From b178c023e111ce17cb1d24791d7ea3313f963bb2 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 6 Nov 2023 12:45:49 -0500 Subject: [PATCH 1/8] updated curation levels --- cves/kernel/CVE-2016-6156.yml | 2 +- cves/kernel/CVE-2017-5576.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index d43086eb0..db3075974 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index af6bcf296..86ba382d3 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that From 9a6e5dba27910a961a65dbfdd6704344ffa9532a Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 6 Nov 2023 15:08:12 -0500 Subject: [PATCH 2/8] finished pt 1 --- cves/kernel/CVE-2016-6156.yml | 117 ++++++++++++++++++---------------- cves/kernel/CVE-2017-5576.yml | 96 +++++++++++++++------------- 2 files changed, 112 insertions(+), 101 deletions(-) 
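Review bot: curation_level is raised from 0 to 2 in both files before a single answer field has been filled in, while the curated_instructions text shown in the context lines says the level enables additional editorial checks and should only be set once the file is properly filled out; a checkout at PATCH 1/8 therefore claims a curation state the files do not yet have. Move the two one-line changes into the commit that actually completes the content (or the last commit of the series) so every intermediate commit is consistent with its own instructions.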
diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index db3075974..39f53e3e6 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2023-11-06' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + A race condition in the ec_device_ioctl_xcmd function caused a denial of + service, known as a "double fetch" vulnerability. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -92,6 +94,7 @@ fixes: note: | Taken from NVD references list with Git commit. If you are curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -133,10 +136,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: no automated unit tests were found + fix: false + fix_answer: no automated unit tests were found discovered: question: | How was this vulnerability discovered? 
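Review bot: reported_date: '2023-11-06' is the date of this commit, not the date the vulnerability was reported; the reported_instructions text directly above the hunk says to take the date from the security bulletins and bug reports and to leave the field blank if none is given, so for a 2016 CVE this should be the 2016 report date or empty. In the fixes hunk, 'Manually Confirmed' is appended below the placeholder instructions instead of replacing them as the placeholder asks, so the note now carries both texts. The description hunk names ec_device_ioctl_xcmd and the term "double fetch" but does not say what is fetched twice or how that produces a denial of service; the stated audience (readers with no security course) needs one sentence on which user-supplied values are read twice and what the second, unchecked read is used for.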
@@ -151,10 +154,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Information was not given about the discovery of this vulnerability. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,8 +174,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: no information is provided. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -188,8 +191,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: no information is provided. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -223,7 +226,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -255,8 +258,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to i18n sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +273,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to sandboxing ipc: question: | Did the feature that this vulnerability affected use inter-process 
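Review bot: the discovered hunk answers 'Information was not given about the discovery of this vulnerability', but the instruction lines kept as context say that when there is no evidence you should explain where you looked; list the sources checked (the fix commit message, the NVD entry and its references) so the next curator does not repeat the search. In the subsystem hunk, name: drivers is correct but too coarse to be useful and note: is left empty; the description already names ec_device_ioctl_xcmd, so record the driver directory that function lives in (the file path touched by the fix commit listed under fixes gives it) in the note. The autodiscoverable and specification hunks both use 'no information is provided.' as the note, which does not answer either question: autodiscoverable asks whether a fully automated tool could plausibly have found the bug, and specification asks whether a violated specification is mentioned, so each note should state the reasoning behind answer: false.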
@@ -282,8 +285,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to ipc discussion: question: | Was there any discussion surrounding this? @@ -309,9 +312,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: no discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -324,8 +327,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: commit for change was signed off, reviewed, and tested stacktrace: question: | Are there any stacktraces in the bug reports? @@ -339,9 +342,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: + any_stacktraces: false stacktrace_with_fix: - note: + note: no stacktraces found forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +363,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Verifies values havent changed, checks were added to prevent buffer overflows. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
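Review bot: in the stacktrace hunk, stacktrace_with_fix: is left empty while any_stacktraces: false is filled in next to it; the field is boolean like its sibling and should carry false here rather than nothing, otherwise the file has an unanswered question in a block the note declares closed. In the forgotten_check hunk, the note 'Verifies values havent changed, checks were added to prevent buffer overflows.' has a typo ('havent') and names neither the values nor the two reads between which they are verified; say which user-supplied fields are compared and where the second read happens so a reader can locate the check in the fix commit. The vouch note ('commit for change was signed off, reviewed, and tested') would be stronger if it named the tags it relies on, since the question is about one person vouching for another rather than about the commit having tags at all.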
@@ -373,8 +376,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no mention. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -390,38 +393,38 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. - defense_in_depth: - applies: - note: - least_privilege: - applies: + defense_in_depth: + applies: false note: - frameworks_are_optional: - applies: + least_privilege: + applies: false note: - native_wrappers: - applies: + frameworks_are_optional: + applies: false note: - distrust_input: - applies: + native_wrappers: + applies: false note: - security_by_obscurity: - applies: + distrust_input: + applies: true + note: confirm input is correct, and not too large + security_by_obscurity: + applies: false note: - serial_killer: - applies: + serial_killer: + applies: false note: - environment_variables: - applies: + environment_variables: + applies: false note: - secure_by_default: - applies: + secure_by_default: + applies: false note: - yagni: - applies: + yagni: + applies: false note: - complex_inputs: - applies: + complex_inputs: + applies: false note: mistakes: question: | @@ -452,7 +455,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake that led to this issue was just a simple check that was missed + to confirm that the values have not changed to prevent a buffer overflow. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index 86ba382d3..6adde5976 100644 --- a/cves/kernel/CVE-2017-5576.yml 
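Review bot: the distrust_input note 'confirm input is correct, and not too large' describes a size bound, but the description in this same patch calls the bug a double fetch, where the defect is that the input can change between the first read (validated) and the second read (used); the note should say that the lesson is to not re-read user memory after validating it, or to re-validate if you do, rather than that the input was too large. The mistakes answer has the same framing problem ('a simple check that was missed ... to prevent a buffer overflow') while the description says denial of service; pick one impact and state it consistently in both places. The lessons hunk also deletes and re-adds every key with only applies: false filled in, which reads as an indentation change mixed into a content change; a whitespace-only adjustment is much easier to review as its own commit.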
+++ b/cves/kernel/CVE-2017-5576.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2023-11-06' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + An integer overflow in the vc4_get_bcl function caused users to have a denial + of service error. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -92,6 +94,7 @@ fixes: note: | Taken from NVD references list with Git commit. If you are curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -129,10 +132,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: no automated unit tests were found + fix: false + fix_answer: no automated unit tests were found discovered: question: | How was this vulnerability discovered? @@ -147,10 +150,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Information was not given about the discovery of this vulnerability. + automated: false + contest: false + developer: insomniasec autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered 
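Review bot: in the discovered hunk, answer says 'Information was not given about the discovery of this vulnerability' while developer: insomniasec on the next lines credits a discoverer; the two statements contradict each other. developer sits beside automated: false and contest: false, so it is a boolean like its siblings; if a named party found the bug, put that in the answer text together with the source (advisory or fix commit credit) and set developer to true or false according to whether that party was a developer of the affected code. reported_date: '2023-11-06' is again the commit date rather than the report date the instruction asks for, and should be the real report date or blank. The description hunk ('An integer overflow in the vc4_get_bcl function caused users to have a denial of service error') does not say what overflowed or what the overflowed value was then used for; an integer overflow is only a vulnerability because of what consumes the wrapped value, and that is the sentence the target audience needs.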
@@ -167,8 +170,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: no information is provided. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +187,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: no information is provided. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,7 +222,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: drivers note: interesting_commits: question: | @@ -251,8 +254,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to i18n sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +269,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to sandboxing ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +281,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation to ipc discussion: question: | Was there any discussion surrounding this? 
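Review bot: name: drivers with an empty note under subsystem does not identify which driver was at fault; the description names vc4_get_bcl, so record the driver directory that function lives in (the file path of the fix commit listed under fixes gives it) in note so the subsystem answer is checkable. As in the other file, 'Manually Confirmed' in the fixes hunk is appended under the placeholder text instead of replacing it, and the autodiscoverable and specification notes both read 'no information is provided.', which answers neither the plausibility question nor the specification question those fields ask; each needs the reasoning behind answer: false.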
@@ -305,9 +308,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: no discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +323,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: fix was signed off stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +338,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: no stacktraces mentioned forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +359,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: changes were made to prevent a race condition, a value is now cgecked that previously was not. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +372,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no relation lessons: question: | Are there any common lessons we have learned from class that apply to this 
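Review bot: the forgotten_check note 'changes were made to prevent a race condition, a value is now cgecked that previously was not.' contradicts this file's own description, which attributes CVE-2017-5576 to an integer overflow in vc4_get_bcl; a bounds check that stops a wrapped size from reaching an allocation is not a race-condition fix, and the note should say which value is now checked and against what, with the typo ('cgecked') corrected. The vouch note 'fix was signed off' is thin for answer: true, since the question is about one person vouching for another's work; cite the review or maintainer tags on the fix commit if that is the basis, or answer false. The stacktrace hunk correctly fills both booleans here, unlike the same hunk in the other file.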
@@ -387,37 +390,37 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -448,7 +451,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + This issue was caused by a race condition that was not checked for, as well + as some other information that was not checked. This was resolved by implementing + these checks. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From df15555cc8e76a90eb72e72444f29588fa78962f Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 6 Nov 2023 15:21:10 -0500 Subject: [PATCH 3/8] yaml fix --- cves/kernel/CVE-2016-6156.yml | 4 ++-- cves/kernel/CVE-2017-5576.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index 39f53e3e6..8423c9c3b 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml 
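Review bot: distrust_input: applies: false in the lessons hunk does not fit a description that blames an integer overflow in a function handling user-submitted sizes; if the overflowed quantity came from userspace, distrust_input is precisely the lesson that applies and the note should say what input should have been bounded. The mistakes answer again describes 'a race condition that was not checked for, as well as some other information that was not checked', which matches neither the description nor the forgotten_check note and tells an industry reader nothing concrete; name the arithmetic that wrapped and the comparison the fix adds. The three-line answer literal is also indented differently from its sibling fields, which is what the next patch in the series has to repair.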
@@ -456,8 +456,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - The mistake that led to this issue was just a simple check that was missed - to confirm that the values have not changed to prevent a buffer overflow. + The mistake that led to this issue was just a simple check that was missed + to confirm that the values have not changed to prevent a buffer overflow. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index 6adde5976..8b7c66a27 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -452,9 +452,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - This issue was caused by a race condition that was not checked for, as well - as some other information that was not checked. This was resolved by implementing - these checks. + This issue was caused by a race condition that was not checked for, as well + as some other information that was not checked. This was resolved by implementing + these checks. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From e3410e0445a2357e7dc3911faf4c1284be2671b8 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 6 Nov 2023 15:42:46 -0500 Subject: [PATCH 4/8] update --- cves/kernel/CVE-2016-6156.yml | 2 +- cves/kernel/CVE-2017-5576.yml | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index 8423c9c3b..9409fa588 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml 
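Review bot: both hunks in PATCH 3/8 change only the indentation of the answer: | literal blocks (the text is identical before and after), which is the kind of defect a YAML parse of the two files before committing would have caught and folded into PATCH 2/8; running the repository's checks, or even a plain YAML load, on each file before pushing avoids a separate fix-up commit. The subject 'yaml fix' also does not say what was wrong; a subject such as 'fix indentation of mistakes answer blocks' tells a reader whether they need to look further.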
@@ -343,7 +343,7 @@ stacktrace: Write a note about how you came to the conclusions you did, regardless of what your answer was. any_stacktraces: false - stacktrace_with_fix: + stacktrace_with_fix: false note: no stacktraces found forgotten_check: question: | diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index 8b7c66a27..e99be7529 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -150,8 +150,9 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: Information was not given about the discovery of this vulnerability. - automated: false + answer: | + discovered through automated testing + automated: true contest: false developer: insomniasec autodiscoverable: @@ -170,8 +171,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: no information is provided. - answer: false + note: Discovered by archeogit + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -187,8 +188,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: no information is provided. - answer: false + note: ioctl arguments are not validated. + answer: true subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel From a15d484f959be07561c7b553969fe805f81d6da6 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 6 Nov 2023 15:48:37 -0500 Subject: [PATCH 5/8] update --- cves/kernel/CVE-2017-5576.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index e99be7529..b85eb9468 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml 
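Review bot: the autodiscoverable field asks whether it is plausible that a fully automated tool could have found this bug, and the new note 'Discovered by archeogit' answers a different question (how it was found) without a reference; if a tool did find it, that belongs in discovered.answer with a link, and the note here should argue plausibility (for example whether a static check on the size arithmetic feeding the allocation would flag it). The discovered hunk flips from 'Information was not given' to 'discovered through automated testing' and automated: true with no source added, so the reader cannot tell what new evidence justified the change, and developer: insomniasec is left in place beside it, which keeps the earlier contradiction. In the specification hunk, 'ioctl arguments are not validated.' describes the defect rather than a violated specification; the field's own example is POSIX, so either cite the specification the driver violated or keep answer: false with that reasoning. The stacktrace_with_fix: false fix in the other file is the right correction for the empty field.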
@@ -154,7 +154,7 @@ discovered: discovered through automated testing automated: true contest: false - developer: insomniasec + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,7 +171,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: Discovered by archeogit + note: | + discovered by archeogit answer: true specification: instructions: | @@ -188,7 +189,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: ioctl arguments are not validated. + note: | + ioctl arguments are not validated. answer: true subsystem: question: | @@ -361,7 +363,8 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: changes were made to prevent a race condition, a value is now cgecked that previously was not. + note: | + changes were made to prevent a race condition, a value is now checked that previously was not. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of From 90326d1364d2dab3a00b8b3e311e863be6c8c534 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Sun, 12 Nov 2023 19:47:21 -0500 Subject: [PATCH 6/8] fixed based on comments --- cves/kernel/CVE-2016-6156.yml | 34 +++++++++++++++----------- cves/kernel/CVE-2017-5576.yml | 45 ++++++++++++++++++----------------- 2 files changed, 43 insertions(+), 36 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index 9409fa588..80df229a0 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml 
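Review bot: the forgotten_check hunk corrects 'cgecked' and moves the note into a literal block but keeps 'changes were made to prevent a race condition', which still contradicts the integer-overflow description in the same file; since the line is being touched anyway, this is the place to state the actual check. Changing developer: insomniasec to developer: false fixes the type of the field but silently drops the discoverer credit without moving it anywhere; if the credit was unsupported, say so in the discovered answer, and if it was supported, keep it there with its source. Converting the two one-line notes into | literal blocks is fine but is a formatting change mixed into a content commit titled 'update'; a subject naming the two real corrections would make the series easier to bisect.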
@@ -92,8 +92,6 @@ fixes: note: - commit: '096cdc6f52225835ff503f987a0d68ef770bb78e' note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -121,7 +119,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -174,7 +172,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: no information is provided. + note: No information is provided. answer: false specification: instructions: | @@ -259,7 +257,7 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation to i18n + note: This vulnerability has no relation to i18n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -274,7 +272,7 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation to sandboxing + note: This vulnerability has no relation to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -314,7 +312,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: no discussion was had in regards to this issue that is available. + note: No discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for 
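Review bot: the autodiscoverable hunk only capitalizes 'No information is provided.', but that note still does not answer the field's question, which is whether a fully automated tool could plausibly have discovered the bug, not whether anyone recorded how it was discovered; with answer: false the note should explain why a tool would not catch a size value being read from user memory twice, or the answer should change to true with that reasoning. Removing the placeholder instructions from the fixes note so that only 'Manually Confirmed' remains is the right correction for the earlier append. upvotes: 2 is fine as a value but the instruction text says peers supply the score; a one-word note on where the count came from would make it reproducible.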
@@ -328,7 +326,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: commit for change was signed off, reviewed, and tested + note: Commit for change was signed off, reviewed, and tested stacktrace: question: | Are there any stacktraces in the bug reports? @@ -344,7 +342,7 @@ stacktrace: what your answer was. any_stacktraces: false stacktrace_with_fix: false - note: no stacktraces found + note: No stacktraces were found. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -364,7 +362,9 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: Verifies values havent changed, checks were added to prevent buffer overflows. + note: | + The fix verifies that "u_cmd.outsize" and "u_cmd.insize" values have not changed between + the two times copy_from_user() is called. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -377,7 +377,7 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no mention. + note: The fix involved adding new code, not reordering old code. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -407,7 +407,10 @@ lessons: note: distrust_input: applies: true - note: confirm input is correct, and not too large + note: | + The "u_cmd.outsize" and "u_cmd.insize" values must not change between the + two times copy_from_user() is called. If the values change, it could lead to + a buffer overflow if unchecked. security_by_obscurity: applies: false note: 
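Review bot: the rewritten forgotten_check note now states the real check (that "u_cmd.outsize" and "u_cmd.insize" did not change between the two copy_from_user() calls), which is what the earlier note lacked; one caveat worth adding, since the distrust_input note repeats the same description, is that comparing the two copies is one of two valid fixes for a double fetch, the other being to read the user struct once and use only the kernel-side copy for both validation and the transfer, so the lesson is 'never re-read user memory you have already validated' rather than only 'check that the sizes still match'. The order_of_operations note 'The fix involved adding new code, not reordering old code.' is a clear justification for answer: false and is the pattern the other notes should follow.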
@@ -456,8 +459,11 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - The mistake that led to this issue was just a simple check that was missed - to confirm that the values have not changed to prevent a buffer overflow. + The mistake that led to this bug was an oversight about the possibility of + "u_cmd.outsize" or "u_cmd.insize" changing between the two times the + copy_from_user() is called. Additionally, cros_ec_cmd_xfer() was changed to + set s_cmd->insize to a lower value if possible. The previous implementation + copied too much data to the user, which was a design oversight. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index b85eb9468..17e5eba77 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -56,8 +56,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - An integer overflow in the vc4_get_bcl function caused users to have a denial - of service error. + An integer overflow in the vc4_get_bcl funcion, used in grapics processing, + caused users to have a denial of service error, as there was not enough memory + allocated for copy_from_user. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -92,8 +93,6 @@ fixes: note: - commit: 0f2ff82e11c86c05d051cae32b58226392d33bbf note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. 
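Review bot: the rewritten CVE-2017-5576 description says the allocation was too small for the copy_from_user that followed; a user-controlled copy into an undersized kernel buffer writes past the allocation, which is memory corruption rather than only the 'denial of service error' the same sentence claims, so either state the impact the mechanism implies or cite the advisory's impact wording so the two halves of the description agree. The hunk also introduces two typos in one sentence, 'funcion' and 'grapics'. In the CVE-2016-6156 mistakes answer, the second point (cros_ec_cmd_xfer() copying too much data to the user) is a distinct defect from the double fetch; say explicitly that the fix commit addressed two problems so a reader does not conflate the over-copy with the race.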
@@ -117,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 1 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -133,9 +132,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: no automated unit tests were found + code_answer: No automated unit tests were found. fix: false - fix_answer: no automated unit tests were found + fix_answer: No automated unit tests were found. discovered: question: | How was this vulnerability discovered? @@ -151,7 +150,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: | - discovered through automated testing + This vulnerability was discovered through automated testing with archeogit. automated: true contest: false developer: false @@ -172,7 +171,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: | - discovered by archeogit + This vulnerability was discovered using the automated tool archeogit. answer: true specification: instructions: | @@ -258,7 +257,7 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation to i18n + note: This vulnerability has no relation to i18n sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
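Review bot: archeogit is now named as the discovering tool in both the discovered answer and the autodiscoverable note, but the file contains no reference for that claim and the discovered instructions ask for evidence; if the claim cannot be sourced, the earlier 'Information was not given' plus a statement of where you looked is the honest answer, and the autodiscoverable note should argue plausibility independently of who found the bug. The remaining hunks in this region (capitalization and full stops on the unit_tested and i18n notes) are fine.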
@@ -273,7 +272,7 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation to sandboxing + note: This vulnerability has no relation to sandboxing. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -285,7 +284,7 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation to ipc + note: This vulnerability has no relation to IPC. discussion: question: | Was there any discussion surrounding this? @@ -313,7 +312,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: no discussion was had in regards to this issue that is available. + note: No discussion was had in regards to this issue that is available. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -327,7 +326,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: fix was signed off + note: The fix was signed off. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -343,7 +342,7 @@ stacktrace: what your answer was. any_stacktraces: false stacktrace_with_fix: false - note: no stacktraces mentioned + note: No stacktraces were mentioned. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -364,7 +363,8 @@ forgotten_check: what your answer was. answer: true note: | - changes were made to prevent a race condition, a value is now checked that previously was not. + Checks the roundup() for the shader_rec_offset against bin_cl_size to + prevent an integer overflow. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
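Review bot: the forgotten_check note 'Checks the roundup() for the shader_rec_offset against bin_cl_size to prevent an integer overflow.' describes a check that works by detecting that the addition already wrapped (the rounded offset coming out smaller than the size it was built from), not by preventing the overflow; say 'detects wraparound by comparing the rounded offset against bin_cl_size' so a reader understands why a plain less-than comparison is sufficient, and mention whether the fix applies the same test to the other offsets computed from user sizes in that function. The vouch note 'The fix was signed off.' is unchanged in substance and still does not say whose vouching answer: true rests on.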
@@ -377,7 +377,7 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: no relation + note: The fix does not involve chnaging the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -406,8 +406,9 @@ lessons: applies: false note: distrust_input: - applies: false - note: + applies: true + note: | + Vulnerability was caused by a failure to check if the input was too large. security_by_obscurity: applies: false note: @@ -456,9 +457,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - This issue was caused by a race condition that was not checked for, as well - as some other information that was not checked. This was resolved by implementing - these checks. + This vulnerability was caused due to a lapse about checking to make sure + that the input in the roundup() for shader_rec_offset would fit within + the allocated bin_cl_size. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From d2a9c87bad8d84e656f31d61ef365fa8f5f49f62 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Mon, 13 Nov 2023 11:45:12 -0500 Subject: [PATCH 7/8] fixed some issues --- cves/kernel/CVE-2016-6156.yml | 8 ++++---- cves/kernel/CVE-2017-5576.yml | 9 ++++----- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index 80df229a0..9725ca2a5 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml 
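Review bot: the mistakes answer and the forgotten_check note in this same patch describe one check in incompatible terms: forgotten_check compares the rounded shader_rec_offset against bin_cl_size, whereas the mistakes answer says the input 'would fit within the allocated bin_cl_size', which treats bin_cl_size as an allocation that something must fit inside rather than as the user-supplied size the offset is computed from. Align both on the wraparound description, since an industry reader will try to reconcile them. The order_of_operations note has a typo ('chnaging'), and the new distrust_input note 'failure to check if the input was too large' is correct in spirit but should name the input (the sizes that feed the offset arithmetic) to match the rest of the file.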
@@ -135,9 +135,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: no automated unit tests were found + code_answer: No automated unit tests were found. fix: false - fix_answer: no automated unit tests were found + fix_answer: No automated unit tests were found. discovered: question: | How was this vulnerability discovered? @@ -189,7 +189,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: no information is provided. + note: No information is provided. answer: false subsystem: question: | @@ -326,7 +326,7 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: Commit for change was signed off, reviewed, and tested + note: Commit for change was signed off, reviewed, and tested. stacktrace: question: | Are there any stacktraces in the bug reports? diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index 17e5eba77..4fe81b960 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml @@ -149,9 +149,8 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: | - This vulnerability was discovered through automated testing with archeogit. - automated: true + answer: Information was not given about the discovery of this vulnerability. + automated: false contest: false developer: false autodiscoverable: 
@@ -171,8 +170,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: | - This vulnerability was discovered using the automated tool archeogit. - answer: true + No information is provided. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX From e58813ccd0338ca3b657fbb7011ae23bad6dd442 Mon Sep 17 00:00:00 2001 From: Chsalinetti Date: Thu, 16 Nov 2023 12:52:51 -0500 Subject: [PATCH 8/8] fixed more stuff --- cves/kernel/CVE-2016-6156.yml | 6 ++++-- cves/kernel/CVE-2017-5576.yml | 13 +++++++------ 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/cves/kernel/CVE-2016-6156.yml b/cves/kernel/CVE-2016-6156.yml index 9725ca2a5..980e89992 100644 --- a/cves/kernel/CVE-2016-6156.yml +++ b/cves/kernel/CVE-2016-6156.yml @@ -57,7 +57,9 @@ description_instructions: | security description: | A race condition in the ec_device_ioctl_xcmd function caused a denial of - service, known as a "double fetch" vulnerability. + service, known as a "double fetch" vulnerability. This occurs when either + "u_cmd.outsize" or "u_cmd.insize" changes between the two times the + copy_from_user() is called within the function. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -119,7 +121,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 2 +upvotes: 11 unit_tested: question: | Were automated unit tests involved in this vulnerability? diff --git a/cves/kernel/CVE-2017-5576.yml b/cves/kernel/CVE-2017-5576.yml index 4fe81b960..3db2e13c4 100644 --- a/cves/kernel/CVE-2017-5576.yml +++ b/cves/kernel/CVE-2017-5576.yml 
@@ -116,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 1 +upvotes: 7 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -362,8 +362,9 @@ forgotten_check: what your answer was. answer: true note: | - Checks the roundup() for the shader_rec_offset against bin_cl_size to - prevent an integer overflow. + The fix involved adding a forgotten check in the roundup() function for + the shader_rec_offset against the bin_cl_size in order to prevent an + integer overflow error. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -456,9 +457,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - This vulnerability was caused due to a lapse about checking to make sure - that the input in the roundup() for shader_rec_offset would fit within - the allocated bin_cl_size. + This vulnerability was caused because no check was made to confirm that the + input in the roundup() for shader_rec_offset would fit within the allocated + bin_cl_size. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to
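Review bot: typo in the new order_of_operations note (`note: The fix does not involve chnaging the order of operations.`): `chnaging` should be `changing`.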
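Review bot: the expanded CVE-2016-6156 description says `u_cmd.outsize` or `u_cmd.insize` can change between the two `copy_from_user()` calls but never says why that matters; given the stated audience (people before any security course), add one sentence saying which fetched copy of the size is checked and which is used, since that mismatch is what turns a double fetch into the denial of service the description names.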
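Review bot: the CVE-2017-5576 discovered hunk drops the archeogit claim and sets `automated: false`, and the autodiscoverable hunk that follows it sets `answer: false` with `No information is provided.`, so the two fields now agree; however the instructions quoted in the same hunk ask, when there is no evidence of how the bug was found, to "explain where you looked", and the new answer (`Information was not given about the discovery of this vulnerability.`) does not say where you looked. Add the sources checked (bug report, commit message, bulletins) to that answer.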
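Review bot: the reworded forgotten_check note for CVE-2017-5576 ("adding a forgotten check in the roundup() function for the shader_rec_offset") reads as if the check was added inside `roundup()`, whereas the wording it replaces ("Checks the roundup() for the shader_rec_offset against bin_cl_size") says the result of `roundup()` is what gets checked against `bin_cl_size`. Keep the earlier meaning, e.g. "The fix adds a forgotten check that the roundup() of shader_rec_offset fits within bin_cl_size, preventing an integer overflow." The mistakes answer in the last hunk already states it that way, so the two fields would then match.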