet
>
> CVE-2021-31615: not fixed in mainline yet
>
> CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
>
> CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

This has been fixed with the following commit.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Best regards,
Nobuhiro


Masami Ichikawa
 

Hi !

On Thu, Jul 29, 2021 at 4:47 PM Pavel Machek <pavel@denx.de> wrote:

> Hi!
>
> > ** Tracking CVEs
> >
> > CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
>
> This is basically a missing memset. Does not look evil to backport.

Thanks.

> > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
>
> This may need a more careful look. There are 4 patches fixing this in
> mainline, but only two in 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e
> should be easy to backport to 4.4.

Okay. I'll take another look.

> > CVE-2021-31829: Linux kernel protection of stack pointer against
> > speculative pointer arithmetic can be bypassed to leak content of
> > kernel memory
> >
> > Fixed status
> > mainline: [f8be156be163a052a067306417cd0ff679068c97]
> > stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]
>
> Strange, this talks about CVE-2021-22543 in the changelog.

Ok, I'll check again.

> > CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> > Bluetooth Core Specifications 4.0 through 5.2
> >
> > Not fixed in mainline yet
> >
> > CVE-2021-3655: missing size validations on inbound SCTP packets
> >
> > According to cip-kernel-sec's scripts, v4.4 is not fixed as of 2021/07/29
> >
> > One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd
>
> I guess this should be listed in stable/4.4: ... then?

Yes, it is. I'll add it.

> Best regards,
> Pavel
> --
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com


Masami Ichikawa
 

Hi !

On Thu, Jul 29, 2021 at 4:50 PM Nobuhiro Iwamatsu
<nobuhiro1.iwamatsu@toshiba.co.jp> wrote:

> Hi,
>
> > -----Original Message-----
> > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of 市川正美
> > Sent: Thursday, July 29, 2021 10:19 AM
> > To: cip-dev <cip-dev@lists.cip-project.org>
> > Subject: [cip-dev] New CVE entries this week
> >
> > Hi !
> >
> > Here is this week's CVE report.
> >
> > * CVE short summary
> >
> > ** New CVEs
> >
> > CVE-2021-3640: there is no fixed information as of 2021/07/29.
> >
> > CVE-2021-37576: mainline and stable kernels are fixed. This CVE only
> > affects powerpc architecture.
> >
> > ** Updated CVEs
> >
> > CVE-2021-31829: I fixed wrong security information.
> >
> > CVE-2021-22543: added stable/4.19 fixed commit.
> >
> > ** Tracking CVEs
> >
> > CVE-2021-29256: not fixed in mainline yet
> >
> > CVE-2021-31615: not fixed in mainline yet
> >
> > CVE-2021-21781: v4.4 is not fixed as of 2021/07/29
> >
> > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
>
> This has been fixed with the following commit.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

Thank you! I'll add this one to the fixed-by list.

> Best regards,
> Nobuhiro



--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@cybertrust.co.jp
:masami.ichikawa@miraclelinux.com


Pavel Machek
 

Hi!

> > > CVE-2021-3655: v4.4 is not fixed as of 2021/07/29
> >
> > This may need a more careful look. There are 4 patches fixing this in
> > mainline, but only two in 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e
> > should be easy to backport to 4.4.
>
> Okay. I'll take another look.

Thank you.

Note that I pushed my comments into the repository, so you may want to
do the pull before doing changes there.

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany