From e268ed547d785f21c7de82b7f65588feb54346b0 Mon Sep 17 00:00:00 2001 From: evstod Date: Fri, 10 Nov 2023 14:30:38 -0500 Subject: [PATCH 01/20] Update Curation Level to 2 --- cves/kernel/CVE-2016-9754.yml | 2 +- cves/kernel/CVE-2022-0516.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index e4da6ad6b..3e71fa62b 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index a289cfd86..7e978cd17 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From ed022af00f8ce3208fb97f592fc4680280dc0b40 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 14:16:07 -0500 Subject: [PATCH 02/20] CVE-2022-0516 yml filled --- cves/kernel/CVE-2022-0516.yml | 139 +++++++++++++++++++--------------- 1 file changed, 80 insertions(+), 59 deletions(-) diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 7e978cd17..7627c0935 100644 
--- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2022-02-03' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,12 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + A vulnerability was found in a function for handling guest permissions in KVM. + This flaw allows a local attacker with a normal user privilege to obtain + unauthorized memory write access as the aforementioned function has insufficient + checks for write permissions, causing false access. This flaw affects Linux + kernel versions prior to 5.17-rc4. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -84,10 +89,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: '09a93c1df3eafa43bcdfd7bf837c574911f12f55' note: | Taken from NVD references list with Git commit. If you are @@ -114,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 8 unit_tested: question: | Were automated unit tests involved in this vulnerability? 
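Review bot: The fixes hunk removes the two empty `- commit:` entries but leaves the template placeholder note on commit 09a93c1df3eafa43bcdfd7bf837c574911f12f55 unchanged ("Taken from NVD references list with Git commit. If you are curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed'"); since this commit is being curated, either fact-check the commit and replace that note with 'Manually confirmed' or record why it could not be confirmed. In the same hunk set, `upvotes: 8` is being hardcoded although the instructions in the surrounding context say the score comes from peers ("Your peers will tell you how interesting they think this vulnerability is"); leave the field at its default until that round happens (this is reverted in PATCH 03).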
@@ -129,10 +130,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: 0 + code_answer: 'There were no surrounding tests. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' + fix: 0 + fix_answer: 'No tests were added. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' discovered: question: | How was this vulnerability discovered? @@ -147,10 +148,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: 'The fix appears to have been discoved by a user on the Red Hat forums' + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +168,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 'This issue was purely about permissions.' + answer: 0 specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +185,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 'NVD, the commit notes, pull request, and bug report all have no mention of such violations.' + answer: 0 subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,8 +220,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: kvm + note: 'KVM subsystem for s390' interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
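Review bot: The boolean fields in these hunks are encoded inconsistently: the discovered hunk uses `automated: false`, `contest: false`, `developer: false`, while the unit_tested, autodiscoverable and specification hunks use `code: 0`, `fix: 0`, `answer: 0`, even though the instruction context for those fields says "The answer field should be boolean" and "Answer should be true or false". Use `true`/`false` throughout so the curation checks accept the file (PATCH 06 later does this, but see the hash corruption it introduces). Also in this hunk set: "discoved" in the discovered answer should be "discovered", and the two unit_tested answers read as sentence fragments ("There were no surrounding tests. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult."); join them, e.g. "There were no surrounding tests; since this subsystem concerns permissions, unit tests for this type of defect would be difficult."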
@@ -235,10 +236,14 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: a43b80b782c9f56b3bcc2e5e51261dc3980839ec + note: | + There is 2 years worth of work on this subsystem and even file from the origin + to the fix, but none of them really did anything with the Guest users functionality + except this one. This one adds a global for debugging, KVM_GUESTDBG_VALID_MASK. + Though it has no effect on the specific function of the bug, it is interesting that + permissions debugging systems were made in the bug's subsystem, and yet the bug + remained elusive. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -251,8 +256,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: 'The issue is purely regarding permissions. Language and character sets are not involved.' sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +271,11 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 1 + note: | + The permissions issue is regarding guest user functionality. + The guest user defaults were meant to give limited default permissions to the system. + But a missing check allowed incorrect write access. ipc: question: | Did the feature that this vulnerability affected use inter-process 
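Review bot: The `note: |` block scalar under the new `- commit: a43b80b782c9f56b3bcc2e5e51261dc3980839ec` entry must be indented consistently relative to the `note:` key or the YAML will not parse as intended; PATCH 05 in this series re-indents exactly these lines, so squash that fix into this commit rather than landing a broken intermediate state. Two smaller points in the same hunk set: "There is 2 years worth of work" should read "There are two years' worth of work", and the sandbox hunk sets `answer: 1` where the instruction context says "Answer should be true or false".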
@@ -278,8 +286,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: | + The issue was purely regarding the permission checks of the KVM subsystem. + No user input or other communications affected the functionality in question. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +315,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: 0 + any_discussion: 0 + note: 'The bug report and mailing list discussions seem to only state the bug and the progress toward fixing it.' vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +330,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: 'The fix was made directly by Linus. No acknowledgements are present in the commit message like they are for the origin commit.' stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +345,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: 0 + stacktrace_with_fix: 0 + note: 'No stacktraces are seen in the disussions or commits. This is a about a missing check, so there is no system error to trace.' forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
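Review bot: The stacktrace note in the last hunk has two typos that should be fixed before merge: "disussions" should be "discussions" and "This is a about a missing check" should be "This is about a missing check". The ipc, discussion, vouch and stacktrace hunks also all use `0` for fields whose instruction context says "Answer must be true or false"; use `false` so the schema checks pass.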
@@ -356,8 +366,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 1 + note: | + The Debian vulnerability notes write it specifically as an "insufficient check in the KVM subsystem for s390x". + The missing check was for if the virtual cpu for checking if the kvm subsystem was protected. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +381,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: 'The fix is just adding a new if statement.' lessons: question: | Are there any common lessons we have learned from class that apply to this 
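Review bot: The second sentence of the forgotten_check note is ungrammatical and does not say what was actually checked: "The missing check was for if the virtual cpu for checking if the kvm subsystem was protected." Reword it to state plainly which condition the added `if` tests (the note's own framing is that the fix "is just adding a new if statement", so name the condition that statement checks). Both hunks also use `1`/`0` where the instruction context requires `true`/`false`.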
@@ -387,37 +399,41 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: 1 + note: | + The Virtual CPU functionality was made to prevent issues in the KVM subsystem from tampering with CPU operations, + but the missing check for the CPUs protections made this functionality useless. least_privilege: - applies: - note: + applies: 1 + note: | + The Guest users are intended to have limited privledges. The KVM subsyetme assumes no privledges where privledges aren't defined. + This missing check caused guest users to be able to get write privledges by default instead. frameworks_are_optional: - applies: + applies: 0 note: native_wrappers: - applies: + applies: 0 note: distrust_input: - applies: + applies: 0 note: security_by_obscurity: - applies: + applies: 0 note: serial_killer: - applies: + applies: 0 note: environment_variables: - applies: + applies: 0 note: secure_by_default: - applies: + applies: 0 note: yagni: - applies: + applies: 0 note: complex_inputs: - applies: + applies: 0 note: mistakes: question: | 
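Review bot: The least_privilege note in this hunk misspells "privileges" four times ("privledges") and "subsystem" once ("subsyetme"); fix both before merge. The `applies:` fields are set with `1`/`0` throughout the lessons block although the instruction text for this file asks for booleans; use `true`/`false` consistently with the other sections.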
@@ -448,7 +464,12 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + This is likely a simple lapse. The function used for making the check on the virtual cpu was created + and intnded to be used, but the check was never placed in along with the rest. The fix was simply adding the check in. + CWE 280 recommends using "safe areas" surrounded by trust boundaries in the design of the subsystem. These were assumably + already in place given the specificness of the other checks in the permissions functionality. The CWE also recommends always + checking that a resource was properlly and successfully accessed. This is now followed since such a check was added. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -464,11 +485,11 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: +CWE: 280 CWE_note: nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: 'Unruly Guest' CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H From 2c1bfa716da17c208ef307d32abbc8623c0830e8 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 14:36:37 -0500 Subject: [PATCH 03/20] Remove unintned upvotes --- cves/kernel/CVE-2022-0516.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 7627c0935..024235ac2 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml 
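Review bot: The mistakes answer in this hunk needs a spelling pass: "intnded" should be "intended", "properlly" should be "properly", "assumably" should be "presumably", and "specificness" should be "specificity". In the CWE hunk, `CWE: 280` is set but `CWE_note:` is left empty; the other file in this series records 'Manually Confirmed' there, so add a note stating how CWE-280 was chosen over the NVD-registered entry.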
@@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 8 +upvotes: 0 unit_tested: question: | Were automated unit tests involved in this vulnerability? From 53cbbf94c612489190a30b1a5010d046869b2fc4 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:05:44 -0500 Subject: [PATCH 04/20] CVE-2016-9754 yml filled --- cves/kernel/CVE-2016-9754.yml | 132 ++++++++++++++++++---------------- 1 file changed, 69 insertions(+), 63 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 3e71fa62b..3594b96b7 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-05-13' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,12 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The ring_buffer_resize function used for converting a buffer for use in a userspace + in the profiling subsystem mishandles certain integer calculations. This + misculaculation is capable of causing an overflow during ineger rounding. This + allows users to gain unintended privileges by changing the buffer suze by + writing to the /sys/kernel/debug/tracing/buffer_size_kb file. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
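Review bot: The description hunk for CVE-2016-9754 has several typos that should be fixed before merge: "misculaculation" should be "miscalculation", "ineger" should be "integer", and "buffer suze" should be "buffer size". The opening clause "used for converting a buffer for use in a userspace in the profiling subsystem" is also unclear; say what ring_buffer_resize does in plain terms (it resizes the tracing ring buffer) so the stated audience ("people just like you before you took any course in security") can follow it.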
@@ -75,7 +80,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [118001, 112571, 106031, 114201, 116651] fixes_instructions: | Please put the commit hash in "commit" below. @@ -84,14 +89,11 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: +- commit: 0b8eecc14410eaa197809f66f4de8fa85c2721ed + note: 'Found in kernel.org changelog: "ring-buffer: Use long for nr_pages to avoid overflow failures"' - commit: 59643d1535eb220668692a5359de22545af579f6 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -106,9 +108,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 7a8e76a3829f1067b70f715771ff88baf2fbf3c3 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Introduces the ring buffer. - commit: 83f40318dab00e3298a1f6d0b12ac025e84e478d - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Adds the capability to remove pages from a ring buffer without destroying any existing data in it. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -131,10 +133,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: 0 + code_answer: 'No unit tests were added when the ring buffer feature was added' + fix: 0 + fix_answer: 'No unit tests were added in the fixes' discovered: question: | How was this vulnerability discovered? 
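Review bot: The bugs hunk lists five bare numeric IDs (`[118001, 112571, 106031, 114201, 116651]`) without saying which tracker they belong to; the instruction context names several possible sources ("Mentioned in mailing list discussions", "References from NVD entry", "Various other places"), so record the tracker in the adjacent note or the IDs cannot be verified by a later curator. The rest of this hunk set looks fine: the vccs notes now say what each commit introduced, and the fixes note for 59643d1535eb220668692a5359de22545af579f6 is replaced with 'Manually Confirmed' as the template asks.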
@@ -149,10 +151,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: 'The issue was reported by a Red Hat employee' + automated: 0 + contest: 0 + developer: 0 autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -169,8 +171,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 1 + answer: 'Buffer overflows can be found by automated tools.' specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -186,8 +188,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 0 + answer: 'No speicifications are mentioned in the commit, bug report, or mail chain' subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -221,7 +223,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: profiling note: interesting_commits: question: | @@ -237,10 +239,8 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: 9b94a8fba501f38368aef6ac1b30e7335252a220 + note: This seems to be an attempt at fixing the buffer overflow. Howvwer it didnt cover every cause, so overflow was still possible. i18n: question: | Was the feature impacted by this vulnerability about internationalization 
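Review bot: The autodiscoverable and specification hunks have the `note` and `answer` values swapped: the instruction context says "The answer field should be boolean. In answer_note, please explain why you come to that conclusion", but the hunks set `note: 1` / `answer: 'Buffer overflows can be found by automated tools.'` and `note: 0` / `answer: 'No speicifications are mentioned ...'`. Swap them so `answer` holds the boolean and `note` holds the explanation, and fix "speicifications" to "specifications" while doing so. In the interesting_commits hunk, "Howvwer it didnt cover" should be "However, it didn't cover".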
@@ -253,8 +253,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: The issue was regarding byte buffers. Characters were not involved. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -268,8 +268,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: The feature that has the issue is a method of storing paged data. It is not a sandbox feature. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +280,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 1 + note: The exploit involves user input to modify a file controlling buffer size. discussion: question: | Was there any discussion surrounding this? @@ -307,9 +307,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: 0 + any_discussion: 0 + note: No bug discussion, and the mail chain is just a series of concurrent fixes. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -322,8 +322,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 1 + note: 'The commit has an acknowledgement reading "Signed-off-by: Steven Rostedt "' stacktrace: question: | Are there any stacktraces in the bug reports? 
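Review bot: The ipc hunk sets `answer: 1` but its note ("The exploit involves user input to modify a file controlling buffer size") describes a user writing to a file the kernel reads, which is user-to-kernel input rather than communication between processes; the question in the surrounding context is specifically "Did the feature that this vulnerability affected use inter-process communication", so either justify why this counts as IPC or set the answer to false. In the vouch hunk the quoted sign-off ('Signed-off-by: Steven Rostedt "') has a dangling space where the e-mail address was dropped; quote the line as it appears in the commit or trim the trailing space.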
@@ -337,9 +337,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: 0 + stacktrace_with_fix: 0 + note: The commit and mail chain do not have a stacktrace, only instructions for repriduction and likely cause. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -358,8 +358,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 0 + note: The fix involved changing incorrect calculations. No checks were added. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -371,8 +371,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: 1 + note: The order of rounding up the buffer size and multiplying the buffer size by the page count has been reversed. lessons: question: | Are there any common lessons we have learned from class that apply to this 
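Review bot: The forgotten_check and order_of_operations answers in these hunks should be checked against both fix commits listed earlier in this file: the note for 0b8eecc14410eaa197809f66f4de8fa85c2721ed quotes its subject as "Use long for nr_pages to avoid overflow failures", which is a type-width change, so "The fix involved changing incorrect calculations" and "The order of rounding up the buffer size and multiplying ... has been reversed" may only describe one of the two fixes; state which commit each answer refers to. Also fix "repriduction" to "reproduction" in the stacktrace note.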
@@ -389,38 +389,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: 0 note: least_privilege: - applies: + applies: 0 note: frameworks_are_optional: - applies: + applies: 0 note: native_wrappers: - applies: + applies: 0 note: distrust_input: - applies: - note: + applies: 1 + note: The functionality previously trusted the buffer sizes from a file that could be modified by a user. security_by_obscurity: - applies: + applies: 0 note: serial_killer: - applies: + applies: 0 note: environment_variables: - applies: + applies: 0 note: secure_by_default: - applies: + applies: 0 note: yagni: - applies: + applies: 0 note: complex_inputs: - applies: - note: + applies: 1 + note: The functionality lacks boundary checks for the buffer. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -450,7 +450,14 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + This was likely a planning error. The issue was caused by a mixup in algebraic logic. + I suspect this was simply a lack of oversight and concept testing when designing said + logic. The CWE recommends that a bahvior that is seen as 'out-of-bounds' is strictly + defined. This is not seen in the code itself, but is possibly present in some planning + documentation. There is also no check to make sure the buffer is in bounds. The other + mitigations, however, about learly understanding the behavior of the signed integers + that are used are met. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
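Review bot: The mistakes answer in the last hunk has two typos to fix before merge: "bahvior" should be "behavior" and "learly understanding" should be "clearly understanding". The complex_inputs note ("The functionality lacks boundary checks for the buffer") also sits uneasily next to the forgotten_check answer earlier in this file, which states "No checks were added"; if a missing bounds check is part of the diagnosis, say whether the fix added one or whether the lesson is about a check that is still absent.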
@@ -469,11 +476,10 @@ CWE_instructions: | CWE: - 190 CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". + Manually Confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: Ring Buffer Overflow CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H From f44635fe2379535f774890a61c0985d3fa1d667c Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:15:03 -0500 Subject: [PATCH 05/20] Fix tabbing in CVE-2022-0516 interesting_commits --- cves/kernel/CVE-2022-0516.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 024235ac2..2d142eeaa 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml 
@@ -238,12 +238,12 @@ interesting_commits: commits: - commit: a43b80b782c9f56b3bcc2e5e51261dc3980839ec note: | - There is 2 years worth of work on this subsystem and even file from the origin - to the fix, but none of them really did anything with the Guest users functionality - except this one. This one adds a global for debugging, KVM_GUESTDBG_VALID_MASK. - Though it has no effect on the specific function of the bug, it is interesting that - permissions debugging systems were made in the bug's subsystem, and yet the bug - remained elusive. + There is 2 years worth of work on this subsystem and even file from the origin + to the fix, but none of them really did anything with the Guest users functionality + except this one. This one adds a global for debugging, KVM_GUESTDBG_VALID_MASK. + Though it has no effect on the specific function of the bug, it is interesting that + permissions debugging systems were made in the bug's subsystem, and yet the bug + remained elusive. i18n: question: | Was the feature impacted by this vulnerability about internationalization From b4b960ec42d50337fcaa3aedf5d872d7d97a23a8 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:30:22 -0500 Subject: [PATCH 06/20] fix booleans to succeed checks --- cves/kernel/CVE-2016-9754.yml | 60 +++++++++++++++++------------------ cves/kernel/CVE-2022-0516.yml | 56 ++++++++++++++++---------------- 2 files changed, 58 insertions(+), 58 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 3594b96b7..ac2a4b475 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
@@ -89,7 +89,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: 0b8eecc14410eaa197809f66f4de8fa85c2721ed +- commit: falseb8eecc14410eaa197809f66f4de8fa85c2721ed note: 'Found in kernel.org changelog: "ring-buffer: Use long for nr_pages to avoid overflow failures"' - commit: 59643d1535eb220668692a5359de22545af579f6 note: | @@ -133,9 +133,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: 0 + code: false code_answer: 'No unit tests were added when the ring buffer feature was added' - fix: 0 + fix: false fix_answer: 'No unit tests were added in the fixes' discovered: question: | @@ -152,9 +152,9 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: 'The issue was reported by a Red Hat employee' - automated: 0 - contest: 0 - developer: 0 + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,7 +171,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: 1 + note: true answer: 'Buffer overflows can be found by automated tools.' specification: instructions: | @@ -188,7 +188,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: 0 + note: false answer: 'No speicifications are mentioned in the commit, bug report, or mail chain' subsystem: question: | @@ -253,7 +253,7 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: The issue was regarding byte buffers. Characters were not involved. sandbox: question: | 
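Review bot: The first hunk corrupts a commit hash: `- commit: 0b8eecc14410eaa197809f66f4de8fa85c2721ed` becomes `+ commit: falseb8eecc14410eaa197809f66f4de8fa85c2721ed`, which is a leading `0` caught by a blanket `0` to `false` substitution. Revert this line to the original hash; every other `0`/`1` replacement in this patch should be re-checked for the same problem, since hashes, bug IDs and numeric counts share the same digits as the booleans being converted. Separately, the autodiscoverable and specification hunks convert `note: 1` to `note: true` and `note: 0` to `note: false` but leave the note/answer swap from PATCH 04 in place; the boolean belongs in `answer` and the explanation in `note`.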
@@ -268,7 +268,7 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: The feature that has the issue is a method of storing paged data. It is not a sandbox feature. ipc: question: | @@ -280,7 +280,7 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 1 + answer: true note: The exploit involves user input to modify a file controlling buffer size. discussion: question: | @@ -307,8 +307,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: 0 - any_discussion: 0 + discussed_as_security: false + any_discussion: false note: No bug discussion, and the mail chain is just a series of concurrent fixes. vouch: question: | @@ -322,7 +322,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 1 + answer: true note: 'The commit has an acknowledgement reading "Signed-off-by: Steven Rostedt "' stacktrace: question: | @@ -337,8 +337,8 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: 0 - stacktrace_with_fix: 0 + any_stacktraces: false + stacktrace_with_fix: false note: The commit and mail chain do not have a stacktrace, only instructions for repriduction and likely cause. forgotten_check: question: | @@ -358,7 +358,7 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: The fix involved changing incorrect calculations. No checks were added. order_of_operations: question: | 
@@ -371,7 +371,7 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 1 + answer: true note: The order of rounding up the buffer size and multiplying the buffer size by the page count has been reversed. lessons: question: | @@ -389,37 +389,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: 0 + applies: false note: least_privilege: - applies: 0 + applies: false note: frameworks_are_optional: - applies: 0 + applies: false note: native_wrappers: - applies: 0 + applies: false note: distrust_input: - applies: 1 + applies: true note: The functionality previously trusted the buffer sizes from a file that could be modified by a user. security_by_obscurity: - applies: 0 + applies: false note: serial_killer: - applies: 0 + applies: false note: environment_variables: - applies: 0 + applies: false note: secure_by_default: - applies: 0 + applies: false note: yagni: - applies: 0 + applies: false note: complex_inputs: - applies: 1 + applies: true note: The functionality lacks boundary checks for the buffer. mistakes: question: | @@ -472,7 +472,7 @@ CWE_instructions: | apply here, then place them in an array like this CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok - CWE: 123 # also ok + CWE: true23 # also ok CWE: - 190 CWE_note: | diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 2d142eeaa..609e6c6ad 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml 
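Review bot: The last hunk for CVE-2016-9754.yml damages the template's instruction text: `CWE: 123 # also ok` becomes `CWE: true23 # also ok`, another artefact of replacing a bare `1` with `true`. Revert that line; the instructions are not curation fields and should not change in this commit.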
@@ -106,7 +106,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: 19e1227768863a1469797c13ef8fea1af7beac2c +- commit: true9e1227768863a1469797c13ef8fea1af7beac2c note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 0 +upvotes: false unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -130,9 +130,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: 0 + code: false code_answer: 'There were no surrounding tests. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' - fix: 0 + fix: false fix_answer: 'No tests were added. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' discovered: question: | @@ -169,7 +169,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: 'This issue was purely about permissions.' - answer: 0 + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -186,7 +186,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: 'NVD, the commit notes, pull request, and bug report all have no mention of such violations.' - answer: 0 + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
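Review bot: Two more values are corrupted in this file's hunks: the vccs entry `- commit: 19e1227768863a1469797c13ef8fea1af7beac2c` becomes `true9e1227768863a1469797c13ef8fea1af7beac2c`, and `upvotes: 0` becomes `upvotes: false`, although upvotes is a numeric score ("the upvotes score on your branch" in the surrounding context), not a boolean. Revert both lines to the original hash and `0`; only the fields whose instructions say "true or false" should have been converted.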
@@ -256,7 +256,7 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: 'The issue is purely regarding permissions. Language and character sets are not involved.' sandbox: question: | @@ -271,7 +271,7 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 1 + answer: true note: | The permissions issue is regarding guest user functionality. The guest user defaults were meant to give limited default permissions to the system. @@ -286,7 +286,7 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: | The issue was purely regarding the permission checks of the KVM subsystem. No user input or other communications affected the functionality in question. @@ -315,8 +315,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: 0 - any_discussion: 0 + discussed_as_security: false + any_discussion: false note: 'The bug report and mailing list discussions seem to only state the bug and the progress toward fixing it.' vouch: question: | @@ -330,7 +330,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: 'The fix was made directly by Linus. No acknowledgements are present in the commit message like they are for the origin commit.' stacktrace: question: | 
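Review bot: the sandbox note (hunk at line 271) justifies `answer: true` with "guest user functionality" and "guest user defaults", but in KVM "guest" means the virtual machine, not a user account; the rest of this file talks about KVM guest permissions and a protected-VM check, so the note should say which of the two it means and why that counts as a sandboxing feature. The ipc note in the next hunk claims "No user input or other communications affected the functionality in question", which sits uneasily next to a permissions check that a local user triggers; a sentence explaining that the check is reached from the guest/VM control path rather than through IPC would make the `false` answer traceable.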
@@ -345,8 +345,8 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: 0 - stacktrace_with_fix: 0 + any_stacktraces: false + stacktrace_with_fix: false note: 'No stacktraces are seen in the disussions or commits. This is a about a missing check, so there is no system error to trace.' forgotten_check: question: | @@ -366,7 +366,7 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 1 + answer: true note: | The Debian vulnerability notes write it specifically as an "insufficient check in the KVM subsystem for s390x". The missing check was for if the virtual cpu for checking if the kvm subsystem was protected. @@ -381,7 +381,7 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: 0 + answer: false note: 'The fix is just adding a new if statement.' lessons: question: | 
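Review bot: the forgotten_check note (hunk at line 366) is not readable as written: "The missing check was for if the virtual cpu for checking if the kvm subsystem was protected." Rewrite it to state the check plainly, e.g. "The missing check was whether the VM the virtual CPU belongs to is a protected VM." The unchanged stacktrace note just above still carries two typos in context ("disussions", "This is a about a missing check"); since this series is already doing typo cleanup in the sibling file, fix them here too.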
@@ -399,41 +399,41 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: 1 + applies: true note: | The Virtual CPU functionality was made to prevent issues in the KVM subsystem from tampering with CPU operations, but the missing check for the CPUs protections made this functionality useless. least_privilege: - applies: 1 + applies: true note: | The Guest users are intended to have limited privledges. The KVM subsyetme assumes no privledges where privledges aren't defined. This missing check caused guest users to be able to get write privledges by default instead. frameworks_are_optional: - applies: 0 + applies: false note: native_wrappers: - applies: 0 + applies: false note: distrust_input: - applies: 0 + applies: false note: security_by_obscurity: - applies: 0 + applies: false note: serial_killer: - applies: 0 + applies: false note: environment_variables: - applies: 0 + applies: false note: secure_by_default: - applies: 0 + applies: false note: yagni: - applies: 0 + applies: false note: complex_inputs: - applies: 0 + applies: false note: mistakes: question: | @@ -484,7 +484,7 @@ CWE_instructions: | apply here, then place them in an array like this CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok - CWE: 123 # also ok + CWE: true23 # also ok CWE: 280 CWE_note: nickname_instructions: | From 28a4b0c2f42cea585343881cefd071c70e3eadd9 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:33:24 -0500 Subject: [PATCH 07/20] fix unit_tested, sandbox, i18n, and ipc notes --- cves/kernel/CVE-2016-9754.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index ac2a4b475..b962d71b6 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
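Review bot: the final hunk (CWE_instructions at line 484) repeats the corruption seen in the other file: `- CWE: 123 # also ok` → `+ CWE: true23 # also ok`; restore `CWE: 123 # also ok`. In the least_privilege note of the first hunk the unchanged context lines contain "privledges" (three times) and "subsyetme"; correct to "privileges" and "subsystem" while this block is being touched.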
@@ -254,7 +254,7 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The issue was regarding byte buffers. Characters were not involved. + note: 'The issue was regarding byte buffers. Characters were not involved.' sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -269,7 +269,7 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The feature that has the issue is a method of storing paged data. It is not a sandbox feature. + note: 'The feature that has the issue is a method of storing paged data. It is not a sandbox feature.' ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -281,7 +281,7 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: The exploit involves user input to modify a file controlling buffer size. + note: 'The exploit involves user input to modify a file controlling buffer size.' discussion: question: | Was there any discussion surrounding this? From 6316e0fa051d92a216400de92af4467b6b96c349 Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:36:47 -0500 Subject: [PATCH 08/20] Fix vccs quotes --- cves/kernel/CVE-2016-9754.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index b962d71b6..816528620 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
@@ -108,9 +108,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 7a8e76a3829f1067b70f715771ff88baf2fbf3c3 - note: Discovered automatically by archeogit. Introduces the ring buffer. + note: 'Discovered automatically by archeogit. Introduces the ring buffer.' - commit: 83f40318dab00e3298a1f6d0b12ac025e84e478d - note: Discovered automatically by archeogit. Adds the capability to remove pages from a ring buffer without destroying any existing data in it. + note: 'Discovered automatically by archeogit. Adds the capability to remove pages from a ring buffer without destroying any existing data in it.' upvotes_instructions: | For the first round, ignore this upvotes number. @@ -359,7 +359,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The fix involved changing incorrect calculations. No checks were added. + note: 'The fix involved changing incorrect calculations. No checks were added.' order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of From 773e65cbe117dabb75cab877957fa232ef6d1a1b Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:40:23 -0500 Subject: [PATCH 09/20] fix specification answer --- cves/kernel/CVE-2016-9754.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 816528620..1dff14378 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -188,8 +188,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: false - answer: 'No speicifications are mentioned in the commit, bug report, or mail chain' + note: 'No speicifications are mentioned in the commit, bug report, or mail chain' + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
From 34ee0ca496eec365a3d679547e86e03cd5e7821f Mon Sep 17 00:00:00 2001 From: evstod Date: Sat, 11 Nov 2023 15:44:31 -0500 Subject: [PATCH 10/20] fix autodiscoverable answer --- cves/kernel/CVE-2016-9754.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 1dff14378..ac9ec7af1 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -171,8 +171,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: true - answer: 'Buffer overflows can be found by automated tools.' + note: 'Buffer overflows can be found by automated tools.' + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX From 29c9f41cbe692c8eab96ccb73d5db909e1d3f969 Mon Sep 17 00:00:00 2001 From: Evan Stoddard <38697067+evstod@users.noreply.github.com> Date: Mon, 13 Nov 2023 14:14:20 -0500 Subject: [PATCH 11/20] CVE-2016-9754 specifications typo fix Co-authored-by: Sharad Khanna --- cves/kernel/CVE-2016-9754.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index ac9ec7af1..dd82c02bf 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -188,7 +188,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: 'No speicifications are mentioned in the commit, bug report, or mail chain' + note: 'No specifications are mentioned in the commit, bug report, or mail chain' answer: false subsystem: question: | From 1175637ed1969a8568f21771586d91801192ab23 Mon Sep 17 00:00:00 2001 
From: evstod Date: Mon, 13 Nov 2023 14:21:35 -0500 Subject: [PATCH 12/20] Redefine "buffer overflow" as "integer overflow While the vuln regards an int that controls a buffer size, it is not a buffer overflow --- cves/kernel/CVE-2016-9754.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index dd82c02bf..b6d07c65f 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -171,7 +171,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: 'Buffer overflows can be found by automated tools.' + note: 'Integer overflows can be found by automated tools.' answer: true specification: instructions: | @@ -240,7 +240,7 @@ interesting_commits: * Anything else you find interesting. commits: - commit: 9b94a8fba501f38368aef6ac1b30e7335252a220 - note: This seems to be an attempt at fixing the buffer overflow. Howvwer it didnt cover every cause, so overflow was still possible. + note: This seems to be an attempt at fixing the integer overflow. However it didnt cover every cause, so overflow was still possible. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -420,7 +420,7 @@ lessons: note: complex_inputs: applies: true - note: The functionality lacks boundary checks for the buffer. + note: The functionality lacks boundary checks for the integer that controls buffer size. mistakes: question: | In your opinion, after all of this research, what mistakes were made that From 5087cc03eb5f0e70ca2bcda46fc16d38fb0cf67d Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 14:25:31 -0500 Subject: [PATCH 13/20] Fix missing char in VCC commit id CVE-2022-0516 --- cves/kernel/CVE-2022-0516.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 609e6c6ad..7643cad7e 100644 
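Review bot: the interesting_commits hunk (line 240) fixes "Howvwer" but leaves "However it didnt cover every cause"; it should read "However, it didn't cover every cause". The reclassification itself is consistent with the rest of the file: the fix commit title quoted elsewhere in this series ("Use long for nr_pages to avoid overflow failures") and the complex_inputs note now both describe the integer that controls the buffer size rather than a buffer overflow.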
--- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -106,7 +106,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: true9e1227768863a1469797c13ef8fea1af7beac2c +- commit: '19e1227768863a1469797c13ef8fea1af7beac2c' note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. From e0c2ff18628652c3eae7a812e6f6e6597c47d978 Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 14:29:56 -0500 Subject: [PATCH 14/20] fix broken fix commit id --- cves/kernel/CVE-2016-9754.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index b6d07c65f..1dc269bc3 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -89,7 +89,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: falseb8eecc14410eaa197809f66f4de8fa85c2721ed +- commit: 0b8eecc14410eaa197809f66f4de8fa85c2721ed note: 'Found in kernel.org changelog: "ring-buffer: Use long for nr_pages to avoid overflow failures"' - commit: 59643d1535eb220668692a5359de22545af579f6 note: | From afd6a554e4cd325dcfd42c945822b9ab72dda998 Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 14:39:16 -0500 Subject: [PATCH 15/20] CVE-2016-9754 change ipc answer to false. --- cves/kernel/CVE-2016-9754.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 1dc269bc3..08d1aa2fa 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
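Review bot: both hunks repair hashes that the earlier `0`→`false` / `1`→`true` substitution damaged (`true9e12...` and `falseb8eecc...`), but that substitution also hit `CWE: 123 # also ok` in both files, which still reads `CWE: true23 # also ok` after this patch. Rather than fixing occurrences one at a time, run a check such as `grep -nE '(true|false)[0-9a-f]' cves/kernel/CVE-2016-9754.yml cves/kernel/CVE-2022-0516.yml` and correct everything it reports in one commit. Quoting the restored `19e1227...` hash but not the `0b8eecc...` one is inconsistent; quote both.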
@@ -280,8 +280,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: true - note: 'The exploit involves user input to modify a file controlling buffer size.' + answer: false + note: 'The buffer size integer is not controlled by the user unless they manually set it in debug mode. The calculations occur automatically.' discussion: question: | Was there any discussion surrounding this? From ed241d3ba90f5cf0101dd6351dff45e525cc3595 Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 14:44:23 -0500 Subject: [PATCH 16/20] Revert "CVE-2016-9754 change ipc answer to false." This reverts commit afd6a554e4cd325dcfd42c945822b9ab72dda998. --- cves/kernel/CVE-2016-9754.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 08d1aa2fa..1dc269bc3 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -280,8 +280,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: false - note: 'The buffer size integer is not controlled by the user unless they manually set it in debug mode. The calculations occur automatically.' + answer: true + note: 'The exploit involves user input to modify a file controlling buffer size.' discussion: question: | Was there any discussion surrounding this? From 65836342da6d4e815f868ec21761c54e1e622e7e Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 14:52:30 -0500 Subject: [PATCH 17/20] Change upvotes to 2 --- cves/kernel/CVE-2016-9754.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 1dc269bc3..a5bd0fda0 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
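Review bot: the revert restores `answer: true` with the note "The exploit involves user input to modify a file controlling buffer size", but that note describes user input, not inter-process communication, which is what the ipc question asks about; the reasoning in the reverted version ("not controlled by the user unless they manually set it in debug mode") was at least specific. Whichever answer stands, the note should say why writing to the debugfs file does or does not count as IPC, otherwise the next reader will flip it again.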
@@ -118,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? From 997a01f1896ebdeb94969f42479c0961fa7d10d6 Mon Sep 17 00:00:00 2001 From: evstod Date: Mon, 13 Nov 2023 15:07:32 -0500 Subject: [PATCH 18/20] Add upvotes --- cves/kernel/CVE-2016-9754.yml | 2 +- cves/kernel/CVE-2022-0516.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index a5bd0fda0..068e0e217 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -118,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 2 +upvotes: 1 unit_tested: question: | Were automated unit tests involved in this vulnerability? diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 7643cad7e..9e3546786 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: false +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? From 82cd6a92e0ba079f724de34879a96089bb240276 Mon Sep 17 00:00:00 2001 From: evstod Date: Wed, 15 Nov 2023 14:15:39 -0500 Subject: [PATCH 19/20] Update upvotes --- cves/kernel/CVE-2016-9754.yml | 2 +- cves/kernel/CVE-2022-0516.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
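Review bot: patches 17 and 18 rewrite the same `upvotes` field of CVE-2016-9754.yml back to back (`2` then `1`); squash them so the history records one intended value. The CVE-2022-0516.yml hunk also corrects the field's type (`upvotes: false` → `upvotes: 2`), which is the right fix for the earlier substitution error.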
diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 068e0e217..9bad02ac1 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml @@ -118,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 1 +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 9e3546786..24629767b 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 2 +upvotes: 10 unit_tested: question: | Were automated unit tests involved in this vulnerability? From 86d3715693485a1a7dbf718bf8a478c09d091326 Mon Sep 17 00:00:00 2001 From: evstod Date: Thu, 16 Nov 2023 11:13:53 -0500 Subject: [PATCH 20/20] upvotes & type fixes --- cves/kernel/CVE-2016-9754.yml | 14 +++++++------- cves/kernel/CVE-2022-0516.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cves/kernel/CVE-2016-9754.yml b/cves/kernel/CVE-2016-9754.yml index 9bad02ac1..8048c7f25 100644 --- a/cves/kernel/CVE-2016-9754.yml +++ b/cves/kernel/CVE-2016-9754.yml 
@@ -58,8 +58,8 @@ description_instructions: | description: | The ring_buffer_resize function used for converting a buffer for use in a userspace in the profiling subsystem mishandles certain integer calculations. This - misculaculation is capable of causing an overflow during ineger rounding. This - allows users to gain unintended privileges by changing the buffer suze by + miscalculation is capable of causing an overflow during integer rounding. This + allows users to gain unintended privileges by changing the buffer size by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. bounty_instructions: | If you came across any indications that a bounty was paid out for this @@ -118,7 +118,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 3 +upvotes: 8 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -339,7 +339,7 @@ stacktrace: what your answer was. any_stacktraces: false stacktrace_with_fix: false - note: The commit and mail chain do not have a stacktrace, only instructions for repriduction and likely cause. + note: The commit and mail chain do not have a stacktrace, only instructions for reproduction and likely cause. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
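Review bot: the description hunk fixes the spelling but leaves the opening sentence hard to parse: "The ring_buffer_resize function used for converting a buffer for use in a userspace in the profiling subsystem mishandles certain integer calculations." Say what the function does in one clause, e.g. "The ring_buffer_resize function in the tracing subsystem, which resizes the ring buffer exposed to userspace, mishandles an integer calculation"; the later sentence about `/sys/kernel/debug/tracing/buffer_size_kb` then explains how a user reaches it. The stacktrace hunk's "repriduction" → "reproduction" fix is fine.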
@@ -453,11 +453,11 @@ mistakes: answer: | This was likely a planning error. The issue was caused by a mixup in algebraic logic. I suspect this was simply a lack of oversight and concept testing when designing said - logic. The CWE recommends that a bahvior that is seen as 'out-of-bounds' is strictly + logic. The CWE recommends that a behavior that is seen as 'out-of-bounds' is strictly defined. This is not seen in the code itself, but is possibly present in some planning documentation. There is also no check to make sure the buffer is in bounds. The other - mitigations, however, about learly understanding the behavior of the signed integers - that are used are met. + mitigations, however, about clearly understanding the behavior of the signed integers + that are used, are met. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2022-0516.yml b/cves/kernel/CVE-2022-0516.yml index 24629767b..6eaf3ac7b 100644 --- a/cves/kernel/CVE-2022-0516.yml +++ b/cves/kernel/CVE-2022-0516.yml @@ -115,7 +115,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 10 +upvotes: 12 unit_tested: question: | Were automated unit tests involved in this vulnerability?