From 35ba450376c61bd3f8c85babbd5858e82ff89295 Mon Sep 17 00:00:00 2001 From: Anjanm7504 Date: Sun, 5 Nov 2023 19:43:31 -0500 Subject: [PATCH 1/5] completed CVE-2017-5548 Investigation --- cves/kernel/CVE-2016-5728.yml | 2 +- cves/kernel/CVE-2017-5548.yml | 126 +++++++++++++++++++--------------- 2 files changed, 73 insertions(+), 55 deletions(-) diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 133205d4c..9b6183755 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2017-5548.yml b/cves/kernel/CVE-2017-5548.yml index f59ae6382..48f303a03 100644 --- a/cves/kernel/CVE-2017-5548.yml +++ b/cves/kernel/CVE-2017-5548.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2017-01-20' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: + A driver in the Linux Kernal version 4.9.x before 4.9.6 does not + correctly interact with a system config option. This allows a local user + to cause a system crash or a memory corruption or possibly something else by way + of manipulating virtual memory mapping. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +79,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1416110] fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,8 +94,7 @@ fixes: note: - commit: 05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +109,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Initial commit that adds + support for the atusb transceiver. - commit: 33a238ae65cee561b3eb78694a41cd3e196fe59c note: Discovered automatically by archeogit. upvotes_instructions: | 
@@ -131,10 +135,12 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: There is no observable unit testing in the code. Seems to be user + and maybe tested by others locally. + fix: False + fix_answer: The fix doesn't include adding tests, instead just optimizing and fixing memory + allocation. discovered: question: | How was this vulnerability discovered? @@ -149,10 +155,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: '2017-01-12' + automated: False + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -169,8 +175,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Doesn't seem like a automated tool could have been used since it requires + knowledge of the DMA scatterlist and exploiting virtual pages for them. + answer: False specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -187,7 +194,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -221,7 +228,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers/net/ieee802154/atusb.c note: interesting_commits: question: | 
@@ -237,8 +244,11 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 + note: Initial commit, has the phrase 'I did small changes to this driver to work + with xmit_async callback and setting of a random extended perm address'. This maybe + hints to a possible change that was made that caused the vulnerability. It's hard to + tell however. - commit: note: i18n: @@ -253,8 +263,9 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: It's made to add support for atusb transceivers, not so much localized translations + or anything. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -268,8 +279,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: This feature is not restricted to sets of users. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +291,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: A usb establishes connection protocols between connected devices. discussion: question: | Was there any discussion surrounding this? 
@@ -307,9 +318,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: False + any_discussion: False + note: Just a note in the fix commit message that this fixes it and a recommendation + to other devs about how to go about future releases. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -322,8 +334,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Two people signed off on this commit as well as a cc to stable@vger.kernal.org. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -337,9 +349,11 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: I tried checking all commits and CVE descriptions as well as dev notes. I did not + find any sort of stack trace. But I'm not entirely sure how it was found without one, + unless someone just reviewed it and saw vulnerabilities. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -358,8 +372,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: In the fix there are a bunch of checks to see if the buffer is available or not + and also freeing the buffer in order to not overflow, or corrupt it. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
@@ -371,8 +386,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: Doesn't seem like an order of operations, more of a problem with memory allocation + and freeing. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -389,37 +405,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: - note: + applies: True + note: There seems to be added environmental variable that have been added in order to + fix the memory allocation problems. secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | @@ -450,7 +467,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: Failing to properly manage memory in the buffer. This can allow people to exploit + overflows or corruption in order to create and denial of service. Check and track all instances + of variable to see if it's still functional/usable. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
@@ -469,8 +488,7 @@ CWE_instructions: | CWE: - 119 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + CWE as registered in the NVD. Manually confirmed. nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. From 5e87bf88215255fa573622e6089b1cf0727344fe Mon Sep 17 00:00:00 2001 From: Anjanm7504 Date: Sun, 5 Nov 2023 20:39:25 -0500 Subject: [PATCH 2/5] complete CVE-2016-5728 Investigation --- cves/kernel/CVE-2016-5728.yml | 119 ++++++++++++++++++++-------------- 1 file changed, 69 insertions(+), 50 deletions(-) diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 9b6183755..069ac92fe 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-04-27' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: A race condition in one of the functions in a certain driver that allows + users to obtain senstive information from memory or cause memory corruption or a system + crash. If the user modifies the header of a file, the function might incorrectly fetch + the wrong value since there's another point in the file where the old value has been fetched. + This incorrect reading in the value may lead to information leakage or a crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
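Review bot: in PATCH 1/5, the first hunk touches cves/kernel/CVE-2016-5728.yml and bumps `curation_level` to 2 although none of that record's fields are filled in until PATCH 2/5; leave that file out of this patch or squash the two. In cves/kernel/CVE-2017-5548.yml, the `discovered` hunk puts a date (`answer: '2017-01-12'`) in a field whose question is "How was this vulnerability discovered?"; make `answer` the prose (or, per the instructions, say where you looked) and keep dates in `reported_date`. The `ipc` hunk answers True on the grounds that "A usb establishes connection protocols between connected devices", but a transceiver talking to the host over USB is device I/O, not communication between processes on the system; name an actual IPC mechanism the driver exposes or answer False. The `environment_variables` lesson is marked `applies: True` with the note "There seems to be added environmental variable", yet the `forgotten_check` and `order_of_operations` notes in the same patch both describe the fix as buffer allocation and freeing, not environment variables; point at a specific variable or set it to False. The `description` hunk says the local user triggers the bug "by way of manipulating virtual memory mapping", while the `autodiscoverable` note in the same patch frames it as the DMA scatterlist spanning more than one virtual page; the two should agree, and the user does not alter mappings in that framing. Smaller points: "Kernal" in the description, `stable@vger.kernal.org` in the `vouch` note, and the `subsystem` hunk sets `name:` to the file path `drivers/net/ieee802154/atusb.c` where the instructions ask for subsystem names; the path fits better in the adjacent empty `note:`.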
@@ -75,7 +79,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [116651] fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,8 +94,7 @@ fixes: note: - commit: 9bf292bfca94694a721449e3fd752493856710f6 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +109,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 61e9c905df78c253752971e200f0ac6d8667dda6 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Manually Confirmed, was the initial commit + for this patch to enable VOP host side functionality. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -129,10 +133,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No observable unit testing done. + fix: False + fix_answer: No observable unit testing done. discovered: question: | How was this vulnerability discovered? @@ -147,11 +151,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: -autodiscoverable: + answer: '2016-04-18' An email was sent that detailed them finding the bug while examining + the source code. + automated: False + contest: False + developer: False +autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, 
@@ -167,8 +172,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: If a fuzzer modifed the header in some way, then it might be able to cause this + exploit. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +190,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: I checked the only mailing list and it didn't specify that any specification was + violated. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,7 +226,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers/misc/mic/vop/vop_vringh.c note: interesting_commits: question: | @@ -251,8 +258,9 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: This vulnerability doesn't have anything to do with the locale of the user + or any conversion to the user's preferences. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +274,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: This vulnerability does not work with permissions, rather improper variable/memory + management. ipc: question: | Did the feature that this vulnerability affected use inter-process 
@@ -278,8 +287,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: This function does not comminicate with any other process or system, it's an + error in its own system. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +315,11 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: True + any_discussion: False + note: This was discussed only one time, but no back and forth discussion. An email was + sent and reviewed, once reviewed a bug was reported and a fix was followed up. Recommendations + were given in the email. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +332,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Two people had signed off on the commit that fixed the issue. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +347,11 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: False + stacktrace_with_fix: False + note: No stacktraces were found, however there might have been one since the original + person that found the fix knew specific line numbers that pointed out the issues in the + race condition. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -356,8 +370,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: This fix involves checking if a certain value has not changed in between two + reads from different functions. If not checked, a race condition would occur. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +384,10 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: This fix involves changing a variable if the check was passed. Once this variable is + changed to a certain value, it can then be written over correclty, or get used with the + correct data that it contains. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -386,38 +403,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. - defense_in_depth: + defense_in_depth: False applies: note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | 
@@ -448,7 +465,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: Not completing checks to see if the variable is being written multiple times. + Since memory and variables can be changed by the user, it's important to check whether + the system is changing those variable as well to see if there is a conflict. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 9cd782f1ab660f6fa8e514910d63d6b490a4c856 Mon Sep 17 00:00:00 2001 From: Anjanm7504 Date: Sun, 5 Nov 2023 20:58:23 -0500 Subject: [PATCH 3/5] fixed yaml syntax --- cves/kernel/CVE-2016-5728.yml | 41 +++++++++++++++++++------------ cves/kernel/CVE-2017-5548.yml | 45 +++++++++++++++++++++-------------- 2 files changed, 53 insertions(+), 33 deletions(-) diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 069ac92fe..91a378b27 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml @@ -109,7 +109,8 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 61e9c905df78c253752971e200f0ac6d8667dda6 - note: Discovered automatically by archeogit. Manually Confirmed, was the initial commit + note: | + Discovered automatically by archeogit. Manually Confirmed, was the initial commit for this patch to enable VOP host side functionality. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -151,8 +152,9 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: '2016-04-18' An email was sent that detailed them finding the bug while examining - the source code. + answer: | + '2016-04-18' An email was sent that detailed them finding the bug while examining + the source code. automated: False contest: False developer: False 
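Review bot: in PATCH 2/5, the `discovered` hunk of cves/kernel/CVE-2016-5728.yml writes `answer: '2016-04-18' An email was sent ...`, which is not valid YAML (a quoted scalar cannot be followed by more text on the same line) and, as in the other record, puts a date where the question asks how the bug was found; `reported_date` in the same file is '2016-04-27', so state which event each date refers to and keep only the prose in `answer`. The `lessons` hunk replaces the mapping key with `defense_in_depth: False` while leaving the indented `applies:`/`note:` lines under it, which also breaks parsing; the value belongs on `applies:`. The `discussion` hunk sets `discussed_as_security: True` together with `any_discussion: False`, but the note describes an email that was sent, reviewed and followed by a bug report and fix; if that counts as security discussion, `any_discussion` should be True too, otherwise explain the distinction. The `description` and `autodiscoverable` hunks talk about a user modifying "the header of a file", while the `forgotten_check` and `mistakes` hunks describe the real defect, a value read twice that can change between the reads; say that plainly in the description (a user-controlled header is fetched twice, and the second read may see a different value), which also makes the fuzzer argument in `autodiscoverable` concrete. Typos in the added notes: "senstive", "modifed", "comminicate", "correclty".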
@@ -172,7 +174,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: If a fuzzer modifed the header in some way, then it might be able to cause this + note: | + If a fuzzer modifed the header in some way, then it might be able to cause this exploit. answer: True specification: @@ -190,7 +193,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: I checked the only mailing list and it didn't specify that any specification was + note: | + I checked the only mailing list and it didn't specify that any specification was violated. answer: False subsystem: @@ -259,7 +263,8 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: False - note: This vulnerability doesn't have anything to do with the locale of the user + note: | + This vulnerability doesn't have anything to do with the locale of the user or any conversion to the user's preferences. sandbox: question: | @@ -275,7 +280,8 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: False - note: This vulnerability does not work with permissions, rather improper variable/memory + note: | + This vulnerability does not work with permissions, rather improper variable/memory management. ipc: question: | @@ -288,7 +294,8 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: False - note: This function does not comminicate with any other process or system, it's an + note: | + This function does not comminicate with any other process or system, it's an error in its own system. discussion: question: | 
@@ -317,7 +324,8 @@ discussion: comment you want to make. discussed_as_security: True any_discussion: False - note: This was discussed only one time, but no back and forth discussion. An email was + note: | + This was discussed only one time, but no back and forth discussion. An email was sent and reviewed, once reviewed a bug was reported and a fix was followed up. Recommendations were given in the email. vouch: @@ -349,7 +357,8 @@ stacktrace: what your answer was. any_stacktraces: False stacktrace_with_fix: False - note: No stacktraces were found, however there might have been one since the original + note: | + No stacktraces were found, however there might have been one since the original person that found the fix knew specific line numbers that pointed out the issues in the race condition. forgotten_check: @@ -385,7 +394,8 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: This fix involves changing a variable if the check was passed. Once this variable is + note: | + This fix involves changing a variable if the check was passed. Once this variable is changed to a certain value, it can then be written over correclty, or get used with the correct data that it contains. lessons: @@ -403,8 +413,8 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. - defense_in_depth: False - applies: + defense_in_depth: + applies: False note: least_privilege: applies: False @@ -425,7 +435,7 @@ lessons: applies: False note: environment_variables: - applies: False + applies: True note: secure_by_default: applies: False 
@@ -465,7 +475,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: Not completing checks to see if the variable is being written multiple times. + answer: | + Not completing checks to see if the variable is being written multiple times. Since memory and variables can be changed by the user, it's important to check whether the system is changing those variable as well to see if there is a conflict. CWE_instructions: | diff --git a/cves/kernel/CVE-2017-5548.yml b/cves/kernel/CVE-2017-5548.yml index 48f303a03..4a314b25e 100644 --- a/cves/kernel/CVE-2017-5548.yml +++ b/cves/kernel/CVE-2017-5548.yml @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | A driver in the Linux Kernal version 4.9.x before 4.9.6 does not correctly interact with a system config option. This allows a local user to cause a system crash or a memory corruption or possibly something else by way @@ -109,8 +109,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 - note: Discovered automatically by archeogit. Initial commit that adds - support for the atusb transceiver. + note: | + Discovered automatically by archeogit. Initial commit that adds + support for the atusb transceiver. - commit: 33a238ae65cee561b3eb78694a41cd3e196fe59c note: Discovered automatically by archeogit. upvotes_instructions: | 
@@ -136,7 +137,8 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: False - code_answer: There is no observable unit testing in the code. Seems to be user + code_answer: | + There is no observable unit testing in the code. Seems to be user and maybe tested by others locally. fix: False fix_answer: The fix doesn't include adding tests, instead just optimizing and fixing memory @@ -175,7 +177,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: Doesn't seem like a automated tool could have been used since it requires + note: | + Doesn't seem like a automated tool could have been used since it requires knowledge of the DMA scatterlist and exploiting virtual pages for them. answer: False specification: @@ -245,12 +248,11 @@ interesting_commits: * Anything else you find interesting. commits: - commit: 7490b008d123f9bd781f51ad86b543aed49f6200 - note: Initial commit, has the phrase 'I did small changes to this driver to work - with xmit_async callback and setting of a random extended perm address'. This maybe - hints to a possible change that was made that caused the vulnerability. It's hard to - tell however. - - commit: - note: + note: | + Initial commit, has the phrase 'I did small changes to this driver to work + with xmit_async callback and setting of a random extended perm address'. This maybe + hints to a possible change that was made that caused the vulnerability. It's hard to + tell however. i18n: question: | Was the feature impacted by this vulnerability about internationalization 
@@ -264,7 +266,8 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: False - note: It's made to add support for atusb transceivers, not so much localized translations + note: | + It's made to add support for atusb transceivers, not so much localized translations or anything. sandbox: question: | @@ -320,7 +323,8 @@ discussion: comment you want to make. discussed_as_security: False any_discussion: False - note: Just a note in the fix commit message that this fixes it and a recommendation + note: | + Just a note in the fix commit message that this fixes it and a recommendation to other devs about how to go about future releases. vouch: question: | @@ -351,7 +355,8 @@ stacktrace: what your answer was. any_stacktraces: False stacktrace_with_fix: False - note: I tried checking all commits and CVE descriptions as well as dev notes. I did not + note: | + I tried checking all commits and CVE descriptions as well as dev notes. I did not find any sort of stack trace. But I'm not entirely sure how it was found without one, unless someone just reviewed it and saw vulnerabilities. forgotten_check: @@ -373,7 +378,8 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: In the fix there are a bunch of checks to see if the buffer is available or not + note: | + In the fix there are a bunch of checks to see if the buffer is available or not and also freeing the buffer in order to not overflow, or corrupt it. order_of_operations: question: | @@ -387,7 +393,8 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: False - note: Doesn't seem like an order of operations, more of a problem with memory allocation + note: | + Doesn't seem like an order of operations, more of a problem with memory allocation and freeing. lessons: question: | 
@@ -427,7 +434,8 @@ lessons: note: environment_variables: applies: True - note: There seems to be added environmental variable that have been added in order to + note: | + There seems to be added environmental variable that have been added in order to fix the memory allocation problems. secure_by_default: applies: False @@ -467,7 +475,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: Failing to properly manage memory in the buffer. This can allow people to exploit + answer: | + Failing to properly manage memory in the buffer. This can allow people to exploit overflows or corruption in order to create and denial of service. Check and track all instances of variable to see if it's still functional/usable. CWE_instructions: | From 8c5b5722813e0c6bd868f976b460b71c7aee02bc Mon Sep 17 00:00:00 2001 From: Anjanm7504 Date: Sun, 5 Nov 2023 21:05:39 -0500 Subject: [PATCH 4/5] fixed yaml syntax and answers --- cves/kernel/CVE-2016-5728.yml | 2 +- cves/kernel/CVE-2017-5548.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 91a378b27..9e55ba323 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml @@ -230,7 +230,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: drivers/misc/mic/vop/vop_vringh.c + name: drivers note: interesting_commits: question: | diff --git a/cves/kernel/CVE-2017-5548.yml b/cves/kernel/CVE-2017-5548.yml index 4a314b25e..5279526d3 100644 --- a/cves/kernel/CVE-2017-5548.yml +++ b/cves/kernel/CVE-2017-5548.yml @@ -196,7 +196,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: I checked and there doesn't seem to be any specification that has been violated answer: False subsystem: question: | 
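Review bot: in PATCH 3/5, the `discovered` hunk of cves/kernel/CVE-2016-5728.yml converts `answer` to a `|` block scalar, which fixes the parse error, but the quotes around `'2016-04-18'` are now literal characters inside the text; drop them or move the date out of this field. The `lessons` hunk flips `environment_variables.applies` from False to True with `note:` still empty; that is an answer change with no justification, not a syntax fix, and does not belong in a commit titled "fixed yaml syntax", so either explain it in `note:` or revert it. In cves/kernel/CVE-2017-5548.yml the same patch converts the neighbouring notes to block scalars but leaves `fix_answer` as a multi-line plain scalar, and the `vouch` note still reads `stable@vger.kernal.org`. The `interesting_commits` hunk also drops the second, empty `- commit:`/`note:` entry, which is fine but worth a word in the commit message since it is a content change.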
@@ -231,7 +231,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: drivers/net/ieee802154/atusb.c + name: drivers note: interesting_commits: question: | From d5753fe0469d0e897269a15b2e5cc0648b16d42d Mon Sep 17 00:00:00 2001 From: Anjanm7504 Date: Tue, 14 Nov 2023 19:12:50 -0500 Subject: [PATCH 5/5] revised cve records based on feedback --- cves/kernel/CVE-2016-5728.yml | 40 ++++++++++++++++++++--------------- cves/kernel/CVE-2017-5548.yml | 34 ++++++++++++++++++----------- 2 files changed, 45 insertions(+), 29 deletions(-) diff --git a/cves/kernel/CVE-2016-5728.yml b/cves/kernel/CVE-2016-5728.yml index 9e55ba323..b5b58a9eb 100644 --- a/cves/kernel/CVE-2016-5728.yml +++ b/cves/kernel/CVE-2016-5728.yml 
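Review bot: both subsystem hunks in this patch replace a precise location (`drivers/misc/mic/vop/vop_vringh.c` and `drivers/net/ieee802154/atusb.c`) with `name: drivers`, which is just the top-level kernel directory and no longer identifies a subsystem. The field instructions shown in the context lines ask for a subsystem name, not a file path, so the fix is to keep the subsystem component of the path you removed (the directory below `drivers/` in each case) rather than collapsing to `drivers`; if the project has a list of accepted subsystem names, pick the one matching that directory.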
@@ -55,11 +55,14 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: A race condition in one of the functions in a certain driver that allows - users to obtain senstive information from memory or cause memory corruption or a system - crash. If the user modifies the header of a file, the function might incorrectly fetch - the wrong value since there's another point in the file where the old value has been fetched. - This incorrect reading in the value may lead to information leakage or a crash. +description: | + An undesirable situation in one of the functions in a certain driver attempts + to fetch a value that is already being fetched by another function at the same time. + This is an example of a race condition and it allows users to obtain senstive information + from memory or cause memory corruption or a system crash. If one user thread modifies + the header of a file, the function might incorrectly fetch the wrong value since there's + another point in the file where the old value has been fetched. This incorrect reading + in the value may lead to information leakage or a system crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -119,7 +122,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? 
@@ -153,8 +156,8 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: | - '2016-04-18' An email was sent that detailed them finding the bug while examining - the source code. + '2016-04-18' An email was sent on Kernal.org Bugzilla from Pengfei Wang that + detailed them finding the bug while examining the source code. automated: False contest: False developer: False @@ -194,7 +197,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: | - I checked the only mailing list and it didn't specify that any specification was + After checking the only mailing list, it didn't specify that any specification was violated. answer: False subsystem: @@ -295,7 +298,7 @@ ipc: what your answer was. answer: False note: | - This function does not comminicate with any other process or system, it's an + This function does not communicate with any other process or system, it's an error in its own system. discussion: question: | @@ -322,12 +325,12 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: True + discussed_as_security: False any_discussion: False note: | - This was discussed only one time, but no back and forth discussion. An email was + This was reported only one time and no back and forth discussion. An report was sent and reviewed, once reviewed a bug was reported and a fix was followed up. Recommendations - were given in the email. + were given in the report message. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -341,7 +344,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: Two people had signed off on the commit that fixed the issue. + note: Sudeep Dutt and Ashutosh Dixit, both from Intel, had signed off on the commit that fixed the issue. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -396,7 +399,7 @@ order_of_operations: answer: True note: | This fix involves changing a variable if the check was passed. Once this variable is - changed to a certain value, it can then be written over correclty, or get used with the + changed to a certain value, it can then be written over correctly, or get used with the correct data that it contains. lessons: question: | @@ -436,7 +439,9 @@ lessons: note: environment_variables: applies: True - note: + note: | + There seems to be an added environment variable to assist checking for the race + condition before continuing code execution. secure_by_default: applies: False note: @@ -476,7 +481,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - Not completing checks to see if the variable is being written multiple times. + Not completing checks to see if the variable is being written multiple times may lead + to undesirable outcomes when handling lots of data that the system, or the user controls. Since memory and variables can be changed by the user, it's important to check whether the system is changing those variable as well to see if there is a conflict. CWE_instructions: | diff --git a/cves/kernel/CVE-2017-5548.yml b/cves/kernel/CVE-2017-5548.yml index 5279526d3..2194697da 100644 --- a/cves/kernel/CVE-2017-5548.yml +++ b/cves/kernel/CVE-2017-5548.yml 
@@ -121,7 +121,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -196,7 +196,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: I checked and there doesn't seem to be any specification that has been violated + note: | + After checking most if not all artifacts, there doesn't seem to be any + specification that has been violated. answer: False subsystem: question: | @@ -295,7 +297,11 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: A usb establishes connection protocols between connected devices. + note: | + Since this feature in the driver affects usb input and output, it affects + inter-process communication since a usb establishes connection protocols + between connected devices. + discussion: question: | Was there any discussion surrounding this? @@ -339,7 +345,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: Two people signed off on this commit as well as a cc to stable@vger.kernal.org. + note: | + Stefan Schmidt of Samsung and Marcel Holtmann of Intel signed off on this commit as well + as a cc to stable@vger.kernal.org. Stefan being the original developer of this commit. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -356,8 +364,8 @@ stacktrace: any_stacktraces: False stacktrace_with_fix: False note: | - I tried checking all commits and CVE descriptions as well as dev notes. I did not - find any sort of stack trace. But I'm not entirely sure how it was found without one, + After checking all commits and CVE descriptions as well as dev notes, no stacktraces were + found. But I'm not entirely sure how it was found without one, unless someone just reviewed it and saw vulnerabilities. forgotten_check: question: | @@ -394,7 +402,7 @@ order_of_operations: what your answer was. answer: False note: | - Doesn't seem like an order of operations, more of a problem with memory allocation + No indication of an order of operations error, more of a problem with memory allocation and freeing. lessons: question: | @@ -435,8 +443,7 @@ lessons: environment_variables: applies: True note: | - There seems to be added environmental variable that have been added in order to - fix the memory allocation problems. + An environmental variable was added in order to fix the memory allocation problems. secure_by_default: applies: False note: 
@@ -476,9 +483,12 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - Failing to properly manage memory in the buffer. This can allow people to exploit - overflows or corruption in order to create and denial of service. Check and track all instances - of variable to see if it's still functional/usable. + This was mainly caused by failing to properly manage memory in the buffer. + This can allow people to exploit overflows or corruption in order to create and + denial of service. Check and track all instances of variable to see if it's still + functional/usable. Even though it might be difficult or confusing to keep track of + and manage all memory allocated and freed, it's apparent that a simple slip or lapse + in judgement can become an exploitable vulnerability in a system. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to
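Review bot: the new description in the CVE-2016-5728.yml description hunk opens with "An undesirable situation in one of the functions in a certain driver attempts to fetch a value", which has the situation doing the fetching; the subject should be the function. "senstive" should be "sensitive". Since the audience is readers with no security background, "a certain driver" should say which driver; the removed subsystem line in patch 4/5 gives the file (`drivers/misc/mic/vop/vop_vringh.c`), so naming the MIC VOP driver here costs nothing and makes the record self-contained.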
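Review bot: the discovered hunk in CVE-2016-5728.yml says "An email was sent on Kernal.org Bugzilla", but a Bugzilla entry is a bug report, not an email, and the discussion hunk in the same file was changed from "An email" to "An report" for exactly that reason; make the two consistent ("A bug report was filed on kernel.org Bugzilla by Pengfei Wang"). "Kernal.org" should be "kernel.org".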
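Review bot: the discussion hunk in CVE-2016-5728.yml has two grammar problems in the note: "This was reported only one time and no back and forth discussion" is missing a verb ("and there was no back and forth discussion"), and "An report" should be "A report". Flipping `discussed_as_security` to False is consistent with `any_discussion: False`, so no objection there.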
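Review bot: the environment_variables hunks in both files (CVE-2016-5728.yml: "an added environment variable to assist checking for the race condition"; CVE-2017-5548.yml: "An environmental variable was added in order to fix the memory allocation problems") describe a variable added to the driver's C code, not an environment variable. The lessons field is asking about process environment variables as an input or configuration channel; a kernel driver fix that adds a local or struct member does not touch those. Unless the fix commit really reads an environment variable, `applies` should be False with a note saying so, and the current notes moved under the lesson they actually support.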
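Review bot: the ipc hunk in CVE-2017-5548.yml argues that USB input and output "affects inter-process communication since a usb establishes connection protocols between connected devices", but communication between a host driver and a USB device is device I/O over a bus, not communication between processes; the answer needs a different justification or should be False. The hunk also adds a stray blank line before `discussion:` that no other section has; drop it for consistency.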
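Review bot: the vouch hunk in CVE-2017-5548.yml spells the stable list as `stable@vger.kernal.org`; the domain is `kernel.org`, and a mistyped address in a curated record will mislead anyone who copies it. "Stefan being the original developer of this commit." is a sentence fragment; fold it into the preceding sentence ("... with Stefan as the original author of the commit").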
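Review bot: the mistakes hunk in CVE-2017-5548.yml carries over "in order to create and denial of service" from patch 1/5; it should read "create a denial of service". "Check and track all instances of variable" should be "all instances of a variable" (or "of variables"), and since the record elsewhere identifies the problem as buffer allocation rather than a stale variable, the advice would be sharper if it named the buffer the fix reallocates instead of a generic variable.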