New CVE in this week


Pavel Machek
 

Hi!

CVE-2022-0185: vfs: fs_context: fix up param length parsing in
legacy_parse_param
mainline: [722d94847de29310e8aa03fcbdb41fc92c521756]
This one is queued up for 5.10.93. We likely don't need to do anything
here.

CVE-2021-4095: 'KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c'

This issue was fixed in the mainline this week. It was introduced at
commit 629b534 ("KVM: x86/xen: update wallclock region") which was
merged in 5.12-rc1-dontuse.
As it does not affect "our" kernels, we don't need to do anything. Good.

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

Commit 1756d79 ("cgroup: Use open-time credentials for process
migraton perm checks") failed to apply to 4.4, 4.9, 4.14, 4.19,
5.4, and 5.10. This commit fixes 187fe84 ("cgroup: require write perm
on common ancestor when moving processes on the default hierarchy")
which was merged in 4.2-rc1.
This one looks relatively simple.

Commit 0d2b595 ("cgroup: Allocate cgroup_file_ctx for
kernfs_open_file->priv") failed to apply to 4.14, 4.19, 5.4, and 5.10.

Commit e574576 ("cgroup: Use open-time cgroup namespace for process
migration perm checks") failed to apply to 4.14, 4.19, 5.4, and
5.10. This commit fixes 5136f63 ("cgroup: implement "nsdelegate" mount
option") which was merged in 4.13-rc1.
Unfortunately these two are more complicated.

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Masami Ichikawa
 

Hi!

It's this week's CVE report.

This week, 2 new CVEs were reported.

* New CVEs

CVE-2022-23222: bpf: Fix out of bounds access from invalid *_or_null
type verification

CVSS v3 score is not provided

The adjust_ptr_min_max_vals() in kernel/bpf/verifier.c didn't do
proper input validation, which lets a local attacker escalate his
privilege. This bug affects 5.8 or later kernels.
There is a mitigation: set kernel.unprivileged_bpf_disabled to 1.
So, disabling unprivileged bpf is a good way to go for eBPF, as usual :)

Fixed status

mainline: [c25b2ae136039ffa820c26138ed4a5e5f3ab3841]
stable/5.10: [35ab8c9085b0af847df7fac9571ccd26d9f0f513]
stable/5.15: [e8efe8369944c6199f124e3b50662ad05a048b60]
stable/5.16: [931e56be527fb2672556e3c00c57ff2a5f5de43e]

CVE-2022-0185: vfs: fs_context: fix up param length parsing in
legacy_parse_param

CVSS v3 score is not provided

It was introduced by commit 3e1aeb0 ("vfs: Implement a filesystem
superblock creation/configuration context") which was merged in
5.1-rc1. This bug's root cause is an integer underflow which leads to a
heap overflow bug. If an unprivileged user can use the unshare operation
with CAP_SYS_ADMIN, the user will be able to exploit the system via this
bug.

Fixed status

mainline: [722d94847de29310e8aa03fcbdb41fc92c521756]

* Updated CVEs

CVE-2021-4095: 'KVM: NULL pointer dereference in kvm_dirty_ring_get()
in virt/kvm/dirty_ring.c'

This issue was fixed in the mainline this week. It was introduced at
commit 629b534 ("KVM: x86/xen: update wallclock region") which was
merged in 5.12-rc1-dontuse.

Fixed status

mainline: [55749769fe608fa3f4a075e42e89d237c8e37637]

CVE-2021-4197: cgroup: Use open-time creds and namespace for migration
perm checks

Commit 1756d79 ("cgroup: Use open-time credentials for process
migraton perm checks") failed to apply to 4.4, 4.9, 4.14, 4.19,
5.4, and 5.10. This commit fixes 187fe84 ("cgroup: require write perm
on common ancestor when moving processes on the default hierarchy")
which was merged in 4.2-rc1.

Commit 0d2b595 ("cgroup: Allocate cgroup_file_ctx for
kernfs_open_file->priv") failed to apply to 4.14, 4.19, 5.4, and 5.10.

Commit e574576 ("cgroup: Use open-time cgroup namespace for process
migration perm checks") failed to apply to 4.14, 4.19, 5.4, and
5.10. This commit fixes 5136f63 ("cgroup: implement "nsdelegate" mount
option") which was merged in 4.13-rc1.

Fixed status

mainline: [1756d7994ad85c2479af6ae5a9750b92324685af,
0d2b5955b36250a9428c832664f2079cbf723bec,
e57457641613fef0d147ede8bd6a3047df588b95]
stable/5.15: [c6ebc35298848accb5e50c37fdb2490cf4690c92,
50273128d640e8d21a13aec5f4bbce4802f17d7d,
43fa0b3639c5fd48c96b19d645d0c7ff2327651a]


Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...
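The report above names kernel.unprivileged_bpf_disabled=1 as the mitigation for CVE-2022-23222, and notes that CVE-2022-0185 needs an unprivileged user who can reach CAP_SYS_ADMIN through unshare. The script below is an added example, not part of the report or of any CIP tooling: it reads both sysctl knobs from /proc/sys and classifies them, so a kernel maintainer can confirm the mitigation state on a host while the backports are pending. The second knob, user.max_user_namespaces, is this example's own choice of check (0 means no user namespace can be created, which removes the unprivileged route to CAP_SYS_ADMIN in a user namespace); the "hardened"/"weak" thresholds are the example's assumptions, and setting that limit to 0 also breaks container runtimes and rootless tools, so it is a check, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the report): classify the two sysctl knobs that
# bound exposure to the CVEs discussed above.
#   kernel.unprivileged_bpf_disabled : mitigation named in the report for CVE-2022-23222
#   user.max_user_namespaces         : limits unprivileged unshare(CLONE_NEWUSER),
#                                      the usual route to CAP_SYS_ADMIN for CVE-2022-0185
# The hardened/weak thresholds are this example's assumption.

# Classify kernel.unprivileged_bpf_disabled: 0 allows the bpf() syscall for
# unprivileged users; 1 or 2 disable it (2, on newer kernels, may be switched
# back to 0 at runtime, 1 cannot).
bpf_status() {
    case "$1" in
        1|2) echo hardened; return 0 ;;
        0)   echo weak; return 1 ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Classify user.max_user_namespaces: 0 means no user namespace can be created,
# so an unprivileged unshare(CLONE_NEWUSER) fails; any positive limit leaves
# that path open.
userns_status() {
    case "$1" in
        0)           echo hardened; return 0 ;;
        ''|*[!0-9]*) echo unknown; return 1 ;;
        *)           echo weak; return 1 ;;
    esac
}

# Read a /proc/sys file, or fall back to the given default when it is not
# readable (for example when run outside Linux).
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "$2"
    fi
}

# Print one line per knob as "name=current status". Always returns 0 so the
# report itself never aborts a calling script; callers use the *_status
# functions directly when they want a pass/fail exit code.
report() {
    bpf=$(read_sysctl /proc/sys/kernel/unprivileged_bpf_disabled unknown)
    ns=$(read_sysctl /proc/sys/user/max_user_namespaces unknown)
    printf 'kernel.unprivileged_bpf_disabled=%s %s\n' "$bpf" "$(bpf_status "$bpf")"
    printf 'user.max_user_namespaces=%s %s\n' "$ns" "$(userns_status "$ns")"
    return 0
}

report
```

Run it as root or any user (the /proc/sys files are world-readable); a "weak" line on kernel.unprivileged_bpf_disabled on a 5.8 or later kernel without the c25b2ae fix is the case the report is warning about.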