From patchwork Fri Sep 25 03:59:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Sangorrin X-Patchwork-Id: 11798759 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 75EA3139F for ; Fri, 25 Sep 2020 04:00:06 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 214E121D20 for ; Fri, 25 Sep 2020 04:00:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="OJ3pOZSP" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 214E121D20 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=toshiba.co.jp Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+5473+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id B8bdYY4521763xSBDqArfFD3; Thu, 24 Sep 2020 21:00:05 -0700 X-Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.154]) by mx.groups.io with SMTP id smtpd.web12.83.1601006404940305385 for ; Thu, 24 Sep 2020 21:00:05 -0700 X-Received: by mo-csw.securemx.jp (mx-mo-csw1515) id 08P3xWYY024706; Fri, 25 Sep 2020 12:59:33 +0900 X-Iguazu-Qid: 34trjq6AI9NyB3OFHT X-Iguazu-QSIG: v=2; s=0; t=1601006372; q=34trjq6AI9NyB3OFHT; m=d8dLsnCum8a5B7LH7goYRFhaOyTTXuvVPFPzpPIDNZU= X-Received: from imx12.toshiba.co.jp (imx12.toshiba.co.jp [61.202.160.132]) by relay.securemx.jp (mx-mr1510) id 08P3xVtL039267; Fri, 25 Sep 2020 12:59:32 +0900 X-Received: from enc02.toshiba.co.jp ([61.202.160.51]) by imx12.toshiba.co.jp with ESMTP id 08P3xV83016924; Fri, 25 Sep 2020 12:59:31 +0900 (JST) X-Received: from hop101.toshiba.co.jp ([133.199.85.107]) by 
enc02.toshiba.co.jp with ESMTP id 08P3xVEX000476; Fri, 25 Sep 2020 12:59:31 +0900 From: "Daniel Sangorrin" To: sz.lin@moxa.com, ben.hutchings@codethink.co.u, wens@csie.org Cc: cip-dev@lists.cip-project.org Subject: [cip-dev] [cip-kernel-sec 2/3] report_affected: Delete extra blank lines between CVEs Date: Fri, 25 Sep 2020 12:59:26 +0900 X-TSB-HOP: ON Message-Id: <20200925035927.1958987-3-daniel.sangorrin@toshiba.co.jp> In-Reply-To: <20200925035927.1958987-1-daniel.sangorrin@toshiba.co.jp> References: <20200925035927.1958987-1-daniel.sangorrin@toshiba.co.jp> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: cip-dev@lists.cip-project.org List-Id: Mailing-List: list cip-dev@lists.cip-project.org; contact cip-dev+owner@lists.cip-project.org Delivered-To: mailing list cip-dev@lists.cip-project.org Reply-To: cip-dev@lists.cip-project.org X-Gm-Message-State: uHBPQ0gCmI0YcYDeZ24VLpXCx4520428AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.cip-project.org; q=dns/txt; s=20140610; t=1601006405; bh=rHM0gY7wPCdaJMrFY/KN9q7JH3sdywUuurGB22TBHiU=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=OJ3pOZSPADAp9ElJIWG/BIE72VBnzm1K3GeLR4h5xAQJVLXyp13/82k5ER8fJ3M8qTU zoH598ZNZPICHlvmZFfQtx8e9/fyo83NIiVsvfJ5ynuJJUYDAj7fcmhAlHQaUCzX8Vy2+ 8Y58FoAZ+RXQ0+kS2tcMEh799kZoK6K710g= From: nguyen van hieu When using the --show-description option CVEs had blank lines between them. Remove them to make it more compact. Signed-off-by: nguyen van hieu Signed-off-by: Daniel Sangorrin Reviewed-by: Chen-Yu Tsai (Moxa) --- scripts/report_affected.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/report_affected.py b/scripts/report_affected.py index a181d97..9894602 100755 --- a/scripts/report_affected.py +++ b/scripts/report_affected.py 
@@ -141,7 +141,7 @@ def main(git_repo, remotes, only_fixed_upstream, wrap_description = '' for line in textwrap.wrap(description, 80, break_long_words=False): wrap_description += line + '\n ' - print(cve_id, '=>',wrap_description) + print(cve_id, '=>',wrap_description.strip()) else: print('%s:' % branch['full_name'], *sorted_cve_ids) From patchwork Fri Sep 25 03:59:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Sangorrin X-Patchwork-Id: 11798761 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 375D36CA for ; Fri, 25 Sep 2020 04:00:08 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C1D5721481 for ; Fri, 25 Sep 2020 04:00:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="HQ5VN2Fk" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C1D5721481 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=toshiba.co.jp Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+5475+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id lvPXYY4521763x1hdc9ehTZW; Thu, 24 Sep 2020 21:00:07 -0700 X-Received: from mo-csw.securemx.jp (mo-csw.securemx.jp [210.130.202.153]) by mx.groups.io with SMTP id smtpd.web12.85.1601006406174083716 for ; Thu, 24 Sep 2020 21:00:06 -0700 X-Received: by mo-csw.securemx.jp (mx-mo-csw1514) id 08P3xXUW022885; Fri, 25 Sep 2020 12:59:33 +0900 X-Iguazu-Qid: 34treJ7jSnpoXH9OnQ X-Iguazu-QSIG: v=2; s=0; t=1601006373; q=34treJ7jSnpoXH9OnQ; m=g6PnKhSUfYGc7TW5Tpophxb6FtmQO0izFVpe4IfvarM= X-Received: from 
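Review bot: `.strip()` in the `print(cve_id, '=>', ...)` line treats the symptom rather than the cause. The blank line appears because the loop appends the separator `'\n '` after every wrapped line, including the last one, so `wrap_description` always ends in a newline plus a space and `print` then adds its own newline on top. Building the string with the separator only between lines removes the need to strip anything afterwards, e.g. `wrap_description = '\n '.join(textwrap.wrap(description, 80, break_long_words=False))`, and keeps the intent visible to the next reader, whereas `.strip()` also silently drops any leading whitespace. While touching the line, a space after the comma in `'=>',wrap_description` would match the style of the neighbouring `print` calls.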
imx2.toshiba.co.jp (imx2.toshiba.co.jp [106.186.93.51]) by relay.securemx.jp (mx-mr1510) id 08P3xWWC039282; Fri, 25 Sep 2020 12:59:32 +0900 X-Received: from enc01.toshiba.co.jp ([106.186.93.100]) by imx2.toshiba.co.jp with ESMTP id 08P3xWns013343; Fri, 25 Sep 2020 12:59:32 +0900 (JST) X-Received: from hop001.toshiba.co.jp ([133.199.164.63]) by enc01.toshiba.co.jp with ESMTP id 08P3xVEs029834; Fri, 25 Sep 2020 12:59:32 +0900 From: "Daniel Sangorrin" To: sz.lin@moxa.com, ben.hutchings@codethink.co.u, wens@csie.org Cc: cip-dev@lists.cip-project.org Subject: [cip-dev] [cip-kernel-sec 3/3] issues: fill in the description field of remaining CVEs Date: Fri, 25 Sep 2020 12:59:27 +0900 X-TSB-HOP: ON Message-Id: <20200925035927.1958987-4-daniel.sangorrin@toshiba.co.jp> In-Reply-To: <20200925035927.1958987-1-daniel.sangorrin@toshiba.co.jp> References: <20200925035927.1958987-1-daniel.sangorrin@toshiba.co.jp> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: cip-dev@lists.cip-project.org List-Id: Mailing-List: list cip-dev@lists.cip-project.org; contact cip-dev+owner@lists.cip-project.org Delivered-To: mailing list cip-dev@lists.cip-project.org Reply-To: cip-dev@lists.cip-project.org X-Gm-Message-State: 39ppuzWR72wl94gVzzLAcKUYx4520428AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.cip-project.org; q=dns/txt; s=20140610; t=1601006407; bh=KaMqTojhMRQsucQUCgiATXKVXfuUrFWpD7wexhR4uxw=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=HQ5VN2FkztItbCJm0IEHLk4tpPoTnOJmP6/AJK4RnL2gm5crwXgc5xuVZ5Lo0Sewcd8 +whw9DvKQcE75YS9YVsgrBIpSFvm+nVkolln2OZ+v4xI/6xU6X+lxZ084zXtb3tCbGPwm FqwUs1TR48SO5Z9zwtzmasqXFEW7umC2aDE= From: nguyen van hieu I noticed that some issues have the description field empty when using the --show-description option. Signed-off-by: nguyen van hieu 
Signed-off-by: Daniel Sangorrin Reviewed-by: Chen-Yu Tsai (Moxa) --- issues/CVE-2016-6213.yml | 5 ++++- issues/CVE-2017-1000364.yml | 5 ++++- issues/CVE-2017-1000365.yml | 6 +++++- issues/CVE-2017-1000379.yml | 5 ++++- issues/CVE-2017-16538.yml | 5 ++++- issues/CVE-2019-15214.yml | 6 +++++- issues/CVE-2019-20794.yml | 6 +++++- issues/CVE-2020-11725.yml | 8 +++++++- 8 files changed, 38 insertions(+), 8 deletions(-) diff --git a/issues/CVE-2016-6213.yml b/issues/CVE-2016-6213.yml index 31762df..58bf472 100644 --- a/issues/CVE-2016-6213.yml +++ b/issues/CVE-2016-6213.yml @@ -1,4 +1,7 @@ -description: '' +description: |- + fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, + which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, + as demonstrated by a loop that triggers exponential growth in the number of mounts. references: - http://www.openwall.com/lists/oss-security/2016/07/13/6 - https://lkml.org/lkml/2016/8/28/269 diff --git a/issues/CVE-2017-1000364.yml b/issues/CVE-2017-1000364.yml index 8841754..c566c5b 100644 --- a/issues/CVE-2017-1000364.yml +++ b/issues/CVE-2017-1000364.yml @@ -1,4 +1,7 @@ -description: '' +description: |- + An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard + page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), + this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364 - http://www.ubuntu.com/usn/usn-3324-1 diff --git a/issues/CVE-2017-1000365.yml b/issues/CVE-2017-1000365.yml index 6cbae0b..f87ca53 100644 --- a/issues/CVE-2017-1000365.yml +++ b/issues/CVE-2017-1000365.yml 
@@ -1,4 +1,8 @@ -description: '' +description: |- + The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through + RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers + into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. + It appears that this feature was introduced in the Linux Kernel version 2.6.23. references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000365 - https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt diff --git a/issues/CVE-2017-1000379.yml b/issues/CVE-2017-1000379.yml index 93258d8..2ae11b1 100644 --- a/issues/CVE-2017-1000379.yml +++ b/issues/CVE-2017-1000379.yml @@ -1,4 +1,7 @@ -description: '' +description: |- + The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, + the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. + Linux Kernel version 4.11.5 is affected. references: - https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000379 diff --git a/issues/CVE-2017-16538.yml b/issues/CVE-2017-16538.yml index 793db3f..c466041 100644 --- a/issues/CVE-2017-16538.yml +++ b/issues/CVE-2017-16538.yml @@ -1,4 +1,7 @@ -description: '' +description: |- + drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service + (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, + related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner). references: - https://patchwork.linuxtv.org/patch/44566/ - https://patchwork.linuxtv.org/patch/44567/ diff --git a/issues/CVE-2019-15214.yml b/issues/CVE-2019-15214.yml index c92091b..cb6006d 100644 
--- a/issues/CVE-2019-15214.yml +++ b/issues/CVE-2019-15214.yml @@ -1,4 +1,8 @@ -description: '' +description: |- + An issue was discovered in the Linux kernel before 5.0.10. + There is a use-after-free in the sound subsystem because + card disconnection causes certain data structures to be deleted too early. + This is related to sound/core/init.c and sound/core/info.c. references: - https://syzkaller.appspot.com/bug?id=75903e0021cef79bc434d068b5169b599b2a46a9 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15214 diff --git a/issues/CVE-2019-20794.yml b/issues/CVE-2019-20794.yml index 43e3ccf..8f30e12 100644 --- a/issues/CVE-2019-20794.yml +++ b/issues/CVE-2019-20794.yml @@ -1,4 +1,8 @@ -description: '' +description: |- + An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. + A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, + if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, + and resources being permanently locked up until system reboot. This can result in resource exhaustion. references: - https://github.com/sargun/fuse-example - https://sourceforge.net/p/fuse/mailman/message/36598753/ diff --git a/issues/CVE-2020-11725.yml b/issues/CVE-2020-11725.yml index ca2b80d..3cae05d 100644 --- a/issues/CVE-2020-11725.yml +++ b/issues/CVE-2020-11725.yml 
@@ -1,4 +1,10 @@ -description: '' +description: |- + ** DISPUTED ** snd_ctl_elem_add in sound/core/control.c in the Linux kernel through 5.6.3 has a count=info->owner line, + which later affects a private_size*count multiplication for unspecified "interesting side effects." + NOTE: kernel engineers dispute this finding, because it could be relevant only if new callers were added + that were unfamiliar with the misuse of the info->owner field to represent data unrelated to the "owner" concept. + The existing callers, SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE, + have been designed to misuse the info->owner field in a safe way. references: - https://twitter.com/yabbadabbadrew/status/1248632267028582400 - https://lore.kernel.org/alsa-devel/s5h4ktmlfpx.wl-tiwai@suse.de/
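Review bot: for the CVE-2016-6213 hunk and the rest of the series, neither the commit message nor the hunks say where the description text comes from, and the wording (including the `** DISPUTED **` marker and the `NOTE:` paragraph in the CVE-2020-11725 hunk) reads like text copied from an upstream CVE database entry rather than the project's own assessment. Naming the source in the commit message would let reviewers check the text against it and make clear which statements are the project's and which are quoted.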
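Review bot: the continuation lines in the CVE-2017-16538 hunk run to roughly 130 columns, while the CVE-2019-15214 hunk wraps near 80 and the CVE-2019-20794 hunk near 120. Because `|-` keeps the line breaks in the stored string and `report_affected.py` re-wraps the description at 80 columns anyway (`textwrap.wrap` folds embedded newlines into spaces by default), the wrap width chosen in the file has no effect on the report output, so wrapping all eight descriptions at one consistent width costs nothing and makes the files easier to diff later.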
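Review bot: in the CVE-2020-11725 hunk the literal block style is required, not just cosmetic: a plain scalar beginning with `** DISPUTED **` would be taken by a YAML parser as an alias indicator and fail to load, so `|-` (or a quoted scalar) must stay even if the formatting of the other descriptions is revisited. Separately, a disputed status carried only inside free text is easy to miss when the `--show-description` report is skimmed; if the issue file format has a dedicated comments or status field, it would be worth recording the dispute there as well, and the commit message should at least mention that this entry is disputed.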