diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index d43086eb0..980e89992 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2023-11-06' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + A race condition in the ec_device_ioctl_xcmd function caused a denial of + service, known as a "double fetch" vulnerability. This occurs when either + "u_cmd.outsize" or "u_cmd.insize" changes between the two times the + copy_from_user() is called within the function. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,8 +94,7 @@ fixes: note: - commit: '096cdc6f52225835ff503f987a0d68ef770bb78e' note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. 
@@ -118,7 +121,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 11 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -133,10 +136,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: No automated unit tests were found. + fix: false + fix_answer: No automated unit tests were found. discovered: question: | How was this vulnerability discovered? @@ -151,10 +154,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Information was not given about the discovery of this vulnerability. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,8 +174,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No information is provided. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -188,8 +191,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No information is provided. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -223,7 +226,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | 
@@ -255,8 +258,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability has no relation to i18n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +273,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability has no relation to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -282,8 +285,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to ipc discussion: question: | Was there any discussion surrounding this? @@ -309,9 +312,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: No discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -324,8 +327,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Commit for change was signed off, reviewed, and tested. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -339,9 +342,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were found. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +363,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The fix verifies that "u_cmd.outsize" and "u_cmd.insize" values have not changed between + the two times copy_from_user() is called. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -373,8 +378,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix involved adding new code, not reordering old code. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -390,38 +395,41 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. - defense_in_depth: - applies: - note: - least_privilege: - applies: + defense_in_depth: + applies: false note: - frameworks_are_optional: - applies: + least_privilege: + applies: false note: - native_wrappers: - applies: + frameworks_are_optional: + applies: false note: - distrust_input: - applies: + native_wrappers: + applies: false note: - security_by_obscurity: - applies: + distrust_input: + applies: true + note: | + The "u_cmd.outsize" and "u_cmd.insize" values must not change between the + two times copy_from_user() is called. If the values change, it could lead to + a buffer overflow if unchecked. + security_by_obscurity: + applies: false note: - serial_killer: - applies: + serial_killer: + applies: false note: - environment_variables: - applies: + environment_variables: + applies: false note: - secure_by_default: - applies: + secure_by_default: + applies: false note: - yagni: - applies: + yagni: + applies: false note: - complex_inputs: - applies: + complex_inputs: + applies: false note: mistakes: question: | @@ -452,7 +460,12 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake that led to this bug was an oversight about the possibility of + "u_cmd.outsize" or "u_cmd.insize" changing between the two times the + copy_from_user() is called. Additionally, cros_ec_cmd_xfer() was changed to + set s_cmd->insize to a lower value if possible. The previous implementation + copied too much data to the user, which was a design oversight. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
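Review bot: in the reported_date hunk, `reported_date: '2023-11-06'` is seven years after the CVE year and matches the date this entry was curated rather than the date the bug was reported to the security team; take the date from the bulletin or bug report, or leave the field blank as the field's own instructions say.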
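Review bot: the description hunk states the race "caused a denial of service", while the distrust_input note in the lessons hunk says the changing sizes "could lead to a buffer overflow if unchecked"; reconcile the two so the file gives one consistent impact, and in the description spell out that the two copy_from_user() calls read the same user buffer, which is what makes this a double fetch.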
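Review bot: in the fixes hunk, the removed template text asks for the literal 'Manually confirmed', but the replacement is `Manually Confirmed`; match the case so an exact-string editorial check on this field does not fail.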
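Review bot: in the discovered hunk, `answer: Information was not given about the discovery of this vulnerability.` does not meet the field's own instruction to "explain where you looked" when no evidence is found; list the sources checked (the NVD entry, the fix commit message, the bug tracker) so a later curator knows which were already exhausted. The same applies to the autodiscoverable and specification hunks, where `note: No information is provided.` gives no reasoning for `answer: false` even though the description already supplies the basis (a double fetch between two copy_from_user() calls) for saying whether a tool could plausibly detect it.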
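Review bot: the lessons hunk removes and re-adds every lesson key (`defense_in_depth:`, `least_privilege:`, and so on) while the sibling `note:` lines stay as unchanged context, which means the indentation of the keys changed, not just their values; verify the YAML still parses with each lesson nested under `lessons:` at the same level as `note:`. For comparison, the corresponding hunk in CVE-2017-5576.yml touches only the `applies:` lines, which is what a value-only change should look like.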
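Review bot: in the discussion hunk, `note: No discussion was had in regards to this issue that is available.` is ungrammatical; suggest "No public discussion of this issue was found." and name where you searched (mailing list archive, bug tracker), since the field asks for links. In the subsystem hunk, `name: drivers` is very broad and the `note:` line beneath it is left empty; record the source file path from the fix commit there so the subsystem choice can be checked.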
diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index af6bcf296..3db2e13c4 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2023-11-06' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + An integer overflow in the vc4_get_bcl funcion, used in grapics processing, + caused users to have a denial of service error, as there was not enough memory + allocated for copy_from_user. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,8 +93,7 @@ fixes: note: - commit: 0f2ff82e11c86c05d051cae32b58226392d33bbf note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. 
@@ -114,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 7 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +131,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: No automated unit tests were found. + fix: false + fix_answer: No automated unit tests were found. discovered: question: | How was this vulnerability discovered? @@ -147,10 +149,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Information was not given about the discovery of this vulnerability. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +169,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + No information is provided. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +187,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + ioctl arguments are not validated. + answer: true subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,7 +223,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | 
@@ -251,8 +255,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability has no relation to i18n sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +270,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability has no relation to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +282,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability has no relation to IPC. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +309,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: No discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +324,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix was signed off. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -335,9 +339,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were mentioned. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +360,11 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The fix involved adding a forgotten check in the roundup() function for + the shader_rec_offset against the bin_cl_size in order to prevent an + integer overflow error. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +376,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix does not involve chnaging the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -387,37 +394,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: - note: + applies: true + note: | + Vulnerability was caused by a failure to check if the input was too large. security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -448,7 +456,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + This vulnerability was caused because no check was made to confirm that the + input in the roundup() for shader_rec_offset would fit within the allocated + bin_cl_size. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to
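Review bot: in the reported_date hunk, `reported_date: '2023-11-06'` is six years after the CVE year and is the curation date, not the date the bug was reported to the security team; use a date from the bulletin or bug report, or leave the field blank as the instructions say.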
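Review bot: the description hunk has two typos, "funcion" for "function" and "grapics" for "graphics", and the clause "as there was not enough memory allocated for copy_from_user" reads as if copy_from_user() itself needed memory; say instead that the overflowed size computation led to a temporary buffer smaller than the data later copied into it, which is consistent with the forgotten_check and mistakes notes in this same patch.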
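Review bot: in the fixes hunk, the template asks for the literal 'Manually confirmed' and the replacement is `Manually Confirmed`; match the case so an exact-string editorial check on this field passes.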
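Review bot: in the specification hunk, `answer: true` with `note: ioctl arguments are not validated.` does not answer the question asked, which is whether a named specification (the example given is POSIX) was violated; missing input validation is a forgotten check, already recorded as such in the forgotten_check hunk. Either cite the specification or standard that was violated, or set `answer: false` with a note explaining that none was found.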
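Review bot: in the vouch hunk, `note: The fix was signed off.` is thin support for `answer: true`, because the author's own Signed-off-by line is a DCO certification rather than a second person vouching; if the commit also carries Reviewed-by, Tested-by or Acked-by tags, list them, as the CVE-2016-6156.yml note in this same patch does ("signed off, reviewed, and tested"). Otherwise the answer should be reconsidered.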
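Review bot: in the forgotten_check hunk, "adding a forgotten check in the roundup() function" places the check inside roundup(), but roundup() is the helper that computes the offset; the note's own next words ("for the shader_rec_offset against the bin_cl_size") describe a comparison of that computed result, so rephrase as a check that the rounded-up shader_rec_offset is consistent with bin_cl_size. The mistakes hunk repeats the same phrasing ("the input in the roundup() for shader_rec_offset") and should be adjusted to match.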
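Review bot: in the order_of_operations hunk, `chnaging` should be `changing`; in the i18n hunk the note lacks the trailing period the other notes use; and in the discussed and discovered hunks, `No discussion was had in regards to this issue that is available.` and `Information was not given about the discovery of this vulnerability.` should state where you looked, as both fields' instructions require, rather than only that nothing was found.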