diff mbox series

Bluetooth CVEs deciphered?

Message ID 20201015180628.GB14732@duo.ucw.cz
State New
Headers show
Series Bluetooth CVEs deciphered? | expand

Commit Message

Pavel Machek Oct. 15, 2020, 6:06 p.m. UTC
Hi!

I believe Google has good information which CVE corresponds to which
patch, and I used that to improve cip-kernel-sec. Result is here. Can
you take a look before I start fighting yml?

Best regards,
								Pavel

Comments

Pavel Machek Oct. 15, 2020, 8:30 p.m. UTC | #1
Hi!

> I believe Google has good information which CVE corresponds to which
> patch, and I used that to improve cip-kernel-sec. Result is here. Can
> you take a look before I start fighting yml?

I believe I indentified the other 2 fixes, too. Here's updated diff.

Best regards,
								Pavel

diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..a28487e 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,14 @@
-description: INTEL-SA-00435
+description: |
+  A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+  GHSA-h637-c88j-47wq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
+
+  (no Fixed: tag matching dbb50887c8 in -next).
+
+Probably this fixes it?
+  f19425641cb2572a33cb074d5e30283720bd4d22 .. yep.
\ No newline at end of file
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..64b731d 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,19 @@
-description: INTEL-SA-00435
+description: |
+  BadChoice: Stack-Based Information Leak (BleedingTooth)
+  A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+  GHSA-7mh3-gq28-gfrq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline:
+    47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+    8e2a0d92c56ec6955526a8b60838c9b00f70540d ?
+fixed-by:
+  probably this: eddb7732119d53400f48a02536a84c509692faa8
+
+Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date:   Thu Aug 6 11:17:11 2020 -0700
+
+  
\ No newline at end of file
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@
-description: INTEL-SA-00435
+description: |
+  BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+  A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.  
+advisory: |
+  
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+  https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+  GHSA-ccx2-w2r4-x649
 comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  Pavel Machek:
+    This actually looks like most severe from the recent bluetooth stuff.
+
+    Fix is not one-liner but also not scary. Adds checking at expected places.
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: 
+    c215e9397b00b3045a668120ed7dbd89f2866e74
+    b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+  mainline:
+    a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+  4.19:
+    5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+    -- needs to be backported to 4.4?
+    
\ No newline at end of file
diff mbox series

Patch

diff --git a/issues/CVE-2020-12351.yml b/issues/CVE-2020-12351.yml
index 63f8b60..b7f519b 100644
--- a/issues/CVE-2020-12351.yml
+++ b/issues/CVE-2020-12351.yml
@@ -1,37 +1,9 @@ 
-description: INTEL-SA-00435
+description: |
+  A heap-based type confusion affecting Linux kernel 4.8 and higher was discovered in net/bluetooth/l2cap_core.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq
+aliases:
+  GHSA-h637-c88j-47wq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: dbb50887c8f619fc5c3489783ebc3122bc134a31
diff --git a/issues/CVE-2020-12352.yml b/issues/CVE-2020-12352.yml
index 63f8b60..372e3ce 100644
--- a/issues/CVE-2020-12352.yml
+++ b/issues/CVE-2020-12352.yml
@@ -1,37 +1,13 @@ 
-description: INTEL-SA-00435
+description: |
+  BadChoice: Stack-Based Information Leak (BleedingTooth)
+  A stack-based information leak affecting Linux kernel 3.6 and higher was discovered in net/bluetooth/a2mp.c.
+advisory: |
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
-comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
+aliases:
+  GHSA-7mh3-gq28-gfrq
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline:
+    47f2d97d38816aaca94c9b6961c6eff1cfcd0bd6
+    8e2a0d92c56ec6955526a8b60838c9b00f70540d
+fixed-by:
\ No newline at end of file
diff --git a/issues/CVE-2020-24490.yml b/issues/CVE-2020-24490.yml
index 63f8b60..8fe3617 100644
--- a/issues/CVE-2020-24490.yml
+++ b/issues/CVE-2020-24490.yml
@@ -1,37 +1,25 @@ 
-description: INTEL-SA-00435
+description: |
+  BadVibes: Heap-Based Buffer Overflow (BleedingTooth)
+  A heap-based buffer overflow affecting Linux kernel 4.19 and higher was discovered in net/bluetooth/hci_event.c.  
+advisory: |
+  
 references:
-- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html
+  https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649
+aliases:
+  GHSA-ccx2-w2r4-x649
 comments:
-  debian/carnil: |-
-    CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490 are three
-    issues covered by a set of commits/patches sent upstream but
-    there is no clear association from the CVEs to the commits. So
-    duplicate this entry for now to all three CVEs.
-    The commits are:
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-1-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-2-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-3-luiz.dentz@gmail.com/
-    https://lore.kernel.org/linux-bluetooth/20200806181714.3216076-4-luiz.dentz@gmail.com/
-    which are not yet in mainline, and
-    a2ec905d1e16 ("Bluetooth: fix kernel oops in
-    store_pending_adv_report") which is in 5.8 (and which was
-    backported to 5.7.13, 5.4.56 and 4.19.137).
-    The "fixed version" information in INTEL-SA-00435 is thus as
-    well contradictory as it mentions the issue to be fixed in 5.9
-    or later.
-  wens: |-
-    The four patches are already in net-next as of 2020-10-14 and should hit
-    mainline soon. As far as I can tell, ("Bluetooth: A2MP: Fix not
-    initializing all members") fixes commits going all the way back to
-    3.6, when A2MP was added.
-    Regarding the culprit commits, the first commit is fixed by a2ec905d1e16
-    ("Bluetooth: fix kernel oops in store_pending_adv_report"); the next
-    nine are the various "not fully initialized stack variables"; the last
-    two are the sk_filter and BT_HS ones, respectfully.
+  Pavel Machek:
+    This actually looks like most severe from the recent bluetooth stuff.
+
+    Fix is not one-liner but also not scary. Adds checking at expected places.
 introduced-by:
-  mainline: [c215e9397b00b3045a668120ed7dbd89f2866e74, 6b44d9b8d96b37f72ccd7335b32f386a67b7f1f4,
-    a28381dc9ca3e54b0678e2cd7c68c1afb2d7cc76, e072f5dab22e7bf0a10daf854acc0fc271396ee7,
-    6113f84fc1a8962aed25f54a115b196e9aea151f, 8e2a0d92c56ec6955526a8b60838c9b00f70540d,
-    aa09537d80bf7e6282103618eb496f03e76f2953, 0d868de9d8760c76f6d4c6c777935c05ef272caa,
-    8e05e3ba88adcf7ac644e6ef26676ea7c048a08c, 93c3e8f5c9a0e4dc6b6c93108dcf3ec54ab1191a,
-    dbb50887c8f619fc5c3489783ebc3122bc134a31, 6d80dfd094a7b286e95cdcac79efeb7bbb4e226f]
+  mainline: 
+    c215e9397b00b3045a668120ed7dbd89f2866e74
+    b2cc9761f144e8ef714be8c590603073b80ddc13
+fixed-by:
+  mainline:
+    a2ec905d1e160a33b2e210e45ad30445ef26ce0e
+  4.19:
+    5df9e5613d1c51e16b1501a4c75e139fbbe0fb6c
+    -- needs to be backported to 4.4?
+    
\ No newline at end of file