From 29456342ae1f5378beb585ec95934a99e942f907 Mon Sep 17 00:00:00 2001 From: jm8084 Date: Tue, 7 Nov 2023 23:10:27 -0500 Subject: [PATCH 1/5] 0 --- cves/kernel/CVE-2016-2547.yml | 31 +++++++++++++++++++------------ cves/kernel/CVE-2018-20961.yml | 25 ++++++++++++++----------- 2 files changed, 33 insertions(+), 23 deletions(-) diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index 9195be97f..de533e571 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-02-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides + an interface for sound cards devices. The framework used a resource locking approach that did not + consider slave timer instances. The instacne could still be accessed, creating race condition + for resources with the master instance. Leading to resource exhaustion, access to data, or a system crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -137,9 +141,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: - fix: + fix: false fix_answer: discovered: question: | @@ -155,10 +159,13 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) + framework's handling of high resolution timers did not properly manage its + data structures 2016-01-15 + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -175,8 +182,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: fuzzer + answer: use-after-free specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
@@ -227,7 +234,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: sound note: interesting_commits: question: | diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index 97fa96f92..3b11de7c9 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-08-07' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + Some USB gadgets have multiple 'modes' devices that can switch between modes + and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver + in the Linux kernel created a double-free when handling certain errors. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
@@ -106,7 +109,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: ad0d1a058eac46503edbc510d1ce44c5df8e0c91 - note: Discovered automatically by archeogit. + note: Patch meant to fix memory leak when system fails - commit: '079fe5a6da616891cca1a26e803e1df2a87e9ae5' note: Discovered automatically by archeogit. - commit: e0466156ee2e944fb47a3fa00932c3698a6d2c67 @@ -135,9 +138,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: - fix: + fix: false fix_answer: discovered: question: | @@ -153,10 +156,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Greg Kroah-Hartman from linux foundations + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -225,7 +228,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: driver note: interesting_commits: question: | From b72b2695434ebd5d7dcde7c0f0d71d3463581862 Mon Sep 17 00:00:00 2001 From: jm8084 Date: Tue, 7 Nov 2023 23:10:27 -0500 Subject: [PATCH 2/5] CVE-2016-2547, CVE-2018-20961 --- cves/kernel/CVE-2016-2547.yml | 31 +++++++++++++++++++------------ cves/kernel/CVE-2018-20961.yml | 25 ++++++++++++++----------- 2 files changed, 33 insertions(+), 23 deletions(-) diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index 9195be97f..de533e571 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml 
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-02-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides + an interface for sound cards devices. The framework used a resource locking approach that did not + consider slave timer instances. The instacne could still be accessed, creating race condition + for resources with the master instance. Leading to resource exhaustion, access to data, or a system crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -137,9 +141,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: - fix: + fix: false fix_answer: discovered: question: | 
@@ -155,10 +159,13 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) + framework's handling of high resolution timers did not properly manage its + data structures 2016-01-15 + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -175,8 +182,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: fuzzer + answer: use-after-free specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -227,7 +234,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: sound note: interesting_commits: question: | diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index 97fa96f92..3b11de7c9 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-08-07' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + Some USB gadgets have multiple 'modes' devices that can switch between modes + and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver + in the Linux kernel created a double-free when handling certain errors. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -106,7 +109,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: ad0d1a058eac46503edbc510d1ce44c5df8e0c91 - note: Discovered automatically by archeogit. + note: Patch meant to fix memory leak when system fails - commit: '079fe5a6da616891cca1a26e803e1df2a87e9ae5' note: Discovered automatically by archeogit. - commit: e0466156ee2e944fb47a3fa00932c3698a6d2c67 @@ -135,9 +138,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: - fix: + fix: false fix_answer: discovered: question: | @@ -153,10 +156,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Greg Kroah-Hartman from linux foundations + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -225,7 +228,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: driver note: interesting_commits: question: | From 8d97b467d4370039b8adb88690c0341defc417fc Mon Sep 17 00:00:00 2001 
From: jm8084 Date: Wed, 8 Nov 2023 00:09:10 -0500 Subject: [PATCH 3/5] CVE: 2016-2547, 2018-20961 --- cves/kernel/CVE-2016-2547.yml | 44 ++++++++++++++++------------------ cves/kernel/CVE-2018-20961.yml | 37 ++++++++++++++-------------- 2 files changed, 39 insertions(+), 42 deletions(-) diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index de533e571..361ffff17 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml @@ -55,8 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: | - The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides +description: The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides an interface for sound cards devices. The framework used a resource locking approach that did not consider slave timer instances. The instacne could still be accessed, creating race condition for resources with the master instance. Leading to resource exhaustion, access to data, or a system crash. @@ -142,9 +141,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: + code_answer: no tests found in commits fix: false - fix_answer: + fix_answer: no system tests found discovered: question: | How was this vulnerability discovered? @@ -159,8 +158,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: | - Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) + answer: Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) framework's handling of high resolution timers did not properly manage its data structures 2016-01-15 automated: false 
@@ -182,8 +180,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: fuzzer - answer: use-after-free + note: fuzzer, use-after-free + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -200,7 +198,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -266,8 +264,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: only systems using the Advanced Linux Sound Architecture (ALSA) sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -281,8 +279,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: access instance that should be locked for privileged resources ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -293,8 +291,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: system timing for interprocess resources discussion: question: | Was there any discussion surrounding this? @@ -335,8 +333,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no supporting dialogue stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -350,9 +348,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: none found in commits or changelogs forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -371,8 +369,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: check if all instances are locked order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -489,4 +487,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: +CVSS: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index 3b11de7c9..aca5ff43b 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -55,8 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: | - Some USB gadgets have multiple 'modes' devices that can switch between modes +description: Some USB gadgets have multiple 'modes' devices that can switch between modes and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver in the Linux kernel created a double-free when handling certain errors. bounty_instructions: | @@ -139,9 +138,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: + code_answer: no unit tests found in commits fix: false - fix_answer: + fix_answer: no system tests found discovered: question: | How was this vulnerability discovered? 
@@ -177,7 +176,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -194,7 +193,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -260,8 +259,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: vulnerability was local sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -275,8 +274,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: double-free can cause arbitrary code exe. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -287,8 +286,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: usb instance freed when process failed discussion: question: | Was there any discussion surrounding this? @@ -329,8 +328,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no supporting dialogue stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -344,9 +343,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: none found in commits or changelogs forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -365,8 +364,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: use of resource (other free) in other files order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of From c776fdb04c3eaa9e3bec3e8c5e4ecc0438f08d60 Mon Sep 17 00:00:00 2001 From: jm8084 Date: Wed, 8 Nov 2023 00:27:55 -0500 Subject: [PATCH 4/5] CVE: 2016-2547 & 2018-20961 --- cves/kernel/CVE-2016-2547.yml | 8 ++++---- cves/kernel/CVE-2018-20961.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index 361ffff17..1ed053969 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml @@ -197,7 +197,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: none answer: false subsystem: question: | @@ -382,8 +382,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: slave instance needed to be locked with master lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -461,7 +461,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: This is a coding lapse. The developer forgot to lock all instances CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index aca5ff43b..c2bb24744 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -192,7 +192,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: none answer: false subsystem: question: | @@ -456,7 +456,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: This is a coding lapse. The developer forgot to check if resource was already free CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 43888baeb57a911151a6b82bd6325b979c699d56 Mon Sep 17 00:00:00 2001 From: jm8084 Date: Wed, 8 Nov 2023 10:26:08 -0500 Subject: [PATCH 5/5] CVE: 2016-2547, 2018-20961 --- cves/kernel/CVE-2016-2547.yml | 6 +++--- cves/kernel/CVE-2018-20961.yml | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index 1ed053969..b910f4534 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml 
@@ -318,9 +318,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: none found in commits or changelog vouch: question: | Was there any part of the fix that involved one person vouching for diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index c2bb24744..9c9c5cbf8 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -158,7 +158,7 @@ discovered: answer: Greg Kroah-Hartman from linux foundations automated: false contest: false - developer: true + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -175,7 +175,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: no tools/tests mentioned in commits answer: false specification: instructions: | @@ -313,9 +313,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: none found in commits or changelog vouch: question: | Was there any part of the fix that involved one person vouching for @@ -365,7 +365,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: use of resource (other free) in other files + note: check for existing free() of resource elsewhere order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of
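Review bot: The series needs squashing before it can apply: PATCH 2/5 ("CVE-2016-2547, CVE-2018-20961") is the same diff as PATCH 1/5 hunk for hunk, down to the identical blob ids "index 9195be97f..de533e571" and "index 97fa96f92..3b11de7c9", so it cannot apply on top of patch 1, and PATCH 3/5 starts from de533e571, i.e. from patch 1's result. Drop patch 2, and give patch 1 a descriptive subject; "0" says nothing about the change.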
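Review bot: In PATCH 1/5, CVE-2016-2547.yml hunk "@@ -55,7 +55,11 @@", the new description has spelling and grammar slips that every later patch carries forward: "linux kernal" should be "Linux kernel", "instacne" should be "instance", "sound cards devices" should be "sound card devices", and "creating race condition for resources with the master instance. Leading to resource exhaustion, ..." is a fragment. Suggest: "creating a race condition with the master instance that can lead to resource exhaustion, disclosure of data, or a system crash." The context line says the audience is readers with no security background, so say explicitly that the slave instance was left unlocked while the master was locked.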
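Review bot: In PATCH 1/5, CVE-2016-2547.yml hunk "@@ -155,10 +159,13 @@", the discovered answer ends in a bare date, "... did not properly manage its data structures 2016-01-15", with no statement of what happened on that date, and the date is earlier than the reported_date '2016-02-24' set in the "@@ -19,14 +19,14 @@" hunk of the same patch. Either label the date (report date, fix commit date) and cite where it comes from, or reconcile the two.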
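Review bot: In PATCH 1/5, CVE-2016-2547.yml hunk "@@ -175,8 +182,8 @@", the values land in the wrong fields: the context says "The answer field should be boolean", yet the hunk sets "answer: use-after-free" and "note: fuzzer". PATCH 3/5 repairs this to "answer: true" / "note: fuzzer, use-after-free"; rewrite this hunk instead of fixing it in a later commit, and have the note explain why a fuzzer would plausibly find the bug (which report or tool you relied on), since the context asks for the reasoning, not keywords.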
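Review bot: In PATCH 1/5, CVE-2018-20961.yml hunk "@@ -55,7 +55,10 @@", the description never says where the double free happens: "Some USB gadgets have multiple 'modes' devices that can switch between modes and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver ..." is two loosely joined statements, and "Subsequently" suggests a sequence that is not there. State which error-handling path in the gadget MIDI driver frees the same resource twice, and write "MIDI" rather than "Midi".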
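Review bot: In PATCH 1/5, CVE-2018-20961.yml hunk "@@ -106,7 +109,7 @@", the replacement vcc note "Patch meant to fix memory leak when system fails" describes what commit ad0d1a058eac46503edbc510d1ce44c5df8e0c91 intended, not why it is a vulnerability-contributing commit. The note should say how that commit introduced the second free, and "when system fails" needs to name the actual failure path the commit handles.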
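Review bot: In PATCH 1/5, CVE-2018-20961.yml hunk "@@ -153,10 +156,10 @@", the discovered answer "Greg Kroah-Hartman from linux foundations" should read "Greg Kroah-Hartman, Linux Foundation" and should cite where the discovery is recorded (bug report or fix commit), as the context asks for evidence of how the bug was found rather than a name alone.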
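Review bot: In PATCH 3/5, the description hunks "@@ -55,8 +55,7 @@" in both files remove the "|" block-scalar indicator while keeping the indented continuation lines, so the value becomes a plain multi-line scalar that YAML folds onto one line. It still parses only because none of the continuation lines contain ": " or " #"; a later edit that adds a colon would break the file. Keep "description: |" as patch 1 had it, and likewise keep "answer: |" in the discovered hunk "@@ -159,8 +158,7 @@" of CVE-2016-2547.yml.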
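Review bot: In PATCH 3/5, CVE-2016-2547.yml hunk "@@ -489,4 +487,4 @@", the vector CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H states no confidentiality impact (C:N), but the description in the same file lists "access to data" as a consequence. One of the two has to change; if the vector is copied from an external scoring source, say so in a note and drop "access to data" from the description.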
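Review bot: In PATCH 3/5, CVE-2016-2547.yml i18n hunk "@@ -266,8 +264,8 @@", the note "only systems using the Advanced Linux Sound Architecture (ALSA)" says nothing about internationalization, which is what the i18n field asks about; the same problem applies to the CVE-2018-20961.yml i18n note "vulnerability was local" in "@@ -260,8 +259,8 @@". State whether any locale, encoding or language handling was involved (presumably not) and why.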
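Review bot: In PATCH 3/5, CVE-2016-2547.yml sandbox hunk "@@ -281,8 +279,8 @@", "answer: true" is not supported by its note "access instance that should be locked for privileged resources": a lock on a timer instance is a synchronization primitive, not a sandboxing feature, and the context asks whether the bug "violate[d] a sandboxing feature that the system" provides. Either name the sandbox that was bypassed or set the answer to false with that reasoning.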
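Review bot: In PATCH 3/5, CVE-2018-20961.yml sandbox hunk "@@ -275,8 +274,8 @@", the note "double-free can cause arbitrary code exe." describes a possible impact, not a sandboxing feature that was violated, so it does not justify "answer: true". Name the sandbox or set the answer to false; spell out "execution" in either case.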
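Review bot: In PATCH 3/5, CVE-2016-2547.yml ipc hunk "@@ -293,8 +291,8 @@", the note "system timing for interprocess resources" does not identify an inter-process communication mechanism, and the CVE-2018-20961.yml ipc note "usb instance freed when process failed" in "@@ -287,8 +286,8 @@" has the same gap. For "answer: true" the note should say which IPC feature the affected code uses; otherwise the answer should be false.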
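Review bot: In PATCH 3/5, the stacktrace hunks "@@ -350,9 +348,9 @@" (CVE-2016-2547.yml) and "@@ -344,9 +343,9 @@" (CVE-2018-20961.yml) answer false with the note "none found in commits or changelogs", but the context asks "Are there any stacktraces in the bug reports?". The note should say the bug report itself was checked; for CVE-2016-2547 the discovered answer attributes the finding to a fuzzer-related report, which is exactly where a trace would be expected.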
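Review bot: In PATCH 3/5, CVE-2018-20961.yml forgotten_check hunk "@@ -365,8 +364,8 @@", the note "use of resource (other free) in other files" is not readable, and PATCH 5/5 later rewords it to "check for existing free() of resource elsewhere". Fold the final wording into this hunk, and name the function or path where the redundant free sits so the note can be verified against the fix.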
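Review bot: In PATCH 4/5, CVE-2016-2547.yml order_of_operations hunk "@@ -382,8 +382,8 @@", "answer: true" with note "slave instance needed to be locked with master" restates the forgotten_check reasoning already given in PATCH 3/5 ("check if all instances are locked"). The two fields ask different questions; say what the fix reordered, or set order_of_operations to false and keep the missing-lock explanation under forgotten_check only.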
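Review bot: In PATCH 4/5, the specification hunks "@@ -197,7 +197,7 @@" (CVE-2016-2547.yml) and "@@ -192,7 +192,7 @@" (CVE-2018-20961.yml) set "note: none", but the context says "In answer_note, please explain why you come to that conclusion." A one-line reason such as "no standard (e.g. POSIX) is referenced in the report or the fix" would satisfy that; "none" does not.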
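Review bot: In PATCH 4/5, CVE-2016-2547.yml mistakes hunk "@@ -461,7 +461,7 @@", the answer "This is a coding lapse. The developer forgot to lock all instances" is a single unfinished sentence (no terminal period) where the context asks for "a thoughtful entry ... people in the software engineering industry would find interesting". Add why the lapse was easy to make (master and slave instances share state but were not locked together) and what practice would have caught it.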
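Review bot: In PATCH 4/5, CVE-2018-20961.yml mistakes hunk "@@ -456,7 +456,7 @@", the answer "The developer forgot to check if resource was already free" implies the fix added an "already freed" test, which is not how a double free is normally resolved (ownership of the freed object is cleared or one of the two release sites is removed). State which of the two frees the fix drops, consistent with the forgotten_check note, and end the sentence with a period.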
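Review bot: In PATCH 5/5, CVE-2018-20961.yml hunk "@@ -158,7 +158,7 @@" flips "developer: true" to "developer: false" while the answer two lines above still names Greg Kroah-Hartman as the discoverer. If a kernel maintainer found the bug, developer should stay true; if the bug came from elsewhere and he only authored the fix, the answer text needs to say who reported it.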
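Review bot: In PATCH 5/5, CVE-2018-20961.yml autodiscoverable hunk "@@ -175,7 +175,7 @@", the note "no tools/tests mentioned in commits" answers a different question from the one in the context, which asks whether it "is plausible that a fully automated tool could have discovered" the bug. Whether a tool was mentioned does not settle plausibility; say whether a memory-error detector could reasonably flag a double free on this error path, and base "answer: false" on that.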