New CVE entries in this week
Masami Ichikawa
Hi !
It's this week's CVE report.

This week, 4 new CVEs were reported.

* New CVEs

CVE-2021-0920: af_unix: fix garbage collect vs MSG_PEEK

CVSS v3 score is not provided.

Mainline and stable kernels are already fixed.

Fixed status

mainline: [cbcf01128d0a92e131bd09f1688fe032480b65ca]
stable/4.14: [af3e2b87b36100c28feb71da52c57293c4540690]
stable/4.19: [1dabafa9f61118b1377fde424d9a94bf8dbf2813]
stable/4.4: [72247f34d90e25c1493436e45e193e8306082b19]
stable/4.9: [a805a7bd94644207d762d9c287078fecfcf52b3e]
stable/5.10: [93c5951e0ce137e994237c19cd75a7caa1f80543]
stable/5.4: [85abe0d47fe65391ed41f78a66b5eff73987c086]

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect 4.4, 4.19, and 5.10; however, according to the cip-kernel-config, no CIP member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

CVE-2021-3736: uninitialized kernel stack may lead to information disclosure

According to the Red Hat bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1995570), there is a memory leak problem in samples/vfio-mdev/mbochs.c. This vulnerability is in sample code. Also, no CIP member enabled CONFIG_SAMPLE_VFIO_MDEV_MBOCHS.
Bugzilla comment #6 pointed to commit de5494af4815a4c9328536c72741229b7de88e7f ("vfio/mbochs: Fix missing error unwind of mbochs_used_mbytes") as a fix commit, but this is not confirmed yet. If commit de5494af4815a is the fix, this vulnerability was introduced in 5.14-rc1.

Fixed status

Not fixed.

CVE-2021-43389: isdn: cpai: check ctr->cnr to avoid array index out of bound

CVSS v3 score is "5.5 MEDIUM".

An array index out of bound bug in drivers/isdn/capi/kcapi.c. This bug has been fixed in mainline and stable kernels. No CIP member uses CAPI.

Fixed status

mainline: [1f3e2e97c003f80c4b087092b225c8787ff91e4d]
stable/4.14: [9b6b2db77bc3121fe435f1d4b56e34de443bec75]
stable/4.19: [7d91adc0ccb060ce564103315189466eb822cc6a]
stable/4.4: [e8b8de17e164c9f1b7777f1c6f99d05539000036]
stable/4.9: [24219a977bfe3d658687e45615c70998acdbac5a]
stable/5.10: [7f221ccbee4ec662e2292d490a43ce6c314c4594]
stable/5.14: [cc20226e218a2375d50dd9ac14fb4121b43375ff]
stable/5.4: [285e9210b1fab96a11c0be3ed5cea9dd48b6ac54]

* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()

4.19 and 5.X kernels have been fixed this week. However, applying the patch to 4.4 and 4.9 failed. According to the cip-kernel-config repo, no CIP member uses the firewire driver.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2021-3892: memory leak in fib6_rule_suppress could result in DoS

According to the SUSE bugzilla (https://bugzilla.suse.com/show_bug.cgi?id=1192261#c1), this CVE is a duplicate of CVE-2019-18198. If so, this CVE is already fixed.

CVE-2021-3640: UAF in sco_send_frame function

The fix commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to the stable mailing list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@...
Pavel Machek
Hi!
> CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

Furthermore, CIP members should really not be using code from staging.

> * Updated CVEs

This one looks rather easy to backport. It failed only because of the reformatting of the printk.

> CVE-2021-3640: UAF in sco_send_frame function

Would it make sense to ask why it was not applied?

Best regards,
Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c index 280b5ffea592..3a373711f5ad 100644 --- a/drivers/media/firewire/firedtv-avc.c +++ b/drivers/media/firewire/firedtv-avc.c @@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) read_pos += program_info_length; write_pos += program_info_length; } - while (read_pos < length) { + while (read_pos + 4 < length) { + if (write_pos + 4 >= sizeof(c->operand) - 4) { + ret = -EINVAL; + goto out; + } c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; c->operand[write_pos++] = msg[read_pos++]; @@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length) c->operand[write_pos++] = es_info_length >> 8; c->operand[write_pos++] = es_info_length & 0xff; if (es_info_length > 0) { + if (read_pos >= length) { + ret = -EINVAL; + goto out; + } pmt_cmd_id = msg[read_pos++]; if (pmt_cmd_id != 1 && pmt_cmd_id != 4) dev_err(fdtv->device, "invalid pmt_cmd_id %d " "at stream level\n", pmt_cmd_id); - if (es_info_length > sizeof(c->operand) - 4 - - write_pos) { + if (es_info_length > sizeof(c->operand) - 4 - write_pos || + es_info_length > length - read_pos) { ret = -EINVAL; goto out; } diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c index e63f582378bf..f07482fb8010 100644 --- a/drivers/media/firewire/firedtv-ci.c +++ b/drivers/media/firewire/firedtv-ci.c 
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg) } else { data_length = msg->msg[3]; } + if (data_length > sizeof(msg->msg) - data_pos) return -EINVAL; return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length); }

-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
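Review bot: in the first firedtv-avc.c hunk (@@ -1169,7 +1169,11 @@), the new loop condition `while (read_pos + 4 < length)` silently drops a trailing partial stream entry (1 to 4 bytes left after the last complete entry) instead of rejecting it, while every other bound added by this patch returns -EINVAL; decide whether a truncated PMT should be an error and, if so, reject leftover bytes after the loop for consistency. The output guard `if (write_pos + 4 >= sizeof(c->operand) - 4)` also wants a one-line comment, since the two `4`s mean different things: the left one covers the five bytes each iteration writes (three copies here plus the two es_info_length bytes in the next hunk), the right one keeps the tail of c->operand free for whatever follows the loop.

Review bot: in the second firedtv-avc.c hunk (@@ -1181,13 +1185,17 @@), the combined check `es_info_length > sizeof(c->operand) - 4 - write_pos || es_info_length > length - read_pos` compares es_info_length once against a size_t expression and once against plain int arithmetic; the declared types and signs of es_info_length, length and read_pos are not visible in the hunk, so confirm that no negative intermediate (for example `length - read_pos`) can be promoted to a large unsigned value and let the check pass. Splitting the two clauses into separately commented checks ("output buffer" vs "remaining input") would make the intent obvious to the next backporter. The added `if (read_pos >= length)` guard before `pmt_cmd_id = msg[read_pos++]` is correct as written.

Review bot: in the firedtv-ci.c hunk (@@ -138,6 +138,8 @@), `sizeof(msg->msg) - data_pos` is unsigned arithmetic, so if data_pos can exceed sizeof(msg->msg) on the branch above (not visible in this hunk) the subtraction wraps and the new check accepts any data_length; either bound data_pos first or write the test as `if (data_pos > sizeof(msg->msg) || data_length > sizeof(msg->msg) - data_pos)`. In the visible else branch data_length comes from `msg->msg[3]` and so is at most 255; a short comment noting that this caller-side check bounds the input while avc_ca_pmt() bounds the output would help reviewers of the 4.4/4.9 backport.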
Masami Ichikawa
Hi !
On Thu, Nov 11, 2021 at 6:21 PM Pavel Machek <pavel@...> wrote:

Thank you for the patch! The patch looks good to me.

> CVE-2021-3640: UAF in sco_send_frame function
> Would it make sense to ask why it was not applied?

Yes, I think so.

> Best regards,

Regards,

-- 
Masami Ichikawa
Cybertrust Japan Co., Ltd.
Email :masami.ichikawa@...