CVE-2016-2547 & CVE-2018-20961 #212
base: dev
Changes from all commits
2945634
b72b269
9f4c526
8d97b46
c776fdb
43888ba
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,14 +19,14 @@ curated_instructions: | | |
| This will enable additional editorial checks on this file to make sure you | ||
| fill everything out properly. If you are a student, we cannot accept your work | ||
| as finished unless curated is properly updated. | ||
| curation_level: 0 | ||
| curation_level: 2 | ||
| reported_instructions: | | ||
| What date was the vulnerability reported to the security team? Look at the | ||
| security bulletins and bug reports. It is not necessarily the same day that | ||
| the CVE was created. Leave blank if no date is given. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| reported_date: | ||
| reported_date: '2016-02-24' | ||
| announced_instructions: | | ||
| Was there a date that this vulnerability was announced to the world? You can | ||
| find this in changelogs, blogs, bug reports, or perhaps the CVE date. | ||
|
|
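Review bot: The reported_date of '2016-02-24' conflicts with the discovered answer later in this same file, which dates the report to 2016-01-15; per the reported_instructions in this hunk, the field should hold the date the issue reached the security team rather than the CVE date, so reconcile the two and cite the bug report the date came from.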
@@ -55,7 +55,10 @@ description_instructions: | | |
|
|
||
| Your target audience is people just like you before you took any course in | ||
| security | ||
| description: | ||
| description: The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides | ||
| an interface for sound cards devices. The framework used a resource locking approach that did not | ||
| consider slave timer instances. The instacne could still be accessed, creating race condition | ||
|
| Misspelled instance here & creating a race condition |
| You describe the ALSA subsystem well, but should also go into detail for terms like "slave timer" and "race condition" for those who may not be familiar with them. |
||
| for resources with the master instance. Leading to resource exhaustion, access to data, or a system crash. | ||
| bounty_instructions: | | ||
| If you came across any indications that a bounty was paid out for this | ||
| vulnerability, fill it out here. Or correct it if the information already here | ||
|
|
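Review bot: Besides the misspellings already flagged, 'kernal' should read 'kernel' and 'sound cards devices' should read 'sound card devices'; the closing line 'Leading to resource exhaustion, access to data, or a system crash.' is a sentence fragment and should be joined to the sentence before it, e.g. 'for resources with the master instance, leading to resource exhaustion, access to data, or a system crash.'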
@@ -137,10 +140,10 @@ unit_tested: | |
|
|
||
| For the fix_answer below, check if the fix for the vulnerability involves | ||
| adding or improving an automated test to ensure this doesn't happen again. | ||
| code: | ||
| code_answer: | ||
| fix: | ||
| fix_answer: | ||
| code: false | ||
| code_answer: no tests found in commits | ||
| fix: false | ||
| fix_answer: no system tests found | ||
| discovered: | ||
| question: | | ||
| How was this vulnerability discovered? | ||
|
|
@@ -155,10 +158,12 @@ discovered: | |
|
|
||
| If there is no evidence as to how this vulnerability was found, then please | ||
| explain where you looked. | ||
| answer: | ||
| automated: | ||
| contest: | ||
| developer: | ||
| answer: Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) | ||
| framework's handling of high resolution timers did not properly manage its | ||
| data structures 2016-01-15 | ||
|
| At the bottom of the fix commit, a system call fuzzer from Google (known as syzkaller) is referenced. It may be worth mentioning as it likely played a role in detecting this bug. |
| "Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been |
||
| automated: false | ||
| contest: false | ||
| developer: true | ||
| autodiscoverable: | ||
| instructions: | | ||
| Is it plausible that a fully automated tool could have discovered | ||
|
|
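Review bot: The answer ends in a bare '2016-01-15' with no punctuation and no statement of what the date refers to (report date, fix date, or CVE date); spell that out. The question also asks how the bug was discovered, and the answer only says who reported it and what the bug was; if the syzkaller fuzzer referenced in the fix commit found it, say so here.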
@@ -175,8 +180,8 @@ autodiscoverable: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: fuzzer, use-after-free | ||
|
| This may need some expanding. Maybe give sentences, along with any related thoughts. |
||
| answer: true | ||
| specification: | ||
| instructions: | | ||
| Is there mention of a violation of a specification? For example, the POSIX | ||
|
|
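Review bot: The note 'fuzzer, use-after-free' is two keywords rather than the explanation the instructions in this hunk ask for, and it conflicts with 'automated: false' in the discovered section above: if a fuzzer found this bug, name it and explain why a locking race like this one is reachable by automated tooling; if it did not, the note should not rest on a fuzzer.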
@@ -192,8 +197,8 @@ specification: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: none | ||
| answer: false | ||
| subsystem: | ||
| question: | | ||
| What subsystems was the mistake in? These are WITHIN linux kernel | ||
|
|
@@ -227,7 +232,7 @@ subsystem: | |
| e.g. | ||
| name: ["subsystemA", "subsystemB"] # ok | ||
| name: subsystemA # also ok | ||
| name: | ||
| name: sound | ||
|
| Instead of sound, you likely want to put drivers as the subsystem or ALSA, as you mentioned before. Sound is made up of ALSA drivers and utilities, and is not technically a subsystem. |
| Looking at the repository, I think it's fine actually. Sound is certainly a subsystem, and it appears that no other subsystems were involved. |
||
| note: | ||
| interesting_commits: | ||
| question: | | ||
|
|
@@ -259,8 +264,8 @@ i18n: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: only systems using the Advanced Linux Sound Architecture (ALSA) | ||
|
| This reads funny. I would recommend rephrasing. |
| Yeah, I'm unsure how this relates to i18n. Definitely review, but since it is a general sound framework, I doubt it has any notable relation to i18n. |
||
| sandbox: | ||
| question: | | ||
| Did this vulnerability violate a sandboxing feature that the system | ||
|
|
@@ -274,8 +279,8 @@ sandbox: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: access instance that should be locked for privileged resources | ||
|
| It's hard to say, but I would disagree here. Privilege doesn't seem to be the issue, instead more careful management of that resource in a multi-threaded environment. |
||
| ipc: | ||
| question: | | ||
| Did the feature that this vulnerability affected use inter-process | ||
|
|
@@ -286,8 +291,8 @@ ipc: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: system timing for interprocess resources | ||
| discussion: | ||
| question: | | ||
| Was there any discussion surrounding this? | ||
|
|
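Review bot: 'system timing for interprocess resources' does not name any inter-process communication mechanism, and the description above frames the bug as in-kernel locking between master and slave timer instances rather than communication between processes; either identify the IPC the affected feature actually uses or set answer to false with a note saying why.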
@@ -313,9 +318,9 @@ discussion: | |
|
|
||
| Put any links to disagreements you found in the notes section, or any other | ||
| comment you want to make. | ||
| discussed_as_security: | ||
| any_discussion: | ||
| note: | ||
| discussed_as_security: false | ||
| any_discussion: false | ||
| note: none found in commits or changelog | ||
| vouch: | ||
| question: | | ||
| Was there any part of the fix that involved one person vouching for | ||
|
|
@@ -328,8 +333,8 @@ vouch: | |
|
|
||
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: no supporting dialogue | ||
| stacktrace: | ||
| question: | | ||
| Are there any stacktraces in the bug reports? | ||
|
|
@@ -343,9 +348,9 @@ stacktrace: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| any_stacktraces: | ||
| stacktrace_with_fix: | ||
| note: | ||
| any_stacktraces: false | ||
| stacktrace_with_fix: false | ||
| note: none found in commits or changelogs | ||
| forgotten_check: | ||
| question: | | ||
| Does the fix for the vulnerability involve adding a forgotten check? | ||
|
|
@@ -364,8 +369,8 @@ forgotten_check: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: check if all instances are locked | ||
|
| In general, notes like this should be more complete to add confidence in your work. |
||
| order_of_operations: | ||
| question: | | ||
| Does the fix for the vulnerability involve correcting an order of | ||
|
|
@@ -377,8 +382,8 @@ order_of_operations: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: slave instance needed to be locked with master | ||
| lessons: | ||
| question: | | ||
| Are there any common lessons we have learned from class that apply to this | ||
|
|
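Review bot: 'slave instance needed to be locked with master' restates the forgotten_check note above ('check if all instances are locked'), and both fields are set to true; decide which applies. Adding a lock that was never taken is a forgotten check, while acquiring locks in the wrong sequence is an order-of-operations fix, and the note should say which of the two the fix commit actually does.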
@@ -456,7 +461,7 @@ mistakes: | |
|
|
||
| Write a thoughtful entry here that people in the software engineering | ||
| industry would find interesting. | ||
| answer: | ||
| answer: This is a coding lapse. The developer forgot to lock all instances | ||
|
| I would elaborate on locking and instances and what role they play. |
||
| CWE_instructions: | | ||
| Please go to http://cwe.mitre.org and find the most specific, appropriate CWE | ||
| entry that describes your vulnerability. We recommend going to | ||
|
|
@@ -482,4 +487,4 @@ nickname_instructions: | | |
| If the report mentions a nickname, use that. | ||
| Must be under 30 characters. Optional. | ||
| nickname: | ||
| CVSS: | ||
| CVSS: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | ||
|
| Add to upvotes (since not changed in commit): I give this a 2 |
||
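Review bot: The vector 'CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H' scores no confidentiality impact (C:N), yet the description above lists 'access to data' among the consequences; one of the two is wrong, so either drop 'access to data' from the description or revisit the C metric, and record where the vector came from.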
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,14 +19,14 @@ curated_instructions: | | |
| This will enable additional editorial checks on this file to make sure you | ||
| fill everything out properly. If you are a student, we cannot accept your work | ||
| as finished unless curated is properly updated. | ||
| curation_level: 0 | ||
| curation_level: 2 | ||
| reported_instructions: | | ||
| What date was the vulnerability reported to the security team? Look at the | ||
| security bulletins and bug reports. It is not necessarily the same day that | ||
| the CVE was created. Leave blank if no date is given. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| reported_date: | ||
| reported_date: '2019-08-07' | ||
|
| It seems you didn't look very hard. |
||
| announced_instructions: | | ||
| Was there a date that this vulnerability was announced to the world? You can | ||
| find this in changelogs, blogs, bug reports, or perhaps the CVE date. | ||
|
|
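Review bot: The reported_instructions in this hunk say the reported date is not necessarily the CVE date; a 2018-numbered CVE with a reported_date of '2019-08-07' suggests the CVE publication date was used instead. Check the fix commit and its referenced bug reports for when the double free was first reported and cite that source in the entry.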
@@ -55,7 +55,9 @@ description_instructions: | | |
|
|
||
| Your target audience is people just like you before you took any course in | ||
| security | ||
| description: | ||
| description: Some USB gadgets have multiple 'modes' devices that can switch between modes | ||
| and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver | ||
| in the Linux kernel created a double-free when handling certain errors. | ||
|
| Good, but if nothing else maybe explain what a double free means/why it crashes and how it crashes. |
||
| bounty_instructions: | | ||
| If you came across any indications that a bounty was paid out for this | ||
| vulnerability, fill it out here. Or correct it if the information already here | ||
|
|
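Review bot: The first sentence, 'Some USB gadgets have multiple 'modes' devices that can switch between modes and possibly cause a double-free flaw', is garbled, and 'Subsequently' in the second sentence implies a sequence of events that the text does not describe. Suggest leading with the concrete fault, e.g. 'The USB gadget MIDI driver in the Linux kernel freed the same memory twice (a double free) on certain error paths', then explaining for the target audience why freeing memory twice corrupts the allocator's bookkeeping and can crash the kernel.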
@@ -106,7 +108,7 @@ vcc_instructions: | | |
| Place any notes you would like to make in the notes field. | ||
| vccs: | ||
| - commit: ad0d1a058eac46503edbc510d1ce44c5df8e0c91 | ||
| note: Discovered automatically by archeogit. | ||
| note: Patch meant to fix memory leak when system fails | ||
| - commit: '079fe5a6da616891cca1a26e803e1df2a87e9ae5' | ||
| note: Discovered automatically by archeogit. | ||
|
| Did you manually confirm this? Be sure to mention that if so! |
||
| - commit: e0466156ee2e944fb47a3fa00932c3698a6d2c67 | ||
|
|
@@ -135,10 +137,10 @@ unit_tested: | |
|
|
||
| For the fix_answer below, check if the fix for the vulnerability involves | ||
| adding or improving an automated test to ensure this doesn't happen again. | ||
| code: | ||
| code_answer: | ||
| fix: | ||
| fix_answer: | ||
| code: false | ||
| code_answer: no unit tests found in commits | ||
|
| In general, check your capitalization for your notes. |
||
| fix: false | ||
| fix_answer: no system tests found | ||
| discovered: | ||
| question: | | ||
| How was this vulnerability discovered? | ||
|
|
@@ -153,10 +155,10 @@ discovered: | |
|
|
||
| If there is no evidence as to how this vulnerability was found, then please | ||
| explain where you looked. | ||
| answer: | ||
| automated: | ||
| contest: | ||
| developer: | ||
| answer: Greg Kroah-Hartman from linux foundations | ||
|
| How was it discovered? If that's not mentioned, bring that up. |
||
| automated: false | ||
| contest: false | ||
| developer: false | ||
| autodiscoverable: | ||
| instructions: | | ||
| Is it plausible that a fully automated tool could have discovered | ||
|
|
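Review bot: 'Greg Kroah-Hartman from linux foundations' names a person but not how the bug was found, which is what the question asks; 'Linux Foundation' should also be capitalized and singular. In addition, 'developer: false' contradicts crediting a kernel developer with the discovery: if he only authored the fix, say so in the answer and state how it was actually discovered (or that no evidence was found and where you looked, as the instructions in this hunk require).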
@@ -173,8 +175,8 @@ autodiscoverable: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: no tools/tests mentioned in commits | ||
|
| It mentions MOXCAFE. I see little info on it, but it should be mentioned as it is in the fix commit. |
||
| answer: false | ||
| specification: | ||
| instructions: | | ||
| Is there mention of a violation of a specification? For example, the POSIX | ||
|
|
@@ -190,8 +192,8 @@ specification: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: none | ||
| answer: false | ||
| subsystem: | ||
| question: | | ||
| What subsystems was the mistake in? These are WITHIN linux kernel | ||
|
|
@@ -225,7 +227,7 @@ subsystem: | |
| e.g. | ||
| name: ["subsystemA", "subsystemB"] # ok | ||
| name: subsystemA # also ok | ||
| name: | ||
| name: driver | ||
| note: | ||
| interesting_commits: | ||
| question: | | ||
|
|
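Review bot: 'driver' is coarser than the example format shown in this hunk, and the note field is left empty even though the description identifies the USB gadget MIDI driver; record that in the note, and check the subsystem naming used by other entries in the repository (the first file in this PR uses 'sound') so the value is consistent with them.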
@@ -257,8 +259,8 @@ i18n: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: vulnerability was local | ||
| sandbox: | ||
| question: | | ||
| Did this vulnerability violate a sandboxing feature that the system | ||
|
|
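Review bot: 'vulnerability was local' does not address internationalization, which is what the i18n question asks; the note should instead say whether the affected code handles any locale-specific or text data (as shown by the fix commit) so that the false answer is justified on its own terms.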
@@ -272,8 +274,8 @@ sandbox: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: double-free can cause arbitrary code exe. | ||
|
| Don't shorten execution here. |
||
| ipc: | ||
| question: | | ||
| Did the feature that this vulnerability affected use inter-process | ||
|
|
@@ -284,8 +286,8 @@ ipc: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: usb instance freed when process failed | ||
|
| Maybe a few more details for understanding. |
||
| discussion: | ||
| question: | | ||
| Was there any discussion surrounding this? | ||
|
|
@@ -311,9 +313,9 @@ discussion: | |
|
|
||
| Put any links to disagreements you found in the notes section, or any other | ||
| comment you want to make. | ||
| discussed_as_security: | ||
| any_discussion: | ||
| note: | ||
| discussed_as_security: false | ||
| any_discussion: false | ||
| note: none found in commits or changelog | ||
| vouch: | ||
| question: | | ||
| Was there any part of the fix that involved one person vouching for | ||
|
|
@@ -326,8 +328,8 @@ vouch: | |
|
|
||
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: no supporting dialogue | ||
| stacktrace: | ||
| question: | | ||
| Are there any stacktraces in the bug reports? | ||
|
|
@@ -341,9 +343,9 @@ stacktrace: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| any_stacktraces: | ||
| stacktrace_with_fix: | ||
| note: | ||
| any_stacktraces: false | ||
| stacktrace_with_fix: false | ||
| note: none found in commits or changelogs | ||
| forgotten_check: | ||
| question: | | ||
| Does the fix for the vulnerability involve adding a forgotten check? | ||
|
|
@@ -362,8 +364,8 @@ forgotten_check: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: check for existing free() of resource elsewhere | ||
| order_of_operations: | ||
| question: | | ||
| Does the fix for the vulnerability involve correcting an order of | ||
|
|
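Review bot: 'check for existing free() of resource elsewhere' describes a general idea rather than a check that the fix added; state what the fix commit actually changed (a new conditional before the free, a pointer cleared after the first free, or a duplicate free removed), and if no check was added the answer here should be false with that explanation in the note.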
@@ -454,7 +456,7 @@ mistakes: | |
|
|
||
| Write a thoughtful entry here that people in the software engineering | ||
| industry would find interesting. | ||
| answer: | ||
| answer: This is a coding lapse. The developer forgot to check if resource was already free | ||
| CWE_instructions: | | ||
| Please go to http://cwe.mitre.org and find the most specific, appropriate CWE | ||
| entry that describes your vulnerability. We recommend going to | ||
|
| Add to upvotes (since not changed in commit): I give this a 2 |
| I give this 2 upvotes as well |
| I give this 3 upvotes |
Unsure what the exact "reported" date might be, but I found bug reports as early as January 13th from the NVD references: https://lore.kernel.org/all/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@mail.gmail.com/T/#u