From patchwork Thu Feb 10 01:35:28 2022
X-Patchwork-Submitter: Masami Ichikawa
X-Patchwork-Id: 12741131
From: Masami Ichikawa
Date: Thu, 10 Feb 2022 10:35:28 +0900
Subject: New CVE entries this week
To: cip-dev
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/7588

Hi !

It's this week's CVE report.

This week reported 5 new CVEs.

* New CVEs

CVE-2021-3894: sctp: local DoS: unprivileged user can cause BUG()

CVSS v3 score is not provided.

A local unprivileged user can cause a local DoS via the sctp subsystem.
The commit a2d859e3fc97 ("sctp: account stream padding length for reconf chunk") may fix this issue.

Fixed status

Not fixed yet.

CVE-2022-0487: Use after free in moxart_remove

CVSS v3 score is not provided.

A UAF bug was found in moxart_remove() in drivers/mmc/host/moxart-mmc.c.
The mainline was fixed. Stable kernels are being reviewed.
Applying patch bd2db32 ("moxart: fix potential use-after-free on remove path") to 4.4 needs a bit of code modification.
However, it seems no CIP member enables CONFIG_MMC_MOXART.

Fixed status

mainline: [bd2db32e7c3e35bd4d9b8bbff689434a50893546]

CVE-2022-0492: cgroup-v1: Require capabilities to set release_agent

CVSS v3 score is not provided.

There was a bug in the cgroups v1 release_agent feature that can be used to escalate privilege and bypass namespace isolation.
The mainline and 5.X series were fixed, but the fix failed to apply to all 4.X series.
This issue affects 2.6.24-rc1 or later versions.

Applying the commit 24f6008 ("cgroup-v1: Require capabilities to set release_agent") depends on the following commits.

- a3ff937 ("prefix-handling analogues of errorf() and friends")
  This commit was introduced in 5.6-rc1. It added the invalfc macro to include/linux/fs_context.h. 5.4 uses the cg_invalf macro, which calls invalfc in it.

- 8d2451f ("https://github.com/torvalds/linux/commit/8d2451f4994fa60a57617282bab91b98266a00b1")
  This commit was introduced in 5.1-rc1.
  It added cgroup1_parse_param().

So the 4.X series fix this issue another way (e.g. https://lore.kernel.org/stable/20220209191248.652388187@linuxfoundation.org/).
4.9, 4.14, and 4.19 are being reviewed.
The 4.X series use struct cgroup_namespace to get the namespace object, which was introduced in 4.6-rc1.
So fixing 4.4 needs another way to get the namespace object instead of struct cgroup_namespace.

Fixed status

mainline: [24f6008564183aa120d07c03d9289519c2fe02af]
stable/5.10: [1fc3444cda9a78c65b769e3fa93455e09ff7a0d3]
stable/5.15: [4b1c32bfaa02255a5df602b41587174004996477]
stable/5.16: [9c9dbb954e618e3d9110f13cc02c5db1fb73ea5d]
stable/5.4: [0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8]

CVE-2022-24448: NFSv4: Handle case where the lookup of a directory fails

CVSS v3 score is not provided.

The server returns uninitialized data in the file descriptor in nfs_atomic_open().
The mainline and stable kernels are fixed.
I attached 0001-NFSv4-Handle-case-where-the-lookup-of-a-directory-fa.patch for 4.4.y.

Fixed status

mainline: [ac795161c93699d600db16c1a8cc23a65a1eceaf]
stable/4.14: [516f348b759f6a92819820a3f56d678458e22cc8]
stable/4.19: [b00b4c6faad0f21e443fb1584f7a8ea222beb0de]
stable/4.9: [8788981e120694a82a3672e062fe4ea99446634a]
stable/5.10: [ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2]
stable/5.15: [4c36ca387af4a9b5d775e46a6cb9dc2d151bf057]
stable/5.16: [f0583af88e7dd413229ea5e670a0db36fdf34ba2]
stable/5.4: [0dfacee40021dcc0a9aa991edd965addc04b9370]

CVE-2022-0480: memcg: enable accounting for file lock caches

CVSS v3 score is not provided.

A user can cause host memory exhaustion because memcg doesn't limit the number of POSIX file locks.
This issue was fixed in 5.15-rc1.
The patch cannot be applied to 4.4 because this fix uses the SLAB_ACCOUNT flag, which was introduced by commit 230e9fc ("slab: add SLAB_ACCOUNT flag") in 4.5-rc1 and is not backported to 4.4.
Fixed status

mainline: [0f12156dff2862ac54235fc72703f18770769042]

* Updated CVEs

CVE-2018-25020: bpf: fix truncated jump targets on heavy expansions

This issue was fixed in 4.17-rc7. 4.14 was fixed this week.

Fixed status

mainline: [050fad7c4534c13c8eb1d9c2ba66012e014773cb]
stable/4.14: [6824208b59a4727b8a8653f83d8e685584d04606]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information.

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.

Regards,

From 912c6e22cf82aa5bb63e5f27a3a39490e758f7ab Mon Sep 17 00:00:00 2001
From: Trond Myklebust
Date: Thu, 6 Jan 2022 18:24:02 -0500
Subject: [PATCH] NFSv4: Handle case where the lookup of a directory fails

If the application sets the O_DIRECTORY flag, and tries to open a
regular file, nfs_atomic_open() will punt to doing a regular lookup.
If the server then returns a regular file, we will happily return a
file descriptor with uninitialised open state.

The fix is to return the expected ENOTDIR error in these cases.

Reported-by: Lyu Tao
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
Signed-off-by: Trond Myklebust
Signed-off-by: Anna Schumaker
[Fix merge conflict in nfs_atomic_open().]
Reference: CVE-2022-24448
Signed-off-by: Masami Ichikawa(CIP)
---
 fs/nfs/dir.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index ba7e98d8ce09..7c1f83632d63 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1577,6 +1577,19 @@ out: no_open: res = nfs_lookup(dir, dentry, lookup_flags); + if (!res) { + inode = d_inode(dentry); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); + } + } err = PTR_ERR(res); if (IS_ERR(res)) goto out; -- 2.35.1
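Review bot: the `(lookup_flags & LOOKUP_DIRECTORY) && inode && !S_ISDIR(inode->i_mode)` test is written out twice in this hunk, once for the `!res` case on `d_inode(dentry)` and once for the dentry returned by nfs_lookup() on `d_inode(res)`; a small static helper taking the inode and lookup_flags would keep the two branches from drifting apart in later backports and make the hunk easier to compare against the mainline commit. The bracketed backport note says only "Fix merge conflict in nfs_atomic_open()"; for stable reviewers it would help to spell out what differed from mainline at this spot, since in the 4.4 context the new ERR_PTR(-ENOTDIR) is consumed by the existing `err = PTR_ERR(res); if (IS_ERR(res)) goto out;` lines rather than whatever mainline does after the lookup, and that is what makes the change correct here.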
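As an added example (this is not code from the mail, from the CIP project, or from the kernel patch above), here is a small user-space probe for the behaviour the commit message describes: open(2) with O_DIRECTORY on a regular file must fail with ENOTDIR, whereas an unpatched NFSv4 client could hand back a descriptor for the regular file instead. The scratch path under /tmp, the probe's return codes and the function names are this example's own assumptions; run it with a regular file on the NFS mount under test as its argument, or with no argument for a self-check on a local filesystem.

```c
/* Added example, not part of the original mail or patch.  Probes whether
 * open(O_DIRECTORY) on a regular file is rejected with ENOTDIR, which is
 * what the CVE-2022-24448 fix restores for NFSv4.  Names and return codes
 * below are this example's own assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe one path.  Return values (assumed convention for this example):
 *   1  open() failed with ENOTDIR: the fixed behaviour for a regular file
 *   0  open() returned a descriptor for a non-directory: the CVE-2022-24448 symptom
 *   2  the path really is a directory, so the probe says nothing; pick a regular file
 *  -1  any other failure (ENOENT, EACCES, ...); errno is left set for the caller */
int probe_o_directory(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return errno == ENOTDIR ? 1 : -1;

    /* The open succeeded: only acceptable if the kernel agrees it is a directory. */
    struct stat st;
    int is_dir = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode);
    close(fd);
    return is_dir ? 2 : 0;
}

/* Self-check on a local filesystem, which always gets this right: creates a
 * scratch directory holding one regular file and expects the probe to report
 * 1 for the file and 2 for the directory.  Returns 1 on success, 0 otherwise. */
int self_test(void)
{
    char dir[64], file[96];
    snprintf(dir, sizeof dir, "/tmp/odir-probe-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return 0;
    snprintf(file, sizeof file, "%s/regular", dir);

    int fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) {
        rmdir(dir);
        return 0;
    }
    close(fd);

    int file_result = probe_o_directory(file);
    int dir_result = probe_o_directory(dir);

    unlink(file);
    rmdir(dir);
    return file_result == 1 && dir_result == 2;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("self-test on local filesystem: %s\n", self_test() ? "ok" : "FAILED");
        return 0;
    }
    switch (probe_o_directory(argv[1])) {
    case 1:
        printf("%s: ENOTDIR, as expected with the fix applied\n", argv[1]);
        return 0;
    case 0:
        printf("%s: got a descriptor for a non-directory (CVE-2022-24448 symptom)\n", argv[1]);
        return 1;
    case 2:
        printf("%s: is a directory; point the probe at a regular file\n", argv[1]);
        return 2;
    default:
        printf("%s: %s\n", argv[1], strerror(errno));
        return 2;
    }
}
```

The probe only tells you about the client kernel you run it on, and only for the path you give it: the fix lives in nfs_atomic_open(), so a regular file on an NFSv4 mount is the interesting input, while a directory or a file on a local filesystem just exercises the self-check path.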