New CVE entry this week


Masami Ichikawa
 

Hi !

It's this week's CVE report.

* CVE short summary

** New CVEs

CVE-2021-3739: mainline is fixed. Kernels before 4.20-rc1 aren't affected.

CVE-2021-3743: mainline is fixed. Kernels before 4.15-rc1 aren't affected.

CVE-2021-3753: mainline is fixed. 4.4 and 4.19 kernels are affected.

** Updated CVEs

CVE-2020-3702: 4.14, 4.19, 5.10, 5.4 kernels are fixed

CVE-2021-3653: stable kernels are fixed.

CVE-2021-3656: stable kernels are fixed. 4.4 is not affected.

CVE-2021-3600: Patches for 4.19 exist in stable-rc tree as of 2021/09/02.

** Tracking CVEs

CVE-2021-31615: No fix information as of 2021/09/02.

CVE-2021-3640: No fix information as of 2021/09/02.

CVE-2020-26555: No fix information as of 2021/09/02.

CVE-2020-26556: No fix information as of 2021/09/02.

CVE-2020-26557: No fix information as of 2021/09/02.

CVE-2020-26559: No fix information as of 2021/09/02.

CVE-2020-26560: No fix information as of 2021/09/02.

CVE-2021-3600: mainline, 5.10, 5.4 are fixed. 4.4 isn't affected. 4.19
will be fixed in stable tree.

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in btrfs tree but not fixed in mainline yet.
This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
aren't affected by this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
kernels before 4.15 aren't affected.
Checking cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]

CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced a race
condition and an OOB bug. Commit ffb324e6f874 has been backported to
4.4 and 4.19.

Fixed status

mainline: [2287a51ba822384834dafc1c798453375d1107c7]

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca,
d2d3e36498dd8e0c83ea99861fac5cf9e8671226,
144cd24dbc36650a51f7fe3bf1424a1432f1f480,
ca2848022c12789685d3fab3227df02b863f9696]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
61b014a8f8de02bedc56f76620170437f5638588]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea,
fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d,
7c5a966edd3c6eec4a9bdf698c1f27712d1781f0,
08c613a2cb06c68ef4e7733e052af067b21e5dbb]
stable/5.10: [8f05076983ddeaae1165457b6aa4eca9fe0e5498,
6566c207e5767deb37d283ed9f77b98439a1de4e,
2925a8385ec746bf09c11dcadb9af13c26091a4d,
609c0cfd07f0ae6c444e064a59b46c5f3090b705,
e2036bc3fc7daa03c15fda27e1818192da817cea]
stable/5.4: [0c049ce432b37a51a0da005314ac32e5d9324ccf,
add283e2517a90468ce223465e0f4360128bb650,
b7d593705eb4f0655a70f0207f573fb1edb80bda,
c6feaf806da6a0deecc2fe41adb3443cdecba347,
23f77ad13f8176314b7c51f71b9ac7c5c6d10b7b]

CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/4.14: [26af47bdc45e454877f15fa7658a167bb9799681]
stable/4.19: [42f4312c0e8a225b5f1e3ed029509ef514f2157a]
stable/4.4: [53723b7be26ef31ad642ce5ffa8b42dec16db40e]
stable/4.9: [29c4f674715ba8fe7a391473313e8c71f98799c4]
stable/5.10: [c0883f693187c646c0972d73e525523f9486c2e3]
stable/5.13: [a0949ee63cf95408870a564ccad163018b1a9e6b]
stable/5.4: [7c1c96ffb658fbfe66c5ebed6bcb5909837bc267]


CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/4.14: [6ed198381ed2496fbc82214108e56a441d3b0213]
stable/4.19: [119d547cbf7c055ba8100309ad71910478092f24]
stable/5.10: [3dc5666baf2a135f250e4101d41d5959ac2c2e1f]
stable/5.13: [639a033fd765ed473dfee27028df5ccbe1038a2e]
stable/5.4: [a17f2f2c89494c0974529579f3552ecbd1bc2d52]
stable/4.4: Not affected

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information as of 2021/08/26.

CVE-2021-3640: UAF in sco_send_frame function

There is no fix information as of 2021/08/26.

CVE-2020-26555: BR/EDR pin code pairing broken

There is no fix information as of 2021/08/26.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information as of 2021/08/26.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information as of 2021/08/26.

CVE-2021-3600: eBPF 32-bit source register truncation on div/mod

The vulnerability was introduced in 4.15-rc9. 4.4 is not
affected. 4.19 is not fixed yet as of 2021/08/26.
Patches have been sent to the stable
kernel (https://lore.kernel.org/stable/YSj43Lpw9bilHuIn@kroah.com/T/#t)
and have since been included in the stable-rc tree. This patch set
addresses CVE-2021-3444 and CVE-2021-3600.

Discussion: https://lore.kernel.org/stable/YSd1q9Llm1vsWbXT@mussarela/T/#t

Patches in the stable-rc tree:

bpf: Do not use ax register in interpreter on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=5179c6c58d0a2a05eeadd1bc0431bee01609d5b2
bpf: Fix 32 bit src register truncation on div/mod:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=ca13f215fc36e37cf46d624b8c0ee71c10e231b1
bpf: Fix truncation handling for mod32 dst reg wrt zero:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=queue/4.19&id=a84037fcded8a9513f4838079cef85c516036f23


mainline: [e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90]
stable/5.10: [1d16cc210fabd0a7ebf52d3025f81c2bde054a90]
stable/5.4: [78e2f71b89b22222583f74803d14f3d90cdf9d12]

Regards,
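As an added illustration (not part of the report or of any reply in this thread), the following Python parser reads the "Fixed status" blocks in the layout used above: it maps each CVE to its per-branch fix commits or "Not affected" mark, joins hash lists that wrap across lines, and lists the CVEs that still lack a fix on a given branch. The sample report text is constructed from entries in the report above (CVE ids and hashes are the report's, titles shortened); the function names are my own.

```python
import re
from typing import Dict, List, Union

# Status of one branch: a list of fix commit hashes, or the literal marker below.
BranchStatus = Union[List[str], str]
NOT_AFFECTED = "not affected"

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):")
STATUS_RE = re.compile(r"^(mainline|stable/\d+\.\d+):\s*(.*)$")
SHA_RE = re.compile(r"\b[0-9a-f]{12,40}\b")

# Constructed sample in the report's "Fixed status" layout (ids and hashes
# taken from the report above, titles shortened).
SAMPLE_REPORT = """\
CVE-2021-3653: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

Fixed status

mainline: [0f923e07124df069ba68d8bb12324398f4b6b709]
stable/4.19: [42f4312c0e8a225b5f1e3ed029509ef514f2157a]
stable/4.4: [53723b7be26ef31ad642ce5ffa8b42dec16db40e]

CVE-2021-3656: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

Fixed status

mainline: [c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc]
stable/4.19: [119d547cbf7c055ba8100309ad71910478092f24]
stable/4.4: Not affected

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device

Fixed status

mainline: [56c5485c9e444c2e85e11694b6c44f1338fc20fd,
73488cb2fa3bb1ef9f6cf0d757f76958bd4deaca]
stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7]
stable/4.19: [dd5815f023b89c9a28325d8a2a5f0779b57b7190,
d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea]
"""


def parse_report(text: str) -> Dict[str, Dict[str, BranchStatus]]:
    """Map each CVE in the report text to its per-branch fix status."""
    report: Dict[str, Dict[str, BranchStatus]] = {}
    cve = None      # CVE whose block we are currently inside
    branch = None   # branch whose (possibly multi-line) status is being collected
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        head = CVE_RE.match(line)
        if head:
            cve = head.group(1)
            report.setdefault(cve, {})
            branch, buf = None, ""
            continue
        if cve is None:
            continue
        if branch is None:
            status = STATUS_RE.match(line)
            if not status:
                continue            # title text, "Fixed status", blank lines
            branch, buf = status.group(1), status.group(2)
        else:
            buf += " " + line       # continuation of a bracketed hash list
        if "[" in buf and "]" not in buf:
            continue                # list not closed yet; keep collecting
        if buf.lower().startswith("not affected"):
            report[cve][branch] = NOT_AFFECTED
        else:
            report[cve][branch] = SHA_RE.findall(buf)
        branch, buf = None, ""
    return report


def missing_fixes(report: Dict[str, Dict[str, BranchStatus]], branch: str) -> List[str]:
    """CVEs for which `branch` has neither a fix commit nor a 'Not affected' mark."""
    return sorted(cve for cve, status in report.items()
                  if status.get(branch) in (None, []))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for cve, status in parsed.items():
        print(cve)
        for br, st in status.items():
            shown = st if st == NOT_AFFECTED else ", ".join(h[:12] for h in st)
            print(f"  {br:<12} {shown}")
    for br in ("stable/4.4", "stable/4.19"):
        print(f"still missing a fix on {br}: {missing_fixes(parsed, br) or 'none'}")
```

A branch that is absent from a CVE's block is treated as "no fix known" rather than "not affected", which matches how the report distinguishes the two (an explicit "Not affected" entry versus silence), so a CIP maintainer can run this over the weekly mail and get only the entries that still need action on 4.4 or 4.19.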


Pavel Machek
 

Hi!

* CVE short summary
These summaries are not so short; I simply skip them and go to full
list. Perhaps they don't need to be included, or could include only
CVEs where we need to take an action?

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in btrfs tree but not fixed in mainline yet.
This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
aren't affected by this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
This one is queued for 5.10.62, so this is getting fixed for us.

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
kernels before 4.15 aren't affected.
Checking cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.

CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced a race
condition and an OOB bug. Commit ffb324e6f874 has been backported to
4.4 and 4.19.
Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.
Fixed in 4.14 but not 4.4.

stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
61b014a8f8de02bedc56f76620170437f5638588]
Diffstat looks like this:

key.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
main.c | 5 +++++
1 file changed, 5 insertions(+)
ath.h | 1 +
key.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
ath.h | 2 +-
ath5k/mac80211-ops.c | 2 +-
ath9k/htc_drv_main.c | 2 +-
ath9k/main.c | 5 ++---
key.c | 34 +++++++++++++++++-----------------
5 files changed, 22 insertions(+), 23 deletions(-)
hw.h | 1
main.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 87 insertions(+), 1 deletion(-)

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Nobuhiro Iwamatsu
 

Hi,

-----Original Message-----
From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Pavel Machek
Sent: Thursday, September 2, 2021 3:28 PM
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] New CVE entry this week

Hi!

* CVE short summary
These summaries are not so short; I simply skip them and go to full
list. Perhaps they don't need to be included, or could include only
CVEs where we need to take an action?

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in btrfs tree but not fixed in mainline yet.
This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
aren't affected by this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
This one is queued for 5.10.62, so this is getting fixed for us.

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
kernels before 4.15 aren't affected.
Checking cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.

CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced a race
condition and an OOB bug. Commit ffb324e6f874 has been backported to
4.4 and 4.19.
Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.
Fixed in 4.14 but not 4.4.

stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
61b014a8f8de02bedc56f76620170437f5638588]
Diffstat looks like this:

key.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
main.c | 5 +++++
1 file changed, 5 insertions(+)
ath.h | 1 +
key.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
ath.h | 2 +-
ath5k/mac80211-ops.c | 2 +-
ath9k/htc_drv_main.c | 2 +-
ath9k/main.c | 5 ++---
key.c | 34 +++++++++++++++++-----------------
5 files changed, 22 insertions(+), 23 deletions(-)
hw.h | 1
main.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 87 insertions(+), 1 deletion(-)
I checked the patch application and build at hand.
We can backport to the 4.4 tree without any changes. But I don't have this device, so I can't confirm that it works.


Best regards,
Nobuhiro


Masami Ichikawa
 

Hi !

On Thu, Sep 2, 2021 at 3:28 PM Pavel Machek <pavel@denx.de> wrote:

Hi!

* CVE short summary
These summaries are not so short; I simply skip them and go to full
list. Perhaps they don't need to be included, or could include only
CVEs where we need to take an action?
Thank you for the comment.
This weekly report mail contains the full list of new CVEs, updated
CVEs, and currently tracked CVEs, so the summary can be removed or
simplified, I think.
I'll write a new summary style that includes the CVEs we need to take care of.

* CVE detail

New CVEs

CVE-2021-3739: btrfs: fix NULL pointer dereference when deleting
device by invalid id

Fixed in btrfs tree but not fixed in mainline yet.
This vulnerability was introduced in 4.20-rc1, so kernels before 4.20
aren't affected by this vulnerability.

Fixed status

mainline: [e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091]
This one is queued for 5.10.62, so this is getting fixed for us.

CVE-2021-3743: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Qualcomm's IPC router protocol (qrtr) was introduced in 4.15-rc1, so
kernels before 4.15 aren't affected.
Checking cip-kernel-config, it looks like no CIP member enables QRTR.

Fixed status

mainline: [7e78c597c3ebfd0cb329aa09a838734147e4f117]
Fixes are queued for 4.19 and 5.10.62, so this is getting fixed for us.

CVE-2021-3753: An out-of-bounds caused by the race of KDSETMODE in vt

Commit ffb324e6f874121f7dce5bdae5e05d02baae7269 introduced a race
condition and an OOB bug. Commit ffb324e6f874 has been backported to
4.4 and 4.19.
Agreed, fixed in 4.19.192 and 4.4.270. Nothing for us to do there.

Updated CVEs

CVE-2020-3702: Specifically timed and handcrafted traffic can cause
internal errors in a WLAN device that lead to improper layer 2 Wi-Fi
encryption with a consequent possibility of information disclosure
over the air for a discrete set of traffic

Vulnerability in ath9k driver. 4.4.y-cip/arm/siemens_imx6_defconfig
and 4.4.y-cip/arm/moxa_mxc_defconfig use ath9k.
Fixed in 4.14 but not 4.4.

stable/4.14: [2cbb22fd4b4fb4d0822d185bf5bd6d027107bfda,
20e7de09cbdb76a38f28fb71709fae347123ddb7,
995586a56748c532850870523d3a9080492b3433,
f4d4f4473129e9ee55b8562250adc53217bad529,
61b014a8f8de02bedc56f76620170437f5638588]
Diffstat looks like this:

key.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
main.c | 5 +++++
1 file changed, 5 insertions(+)
ath.h | 1 +
key.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
ath.h | 2 +-
ath5k/mac80211-ops.c | 2 +-
ath9k/htc_drv_main.c | 2 +-
ath9k/main.c | 5 ++---
key.c | 34 +++++++++++++++++-----------------
5 files changed, 22 insertions(+), 23 deletions(-)
hw.h | 1
main.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 87 insertions(+), 1 deletion(-)

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email: masami.ichikawa@cybertrust.co.jp
       masami.ichikawa@miraclelinux.com