CVE-2015-5366 and CVE-2016-2184

cves/kernel/CVE-2015-5366.yml

@@ -55,7 +55,10 @@ description_instructions: |
 
   Your target audience is people just like you before you took any course in
   security
-description:
+description: 
+  The udp_revmsg and udpv6_recvmsg functions in the linux kernel that provide 
+  inappropriate EAGAIN return values. This allows attackers to perform a DOS via
+  incorrect checksum in a UDP packet
 bounty_instructions: |
   If you came across any indications that a bounty was paid out for this
   vulnerability, fill it out here. Or correct it if the information already here
@@ -75,7 +78,7 @@ bugs_instructions: |
     * Mentioned in mailing list discussions
     * References from NVD entry
     * Various other places
-bugs: []
+bugs: ["1478843", "1479369", "1479370"]
 fixes_instructions: |
   Please put the commit hash in "commit" below.
 
@@ -136,9 +139,11 @@ unit_tested:
     For the fix_answer below, check if the fix for the vulnerability involves
     adding or improving an automated test to ensure this doesn't happen again.
   code:
-  code_answer:
-  fix:
-  fix_answer:
+  code_answer: 
+    Returns -EAGAIN to the application even if recieve queue is not empty. 
+    This breaks the application using edge trigger epoll()
+  fix: false
+  fix_answer: remove the code that was causing the incorrect return statement
 discovered:
   question: |
     How was this vulnerability discovered?
@@ -153,10 +158,12 @@ discovered:
 
     If there is no evidence as to how this vulnerability was found, then please
     explain where you looked.
-  answer:
-  automated:
-  contest:
-  developer:
+  answer: 
+    The vulnerability was found in a twitter message where the security team was
+    contacted to create the CVE,
+  automated: false
+  contest: nil
+  developer: nil
 autodiscoverable:
   instructions: |
     Is it plausible that a fully automated tool could have discovered
@@ -173,8 +180,12 @@ autodiscoverable:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: 
+    The reason why this bug can be discovered automatically is because the
+    bug causes a DOS attack because it causes an infinite loop making it so
+    that users can't get acces to the data. This can be tested automatically
+    by tesitng edge cases for return values.
+  answer: true
 specification:
   instructions: |
     Is there mention of a violation of a specification? For example, the POSIX
@@ -190,8 +201,10 @@ specification:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: 
+    there was no violation of a specification as the bug appeared from not 
+    properly checking and validating the result before returning it. 
+  answer: false
 subsystem:
   question: |
     What subsystems was the mistake in? These are WITHIN linux kernel
@@ -225,7 +238,7 @@ subsystem:
     e.g.
         name: ["subsystemA", "subsystemB"] # ok
         name: subsystemA # also ok
-  name:
+  name: This bug affect the net subsystem
   note:
 interesting_commits:
   question: |
@@ -240,9 +253,15 @@ interesting_commits:
       * A significant rewrite in the git history
       * Other commits that fixed a similar issue as this vulnerability
       * Anything else you find interesting.
-  commits:
-  - commit:
+  commits: 
+  - commit: 
+      beb39db59d14990e401e235faf66a6b9b31240b0
     note:
+      The reason that I found this commit interesting is because the
+      developer mentions that it could only be tempory solution and 
+      says that they might return to it later. This makes it seem that
+      the developer was not sure if the fix would work and thought it
+      would just be a band-aid on the problem.
   - commit:
     note:
 i18n:
@@ -257,8 +276,10 @@ i18n:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: 
+    The main thing that was impacted this was the accesibiliy to the public becaue
+    the DOS would make it so that people would not be able to access the application
 sandbox:
   question: |
     Did this vulnerability violate a sandboxing feature that the system
@@ -272,8 +293,11 @@ sandbox:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
+  answer: true
   note:
+    Since the attacker is able to cause a DOS attack because this vulnerability
+    it affects the accesibility of the application which interferes with
+    internationalization
 ipc:
   question: |
     Did the feature that this vulnerability affected use inter-process
@@ -284,8 +308,10 @@ ipc:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
+  answer: true
   note:
+    This vulnerability directly affected UDP connection as it was interrupting  the 
+    UDP stack causing trouble with communication.
 discussion:
   question: |
     Was there any discussion surrounding this?
@@ -312,8 +338,11 @@ discussion:
     Put any links to disagreements you found in the notes section, or any other
     comment you want to make.
   discussed_as_security:
+    The discussion is talking about the security risk of the invalid checksum and
+    what threat it is to the system
   any_discussion:
   note:
+    https://seclists.org/oss-sec/2015/q3/10
 vouch:
   question: |
     Was there any part of the fix that involved one person vouching for
@@ -326,8 +355,10 @@ vouch:
 
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of what your answer was.
-  answer:
+  answer: true
   note:
+    This is because the on the commit message fixing the bug it was signed off by both Eric Dumazet and 
+    David S. Miller. https://github.com/torvalds/linux/commit/beb39db59d14990e401e235faf66a6b9b31240b0
 stacktrace:
   question: |
     Are there any stacktraces in the bug reports?
@@ -341,9 +372,12 @@ stacktrace:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  any_stacktraces:
-  stacktrace_with_fix:
-  note:
+  any_stacktraces: false
+  stacktrace_with_fix: false
+  note: 
+    The main reason why there are no stacktraces is that the error
+    causes an infinite loop causing the program to hang instead of a 
+    stack trace.
 forgotten_check:
   question: |
     Does the fix for the vulnerability involve adding a forgotten check?
@@ -362,8 +396,10 @@ forgotten_check:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
+  answer: true
   note:
+    The fix involved having to check if the return value for the udp was valid 
+    befoe returning the value.
 order_of_operations:
   question: |
     Does the fix for the vulnerability involve correcting an order of
@@ -375,8 +411,10 @@ order_of_operations:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: 
+    This is because the only thing that needed to be change was to add a
+    check to make sure the return value is valid before returning.
 lessons:
   question: |
     Are there any common lessons we have learned from class that apply to this
@@ -396,22 +434,22 @@ lessons:
     applies:
     note:
   least_privilege:
-    applies:
+    applies: false
     note:
   frameworks_are_optional:
-    applies:
+    applies: false
     note:
   native_wrappers:
-    applies:
+    applies: false
     note:
   distrust_input:
     applies:
     note:
   security_by_obscurity:
-    applies:
+    applies: false
     note:
   serial_killer:
-    applies:
+    applies: false
     note:
   environment_variables:
     applies:
@@ -420,8 +458,11 @@ lessons:
     applies:
     note:
   yagni:
-    applies:
-    note:
+    applies: true
+    note: 
+      This is because the check for valid return value
+      was not added until the developers realized that threat
+      actors could exploit it.
   complex_inputs:
     applies:
     note:
@@ -454,7 +495,9 @@ mistakes:
 
     Write a thoughtful entry here that people in the software engineering
     industry would find interesting.
-  answer:
+  answer: 
+    There was a lapse in judgment in that the developers forgot to
+    check if the return value was valid.
 CWE_instructions: |
   Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
   entry that describes your vulnerability. We recommend going to