| Message ID | CAODzB9pMmbJugyNLdvOOifW1Tm+1NhnsUi+zQBdRaj3Z=aC+fw@mail.gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | New CVE entry this week | expand |
Hi, > -----Original Message----- > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa > Sent: Thursday, October 21, 2021 10:21 AM > To: cip-dev <cip-dev@lists.cip-project.org> > Subject: [cip-dev] New CVE entry this week > > Hi ! > > It's this week's CVE report. > > This week reported 7 new CVEs. > > * New CVEs > > CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes. > > This bug is in BPF subsystem and s390 architecture specific. Patches > haven't been backported to 4.4 kernel. However, according to the > cip-kernel-config, it looks like no one uses s390, so can it ignore it > until someone backport patches? > > CVSS v3 score is not provided. > > Fixed status > > mainline: [db7bee653859ef7179be933e7d1384644f795f26, > 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53, > 1511df6f5e9ef32826f20db2ee81f8527154dc14] > stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930] > stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b, > 8a09222a512bf7b32e55bb89a033e08522798299] > stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6, > 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba, > ab7cf225016159bc2c3590be6fa12965565d903b] > stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e, > 6a8787093b04057d855822094d63d04a2506444a, > a7593244dc31ad0eea70319f6110975f9c738dca] > > CVE-2021-20321: kernel: In Overlayfs missing a check for a negative > dentry before calling vfs_rename() > > CVSS v3 score is not provided. > > A local attacker can escalate their privileges up to root via > overlayfs vulnerability. > Patch for 4.4 is applied > failed(https://lore.kernel.org/stable/163378772914820@kroah.com/). It > needs to modify the patch. I attached a patch, if it looks good, I'll > send it to the stable mailing list. Thanks, I checked your patch. LGTM. Best regards, Nobuhiro
Hi ! On Thu, Oct 21, 2021 at 5:42 PM Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp> wrote: > > Hi, > > > -----Original Message----- > > From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Masami Ichikawa > > Sent: Thursday, October 21, 2021 10:21 AM > > To: cip-dev <cip-dev@lists.cip-project.org> > > Subject: [cip-dev] New CVE entry this week > > > > Hi ! > > > > It's this week's CVE report. > > > > This week reported 7 new CVEs. > > > > * New CVEs > > > > CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes. > > > > This bug is in BPF subsystem and s390 architecture specific. Patches > > haven't been backported to 4.4 kernel. However, according to the > > cip-kernel-config, it looks like no one uses s390, so can it ignore it > > until someone backport patches? > > > > CVSS v3 score is not provided. > > > > Fixed status > > > > mainline: [db7bee653859ef7179be933e7d1384644f795f26, > > 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53, > > 1511df6f5e9ef32826f20db2ee81f8527154dc14] > > stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930] > > stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b, > > 8a09222a512bf7b32e55bb89a033e08522798299] > > stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6, > > 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba, > > ab7cf225016159bc2c3590be6fa12965565d903b] > > stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e, > > 6a8787093b04057d855822094d63d04a2506444a, > > a7593244dc31ad0eea70319f6110975f9c738dca] > > > > CVE-2021-20321: kernel: In Overlayfs missing a check for a negative > > dentry before calling vfs_rename() > > > > CVSS v3 score is not provided. > > > > A local attacker can escalate their privileges up to root via > > overlayfs vulnerability. > > Patch for 4.4 is applied > > failed(https://lore.kernel.org/stable/163378772914820@kroah.com/). It > > needs to modify the patch. I attached a patch, if it looks good, I'll > > send it to the stable mailing list. > > Thanks, I checked your patch. LGTM. > Thanks ! > Best regards, > Nobuhiro > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#6834): https://lists.cip-project.org/g/cip-dev/message/6834 > Mute This Topic: https://lists.cip-project.org/mt/86480633/4520416 > Group Owner: cip-dev+owner@lists.cip-project.org > Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129101/4520416/1465703922/xyzzy [masami.ichikawa@miraclelinux.com] > -=-=-=-=-=-=-=-=-=-=-=- > Regards,
From 1e43a0933de1ab853f171de45a17b5f9c43b110e Mon Sep 17 00:00:00 2001
From: Zheng Liang <zhengliang6@huawei.com>
Date: Fri, 24 Sep 2021 09:16:27 +0800
Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()
From: Zheng Liang <zhengliang6@huawei.com>
commit a295aef603e109a47af355477326bd41151765b6 upstream.
The following reproducer
mkdir lower upper work merge
touch lower/old
touch lower/new
mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
rm merge/new
mv merge/old merge/new & unlink upper/new
may result in this race:
PROCESS A:
rename("merge/old", "merge/new");
overwrite=true,ovl_lower_positive(old)=true,
ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
PROCESS B:
unlink("upper/new");
PROCESS A:
lookup newdentry in new_upperdir
call vfs_rename() with negative newdentry and RENAME_EXCHANGE
Fix by adding the missing check for negative newdentry.
Signed-off-by: Zheng Liang <zhengliang6@huawei.com>
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
---
fs/overlayfs/dir.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index eedacae889b9..80bf0ab52e81 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old,
}
} else {
new_create = true;
- if (!d_is_negative(newdentry) &&
- (!new_opaque || !ovl_is_whiteout(newdentry)))
- goto out_dput;
+ if (!d_is_negative(newdentry)) {
+ if (!new_opaque || !ovl_is_whiteout(newdentry))
+ goto out_dput;
+ } else {
+ if (flags & RENAME_EXCHANGE)
+ goto out_dput;
+ }
}
if (olddentry == trap)
--
2.33.0
Hi ! It's this week's CVE report. This week reported 7 new CVEs. * New CVEs CVE-2021-20320: kernel: s390 eBPF JIT miscompilation issues fixes. This bug is in BPF subsystem and s390 architecture specific. Patches haven't been backported to 4.4 kernel. However, according to the cip-kernel-config, it looks like no one uses s390, so can it ignore it until someone backport patches? CVSS v3 score is not provided. Fixed status mainline: [db7bee653859ef7179be933e7d1384644f795f26, 6e61dc9da0b7a0d91d57c2e20b5ea4fd2d4e7e53, 1511df6f5e9ef32826f20db2ee81f8527154dc14] stable/4.19: [ddf58efd05b5d16d86ea4638675e8bd397320930] stable/4.9: [c22cf38428cb910f1996839c917e9238d2e44d4b, 8a09222a512bf7b32e55bb89a033e08522798299] stable/5.10: [d92d3a9c2b6541f29f800fc2bd44620578b8f8a6, 4320c222c2ffe778a8aff5b8bc4ac33af6d54eba, ab7cf225016159bc2c3590be6fa12965565d903b] stable/5.14: [7a31ec4d215a800b504de74b248795f8be666f8e, 6a8787093b04057d855822094d63d04a2506444a, a7593244dc31ad0eea70319f6110975f9c738dca] CVE-2021-20321: kernel: In Overlayfs missing a check for a negative dentry before calling vfs_rename() CVSS v3 score is not provided. A local attacker can escalate their privileges up to root via overlayfs vulnerability. Patch for 4.4 is applied failed(https://lore.kernel.org/stable/163378772914820@kroah.com/). It needs to modify the patch. I attached a patch, if it looks good, I'll send it to the stable mailing list. Fixed status mainline: [a295aef603e109a47af355477326bd41151765b6] stable/4.14: [1caaa820915d802328bc72e4de0d5b1629eab5da] stable/4.19: [9d4969d8b5073d02059bae3f1b8d9a20cf023c55] stable/4.9: [286f94453fb34f7bd6b696861c89f9a13f498721] stable/5.10: [9763ffd4da217adfcbdcd519e9f434dfa3952fc3] stable/5.14: [71b8b36187af58f9e67b25021f5debbc04a18a5d] stable/5.4: [fab338f33c25c4816ca0b2d83a04a0097c2c4aaf] CVE-2021-3847: low-privileged user privileges escalation CVSS v3 score is not provided. A Local attacker can escalate their privileges up to root by overlay fs's vulnerability (https://www.openwall.com/lists/oss-security/2021/10/14/3). Fixed status Not fixed yet. CVE-2021-42252: soc: aspeed: lpc-ctrl: Fix boundary check for mmap CVSS v3 score is not provided. This bug has been introduced since 4.12-rc1. so all stable kernels are fixed. Fixed status mainline: [b49a0e69a7b1a68c8d3f64097d06dabb770fec96] stable/4.14: [b1b55e4073d3da6119ecc41636a2994b67a2be37] stable/4.19: [9c8891b638319ddba9cfa330247922cd960c95b0] stable/5.10: [3fdf2feb6cbe76c6867224ed8527b356e805352c] stable/5.14: [865f5ba9fdfc3ac6acabcac9630056ce99db600d] stable/5.4: [2712f29c44f18db826c7e093915a727b6f3a20e4] CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies CVSS v3 score is not provided. A flaw in the processing of the received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. This flaw is similar to the previous CVE-2020-25705 (both DNS poisoning attack based on ICMP replies for open ports scanning, but other type of ICMP packets). Commit 4785305c ("ipv6: use siphash in rt6_exception_hash()") fixes 35732d01 ("ipv6: introduce a hash table to store dst cache") which was merged in 4.15-rc1. stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19 contains upstream commit 35732d01. Commit 6457378f ("ipv4: use siphash instead of Jenkins in fnhe_hashfun()") fixes d546c621 ("ipv4: harden fnhe_hashfun()") which was merged in 3.18-rc1 stable/4.4 and stable/4.19 contain upstream commit d546c621. Commit a00df2ca ("ipv6: make exception cache less predictible") fixes 35732d01 ("ipv6: introduce a hash table to store dst cache") which was merged in 4.15-rc1. stable/4.4 doesn't contain upstream commit 35732d01. stable/4.19 contains upstream commit 35732d01. Commit 67d6d681 ("ipv4: make exception cache less predictible") fixes 4895c771 ("ipv4: Add FIB nexthop exceptions.") which was merged in 3.6-rc1. stable/4.19 applied this patch at commit 3e6bd2b5. stable/4.4 applied this patch at commit bed8941f. Fixed status mainline: [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1, a00df2caffed3883c341d5685f830434312e4a43, 67d6d681e15b578c1725bad8ad079e05d1c48a8e] stable/4.19: [3e6bd2b583f18da9856fc9741ffa200a74a52cba] stable/4.4: [bed8941fbdb72a61f6348c4deb0db69c4de87aca] stable/4.9: [f10ce783bcc4d8ea454563a7d56ae781640e7dcb] stable/5.10: [8692f0bb29927d13a871b198adff1d336a8d2d00, 5867e20e1808acd0c832ddea2587e5ee49813874, dced8347a727528b388f04820f48166f1e651af6, beefd5f0c63a31a83bc5a99e6888af884745684b] stable/5.14: [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1, 55938482a1461a35087c6f3051f8447662889ea8, 4589a12dcf80af31137ef202be1ff4a321707a73] CVE-2021-42739: A buffer overflow bug is found in the firewire subsystem CVSS v3 score is not provided. Patches have been sent to Linux Media mailing list but it hasn't been merged in linux-media tree nor mainline yet. According to the cip-kernel-config repo, no CIP member uses firewire driver. Fixed status Not fixed yet. CVE-2021-34866: Linux Kernel eBPF Type Confusion Privilege Escalation Vulnerability CVSS v3 score is not provided. A type confusion bug is found in eBPF subsystem which can leads a local attacker escalates their privileges via this bug. This bug was introduced in commit 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") that has been merged since 5.8-rc1. so before 5.8 kernels aren't affected by this CVE. Fixed status mainline: [5b029a32cfe4600f5e10e36b41778506b90fd4de] stable/5.10: [9dd6f6d89693d8f09af53d2488afad22a8a44a57] * Updated CVEs CVE-2020-29374: gup: document and work around "COW can break either way" issue This bug has been fixed since 5.8-rc1. 4.4 and 4.9 have been fixed this week. All stable kernels are fixed. Fixed status mainline: [17839856fd588f4ab6b789f482ed3ffd7c403e1f] stable/4.14: [407faed92b4a4e2ad900d61ea3831dd597640f29] stable/4.19: [5e24029791e809d641e9ea46a1f99806484e53fc] stable/4.4: [58facc9c7ae307be5ecffc1697552550fedb55bd] stable/4.9: [9bbd42e79720122334226afad9ddcac1c3e6d373] stable/5.4: [1027dc04f557328eb7b7b7eea48698377a959157] CVE-2021-41864: bpf: Fix integer overflow in prealloc_elems_and_freelist() 4.9 and 4.19 have been fixed this week. This bug was introduced in 4.6-rc1 therefore 4.4 doesn't affect. All stable kernels are fixed. Fixed status mainline: [30e29a9a2bc6a4888335a6ede968b75cd329657a] stable/4.14: [f34bcd10c4832d491049905d25ea3f46a410c426] stable/4.19: [078cdd572408176a3900a6eb5a403db0da22f8e0] stable/4.9: [4fd6663eb01bc3c73143cd27fefd7b8351bc6aa6] stable/5.10: [064faa8e8a9b50f5010c5aa5740e06d477677a89] stable/5.14: [3a1ac1e368bedae2777d9a7cfdc65df4859f7e71] stable/5.4: [b14f28126c51533bb329379f65de5b0dd689b13a] Currently tracking CVEs CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 There is no fix information. CVE-2021-3640: UAF in sco_send_frame function Fixed in bluetooth-next tree. https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/sco.c?id=99c23da0eed4fd20cae8243f2b51e10e66aa0951 CVE-2020-26555: BR/EDR pin code pairing broken No fix information CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning No fix information. CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM No fix information. CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning No fix information. CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning No fix information. Regards,