
New CVE entries this week

Message ID CAODzB9q=mZ-SdrAZJzgLBCn9pJ+GnDha6JcjqvKOAuYxRvUkyw@mail.gmail.com (mailing list archive)

Commit Message

Masami Ichikawa Feb. 10, 2022, 1:35 a.m. UTC
Hi!

It's this week's CVE report.

This week, 5 new CVEs were reported.

* New CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

CVSS v3 score is not provided

A local unprivileged user can cause a local DoS via the sctp subsystem.
The commit a2d859e3fc97 ("sctp: account stream padding length for
reconf chunk") may fix this issue.

Fixed status

Not fixed yet.

CVE-2022-0487: Use after free in moxart_remove

CVSS v3 score is not provided

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
The mainline is fixed. Stable kernels are being reviewed.

Applying patch bd2db32 ("moxart: fix potential use-after-free on remove
path") to 4.4 needs a bit of code modification. However, it seems no CIP
member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

CVSS v3 score is not provided

There was a bug in the cgroups v1 release_agent feature that allows
escalating privilege and bypassing namespace isolation.
The mainline and 5.X series were fixed, but the fix failed to apply
to all 4.X series. This issue affects 2.6.24-rc1 or later.

Applying the commit 24f6008 ("cgroup-v1: Require capabilities to set
release_agent") depends on the following commits.

- a3ff937 ("prefix-handling analogues of errorf() and friends")
This commit was introduced at 5.6-rc1. It added the invalfc macro to
include/linux/fs_context.h. 5.4 uses the cg_invalf macro, which calls
invalfc internally.

- 8d2451f ("https://github.com/torvalds/linux/commit/8d2451f4994fa60a57617282bab91b98266a00b1").
This commit was introduced at 5.1-rc1. It added cgroup1_parse_param().

So the 4.X series need another way to fix this issue (e.g.
4.9, 4.14, and 4.19 are being reviewed).

The 4.X series use struct cgroup_namespace, which was introduced at
4.6-rc1, to get the namespace object. So fixing 4.4 needs another way
to get the namespace object instead of struct cgroup_namespace.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails

CVSS v3 score is not provided

The server returns uninitialized data in the file descriptor in nfs_atomic_open().
The mainline and stable kernels are fixed.

I attached 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch
for 4.4.y.

Fixed status

mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf]
stable/4.14: [516f348b759f6a92819820a3f56d678458e22cc8]
stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
stable/4.9: [8788981e120694a82a3672e062fe4ea99446634a]
stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
stable/5.15: [4c36ca387af4a9b5d775e46a6cb9dc2d151bf057]
stable/5.16: [f0583af88e7dd413229ea5e670a0db36fdf34ba2]
stable/5.4: [0dfacee40021dcc0a9aa991edd965addc04b9370]

CVE-2022-0480: memcg: enable accounting for file lock caches

CVSS v3 score is not provided

A user can cause host memory exhaustion because memcg doesn't limit
the number of POSIX file locks.
This issue was fixed in 5.15-rc1.

The patch cannot be applied to 4.4 because this fix uses the SLAB_ACCOUNT
flag, which was introduced by commit 230e9fc ("slab: add SLAB_ACCOUNT
flag") at 4.5-rc1 and is not backported to 4.4.

Fixed status

mainline: [0f12156dff2862ac54235fc72703f18770769042]

* Updated CVEs

CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions

This issue was fixed in 4.17-rc7. 4.14 was fixed this week.

Fixed status

mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
stable/4.14: [6824208b59a4727b8a8653f83d8e685584d04606]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

From 912c6e22cf82aa5bb63e5f27a3a39490e758f7ab Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Thu, 6 Jan 2022 18:24:02 -0500
Subject: [PATCH] NFSv4: Handle case where the lookup of a directory fails

If the application sets the O_DIRECTORY flag, and tries to open a
regular file, nfs_atomic_open() will punt to doing a regular lookup.
If the server then returns a regular file, we will happily return a
file descriptor with uninitialised open state.

The fix is to return the expected ENOTDIR error in these cases.

Reported-by: Lyu Tao <tao.lyu@epfl.ch>
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[Fix merge conflict in nfs_atomic_open().]
Reference: CVE-2022-24448
Signed-off-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
 fs/nfs/dir.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index ba7e98d8ce09..7c1f83632d63 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1577,6 +1577,19 @@  out:
 	res = nfs_lookup(dir, dentry, lookup_flags);
+	if (!res) {
+		inode = d_inode(dentry);
+		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+		    !S_ISDIR(inode->i_mode))
+			res = ERR_PTR(-ENOTDIR);
+	} else if (!IS_ERR(res)) {
+		inode = d_inode(res);
+		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+		    !S_ISDIR(inode->i_mode)) {
+			dput(res);
+			res = ERR_PTR(-ENOTDIR);
+		}
+	}	
 	err = PTR_ERR(res);
 	if (IS_ERR(res))
 		goto out;
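Review bot: the closing brace of the `else if` arm (`+	}	`) carries trailing whitespace, which checkpatch flags and which is not in upstream ac795161c936; drop the trailing tab before sending this to 4.4.y. Otherwise the backported logic matches upstream: both arms gate on `lookup_flags & LOOKUP_DIRECTORY`, the `else if` arm releases the reference returned by nfs_lookup() with `dput(res)` before replacing it with `ERR_PTR(-ENOTDIR)`, and the unchanged `err = PTR_ERR(res); if (IS_ERR(res)) goto out;` already routes the new error to the existing exit path. The hunk assigns `inode` without declaring it, so it depends on nfs_atomic_open() still having a `struct inode *inode` local in 4.4; since the changelog notes a merge-conflict fix in this function, confirm that variable is in scope rather than shadowed or removed by the conflict resolution.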