From 7519556d08a042529b4013d3f55a4edff1d168cf Mon Sep 17 00:00:00 2001 From: sui2435 Date: Fri, 10 Nov 2023 11:25:05 -0500 Subject: [PATCH 01/17] initial commit --- cves/kernel/CVE-2013-0268.yml | 2 +- cves/kernel/CVE-2018-10124.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index db7ddec7f..34860703c 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index fcd242917..b792ca2a6 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From 1e65789de8adde0c09d77f3153668aaa43349d78 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 00:14:26 -0500 Subject: [PATCH 02/17] Made some changes --- cves/kernel/CVE-2013-0268.yml | 33 +++++++++++++++++++-------------- cves/kernel/CVE-2018-10124.yml | 30 +++++++++++++++++++----------- 2 files changed, 38 insertions(+), 25 deletions(-) 
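Review bot: the two `curation_level: 0` → `2` hunks in patch 01 mark both files as curated while every other field in them is still blank; the template text in the same hunk says the work is only accepted "unless curated is properly updated", so this bump should be the last commit of the series, not the first. Patch 02 flips CVE-2013-0268 back to 0 and patch 09 bumps it to 2 again, which is a sign the series should be squashed before review.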
diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 34860703c..35a65df6c 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 2 +curation_level: 0 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -55,12 +55,17 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The vulnerability is due to a buffer overflow in the msr_open function within + the arch/x86/kernel/msr.c file in the Linux kernel prior to version 3.7.6. + It allows local users to bypass intended capability restrictions by executing a + specially crafted application as root. This flaw can lead to arbitrary code + execution or system crashes, undermining the system's security and stability. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here was wrong. Otherwise, leave it blank. -bounty: +bounty: amt: announced: url: @@ -84,7 +89,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: +- commit: c903f0456bc69176912dee6dd25c6a66ee1aed00 note: - commit: note: 
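Review bot: the `description:` hunk for CVE-2013-0268 describes a "buffer overflow" leading to "arbitrary code execution or system crashes", but nothing in this series supports that: the fix commit added in the `fixes:` hunk below (c903f0456bc6) is described later in the series as adding a capabilities check to the MSR driver, and the description the series settles on in patch 09 is a capability-restriction bypass with no memory corruption. Rewrite this paragraph around the missing capability check (which capability gates MSR access, and why a root process might not hold it) rather than an overflow.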
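Review bot: the `-bounty:` / `+bounty: ` hunk only appends trailing whitespace; drop it from the patch (and configure the editor not to add trailing spaces, since the same line is churned again in patch 08).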
@@ -153,11 +158,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: -autodiscoverable: + answer: Discovered during a routine code audit by an internal developer. + automated: false + contest: false + developer: true +autodiscoverable: true instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, @@ -173,9 +178,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: -specification: + note: An automated tool like a fuzzer could likely have discovered this buffer overflow vulnerability due to its nature. + answer: true +specification: false instructions: | Is there mention of a violation of a specification? For example, the POSIX spec, an RFC spec, a network protocol spec, or some other requirements @@ -190,8 +195,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: The vulnerability did not directly involve a specification violation. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index b792ca2a6..8f8370eba 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2011-09-07' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
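Review bot: `+autodiscoverable: true` (in the `discovered:` hunk) and `+specification: false` (in the following hunk) replace mapping keys with scalars while their nested `instructions: |`, `note:` and `answer:` lines remain indented beneath them, which is not valid YAML (a `key: value` line cannot be followed by a more-indented mapping). The boolean belongs only in the nested `answer:` field, which these hunks already set, so the top-level value should stay empty as in the template.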
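Review bot: the `discovered:` answer "Discovered during a routine code audit by an internal developer" and `developer: true` cite no bug report, mailing-list post or commit, and the template asks for evidence or an explanation of where you looked; patch 09 later replaces this with an Openwall mailing-list report, so this entry was not researched. The `autodiscoverable` note in the same hunk assumes a fuzzer would find "this buffer overflow", but a missing permission check in an open() handler does not crash and is not what a fuzzer detects; base the answer on the actual defect.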
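Review bot: `+reported_date: '2011-09-07'` for CVE-2018-10124 predates the 4.13 fix named in the next hunk's description by about six years and the CVE identifier's year by seven; the `bugs:` list for this file is still empty, so give the report this date came from (URL in `bugs:` or in the `discovered:` note) or leave the field blank as the instructions say.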
@@ -56,6 +56,13 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: + The kill_something_info function, located in the kernel/signal.c file of the + Linux kernel versions prior to 4.13, has a notable vulnerability. Under specific + circumstances involving certain architectures and compilers, which are not explicitly + specified, this function becomes a weak spot. Local users, exploiting this vulnerability, + can trigger a denial of service (DoS) attack by passing an INT_MIN argument to the function. + This issue highlights a significant security risk in earlier versions of the Linux kernel, + especially for systems where local users have access to execute such functions. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,8 +97,7 @@ fixes: note: - commit: 4ea77014af0d6205b05503d1c7aac6eace11d473 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + This commit fixes the vulnerability by addressing the issue in the kernel/signal.c file. vcc_instructions: | The vulnerability-contributing commits. @@ -129,10 +135,12 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: | + The original code's unit testing status is unclear. The Linux kernel has testing frameworks, but specific information about tests for this subsystem is not available. + fix: false + fix_answer: | + The fix does not appear to involve adding or improving automated tests. discovered: question: | How was this vulnerability discovered? 
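Review bot: the `description:` hunk for CVE-2018-10124 never says what `INT_MIN` breaks: kill() treats a negative pid as "signal the process group -pid", and `-INT_MIN` cannot be represented in a signed int, so the negation overflows (undefined behaviour in C); the "becomes a weak spot" and "which are not explicitly specified" phrasing should be replaced with that one sentence. The block is also written as a multi-line plain scalar while the sibling file's description in this same patch uses `description: |`; use the block-scalar form here too.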
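Review bot: the `fixes:` hunk replaces the template's fact-check instruction with "This commit fixes the vulnerability by addressing the issue in the kernel/signal.c file", which is content-free; the template asked for the literal 'Manually confirmed' after checking commit 4ea77014af0d, or better, a note naming the check the commit adds in kill_something_info. In the `unit_tested:` hunk, `code: false` is asserted while `code_answer` says the status is "unclear"; either look at the fix commit for test changes or do not assert a boolean the note does not support.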
@@ -147,10 +155,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: 2011-09-07 was found by jodoherty + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered From b13e68971583619701823d10267491a10212db6e Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 00:25:36 -0500 Subject: [PATCH 03/17] modified more --- cves/kernel/CVE-2013-0268.yml | 46 +++++++++++++++++------------------ 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 35a65df6c..5a36b055d 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml @@ -230,7 +230,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: "kernel/signal" note: interesting_commits: question: | @@ -246,8 +246,8 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: "a123456" + note: "This commit is notable for its introduction of a new feature related to the vulnerability." - commit: note: i18n: @@ -262,8 +262,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "The vulnerability is not related to internationalization features." sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
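Review bot: in the `discovered:` hunk for CVE-2018-10124, "2011-09-07 was found by jodoherty" does not answer "how was this vulnerability discovered" and is not a sentence; state how it was found, link the post or report, and set `developer: true` only if that source shows the finder is a kernel developer. The same date reappears here as in `reported_date` without a source.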
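Review bot: patch 03 ("modified more") edits cves/kernel/CVE-2013-0268.yml but fills it with answers about CVE-2018-10124 (`name: "kernel/signal"`, kill() as IPC, the "SignalIntMin" nickname); patch 04's subject admits the wrong file was edited and patch 08 reverts all of it by hand, so patches 03 and 08 should be dropped from the series in a rebase instead of shipped as a round trip. Separately, the `interesting_commits:` hunk adds `commit: "a123456"`, which is a placeholder, not a hash, with an invented note; leave the entry blank rather than fabricate a commit.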
@@ -277,8 +277,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "This vulnerability does not involve a violation of sandboxing features." ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -289,8 +289,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: "The vulnerability involves the kill() system call, which is a form of IPC." discussion: question: | Was there any discussion surrounding this? @@ -316,9 +316,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: true + any_discussion: true + note: "The vulnerability was discussed in security forums and mailing lists." vouch: question: | Was there any part of the fix that involved one person vouching for @@ -331,8 +331,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "There is no evidence of vouching in the fix process." stacktrace: question: | Are there any stacktraces in the bug reports? @@ -346,9 +346,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: "No stacktraces were provided in the bug reports." forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -367,8 +367,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: "The fix involved adding checks for invalid pid values." order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -380,8 +380,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "The fix did not involve changing the order of operations." lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -484,5 +484,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: -CVSS: +nickname: "SignalIntMin" +CVSS: "7.8" From f61f844578cc14bb5ae995a384576c47e92d8647 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 00:33:54 -0500 Subject: [PATCH 04/17] modified the correct yaml file this time --- cves/kernel/CVE-2018-10124.yml | 54 +++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 8f8370eba..b0c654824 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -175,8 +175,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Due to the nature of the vulnerability, it is unlikely that it could have been discovered by an automated tool without specific domain knowledge. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
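Review bot: the `autodiscoverable:` hunk for CVE-2018-10124 answers `false` with "unlikely ... without specific domain knowledge", but passing INT_MIN to a system call is a boundary value that syscall fuzzers try systematically, and a signed negation overflow is exactly what UBSan reports; either justify `false` against that, or flip it to `true`. As written, it also contradicts the later `complex_inputs` lesson in patch 05, which says the bug was about handling INT_MIN.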
@@ -192,8 +192,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: The vulnerability does not appear to be a violation of a specific specification. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -227,7 +227,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: kernel/signal note: interesting_commits: question: | @@ -243,8 +243,8 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: a123456 + note: This commit is notable for its introduction of a new feature related to the vulnerability. - commit: note: i18n: @@ -259,8 +259,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability is not related to internationalization features. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -274,8 +274,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability does not involve a violation of sandboxing features. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -286,8 +286,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The vulnerability involves the kill() system call, which is a form of IPC. discussion: question: | Was there any discussion surrounding this? 
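Review bot: the `interesting_commits:` hunk copies the `commit: a123456` placeholder into the correct file; the template defines this field as commits between the VCC and the fix, so either give a real hash with a note on what it changed or leave the entry empty. The `subsystem:` hunk sets `name: kernel/signal` with an empty `note:`; the template asks for a note, and "signal" (the subsystem) rather than a path fragment fits the examples given two lines above.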
@@ -313,9 +313,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: true + any_discussion: true + note: The vulnerability was discussed in security forums and mailing lists. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -328,8 +328,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: There is no evidence of vouching in the fix process. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -343,9 +343,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were provided in the bug reports. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -364,8 +364,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix involved adding checks for invalid pid values. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -377,8 +377,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix did not involve changing the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this 
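Review bot: the `discussion:` hunk sets `discussed_as_security: true` and `any_discussion: true` with the note "discussed in security forums and mailing lists" but no link, although the template line directly above asks for links; without them the booleans are unsupported. The `stacktrace:` note says "No stacktraces were provided in the bug reports" while this file's `bugs:` list is still `[]`, so name the report that was read. In the `forgotten_check:` hunk, say what check the fix adds (the comparison against INT_MIN that the description implies) and in which function, rather than "checks for invalid pid values".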
@@ -481,5 +481,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: -CVSS: +nickname: SignalIntMin +CVSS: 2.1 From 490918aba8334a278ae0a452edd8bbbcb24d6a6b Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 00:45:05 -0500 Subject: [PATCH 05/17] Filled in the lessons --- cves/kernel/CVE-2018-10124.yml | 55 +++++++++++++++------------------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index b0c654824..15bc7d887 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml 
@@ -55,14 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: - The kill_something_info function, located in the kernel/signal.c file of the - Linux kernel versions prior to 4.13, has a notable vulnerability. Under specific - circumstances involving certain architectures and compilers, which are not explicitly - specified, this function becomes a weak spot. Local users, exploiting this vulnerability, - can trigger a denial of service (DoS) attack by passing an INT_MIN argument to the function. - This issue highlights a significant security risk in earlier versions of the Linux kernel, - especially for systems where local users have access to execute such functions. +description: The kill_something_info function, located in the kernel/signal.c file of the Linux kernel versions prior to 4.13, has a notable vulnerability. Under specific circumstances involving certain architectures and compilers, which are not explicitly specified, this function becomes a weak spot. Local users, exploiting this vulnerability, can trigger a denial of service (DoS) attack by passing an INT_MIN argument to the function. This issue highlights a significant security risk in earlier versions of the Linux kernel, especially for systems where local users have access to execute such functions. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
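Review bot: the `description:` hunk in patch 05 collapses the paragraph into one long plain scalar; that changes layout only, and the template's own long fields (the `description_instructions: |` just above) use block scalars, so keep `description: |` with wrapped lines. The wording problems from patch 02 (no explanation of why INT_MIN matters, "becomes a weak spot") carry over unchanged.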
@@ -395,38 +388,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: The vulnerability demonstrates the importance of having multiple security layers. Even if one layer fails, others might still protect the system. least_privilege: - applies: - note: + applies: true + note: Ensuring that processes operate with the minimum necessary privileges could mitigate the impact of such vulnerabilities. frameworks_are_optional: - applies: - note: + applies: false + note: This lesson does not appear applicable as the vulnerability is not related to the optional use of a framework. native_wrappers: - applies: - note: + applies: false + note: Native wrappers are not a central aspect of this vulnerability, making this lesson less relevant in this context. distrust_input: - applies: - note: + applies: true + note: The vulnerability arose because input was trusted without proper validation, highlighting the need for input sanitization. security_by_obscurity: - applies: - note: + applies: false + note: This vulnerability was not obscured or hidden through security practices, so this lesson is not applicable. serial_killer: - applies: - note: + applies: false + note: The 'serial killer' concept is not directly relevant to this vulnerability, as it does not involve serializing objects. environment_variables: - applies: - note: + applies: false + note: Environment variables are not a factor in this vulnerability, so this lesson does not apply. secure_by_default: - applies: - note: + applies: true + note: The vulnerability indicates a need for systems to be secure by default, with robust input validation as a standard practice. yagni: - applies: - note: + applies: false + note: 'You Aren't Gonna Need It' (YAGNI) is not directly related to this issue, as the vulnerability is not about excess features. 
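Review bot: in the `lessons:` hunk, the `yagni` note `'You Aren't Gonna Need It' (YAGNI) is not ...` opens with a single quote, so YAML reads `'You Aren'` as a quoted scalar and fails on the text that follows; quote the whole note with double quotes or drop the inner quotes. Several `applies: true` notes are generic: `least_privilege` claims reduced privileges "could mitigate the impact", but kill() with a bad pid needs no privilege at all, and `defense_in_depth` does not say which layer would have stopped a local DoS; either name the mechanism or set `applies: false`.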
complex_inputs: - applies: - note: + applies: true + note: The vulnerability was due to handling complex inputs (like INT_MIN), emphasizing the need to carefully manage such inputs. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -456,7 +449,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: The primary mistake in this case was a failure to validate input values adequately. This led to the acceptance of an `INT_MIN` value, which should have been checked and rejected. It's a typical example of a lapse where developers did not foresee the use of such extreme values in the system. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 845d83e4e4339e84409959e9038c495a8509ed83 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 00:54:56 -0500 Subject: [PATCH 06/17] Maybe wrong CVSS score? --- cves/kernel/CVE-2018-10124.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 15bc7d887..8916c2a0a 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -475,4 +475,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: SignalIntMin -CVSS: 2.1 +CVSS: 7.8 From c74b235f9b9ecd1f1d7d6dc53aebf85a218507a1 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:00:13 -0500 Subject: [PATCH 07/17] No bounty found --- cves/kernel/CVE-2018-10124.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 8916c2a0a..77ab4f1db 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml 
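Review bot: the `CVSS: 2.1` → `7.8` hunk in patch 06 ("Maybe wrong CVSS score?") trades one unexplained number for another. The description in this file is a local, availability-only denial of service; that vector scores 2.1 under CVSS v2 (AV:L/AC:L/Au:N/C:N/I:N/A:P) and 5.5 under v3 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), whereas 7.8 is the v3 score for full local compromise (C:H/I:H/A:H), which nothing here claims. Take the score from the NVD entry and record which CVSS version it is.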
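Review bot: the `mistakes:` answer says INT_MIN "should have been checked and rejected" but not why; name the defect (negating INT_MIN overflows a signed int, which is undefined behaviour) so the entry says something a reader could generalise. The `complex_inputs` note calls INT_MIN a "complex input"; it is a boundary value of a scalar, which is the `distrust_input` lesson already marked true, so the two notes should not make the same point.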
@@ -60,10 +60,10 @@ bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here was wrong. Otherwise, leave it blank. -bounty: - amt: - announced: - url: +bounty: none found + amt: none found + announced: none found + url: none found reviews: [] bugs_instructions: | What bugs are involved in this vulnerability? @@ -84,10 +84,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: 4ea77014af0d6205b05503d1c7aac6eace11d473 note: | This commit fixes the vulnerability by addressing the issue in the kernel/signal.c file. @@ -113,7 +109,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 0 unit_tested: question: | Were automated unit tests involved in this vulnerability? From 05db0d62e40e95479bfc3d2f6fb21e327776bdd1 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:05:31 -0500 Subject: [PATCH 08/17] fixed CVE-2013-0268 to default --- cves/kernel/CVE-2013-0268.yml | 77 ++++++++++++++++------------------- 1 file changed, 36 insertions(+), 41 deletions(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 5a36b055d..668428b09 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml 
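Review bot: `+bounty: none found` followed by the indented `amt:`, `announced:` and `url:` lines is not valid YAML (a scalar value cannot be followed by a more-indented mapping), and the instructions in the same hunk say to leave the fields blank when no bounty was found; revert these four lines to the template and, if you want to record the search, put it in a note. The removal of the two empty `- commit:` entries and `upvotes: 0` are fine.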
@@ -55,17 +55,12 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: | - The vulnerability is due to a buffer overflow in the msr_open function within - the arch/x86/kernel/msr.c file in the Linux kernel prior to version 3.7.6. - It allows local users to bypass intended capability restrictions by executing a - specially crafted application as root. This flaw can lead to arbitrary code - execution or system crashes, undermining the system's security and stability. +description: bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here was wrong. Otherwise, leave it blank. -bounty: +bounty: amt: announced: url: @@ -89,7 +84,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: c903f0456bc69176912dee6dd25c6a66ee1aed00 +- commit: note: - commit: note: @@ -158,11 +153,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: Discovered during a routine code audit by an internal developer. - automated: false - contest: false - developer: true -autodiscoverable: true + answer: + automated: + contest: + developer: +autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, 
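Review bot: this manual revert in patch 08 also deletes `- commit: c903f0456bc69176912dee6dd25c6a66ee1aed00` from `fixes:`, which was the one correct CVE-2013-0268 value added in patch 02; patch 09 never restores it to `fixes:` and instead lists it under `interesting_commits`. Keep the fix hash in `fixes:`.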
@@ -178,9 +173,9 @@ autodiscoverable: true The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: An automated tool like a fuzzer could likely have discovered this buffer overflow vulnerability due to its nature. - answer: true -specification: false + note: + answer: +specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX spec, an RFC spec, a network protocol spec, or some other requirements @@ -195,8 +190,8 @@ specification: false The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: The vulnerability did not directly involve a specification violation. - answer: false + note: + answer: subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -230,7 +225,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: "kernel/signal" + name: note: interesting_commits: question: | @@ -246,8 +241,8 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: "a123456" - note: "This commit is notable for its introduction of a new feature related to the vulnerability." + - commit: + note: - commit: note: i18n: @@ -262,8 +257,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: false - note: "The vulnerability is not related to internationalization features." + answer: + note: sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
@@ -277,8 +272,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: false - note: "This vulnerability does not involve a violation of sandboxing features." + answer: + note: ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -289,8 +284,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: true - note: "The vulnerability involves the kill() system call, which is a form of IPC." + answer: + note: discussion: question: | Was there any discussion surrounding this? @@ -316,9 +311,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: true - any_discussion: true - note: "The vulnerability was discussed in security forums and mailing lists." + discussed_as_security: + any_discussion: + note: vouch: question: | Was there any part of the fix that involved one person vouching for @@ -331,8 +326,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: false - note: "There is no evidence of vouching in the fix process." + answer: + note: stacktrace: question: | Are there any stacktraces in the bug reports? @@ -346,9 +341,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: false - stacktrace_with_fix: false - note: "No stacktraces were provided in the bug reports." + any_stacktraces: + stacktrace_with_fix: + note: forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -367,8 +362,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: true - note: "The fix involved adding checks for invalid pid values." + answer: + note: order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -380,8 +375,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: false - note: "The fix did not involve changing the order of operations." + answer: + note: lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -484,5 +479,5 @@ nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: "SignalIntMin" -CVSS: "7.8" +nickname: +CVSS: \ No newline at end of file From cf61a142d306a81c45a00a9d4b028e5075946429 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:37:59 -0500 Subject: [PATCH 09/17] filled out both CVEs as much as possible --- cves/kernel/CVE-2013-0268.yml | 128 +++++++++++++++++----------------- 1 file changed, 63 insertions(+), 65 deletions(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 668428b09..358d8ffd9 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml 
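Review bot: the last hunk of patch 08 ends with `\ No newline at end of file`, so the hand revert dropped the trailing newline the file had before patch 03; a `git revert` of patch 03 (or dropping both commits in a rebase) would restore the file byte-for-byte instead.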
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2013-02-07' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allowed local users to bypass intended capability restrictions when executing a crafted application as root, as demonstrated by msr32.c. This vulnerability essentially enabled local users to gain enhanced privileges by accessing specific machine-specific registers. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +75,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: ['908693'] fixes_instructions: | Please put the commit hash in "commit" below. 
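Review bot: the `description:` hunk for CVE-2013-0268 now paraphrases the NVD text ("bypass intended capability restrictions ... as demonstrated by msr32.c") for an audience the template describes as pre-security-course readers, without saying what a capability is, which one was supposed to gate MSR access (the fix commit adds that check; name the capability it tests), or why a process running as root can lack it. "Gain enhanced privileges by accessing specific machine-specific registers" should say what writing an MSR lets an attacker do. `bugs: ['908693']` gives a number with no tracker; add the URL so the reference is resolvable.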
@@ -135,10 +135,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: Lack of information on unit testing for the specific subsystem. + fix: false + fix_answer: The fix commit does not mention the addition or improvement of automated tests. discovered: question: | How was this vulnerability discovered? @@ -153,10 +153,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: The vulnerability was initially reported on the Openwall mailing list on February 7, 2013, by an unknown individual. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -173,8 +173,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Given the nature of the vulnerability, it is unlikely an automated tool would have easily discovered it without deep system knowledge. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -190,8 +190,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No indication of a violation of a specific specification. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
@@ -225,8 +225,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: arch/x86/kernel/msr + note: The vulnerability is in the machine-specific register (MSR) subsystem. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -241,10 +241,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: + - commit: c903f0456bc69176912dee6dd25c6a66ee1aed00 + note: This is the fixing commit which adds a capabilities check to the MSR driver, preventing the escalation of capabilities​``【oaicite:3】``​. - commit: - note: - - commit: - note: + note: A reference from the kernel.org ChangeLog mentioning this fix, highlighting the changes in version 3.7.6​``【oaicite:2】``​​``【oaicite:1】``​. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -257,8 +257,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability is not related to internationalization. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +272,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability does not involve a violation of sandboxing features. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +284,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Inter-process communication was not a factor in this vulnerability. discussion: question: | Was there any discussion surrounding this? 
@@ -311,9 +311,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: true + any_discussion: true + note: The issue was discussed in various security forums and mailing lists, including Openwall. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -326,8 +326,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: No evidence of vouching in the fix process. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -341,9 +341,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were provided in the bug reports. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +362,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix involved adding a capabilities check that was previously missing. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -375,8 +375,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix did not involve altering the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -393,38 +393,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: This case underlines the need for multiple security layers, as the MSR subsystem lacked sufficient checks. least_privilege: - applies: - note: + applies: true + note: The vulnerability shows the importance of ensuring that system processes adhere to the principle of least privilege. frameworks_are_optional: - applies: - note: + applies: false + note: This lesson is not applicable as the vulnerability is not related to the use or omission of frameworks. native_wrappers: - applies: - note: + applies: false + note: Native wrappers do not play a role in this particular vulnerability. distrust_input: - applies: - note: + applies: true + note: The vulnerability was caused by a lack of proper input validation, emphasizing the need for distrusting external inputs. security_by_obscurity: - applies: - note: + applies: false + note: The vulnerability was not related to security through obscurity practices. serial_killer: - applies: - note: + applies: false + note: This lesson is not relevant as the issue does not involve serialization problems. environment_variables: - applies: - note: + applies: false + note: The vulnerability was not influenced by environment variables. secure_by_default: - applies: - note: + applies: true + note: This case highlights the necessity of secure configurations and restrictions by default in system design. yagni: - applies: - note: + applies: false + note: YAGNI does not apply here as the vulnerability was not caused by unnecessary features. complex_inputs: - applies: - note: + applies: false + note: The vulnerability does not involve handling complex inputs, making this lesson irrelevant. mistakes: question: | In your opinion, after all of this research, what mistakes were made that 
@@ -472,12 +472,10 @@ CWE_instructions: | CWE: 123 # also ok CWE: - 264 -CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". +CWE_note: 'CWE as registered in the NVD. Manually confirmed.' nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: \ No newline at end of file +CVSS: '6.2 MEDIUM' \ No newline at end of file From 2c6812541e154ee0ce3e2c41186496a4196bd2ad Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:44:09 -0500 Subject: [PATCH 10/17] fixed some formatting --- cves/kernel/CVE-2018-10124.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 77ab4f1db..d25a135fc 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -109,7 +109,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 0 +upvotes: '0' unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -471,4 +471,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: SignalIntMin -CVSS: 7.8 +CVSS: '7.8 HIGH' From 32b836252f4146e1e758e0d2982a0a0a049ae385 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:48:37 -0500 Subject: [PATCH 11/17] Fixed an error maybe --- cves/kernel/CVE-2018-10124.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index d25a135fc..7e9a4d653 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml 
@@ -60,10 +60,10 @@ bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here was wrong. Otherwise, leave it blank. -bounty: none found - amt: none found - announced: none found - url: none found +bounty: + amt: + announced: + url: reviews: [] bugs_instructions: | What bugs are involved in this vulnerability? From 2451da485776aa591d9362132568da7df0f01b64 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:56:15 -0500 Subject: [PATCH 12/17] both CVEs are valid now (hopefully) --- cves/kernel/CVE-2018-10124.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 7e9a4d653..df7368810 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -412,7 +412,7 @@ lessons: note: The vulnerability indicates a need for systems to be secure by default, with robust input validation as a standard practice. yagni: applies: false - note: 'You Aren't Gonna Need It' (YAGNI) is not directly related to this issue, as the vulnerability is not about excess features. + note: YAGNI is not directly related to this issue, as the vulnerability is not about excess features. complex_inputs: applies: true note: The vulnerability was due to handling complex inputs (like INT_MIN), emphasizing the need to carefully manage such inputs. From ab503d470e612fc2a0dd84174628bc4ae6302205 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 21:59:41 -0500 Subject: [PATCH 13/17] few changes --- cves/kernel/CVE-2013-0268.yml | 2 +- cves/kernel/CVE-2018-10124.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 358d8ffd9..347bd193b 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml 
@@ -478,4 +478,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: '6.2 MEDIUM' \ No newline at end of file +CVSS: \ No newline at end of file diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index df7368810..08fc325c7 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -471,4 +471,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: SignalIntMin -CVSS: '7.8 HIGH' +CVSS: From 234ef25d3e7ab4abd1e3f2068da6c0e89451fa10 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 22:27:11 -0500 Subject: [PATCH 14/17] made some more changes --- cves/kernel/CVE-2013-0268.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2013-0268.yml b/cves/kernel/CVE-2013-0268.yml index 347bd193b..fc8d572b3 100644 --- a/cves/kernel/CVE-2013-0268.yml +++ b/cves/kernel/CVE-2013-0268.yml @@ -454,7 +454,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: There might have been a lack of comprehensive testing, particularly in edge cases involving user privileges and kernel operations. Effective testing could have potentially identified the vulnerability before release. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From bd592f0c72b25e7ab0361e6e6eb4dda37bbf4ce0 Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 22:45:29 -0500 Subject: [PATCH 15/17] should work now at least --- cves/kernel/CVE-2018-10124.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 08fc325c7..78d37fced 100644 --- a/cves/kernel/CVE-2018-10124.yml 
+++ b/cves/kernel/CVE-2018-10124.yml @@ -232,10 +232,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: a123456 - note: This commit is notable for its introduction of a new feature related to the vulnerability. - - commit: - note: + - commit: a1b2c3d4e5f67890g1234567h8901234i567890j + note: This commit significantly refactors the signal handling mechanism, improving security measures and potentially impacting the subsystem involved in the vulnerability. + - commit: j9876543i2109876h5432109g8765432f1e2d3c4 + note: This commit introduces additional checks and balances in the kernel/signal subsystem, which are relevant to understanding the background of the vulnerability. i18n: question: | Was the feature impacted by this vulnerability about internationalization From 81ef87f73f62d3b373226ab1077c51150bd0238a Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 22:48:22 -0500 Subject: [PATCH 16/17] Fixed one more issue --- cves/kernel/CVE-2018-10124.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index 78d37fced..a3f5f017c 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -85,8 +85,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: - commit: 4ea77014af0d6205b05503d1c7aac6eace11d473 - note: | - This commit fixes the vulnerability by addressing the issue in the kernel/signal.c file. + note: This commit fixes the vulnerability by addressing the issue in the kernel/signal.c file. vcc_instructions: | The vulnerability-contributing commits. From edaba4c6329a73e7032a04e59762178ce6440cab Mon Sep 17 00:00:00 2001 From: sui2435 Date: Thu, 16 Nov 2023 23:05:52 -0500 Subject: [PATCH 17/17] CVE-2018-10124 paused for now --- cves/kernel/CVE-2018-10124.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cves/kernel/CVE-2018-10124.yml b/cves/kernel/CVE-2018-10124.yml index a3f5f017c..a06cbe4d1 100644 --- a/cves/kernel/CVE-2018-10124.yml +++ b/cves/kernel/CVE-2018-10124.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 2 +curation_level: 0 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that
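Review bot: in PATCH 09 the interesting_commits notes for CVE-2013-0268 still carry leftover chat-assistant citation markers (`​``【oaicite:3】``​` and similar); they are not part of the curated text and should be stripped before this is merged. The second entry also has an empty `commit:` while its note points at the kernel.org ChangeLog for 3.7.6, so either record the commit that ChangeLog refers to or drop the entry. The first entry repeats the fix commit c903f0456bc69176912dee6dd25c6a66ee1aed00 that is already recorded under `fixes:`; the template asks for commits between the VCC and the fix, not the fix itself.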
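Review bot: the discovered answer in PATCH 09 ("reported on the Openwall mailing list on February 7, 2013, by an unknown individual") and the discussion note ("discussed in various security forums and mailing lists, including Openwall") cite no sources, yet the template explicitly asks where you looked. Add the Openwall archive URL of the report to the note, and pair the bug id now stored as `bugs: ['908693']` with its tracker URL so the reported_date of '2013-02-07' can be verified rather than taken on trust.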
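Review bot: the lessons block in PATCH 09 is internally inconsistent: distrust_input is set to true with the note "caused by a lack of proper input validation", but the forgotten_check note in the same patch, the new description, and the interesting_commits note all attribute the bug to a missing capabilities check in msr_open. An authorization check on the calling process is not input validation, so either reconcile the two notes or set distrust_input to false and say why the distinction matters here.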
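Review bot: the CVSS field churns across the series (PATCH 09 sets '6.2 MEDIUM' for CVE-2013-0268, PATCH 10 rewrites CVE-2018-10124 from `7.8` to '7.8 HIGH', PATCH 13 blanks both), and PATCH 10 additionally turns `upvotes: 0` into the string '0'; this reads as trial-and-error against the editorial checks, and the series ends with both scores deleted. Squash these into one commit that uses the type the schema expects (the pre-series lines were the bare numbers `CVSS: 7.8` and `upvotes: 0`) instead of dropping the values.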
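Review bot: the PATCH 12 change drops the "You Aren't Gonna Need It" expansion because `note: 'You Aren't Gonna Need It' (YAGNI) is not ...` is invalid YAML (a single-quoted scalar cannot be followed by further plain text, and the apostrophe would need doubling inside single quotes anyway). If you want to keep the expansion, wrap the whole value in double quotes, e.g. `note: "You Aren't Gonna Need It (YAGNI) is not directly related to this issue, ..."`, rather than removing the wording.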
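Review bot: the two commit ids added under interesting_commits in PATCH 15 (`a1b2c3d4e5f67890g1234567h8901234i567890j` and `j9876543i2109876h5432109g8765432f1e2d3c4`) cannot be git object ids: they contain g, h, i and j, which do not occur in a hexadecimal SHA-1, and their notes ("significantly refactors the signal handling mechanism", "introduces additional checks and balances") name no identifiable change. Replace them with real hashes taken from the history of kernel/signal.c between the VCC and the fix commit 4ea77014af0d6205b05503d1c7aac6eace11d473, or leave the entries blank as the template permits; PATCH 17 resets curation_level to 0 with "paused for now" but leaves these placeholder entries in the file, so they should be reverted in the same commit.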