diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 133205d4c..b5b58a9eb 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-04-27' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,14 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + An undesirable situation in one of the functions in a certain driver attempts + to fetch a value that is already being fetched by another function at the same time. + This is an example of a race condition and it allows users to obtain senstive information + from memory or cause memory corruption or a system crash. If one user thread modifies + the header of a file, the function might incorrectly fetch the wrong value since there's + another point in the file where the old value has been fetched. This incorrect reading + in the value may lead to information leakage or a system crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
@@ -75,7 +82,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [116651] fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,8 +97,7 @@ fixes: note: - commit: 9bf292bfca94694a721449e3fd752493856710f6 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +112,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 61e9c905df78c253752971e200f0ac6d8667dda6 - note: Discovered automatically by archeogit. + note: | + Discovered automatically by archeogit. Manually Confirmed, was the initial commit + for this patch to enable VOP host side functionality. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -114,7 +122,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +137,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No observable unit testing done. + fix: False + fix_answer: No observable unit testing done. discovered: question: | How was this vulnerability discovered? 
@@ -147,11 +155,13 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: -autodiscoverable: + answer: | + '2016-04-18' An email was sent on Kernal.org Bugzilla from Pengfei Wang that + detailed them finding the bug while examining the source code. + automated: False + contest: False + developer: False +autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, @@ -167,8 +177,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + If a fuzzer modifed the header in some way, then it might be able to cause this + exploit. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +196,10 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + After checking the only mailing list, it didn't specify that any specification was + violated. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,7 +233,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -251,8 +265,10 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + This vulnerability doesn't have anything to do with the locale of the user + or any conversion to the user's preferences. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
@@ -266,8 +282,10 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + This vulnerability does not work with permissions, rather improper variable/memory + management. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +296,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + This function does not communicate with any other process or system, it's an + error in its own system. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +325,12 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: False + note: | + This was reported only one time and no back and forth discussion. An report was + sent and reviewed, once reviewed a bug was reported and a fix was followed up. Recommendations + were given in the report message. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +343,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Sudeep Dutt and Ashutosh Dixit, both from Intel, had signed off on the commit that fixed the issue. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -335,9 +358,12 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: | + No stacktraces were found, however there might have been one since the original + person that found the fix knew specific line numbers that pointed out the issues in the + race condition. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +382,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: This fix involves checking if a certain value has not changed in between two + reads from different functions. If not checked, a race condition would occur. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +396,11 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + This fix involves changing a variable if the check was passed. Once this variable is + changed to a certain value, it can then be written over correctly, or get used with the + correct data that it contains. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -387,37 +417,39 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: - note: + applies: True + note: | + There seems to be an added environment variable to assist checking for the race + condition before continuing code execution. secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | @@ -448,7 +480,11 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + Not completing checks to see if the variable is being written multiple times may lead + to undesirable outcomes when handling lots of data that the system, or the user controls. + Since memory and variables can be changed by the user, it's important to check whether + the system is changing those variable as well to see if there is a conflict. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2017-5548.yml b/cves/kernel/CVE-2017-5548.yml index f59ae6382..2194697da 100644 --- a/cves/kernel/CVE-2017-5548.yml +++ b/cves/kernel/CVE-2017-5548.yml 
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2017-01-20' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + A driver in the Linux Kernal version 4.9.x before 4.9.6 does not + correctly interact with a system config option. This allows a local user + to cause a system crash or a memory corruption or possibly something else by way + of manipulating virtual memory mapping. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +79,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1416110] fixes_instructions: | Please put the commit hash in "commit" below. 
@@ -90,8 +94,7 @@ fixes: note: - commit: 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +109,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 - note: Discovered automatically by archeogit. + note: | + Discovered automatically by archeogit. Initial commit that adds + support for the atusb transceiver. - commit: 33a238ae65cee561b3eb78694a41cd3e196fe59c note: Discovered automatically by archeogit. upvotes_instructions: | @@ -116,7 +121,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -131,10 +136,13 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: | + There is no observable unit testing in the code. Seems to be user + and maybe tested by others locally. + fix: False + fix_answer: The fix doesn't include adding tests, instead just optimizing and fixing memory + allocation. discovered: question: | How was this vulnerability discovered? 
@@ -149,10 +157,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: '2017-01-12' + automated: False + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -169,8 +177,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + Doesn't seem like a automated tool could have been used since it requires + knowledge of the DMA scatterlist and exploiting virtual pages for them. + answer: False specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -186,8 +196,10 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + After checking most if not all artifacts, there doesn't seem to be any + specification that has been violated. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -221,7 +233,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -237,10 +249,12 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 + note: | + Initial commit, has the phrase 'I did small changes to this driver to work + with xmit_async callback and setting of a random extended perm address'. This maybe + hints to a possible change that was made that caused the vulnerability. It's hard to + tell however. i18n: question: | Was the feature impacted by this vulnerability about internationalization 
@@ -253,8 +267,10 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + It's made to add support for atusb transceivers, not so much localized translations + or anything. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -268,8 +284,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: This feature is not restricted to sets of users. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +296,12 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Since this feature in the driver affects usb input and output, it affects + inter-process communication since a usb establishes connection protocols + between connected devices. + discussion: question: | Was there any discussion surrounding this? @@ -307,9 +327,11 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: False + note: | + Just a note in the fix commit message that this fixes it and a recommendation + to other devs about how to go about future releases. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -322,8 +344,10 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + Stefan Schmidt of Samsung and Marcel Holtmann of Intel signed off on this commit as well + as a cc to stable@vger.kernal.org. Stefan being the original developer of this commit. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -337,9 +361,12 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: | + After checking all commits and CVE descriptions as well as dev notes, no stacktraces were + found. But I'm not entirely sure how it was found without one, + unless someone just reviewed it and saw vulnerabilities. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -358,8 +385,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + In the fix there are a bunch of checks to see if the buffer is available or not + and also freeing the buffer in order to not overflow, or corrupt it. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -371,8 +400,10 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No indication of an order of operations error, more of a problem with memory allocation + and freeing. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -389,37 +420,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: - note: + applies: True + note: | + An environmental variable was added in order to fix the memory allocation problems. secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | @@ -450,7 +482,13 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + This was mainly caused by failing to properly manage memory in the buffer. + This can allow people to exploit overflows or corruption in order to create and + denial of service. Check and track all instances of variable to see if it's still + functional/usable. Even though it might be difficult or confusing to keep track of + and manage all memory allocated and freed, it's apparent that a simple slip or lapse + in judgement can become an exploitable vulnerability in a system. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
@@ -469,8 +507,7 @@ CWE_instructions: | CWE: - 119 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + CWE as registered in the NVD. Manually confirmed. nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that.
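Review bot: the description hunk in CVE-2016-5728.yml describes the race as one function fetching a value "already being fetched by another function at the same time", which is not what a double fetch is: the kernel reads the same user-controllable value twice, validates the first read and uses the second, and a user thread can change the value between the two reads. The forgotten_check note later in this file has it right ("checking if a certain value has not changed in between two reads"), so align the description with that. Replace "a certain driver" with the driver the vccs note identifies (the VOP host side driver) and "the header of a file" with what the driver actually reads from user-accessible memory, since a file header does not fit a driver bug. Typo: "senstive" should be "sensitive".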
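Review bot: reported_date '2016-04-27' in CVE-2016-5728.yml conflicts with the discovered answer in the same file, which says the report went to the kernel.org Bugzilla on '2016-04-18'; reported_instructions ask for the date the report reached the security team, so pick one and say where the other date comes from. The discovered answer should also lead with how the bug was found (reading the source, per the note) rather than with a quoted date string, and "Kernal.org" should be "kernel.org". The "+autodiscoverable: " line in this hunk is a whitespace-only change that adds a trailing space to the key; drop it.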
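Review bot: the autodiscoverable note in CVE-2016-5728.yml answers True on the strength of a fuzzer that "modifed the header", but a fuzzer only hits a double fetch if it also races the second read; say what tool class the note has in mind (a fuzzer driving the interface from concurrent threads, or a static checker that flags repeated reads of the same user memory) so the True answer is justified. Typo: "modifed" should be "modified", and "cause this exploit" should read "trigger this race".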
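Review bot: "name: drivers" in both subsystem hunks (CVE-2016-5728.yml and CVE-2017-5548.yml) is the coarsest possible answer and the note field is left empty; the instructions ask which subsystem within the kernel, so use the directory the fix commit listed under fixes touches (the VOP driver for 2016-5728, the atusb driver for 2017-5548, per the vccs notes) and record how that was determined in note.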
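Review bot: the ipc note in CVE-2016-5728.yml says the function "does not communicate with any other process or system", but the description in the same file has a user thread modifying the value the kernel reads, so the feature does exchange data across a boundary; state why that shared data does not count as inter-process communication under the question's definition, or change the answer.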
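Review bot: grammar in the discussion note of CVE-2016-5728.yml: "An report was sent" should be "A report was sent", and "This was reported only one time and no back and forth discussion" should be "This was reported once and there was no back-and-forth discussion". Since the note says the report was reviewed and a fix followed, say briefly why that does not count as discussion for any_discussion: False.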
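Review bot: the vouch note in CVE-2016-5728.yml treats two Signed-off-by lines as vouching, but a sign-off from the commit's own author is not one person vouching for another's work; say which of Sudeep Dutt and Ashutosh Dixit authored the fix commit and which one reviewed or merged it, and base answer: True on the latter.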
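Review bot: the stacktrace note in CVE-2016-5728.yml speculates that a stack trace "might have" existed because the reporter cited line numbers, but the discovered note in the same file says the bug was found by examining the source code, which is where line numbers come from; drop the speculation and keep any_stacktraces: False on that basis.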
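Review bot: the order_of_operations note in CVE-2016-5728.yml ("changing a variable if the check was passed") does not describe an order change; if the fix copies the value once and then validates and uses that copy, say so in those terms (read once, check, use), otherwise answer False, since the forgotten_check hunk already covers the added comparison between the two reads. Style: the forgotten_check note is a multi-line plain scalar while every other multi-line note in the file uses "|"; use "|" here too.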
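Review bot: environment_variables: True in the lessons hunk of CVE-2016-5728.yml is wrong; the note refers to "an added environment variable", but a kernel driver has no process environment, and what the fix adds is a local variable holding a copy of the value for the check. Set it to False. distrust_input: False also looks wrong for a double fetch, since the root cause is trusting a second read of user-controllable memory after validating the first; set it True with a one-line note.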
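Review bot: the mistakes answer in CVE-2016-5728.yml says the variable "is being written multiple times", but the bug is reading it twice, not writing it; reword to: a value in memory the user can modify was read twice, validated on the first read and used on the second, so validation and use must operate on a single copy. Grammar: "changing those variable" should be "changing those variables".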
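Review bot: the description in CVE-2017-5548.yml leaves out the two things a reader needs: which driver (the vccs and i18n notes in this file identify it as the atusb transceiver driver) and which config option it "does not correctly interact with"; name both. "or possibly something else" is filler, and "manipulating virtual memory mapping" does not describe what a local user does, so replace it with how the faulty buffer placement is reached. Typo: "Kernal" should be "Kernel".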
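Review bot: in the vccs hunk of CVE-2017-5548.yml, the second commit 33a238ae65cee561b3eb78694a41cd3e196fe59c keeps the bare "Discovered automatically by archeogit." note while the first commit is annotated and curation_level is raised to 2; either confirm that this commit contributed to the bug and say how, or remove it.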
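Review bot: the code_answer in the unit_tested hunk of CVE-2017-5548.yml, "Seems to be user and maybe tested by others locally", is garbled; say what was checked (for example, that neither the driver's directory nor the fix commit contains tests). Style: fix_answer continues onto a second line as a plain scalar while code_answer uses "|"; use "|" for both.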
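Review bot: the discovered answer in CVE-2017-5548.yml is just the date '2017-01-12', but the question asks how the vulnerability was found; with developer: True, say which developer found it and where that is recorded. The date also conflicts with reported_date '2017-01-20' in the same file; state which event each date refers to.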
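Review bot: the interesting_commits entry in CVE-2017-5548.yml repeats the first vcc and its note ends with "It's hard to tell however", which tells the reader nothing; either state what in the quoted phrase about the xmit_async callback and the random extended permanent address relates to the buffer problem, or leave the entry empty as the template had it.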
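Review bot: ipc: True in CVE-2017-5548.yml rests on USB "establishing connection protocols between connected devices", but traffic between the host and a USB device is device I/O, not inter-process communication; unless the driver exposes an IPC mechanism to user space, this should be False. The same hunk adds a stray blank line before "discussion:"; remove it. In the sandbox hunk just above, "This feature is not restricted to sets of users" does not address whether a sandboxing feature was violated; say which sandbox, if any, applies to the driver.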
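Review bot: the vouch note in CVE-2017-5548.yml itself says Stefan Schmidt was the original developer, so his Signed-off-by is the author's sign-off and the only vouch is Marcel Holtmann's; say that explicitly. The Cc to stable is a backport request, not a vouch. Typo: "stable@vger.kernal.org" should be "stable@vger.kernel.org".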
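Review bot: forgotten_check: True in CVE-2017-5548.yml conflicts with the order_of_operations note in the same file, which says the problem was "memory allocation and freeing"; the checks the forgotten_check note describes (buffer availability, freeing) belong to the new allocation code, not to a check the vulnerable code omitted. Either name the check that was missing in the original, or set forgotten_check to False.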
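Review bot: environment_variables: True in the lessons hunk of CVE-2017-5548.yml is unsupported; the note says "An environmental variable was added", but nothing in this file points to one, and the config option mentioned in the description is a build-time kernel option, not an environment variable. Set it to False, and if a lesson applies here, pick the one that matches the mistakes answer about buffer placement.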
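Review bot: the mistakes answer in CVE-2017-5548.yml is too generic to teach anything ("failing to properly manage memory in the buffer"); say where the buffer was placed and why that placement cannot be handed to the DMA the autodiscoverable note mentions. Grammar: "create and denial of service" should be "cause a denial of service", and "all instances of variable" should be "all instances of a variable".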
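Review bot: the stacktrace note in CVE-2017-5548.yml wonders how the bug was found without a trace, but the discovered hunk in the same file answers developer: True; say that the developer found it while working on the driver and drop the speculation.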