New CVE entries this week


Pavel Machek
 

Hi!

> * New CVEs
>
> CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory
>
> CVSS v3 score is not provided.
>
> An uninitialized-variable access bug was found in
> l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c.
> The efs variable is on the stack. It is initialized when the type
> variable is L2CAP_CONF_EFS.
> So, if type isn't L2CAP_CONF_EFS and rfc.mode is L2CAP_MODE_ERTM, then
> an uninitialized-variable access occurs.
>
> It looks like 4.4 is affected by this issue too.
>
> Fixed status
> mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]

Fix is queued for 5.10.154 and corresponding 4.9 kernel.

> CVE-2022-43945: A buffer overflow bug was found in nfsd
>
> CVSS v3 score is 7.5 HIGH.
>
> The Linux kernel NFSD implementation prior to versions 5.19.17 and
> 6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of
> pages held by each NFSD thread by combining the receive and send
> buffers of a remote procedure call (RPC) into a single array of pages.
> A client can force the send buffer to shrink by sending an RPC message
> over TCP with garbage data added at the end of the message. The RPC
> message with garbage data is still correctly formed according to the
> specification and is passed forward to handlers. Vulnerable code in
> NFSD is not expecting the oversized request and writes beyond the
> allocated buffer space.
>
> nfsd3_proc_read() and nfsd_proc_read() were changed to set the argp->count
> value by adding an extra min_t() macro.
> nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages() changed how the
> buf->buflen value is set.
> However, 4.4, 4.19 and 5.10 set these values in different ways. So,
> even if these kernels are vulnerable, they need a different fix.
>
> Fixed status
> mainline: [00b4492686e0497fdb924a9d4c8f6f99377e176c,
> 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991,
> 401bc1f90874280a80b93f23be33a0e7e2d1f912,
> fa6be9cc6e80ec79892ddf08a8c10cabab9baf38]
> stable/5.15: [dc7f225090c29a5f3b9419b1af32846a201555e7,
> 071a076fd1b763aa6fe478efa047e0a549ba9c22,
> 2be9331ca6061bc6ea32247266f45b8b21030244,
> 75d9de25a6f833dd0701ca546ac926cabff2b5af]
> stable/6.0: [f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d,
> 279274e31270c28b86feffe5e166d4088f22317b,
> 1868332032eccbab8c1878a0d918193058c0a905,
> 309f29361b6bfae96936317376f1114568c5de19]

Hmm. I don't see these queued for 5.10. OTOH embedded systems are
normally NFS clients (and only during development), not NFS servers.

In 5.10.152, we fixed a buffer overrun in nfsd, but that may be a
different one:

|0b06ecf29 788f71 o: 5.10| NFSD: Add common helpers to decode void args and encode void results
|78ad3a430 ebcd8e o: 5.10| NFSD: Update the NFSv2 GETATTR argument decoder to use struct xdr_stream
|8505cb6e4 8c293e o: 5.10| NFSD: Update the NFSv2 READ argument decoder to use struct xdr_stream
|827277f03 401bc1 o: 5.10| NFSD: Protect against send buffer overflow in NFSv2 READ
|4204e1a23 c1346a o: 5.10| NFSD: Replace the internals of the READ_BUF() macro
|8bda97f4a cbd9ab o: 5.10| NFSD: Replace READ* macros in nfsd4_decode_commit()
|21b51f620 957536 o: 5.10| NFSD: Update GETATTR3args decoder to use struct xdr_stream
|fea1935a8 be63bd o: 5.10| NFSD: Update READ3arg decoder to use struct xdr_stream
|fb4bb09fc 0cb4d2 o: 5.10| NFSD: Fix the behavior of READ near OFFSET_MAX
|9748f4210 fa6be9 o: 5.10| NFSD: Protect against send buffer overflow in NFSv3 READ

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
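The send-buffer shrinking mechanism described under CVE-2022-43945 above, as an added user-space model written for this page; it is not kernel code. The page sizes, the MAX_BLKSIZE protocol maximum, the struct rqst_model stand-in for the request's shared page array, and the min_t() stand-in are all constructed. The "fixed" path follows the extra min_t() clamp the report describes; the "vulnerable" path checks the client's count only against the protocol maximum.

```c
/* Added example (not kernel code): a user-space model of why NFSD's READ
 * count must be clamped to the reply buffer that is actually left after the
 * RPC Call has been received. Sizes and names are constructed. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_MODEL 4096u
#define NPAGES          8u                        /* pages one modelled nfsd thread holds */
#define THREAD_BYTES    (NPAGES * PAGE_SIZE_MODEL)
#define MAX_BLKSIZE     (4u * PAGE_SIZE_MODEL)    /* constructed protocol READ maximum */

/* Stand-in for the kernel's min_t(): minimum after casting both sides. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Stand-in for the relevant part of the request: one page array is shared
 * between the received Call and the Reply under construction, so the bytes
 * available for the Reply are whatever the Call did not occupy. */
struct rqst_model {
    uint32_t call_len;    /* bytes of the incoming Call, trailing garbage included */
    uint32_t res_buflen;  /* bytes left for the Reply: the send buffer */
};

/* The shrinking mechanism from the report: a Call padded with trailing bytes
 * is still well-formed, but it leaves less of the shared array for the Reply. */
static void receive_call(struct rqst_model *rq, uint32_t call_len)
{
    rq->call_len = min_t(uint32_t, call_len, THREAD_BYTES);
    rq->res_buflen = THREAD_BYTES - rq->call_len;
}

/* Vulnerable shape: the client's count is checked only against the protocol
 * maximum, never against the send buffer that is actually left. */
static uint32_t read_count_vulnerable(const struct rqst_model *rq, uint32_t client_count)
{
    (void)rq;
    return min_t(uint32_t, client_count, MAX_BLKSIZE);
}

/* Fixed shape, following the extra min_t() the report describes: the count is
 * additionally clamped to the bytes left in the send buffer. */
static uint32_t read_count_fixed(const struct rqst_model *rq, uint32_t client_count)
{
    uint32_t count = min_t(uint32_t, client_count, MAX_BLKSIZE);
    return min_t(uint32_t, count, rq->res_buflen);
}

/* Runs one scenario end to end: receive a Call of call_len bytes, then return
 * the READ reply length the chosen policy (fixed = 1 or 0) would allow. */
static uint32_t reply_len_after_call(uint32_t call_len, uint32_t client_count, int fixed)
{
    struct rqst_model rq;
    receive_call(&rq, call_len);
    return fixed ? read_count_fixed(&rq, client_count)
                 : read_count_vulnerable(&rq, client_count);
}

/* 1 if the reply the policy allows would be written past the send buffer. */
static int scenario_overflows(uint32_t call_len, uint32_t client_count, int fixed)
{
    struct rqst_model rq;
    receive_call(&rq, call_len);
    return reply_len_after_call(call_len, client_count, fixed) > rq.res_buflen;
}

int main(void)
{
    /* Ordinary Call: a few hundred bytes of header, most of the array is free. */
    printf("normal call : vulnerable=%u fixed=%u overflow(vuln/fixed)=%d/%d\n",
           reply_len_after_call(512, MAX_BLKSIZE, 0),
           reply_len_after_call(512, MAX_BLKSIZE, 1),
           scenario_overflows(512, MAX_BLKSIZE, 0),
           scenario_overflows(512, MAX_BLKSIZE, 1));
    /* Padded Call: trailing garbage fills 6 of 8 pages; only 2 remain for the Reply. */
    printf("padded call : vulnerable=%u fixed=%u overflow(vuln/fixed)=%d/%d\n",
           reply_len_after_call(6u * PAGE_SIZE_MODEL, MAX_BLKSIZE, 0),
           reply_len_after_call(6u * PAGE_SIZE_MODEL, MAX_BLKSIZE, 1),
           scenario_overflows(6u * PAGE_SIZE_MODEL, MAX_BLKSIZE, 0),
           scenario_overflows(6u * PAGE_SIZE_MODEL, MAX_BLKSIZE, 1));
    return 0;
}
```

With the padded Call, only 8192 bytes remain for the Reply; the vulnerable policy still allows a 16384-byte READ, while the clamped policy cuts it to what the send buffer can hold. The same clamp idea is what a backport to 4.4/4.19/5.10 would have to express in those trees' own terms, which is why the report notes they need a different patch.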


Masami Ichikawa
 

Hi!

It's this week's CVE report.

This week, 3 new CVEs and 2 updated CVEs were reported.

* New CVEs

CVE-2022-42895: Bluetooth: L2CAP: Fix attempting to access uninitialized memory

CVSS v3 score is not provided.

An uninitialized-variable access bug was found in
l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c.
The efs variable is on the stack. It is initialized when the type
variable is L2CAP_CONF_EFS.
So, if type isn't L2CAP_CONF_EFS and rfc.mode is L2CAP_MODE_ERTM, then
an uninitialized-variable access occurs.

It looks like 4.4 is affected by this issue too.

Fixed status
mainline: [b1a2cd50c0357f243b7435a732b4e62ba3157a2e]

CVE-2022-42896: Bluetooth: L2CAP: Fix accepting connection request for
invalid SPSM

CVSS v3 score is not provided.

There was no valid range check for SPSM. Therefore, it will accept
connections with an invalid SPSM value.

It looks like 4.4 is affected by this issue too.

Fixed status
mainline: [711f8c3fb3db61897080468586b970c87c61d9e4]

CVE-2022-43945: A buffer overflow bug was found in nfsd

CVSS v3 score is 7.5 HIGH.

The Linux kernel NFSD implementation prior to versions 5.19.17 and
6.0.2 is vulnerable to buffer overflow. NFSD tracks the number of
pages held by each NFSD thread by combining the receive and send
buffers of a remote procedure call (RPC) into a single array of pages.
A client can force the send buffer to shrink by sending an RPC message
over TCP with garbage data added at the end of the message. The RPC
message with garbage data is still correctly formed according to the
specification and is passed forward to handlers. Vulnerable code in
NFSD is not expecting the oversized request and writes beyond the
allocated buffer space.

nfsd3_proc_read() and nfsd_proc_read() were changed to set the argp->count
value by adding an extra min_t() macro.
nfsd_init_dirlist_pages() and nfsd3_init_dirlist_pages() changed how the
buf->buflen value is set.
However, 4.4, 4.19 and 5.10 set these values in different ways. So,
even if these kernels are vulnerable, they need a different fix.

Fixed status
mainline: [00b4492686e0497fdb924a9d4c8f6f99377e176c,
640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991,
401bc1f90874280a80b93f23be33a0e7e2d1f912,
fa6be9cc6e80ec79892ddf08a8c10cabab9baf38]
stable/5.15: [dc7f225090c29a5f3b9419b1af32846a201555e7,
071a076fd1b763aa6fe478efa047e0a549ba9c22,
2be9331ca6061bc6ea32247266f45b8b21030244,
75d9de25a6f833dd0701ca546ac926cabff2b5af]
stable/6.0: [f59c74df82f6ac9d2ea4e01aa3ae7c6c4481652d,
279274e31270c28b86feffe5e166d4088f22317b,
1868332032eccbab8c1878a0d918193058c0a905,
309f29361b6bfae96936317376f1114568c5de19]

* Updated CVEs

CVE-2022-20369: media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP
buffers across ioctls

4.14 and 4.19 were fixed this week.

Fixed status
mainline: [8310ca94075e784bbb06593cd6c068ee6b6e4ca6]
stable/4.14: [7339b6bdf9e084f9e83c084ccc8879b6ae80b75a]
stable/4.19: [95c4751705f7eef0f16a245e121259857f867c4a]
stable/5.10: [8a83731a09a5954b85b1ce49c01ff5c2a3465cb7]
stable/5.15: [48d00e24822e4384edcee3aae03d54c1b7982eba]
stable/5.4: [54e1abbe856020522a7952140c26a4426f01dab6]

CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().

5.15 and 6.0 were fixed this week.

Fixed status
mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11]
stable/5.15: [1401e9336bebaa6dd5a320f83bddc17619d4e3a6]
stable/6.0: [0c5d628f1e1d049c33595693fab1b6e9baf25795]

* Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,
--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...
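The uninitialized-stack-variable pattern described under CVE-2022-42895 in both messages, as an added C example written for this page; it is not kernel code. A small option parser fills an efs struct only when the EFS option is present, while the ERTM path reads that struct regardless of whether it was ever filled. The option types, mode values, struct layouts and the STACK_POISON fill (which stands in for whatever stale bytes the stack slot would hold, the way a stack-poisoning debug option would show them) are all constructed; the fixed variant gates the read on a remote_efs flag to show the class of fix, not the exact upstream diff.

```c
/* Added example (not kernel code): models the uninitialized-stack-variable
 * bug class behind the l2cap_parse_conf_req() report. A configuration request
 * is a list of type/length/value options; the EFS option fills a struct that
 * the ERTM branch later reads. Everything below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { OPT_RFC = 0x04, OPT_EFS = 0x06 };                   /* constructed option types */
enum { MODE_BASIC = 0x00, MODE_ERTM = 0x03 };              /* constructed mode values */
enum { SERV_NOTRAFIC = 0x00, SERV_BESTEFFORT = 0x01, SERV_GUARANTEED = 0x02 };
#define STACK_POISON 0xAA   /* stand-in for stale stack contents */

struct conf_rfc { uint8_t mode; uint8_t txwin; uint8_t max_transmit; uint8_t timeouts[6]; }; /* 9 bytes */
struct conf_efs { uint8_t id; uint8_t stype; uint16_t msdu; uint32_t sdu_itime;
                  uint32_t acc_lat; uint32_t flush_to; };                                   /* 16 bytes */

/* Walks the option list. The efs slot is passed in by the caller to model the
 * stack variable; it is only written when an EFS option arrives. Returns 0 and
 * the negotiated stype on success, -1 on a malformed request or, when fixed is
 * set, when the ERTM path would need EFS data that was never received. */
static int parse_conf_req(const uint8_t *data, size_t len, int fixed,
                          struct conf_efs *efs, uint8_t *stype_out)
{
    struct conf_rfc rfc;
    int remote_efs = 0;
    size_t off = 0;

    memset(&rfc, 0, sizeof(rfc));   /* rfc has a defined default: basic mode */
    rfc.mode = MODE_BASIC;

    while (len - off >= 2) {
        uint8_t type = data[off];
        uint8_t olen = data[off + 1];
        const uint8_t *val = data + off + 2;

        if (olen > len - off - 2)
            return -1;              /* truncated option */
        switch (type) {
        case OPT_RFC:
            if (olen == sizeof(rfc))
                memcpy(&rfc, val, olen);
            break;
        case OPT_EFS:
            if (olen == sizeof(*efs)) {
                memcpy(efs, val, olen);
                remote_efs = 1;     /* the only place efs becomes initialized */
            }
            break;
        default:
            break;                  /* unknown options are ignored */
        }
        off += 2u + olen;
    }

    if (rfc.mode == MODE_ERTM) {
        if (fixed && !remote_efs)
            return -1;              /* fixed: never consult EFS fields that were not received */
        *stype_out = efs->stype;    /* vulnerable: reads whatever the slot holds */
        return 0;
    }
    *stype_out = SERV_NOTRAFIC;
    return 0;
}

/* Request with only an RFC option asking for ERTM and no EFS option, run
 * against a poisoned efs slot. Returns the stype the parser produced, or -1. */
static int ertm_without_efs(int fixed)
{
    uint8_t req[2 + sizeof(struct conf_rfc)] = { OPT_RFC, sizeof(struct conf_rfc), MODE_ERTM };
    struct conf_efs efs;
    uint8_t stype;

    memset(&efs, STACK_POISON, sizeof(efs));
    if (parse_conf_req(req, sizeof(req), fixed, &efs, &stype) < 0)
        return -1;
    return stype;
}

/* Same request but with a well-formed EFS option carrying stype_sent. */
static int ertm_with_efs(int fixed, uint8_t stype_sent)
{
    uint8_t req[2 + sizeof(struct conf_rfc) + 2 + sizeof(struct conf_efs)];
    size_t e = 2 + sizeof(struct conf_rfc);
    struct conf_efs efs;
    uint8_t stype;

    memset(req, 0, sizeof(req));
    req[0] = OPT_RFC; req[1] = sizeof(struct conf_rfc); req[2] = MODE_ERTM;
    req[e] = OPT_EFS; req[e + 1] = sizeof(struct conf_efs);
    req[e + 2] = 1;            /* id */
    req[e + 3] = stype_sent;   /* stype */
    memset(&efs, STACK_POISON, sizeof(efs));
    if (parse_conf_req(req, sizeof(req), fixed, &efs, &stype) < 0)
        return -1;
    return stype;
}

int main(void)
{
    printf("ERTM, no EFS : vulnerable stype=%d (poison), fixed=%d (rejected)\n",
           ertm_without_efs(0), ertm_without_efs(1));
    printf("ERTM with EFS: vulnerable stype=%d, fixed stype=%d\n",
           ertm_with_efs(0, SERV_GUARANTEED), ertm_with_efs(1, SERV_GUARANTEED));
    return 0;
}
```

Without the EFS option, the vulnerable branch hands back the poison byte, that is, whatever the stack happened to contain; in the kernel that is the uninitialized read the report describes, and tooling such as KMSAN or stack poisoning is what makes it visible. With the option present both variants agree, which is why the bug only shows up for the ERTM-without-EFS combination named in the report.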