From 588b847539298e0b9bb8ad6d7f3cd44ad28379ef Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 10:29:52 -0500 Subject: [PATCH 01/20] cve-2019-12379 and cve-2015-7566 inital commit --- cves/kernel/CVE-2015-7566.yml | 2 +- cves/kernel/CVE-2019-12379.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 309b12e95..1eb8b06c5 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 7b1556d31..1363c7ad9 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From 0b77c5f5bb8908820888355fb959c58229a2521a Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 12:19:42 -0500 Subject: [PATCH 02/20] completed cve-2019-12379 --- cves/kernel/CVE-2019-12379.yml | 143 ++++++++++++++++++--------------- 1 file changed, 76 insertions(+), 67 deletions(-) 
diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 1363c7ad9..c8400612f 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: 2019-05-28 announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -40,21 +40,11 @@ published_instructions: | Please enter your date in YYYY-MM-DD format. published_date: '2019-05-28' description_instructions: | - You can get an initial description from the CVE entry on cve.mitre.org. These - descriptions are a fine start, but they can be kind of jargony. - - Rewrite this description IN YOUR OWN WORDS. Make it interesting and easy to - read to anyone with some programming experience. We can always pull up the NVD - description later to get more technical. - - Try to still be specific in your description, but remove project-specific - stuff. Remove references to versions, specific filenames, and other jargon - that outsiders to this project would not understand. Technology like "regular - expressions" is fine, and security phrases like "invalid write" are fine to - keep too. - - Your target audience is people just like you before you took any course in - security + A possible memory leak in the Linux drivers. This issue can lead to a situation where the + system uses up memory unnecessarily, especially in cases where the system is + already low on memory. This can potentially cause disruptions in the system's + performance and stability. Whether this was actually a problem is debated, though it seems like + it was never a problem to begin with. description: bounty_instructions: | If you came across any indications that a bounty was paid out for this 
@@ -84,18 +74,17 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: - commit: note: - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. + This may have actually caused the issue, instead of fixing it. + (See the other commit for detailed info on why this wasn't an issue.) - commit: 15b3cd8ef46ad1b100e0d3c7e38774f330726820 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. This reverts + 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac vcc_instructions: | The vulnerability-contributing commits. @@ -110,9 +99,11 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. -- commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Manually confirmed. This is the inital commit of the repo. +- commit: Taken from NVD references list with Git commit. Manually confirmed. + note: | + Discovered automatically by archeogit. Manually confirmed. This may have fixed the memory leak, though + it appears that it may have actually caused one. upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -135,10 +126,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No unit testing + fix: False + fix_answer: No unit testing discovered: question: | How was this vulnerability discovered? @@ -153,8 +144,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: + answer: | + Unsure how the possible memory leak was discovered. Checked commit history and any discussion posts. + It is unclear if this is a vulnerability and the fix put in place probably caused one. + automated: False contest: developer: autodiscoverable: @@ -173,8 +166,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + A brute force fuzzer attack or stress test could discover the memory leak. This is because it would + slowly eat up all the memory and either crash or slow the system considerably. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -190,8 +185,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + Could not find any evidence of the specification. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -225,8 +221,9 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: drivers + note: | + Specifically drivers/tty/vt/consolemap.c in con_insert_unipair. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
@@ -241,8 +238,11 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac + note: | + This was an attempt to fix the memory leak. However, it seems to have introduced a memory leak into the system + as it incorrectly freed memory. See the revert 15b3cd8ef46ad1b100e0d3c7e38774f330726820 for more information on + why this commit introduced a memory leak instead of fixing one. - commit: note: i18n: @@ -257,8 +257,9 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No evidence of internationalization being related to this. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +273,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + This is unrealted to permissions. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +286,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + The error is contained within itself. discussion: question: | Was there any discussion surrounding this? 
@@ -311,9 +314,13 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: | + Commit 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac is an attempt to fix the memory leak. + Commit 15b3cd8ef46ad1b100e0d3c7e38774f330726820 reverts the previous commit as it creates one. + There are no comments on either. + any_discussion: True + note: | + All references to this issue in the future ignore it. It seems this was a nonissue. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -326,8 +333,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + Nothing found. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -341,9 +349,10 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: + any_stacktraces: False stacktrace_with_fix: - note: + note: | + No stacktraces found. Unclear if this was even an issue. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +371,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: Issue is concerning freeing memory and does not check values. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
@@ -375,8 +384,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: Issue is concerning freeing memory and order does not matter. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -393,37 +402,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: + applies: False note: security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | From fc4458612738e03d03a54f9daad6e313cecc5e33 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:01:14 -0500 Subject: [PATCH 03/20] cve-2015-7566 completed --- cves/kernel/CVE-2015-7566.yml | 85 +++++++++++++++++++--------------- cves/kernel/CVE-2019-12379.yml | 49 +++++++++++++------- 2 files changed, 80 insertions(+), 54 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 1eb8b06c5..d866a7c36 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml 
@@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-02-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + When using a USB device that lacks a bulk-out endpoint (what sends data from the host to the device), + a NULL pointer error occurs. This causes the system to crash which can lead to more errors and corruption. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +77,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1296466, 1297517] fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,8 +92,7 @@ fixes: note: - commit: cb3232138e37129e88240a98a1d2aba2187ff57c note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Taken from NVD references list with Git commit. Manually confirmed. vcc_instructions: | The vulnerability-contributing commits. @@ -106,7 +107,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - note: Discovered automatically by archeogit. + note: Discovered automatically by archeogit. Manually confirmed. This is the inital commit of the repo. upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -129,10 +130,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: False + code_answer: No unit tests + fix: False + fix_answer: No unit tests discovered: question: | How was this vulnerability discovered? @@ -147,7 +148,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: + answer: Ralf Spenneberg of OpenSource Security reported the issue. automated: contest: developer: @@ -266,8 +267,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + An unprivileged user with physical access could trigger a kernel NULL-pointer dereference. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +280,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + The error is concerning the bulk OUT endpoint of USB devices. When it attempts to communicate + with a USB device without the endpoint it will cause a systen crash. discussion: question: | Was there any discussion surrounding this? @@ -306,7 +310,7 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. discussed_as_security: - any_discussion: + any_discussion: False note: vouch: question: | @@ -320,8 +324,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: Code was reviewed before it was committed. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -335,9 +339,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: + any_stacktraces: False stacktrace_with_fix: - note: + note: Could not find any stacktraces forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +360,9 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: True + note: | + It was never checked to see if the USB device had a bulk OUT endpoint, which caused the errror. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +374,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: | + No order of operations present. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -387,37 +393,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: False note: least_privilege: - applies: + applies: False note: frameworks_are_optional: - applies: + applies: False note: native_wrappers: - applies: + applies: False note: distrust_input: - applies: - note: + applies: True + note: Because it was assumed that USB's would be formatted correctly it never accounted for the vulnerability. security_by_obscurity: - applies: + applies: False note: serial_killer: - applies: + applies: False note: environment_variables: - applies: + applies: False note: secure_by_default: - applies: + applies: False note: yagni: - applies: + applies: False note: complex_inputs: - applies: + applies: False note: mistakes: question: | 
@@ -448,7 +454,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + There were no checks to make sure that there was an endpoint to write to because it was potentionally assumed + that all USB devices would be normal and working. This led the the error occuring when USb devices were inproperly + formatted or purposefully tampered with. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -464,7 +473,7 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: +CWE: 476 CWE_note: nickname_instructions: | A catchy name for this vulnerability that would draw attention it. diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index c8400612f..f10934eb2 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: 2019-05-28 +reported_date: '2019-05-28' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -40,12 +40,27 @@ published_instructions: | Please enter your date in YYYY-MM-DD format. published_date: '2019-05-28' description_instructions: | + You can get an initial description from the CVE entry on cve.mitre.org. These + descriptions are a fine start, but they can be kind of jargony. + + Rewrite this description IN YOUR OWN WORDS. Make it interesting and easy to + read to anyone with some programming experience. We can always pull up the NVD + description later to get more technical. + + Try to still be specific in your description, but remove project-specific + stuff. Remove references to versions, specific filenames, and other jargon + that outsiders to this project would not understand. Technology like "regular + expressions" is fine, and security phrases like "invalid write" are fine to + keep too. + + Your target audience is people just like you before you took any course in + security +description: | A possible memory leak in the Linux drivers. This issue can lead to a situation where the system uses up memory unnecessarily, especially in cases where the system is already low on memory. This can potentially cause disruptions in the system's - performance and stability. Whether this was actually a problem is debated, though it seems like - it was never a problem to begin with. -description: + performance and stability. However, it doesn't seem like this was ever actually an issue and + the attempted solution was quickly reverted as it ended up causing a memory leak. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -65,7 +80,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1715491] fixes_instructions: | Please put the commit hash in "commit" below. 
@@ -145,8 +160,8 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: | - Unsure how the possible memory leak was discovered. Checked commit history and any discussion posts. - It is unclear if this is a vulnerability and the fix put in place probably caused one. + Unsure how the possible memory leak was discovered. Checked commit history and discussion posts. + This was most likely never a real issue. automated: False contest: developer: @@ -315,11 +330,12 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. discussed_as_security: | - Commit 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac is an attempt to fix the memory leak. - Commit 15b3cd8ef46ad1b100e0d3c7e38774f330726820 reverts the previous commit as it creates one. - There are no comments on either. + - the suggested patch is incorrect and was reverted in the upstream + - The error path also cleared the wrong index in p->uni_pgdir[], introducing a use-after-free. + - i guess, just close trackers and this flaw with not-a-bug (per my understanding of the original code without the fix, there is really no memory leak, just a pre-allocation which may never be used) any_discussion: True note: | + https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-12379 All references to this issue in the future ignore it. It seems this was a nonissue. vouch: question: | @@ -333,9 +349,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: False - note: | - Nothing found. + answer: True + note: Code was reviewed before it was comitted. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -463,7 +478,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + It looks like there was a misunderstanding in what parts of the code were doing, which led + to the bug report being incorrectly filed and a incorrect solution being put in place that + actually caused more issues. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -479,8 +497,7 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: -- 401 +CWE: 401 CWE_note: | CWE as registered in the NVD. If you are curating, check that this is correct and replace this comment with "Manually confirmed". From afa4a3b37e676c1ebde463512b41098c17a2e3b1 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:06:26 -0500 Subject: [PATCH 04/20] linted my yaml --- cves/kernel/CVE-2019-12379.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index f10934eb2..c4454d53e 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -93,9 +93,9 @@ fixes: note: - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | - Taken from NVD references list with Git commit. Manually confirmed. - This may have actually caused the issue, instead of fixing it. - (See the other commit for detailed info on why this wasn't an issue.) + Taken from NVD references list with Git commit. Manually confirmed. + This may have actually caused the issue, instead of fixing it. + (See the other commit for detailed info on why this wasn't an issue.) - commit: 15b3cd8ef46ad1b100e0d3c7e38774f330726820 note: | Taken from NVD references list with Git commit. Manually confirmed. This reverts From e738d5cac73e7bd020edaf2b244c6bdf486b937c Mon Sep 17 00:00:00 2001 
From: AcrylicRobin Date: Mon, 6 Nov 2023 13:10:39 -0500 Subject: [PATCH 05/20] filled outdiscovered in 2019-12379 better --- cves/kernel/CVE-2019-12379.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index c4454d53e..3d360d358 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -163,8 +163,8 @@ discovered: Unsure how the possible memory leak was discovered. Checked commit history and discussion posts. This was most likely never a real issue. automated: False - contest: - developer: + contest: False + developer: False autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered From 24ce516309b9fff23faf0bde8f8a51884a74b6a7 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:12:05 -0500 Subject: [PATCH 06/20] fixed disovered in 2015-7566 --- cves/kernel/CVE-2015-7566.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index d866a7c36..94a24862c 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -149,9 +149,9 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: Ralf Spenneberg of OpenSource Security reported the issue. - automated: - contest: - developer: + automated: False + contest: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered From ba45c314836cd5a9a8ca5b94c8efa2b7a643e316 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:17:18 -0500 Subject: [PATCH 07/20] fixed bool issue --- cves/kernel/CVE-2015-7566.yml | 7 ++++--- cves/kernel/CVE-2019-12379.yml | 6 +----- 2 files changed, 5 insertions(+), 8 deletions(-) 
diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 94a24862c..b161f6c8b 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -309,9 +309,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: False - note: + discussed_as_security: False + any_discussion: True + note: | + https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7566 vouch: question: | Was there any part of the fix that involved one person vouching for diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 3d360d358..76c1a8080 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -329,14 +329,10 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: | - - the suggested patch is incorrect and was reverted in the upstream - - The error path also cleared the wrong index in p->uni_pgdir[], introducing a use-after-free. - - i guess, just close trackers and this flaw with not-a-bug (per my understanding of the original code without the fix, there is really no memory leak, just a pre-allocation which may never be used) + discussed_as_security: True any_discussion: True note: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-12379 - All references to this issue in the future ignore it. It seems this was a nonissue. vouch: question: | Was there any part of the fix that involved one person vouching for From 6d3088e4869756357bca0dc155c0f2f8ecc30f03 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:26:24 -0500 Subject: [PATCH 08/20] fixed stacktraces --- cves/kernel/CVE-2015-7566.yml | 2 +- cves/kernel/CVE-2019-12379.yml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) 
diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index b161f6c8b..c63ba25fb 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -341,7 +341,7 @@ stacktrace: Write a note about how you came to the conclusions you did, regardless of what your answer was. any_stacktraces: False - stacktrace_with_fix: + stacktrace_with_fix: False note: Could not find any stacktraces forgotten_check: question: | diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 76c1a8080..98cc1d276 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -331,8 +331,7 @@ discussion: comment you want to make. discussed_as_security: True any_discussion: True - note: | - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-12379 + note: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-12379 vouch: question: | Was there any part of the fix that involved one person vouching for @@ -361,9 +360,9 @@ stacktrace: Write a note about how you came to the conclusions you did, regardless of what your answer was. any_stacktraces: False - stacktrace_with_fix: + stacktrace_with_fix: False note: | - No stacktraces found. Unclear if this was even an issue. + No stacktraces found. Issue was falsely reported. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? From f63a91372269b8b29e53162b57666e02a8b95279 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:31:18 -0500 Subject: [PATCH 09/20] deleted empty commits sections --- cves/kernel/CVE-2015-7566.yml | 4 ---- cves/kernel/CVE-2019-12379.yml | 2 -- 2 files changed, 6 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index c63ba25fb..031f97011 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml 
@@ -86,10 +86,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: cb3232138e37129e88240a98a1d2aba2187ff57c note: | Taken from NVD references list with Git commit. Manually confirmed. diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 98cc1d276..4592f876e 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -258,8 +258,6 @@ interesting_commits: This was an attempt to fix the memory leak. However, it seems to have introduced a memory leak into the system as it incorrectly freed memory. See the revert 15b3cd8ef46ad1b100e0d3c7e38774f330726820 for more information on why this commit introduced a memory leak instead of fixing one. - - commit: - note: i18n: question: | Was the feature impacted by this vulnerability about internationalization From e7b189920f50727c0b3f6464b8800d2b56fe1765 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 13:50:21 -0500 Subject: [PATCH 10/20] deleted empty commits sections --- cves/kernel/CVE-2019-12379.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 4592f876e..fcf27a0ce 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -89,8 +89,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | Taken from NVD references list with Git commit. Manually confirmed. From 5efbfadcd024f6b2fa4988b47cb55321792d80ec Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:02:47 -0500 Subject: [PATCH 11/20] reverted changes --- cves/kernel/CVE-2019-12379.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index fcf27a0ce..b4a34b874 100644 --- a/cves/kernel/CVE-2019-12379.yml 
+++ b/cves/kernel/CVE-2019-12379.yml @@ -89,6 +89,8 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: +- commit: + note: - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | Taken from NVD references list with Git commit. Manually confirmed. @@ -256,6 +258,8 @@ interesting_commits: This was an attempt to fix the memory leak. However, it seems to have introduced a memory leak into the system as it incorrectly freed memory. See the revert 15b3cd8ef46ad1b100e0d3c7e38774f330726820 for more information on why this commit introduced a memory leak instead of fixing one. + - commit: + note: i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -358,7 +362,7 @@ stacktrace: any_stacktraces: False stacktrace_with_fix: False note: | - No stacktraces found. Issue was falsely reported. + No stacktraces found. Unclear if this was even an issue. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -497,4 +501,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: +CVSS: \ No newline at end of file From 12a87651270922ba840a14d0f32c30676b1a6110 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:07:40 -0500 Subject: [PATCH 12/20] test --- cves/kernel/CVE-2019-12379.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index b4a34b874..8e1de89ab 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml 
@@ -98,8 +98,8 @@ fixes: (See the other commit for detailed info on why this wasn't an issue.) - commit: 15b3cd8ef46ad1b100e0d3c7e38774f330726820 note: | - Taken from NVD references list with Git commit. Manually confirmed. This reverts - 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac + Taken from NVD references list with Git commit. Manually confirmed. This reverts the + previous commit. vcc_instructions: | The vulnerability-contributing commits. From 53284882b8b6bdab5d16faf567d48632d7bd577e Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:12:01 -0500 Subject: [PATCH 13/20] fixed vccs --- cves/kernel/CVE-2019-12379.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 8e1de89ab..fe94e3fec 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -91,11 +91,8 @@ fixes_instructions: | fixes: - commit: note: -- commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac - note: | - Taken from NVD references list with Git commit. Manually confirmed. - This may have actually caused the issue, instead of fixing it. - (See the other commit for detailed info on why this wasn't an issue.) +- commit: + note: - commit: 15b3cd8ef46ad1b100e0d3c7e38774f330726820 note: | Taken from NVD references list with Git commit. Manually confirmed. This reverts the 
@@ -115,10 +112,10 @@ vcc_instructions: | vccs: - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 note: Discovered automatically by archeogit. Manually confirmed. This is the inital commit of the repo. -- commit: Taken from NVD references list with Git commit. Manually confirmed. +- commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | - Discovered automatically by archeogit. Manually confirmed. This may have fixed the memory leak, though - it appears that it may have actually caused one. + Discovered automatically by archeogit. Manually confirmed. In an attempt to fix the memory leak, it actually + caused one. upvotes_instructions: | For the first round, ignore this upvotes number. From 4fa0c4ceac290d3bc761779fcc858fee716e3d6b Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:16:19 -0500 Subject: [PATCH 14/20] added subsystem for 2015-7566 --- cves/kernel/CVE-2015-7566.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 031f97011..a0741588b 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -216,7 +216,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | From cf8b178e3d5917713b97dfae5ba1e96b0a120975 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:20:11 -0500 Subject: [PATCH 15/20] filled out 2015-7566 more --- cves/kernel/CVE-2015-7566.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index a0741588b..21b5bc20b 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml 
@@ -164,8 +164,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: True + answer: You can brute force (or check physically) for this check to make sure it was erformed. specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -181,8 +181,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of specifications. + answer: False subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -217,7 +217,8 @@ subsystem: name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok name: drivers - note: + note: | + Specifically drivers/usb/serial/visor.c in clie_5_attach. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? From 2ecccbe3c965a4d93b7c8cc386eaf647000b3959 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:27:43 -0500 Subject: [PATCH 16/20] fixed typos: --- cves/kernel/CVE-2015-7566.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 21b5bc20b..f36838628 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -144,10 +144,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: Ralf Spenneberg of OpenSource Security reported the issue. + answer: Ralf Spenneberg of OpenSource Security reported the issue. Does not specify how it was found. automated: False contest: False - developer: True + developer: False autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered From fd0f20baef5045f9f592742236166c28c291caee Mon Sep 17 00:00:00 2001 
From: AcrylicRobin Date: Mon, 6 Nov 2023 14:33:27 -0500 Subject: [PATCH 17/20] fixed formatting maybe: --- cves/kernel/CVE-2015-7566.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index f36838628..2b21e6046 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -165,7 +165,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: True - answer: You can brute force (or check physically) for this check to make sure it was erformed. + answer: You can brute force (or check physically) for this check if it was accounted for. specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -249,8 +249,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: False + note: No internationalization present sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -359,8 +359,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: | - It was never checked to see if the USB device had a bulk OUT endpoint, which caused the errror. + note: It was never checked to see if the USB device had a bulk OUT endpoint, which caused the errror. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of From 9f94e4dea6cfb7f6a82fe2779684a310d6f230be Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 14:42:52 -0500 Subject: [PATCH 18/20] fixed swapped note and answer --- cves/kernel/CVE-2015-7566.yml | 4 ++-- cves/kernel/CVE-2019-12379.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 2b21e6046..468a4991c 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -164,8 +164,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: True - answer: You can brute force (or check physically) for this check if it was accounted for. + note: You can brute force (or check physically) for this check if it was accounted for. + answer: True specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index fe94e3fec..75b7adc60 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml @@ -115,7 +115,7 @@ vccs: - commit: 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac note: | Discovered automatically by archeogit. Manually confirmed. In an attempt to fix the memory leak, it actually - caused one. + caused. upvotes_instructions: | For the first round, ignore this upvotes number. From 8a319d76baafcced75da0b4aab9441f0c3fbffe8 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Mon, 6 Nov 2023 15:18:02 -0500 Subject: [PATCH 19/20] repush because i think the pipeline got stuck --- cves/kernel/CVE-2015-7566.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index 468a4991c..fd627801f 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -164,7 +164,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: You can brute force (or check physically) for this check if it was accounted for. + note: You can brute force (or check physically) for this check if it was accounted for. answer: True specification: instructions: | 
From facef243a61912fa9f371c3ac2b47bfc93112565 Mon Sep 17 00:00:00 2001 From: AcrylicRobin Date: Wed, 15 Nov 2023 13:24:27 -0500 Subject: [PATCH 20/20] made changes as suggested --- cves/kernel/CVE-2015-7566.yml | 22 ++++++++++++---------- cves/kernel/CVE-2019-12379.yml | 9 +++++---- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/cves/kernel/CVE-2015-7566.yml b/cves/kernel/CVE-2015-7566.yml index fd627801f..15ce9abdb 100644 --- a/cves/kernel/CVE-2015-7566.yml +++ b/cves/kernel/CVE-2015-7566.yml @@ -58,6 +58,8 @@ description_instructions: | description: | When using a USB device that lacks a bulk-out endpoint (what sends data from the host to the device), a NULL pointer error occurs. This causes the system to crash which can lead to more errors and corruption. + This happens due to an incomplete sanity check, the visor driver tries to dereference null-pointers when + a USB is plugged in. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -111,7 +113,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 5 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -144,10 +146,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: Ralf Spenneberg of OpenSource Security reported the issue. Does not specify how it was found. - automated: False + answer: Ralf Spenneberg of OpenSource Security reported the issue, and it was found with a fuzzer. + automated: True contest: False - developer: False + developer: True autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered 
@@ -164,7 +166,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: You can brute force (or check physically) for this check if it was accounted for. + note: Yes, it was discovered when tested with a fuzzer. answer: True specification: instructions: | @@ -264,9 +266,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: True + answer: False note: | - An unprivileged user with physical access could trigger a kernel NULL-pointer dereference. + Unrelated to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -323,7 +325,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: Code was reviewed before it was committed. + note: Code was reviewed before it was committed. Signed off by Johan Hovold and Vladis Dronov. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -390,8 +392,8 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: False - note: + applies: True + note: This applys because there was a forgotten check that led to it being insecure. least_privilege: applies: False note: diff --git a/cves/kernel/CVE-2019-12379.yml b/cves/kernel/CVE-2019-12379.yml index 75b7adc60..434ebf33e 100644 --- a/cves/kernel/CVE-2019-12379.yml +++ b/cves/kernel/CVE-2019-12379.yml 
@@ -56,7 +56,8 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - A possible memory leak in the Linux drivers. This issue can lead to a situation where the + A possible memory leak in the Linux drivers due to incorrect freeing of memory. + Memlory leaks in general can lead to a situation where the system uses up memory unnecessarily, especially in cases where the system is already low on memory. This can potentially cause disruptions in the system's performance and stability. However, it doesn't seem like this was ever actually an issue and @@ -123,7 +124,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -287,7 +288,7 @@ sandbox: what your answer was. answer: False note: | - This is unrealted to permissions. + This is unrelated to permissions. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -342,7 +343,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: True - note: Code was reviewed before it was comitted. + note: Code was reviewed before it was committed. stacktrace: question: | Are there any stacktraces in the bug reports?
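Review bot: In PATCH 11/20 ("reverted changes"), the `fixes:` and `interesting_commits:` hunks of CVE-2019-12379.yml re-add the empty `- commit:` / `note:` placeholders that PATCH 10/20 had just deleted, leaving list entries whose values are null; drop them again, or if the template requires them, say so in the commit message. The last hunk of the same patch also strips the trailing newline after `CVSS:` (the diff shows `\ No newline at end of file` on the new side only); restore it so the file ends with a newline.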
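Review bot: The `fixes:` hunks of PATCH 12/20 and PATCH 13/20 leave a dangling reference: PATCH 12 rewrites the note on 15b3cd8ef46ad1b100e0d3c7e38774f330726820 from "This reverts 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac" to "This reverts the previous commit.", and PATCH 13 then replaces the 84ecc2f6 entry above it with an empty `- commit:` placeholder, so "the previous commit" no longer names anything. Keep the explicit hash in the note; it stays correct regardless of how the list is ordered or trimmed.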
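Review bot: The `vccs:` hunk of PATCH 13/20 changes the stated provenance of 84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac: while listed under `fixes:` it was "Taken from NVD references list with Git commit", and after the move it reads "Discovered automatically by archeogit". Only one of these can be how the commit was found; record the true origin. In the same hunk, the context entry for 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("This is the inital commit of the repo.") has a typo in "inital", and that commit is the one that imported the pre-git history of the kernel, so a blame landing on it means the blamed lines predate git and says nothing about when the bug was introduced; the note should state that limitation rather than present it as a confirmed vulnerability-contributing commit.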
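Review bot: The `autodiscoverable:` hunk of PATCH 15/20 puts the boolean in the wrong field (`note: True`, `answer: You can brute force ...`) although the unchanged context line right above says "The answer field should be boolean"; the same line also has the typo "erformed". PATCH 17/20, 18/20 and 19/20 then rework this one field three more times (PATCH 17 rewords it to "if it was accounted for", which is unclear; PATCH 18 swaps the two fields back; PATCH 19 changes only whitespace, and its own message says it is a repush to unstick the pipeline). Squash these into the final PATCH 20/20 wording ("Yes, it was discovered when tested with a fuzzer." / `answer: True`) so the series does not carry the intermediate states.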
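Review bot: The `forgotten_check:` hunk of PATCH 17/20 collapses the block scalar into a single-line `note:` but keeps the typo "errror"; since the line is being rewritten anyway, fix it to "error". The `i18n:` hunk in the same patch adds "No internationalization present" without a terminating period, unlike the other notes in the file.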
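Review bot: The CVE-2019-12379.yml hunk of PATCH 18/20 truncates a sentence: changing "caused one." to "caused." leaves the `vccs:` note reading "In an attempt to fix the memory leak, it actually caused." The commit message ("fixed swapped note and answer") describes only the CVE-2015-7566.yml change, so this edit looks accidental; restore "caused one."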
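Review bot: The `description:` hunk of PATCH 20/20 in CVE-2015-7566.yml adds a comma splice and mixes spellings with the line above it ("NULL pointer error" vs "null-pointers"), and "a USB" should be "a USB device". Suggested wording: "This happens because of an incomplete sanity check: the visor driver dereferences a NULL pointer when such a USB device is plugged in."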
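Review bot: The `discovered:` hunk of PATCH 20/20 flips `developer:` from False to True without a reason in the new answer, which still names Ralf Spenneberg of OpenSource Security as the reporter, the same person PATCH 16/20 cited when setting `developer: False`. `automated: True` follows from "it was found with a fuzzer", but `developer: True` needs a note explaining why an external reporter counts as a developer; otherwise keep False.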
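Review bot: The `vouch:` hunk of PATCH 20/20 in CVE-2015-7566.yml offers "Signed off by Johan Hovold and Vladis Dronov" as evidence that the code was reviewed. In the kernel, Signed-off-by certifies the Developer Certificate of Origin and is added by authors and by maintainers who forward the patch; it does not by itself show that a review took place. If the fix commit carries Reviewed-by or Acked-by tags, cite those; otherwise soften the note to what the tags actually show.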
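Review bot: The `lessons:` hunk of PATCH 20/20 has the typo "applys" and its note ("there was a forgotten check that led to it being insecure") repeats the `forgotten_check:` answer rather than explaining defense in depth. The note should say which additional layer of protection would have limited the impact of the missing endpoint check, or leave `defense_in_depth` at `applies: False` if no such layer is identified.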
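Review bot: The `description:` hunk of PATCH 20/20 in CVE-2019-12379.yml introduces the typo "Memlory leaks" on the newly added line; fix it to "Memory leaks" before merging, since the rest of this patch is itself a typo-fix pass ("unrealted", "comitted").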