From: Pavel Machek <pavel@denx.de>
To: cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] New CVE entries in this week
Date: Thu, 11 Nov 2021 10:21:38 +0100 [thread overview]
Message-ID: <20211111092138.GA8515@amd> (raw)
In-Reply-To: <CAODzB9okpxqQ9ezVD0ua8wKqCjo=j1zw0pU18v7gmE=r1KGOQg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3404 bytes --]
Hi!
> CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()
>
> CVSS v3 score is not provided.
>
> ION is a memory manager which is used by Android. This CVE may affect
> 4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
> member enabled ION. The ION driver has been removed since 5.11.
>
> Fixed status
>
> mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]
Furthermore, CIP members should really not be using code from staging.
> * Updated CVEs
>
> CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
> avc_ca_pmt()
>
> 4.19 and 5.X kernels have been fixed in this week. However, appliying
> patch to 4.4 and 4.9 are failed.
> According to the cip-kernel-config repo, no CIP member uses firewire driver.
This one looks rather easy to backport. It failed only because
reformatting of the printk.
> CVE-2021-3640: UAF in sco_send_frame function
>
> Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
> sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
> for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
> list on Nov 9. This fix can be applied to 4.4 by git-am without error.
>
> mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]
Would it make sense to ask why it was not applied?
Best regards,
Pavel
diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);
- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;
return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2021-11-11 9:21 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 23:52 New CVE entries in this week Masami Ichikawa
2021-11-11 9:21 ` Pavel Machek [this message]
2021-11-11 12:47 ` [cip-dev] " Masami Ichikawa
-- strict thread matches above, loose matches on Subject: below --
2022-01-26 23:51 Masami Ichikawa
2022-01-27 8:21 ` [cip-dev] " nobuhiro1.iwamatsu
2022-01-28 6:18 ` Masami Ichikawa
2022-01-29 21:03 ` Pavel Machek
2022-01-31 0:00 ` Masami Ichikawa
2022-01-12 23:39 Masami Ichikawa
2022-01-13 8:07 ` [cip-dev] " Pavel Machek
2022-01-13 12:41 ` Masami Ichikawa
2021-12-29 23:29 Masami Ichikawa
2021-12-30 10:20 ` [cip-dev] " Pavel Machek
2021-12-30 23:05 ` Masami Ichikawa
2021-12-23 0:48 Masami Ichikawa
2021-12-23 17:11 ` [cip-dev] " Pavel Machek
2021-12-15 23:49 Masami Ichikawa
2021-12-16 5:26 ` [cip-dev] " nobuhiro1.iwamatsu
2021-12-16 5:58 ` Masami Ichikawa
2021-12-16 8:49 ` Pavel Machek
2021-12-08 23:44 Masami Ichikawa
2021-12-09 9:20 ` [cip-dev] " Pavel Machek
2021-12-09 14:12 ` Masami Ichikawa
[not found] <16BAA9D56D09F20A.23256@lists.cip-project.org>
2021-11-25 5:16 ` Masami Ichikawa
2021-11-25 8:00 ` nobuhiro1.iwamatsu
2021-11-25 12:00 ` Masami Ichikawa
2021-11-25 9:09 ` Pavel Machek
2021-11-25 12:01 ` Masami Ichikawa
2021-11-25 2:41 Masami Ichikawa
2021-11-25 9:14 ` [cip-dev] " Pavel Machek
2021-11-04 1:11 New CVE Entries " Masami Ichikawa
2021-11-04 9:57 ` [cip-dev] " Pavel Machek
2021-11-04 13:04 ` Masami Ichikawa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211111092138.GA8515@amd \
--to=pavel@denx.de \
--cc=cip-dev@lists.cip-project.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox