diff --git a/cves/kernel/CVE-2016-2547.yml b/cves/kernel/CVE-2016-2547.yml index 9195be97f..b910f4534 100644 --- a/cves/kernel/CVE-2016-2547.yml +++ b/cves/kernel/CVE-2016-2547.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-02-24' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides + an interface for sound cards devices. The framework used a resource locking approach that did not + consider slave timer instances. The instacne could still be accessed, creating race condition + for resources with the master instance. Leading to resource exhaustion, access to data, or a system crash. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -137,10 +140,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: no tests found in commits + fix: false + fix_answer: no system tests found discovered: question: | How was this vulnerability discovered? @@ -155,10 +158,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) + framework's handling of high resolution timers did not properly manage its + data structures 2016-01-15 + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -175,8 +180,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: fuzzer, use-after-free + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -192,8 +197,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: none + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -227,7 +232,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: sound note: interesting_commits: question: | @@ -259,8 +264,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: only systems using the Advanced Linux Sound Architecture (ALSA) sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -274,8 +279,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: access instance that should be locked for privileged resources ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -286,8 +291,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: system timing for interprocess resources discussion: question: | Was there any discussion surrounding this? @@ -313,9 +318,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: none found in commits or changelog vouch: question: | Was there any part of the fix that involved one person vouching for @@ -328,8 +333,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no supporting dialogue stacktrace: question: | Are there any stacktraces in the bug reports? @@ -343,9 +348,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: none found in commits or changelogs forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -364,8 +369,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: check if all instances are locked order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -377,8 +382,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: slave instance needed to be locked with master lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -456,7 +461,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: This is a coding lapse. The developer forgot to lock all instances CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -482,4 +487,4 @@ nickname_instructions: | If the report mentions a nickname, use that. Must be under 30 characters. Optional. nickname: -CVSS: +CVSS: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H diff --git a/cves/kernel/CVE-2018-20961.yml b/cves/kernel/CVE-2018-20961.yml index 97fa96f92..9c9c5cbf8 100644 --- a/cves/kernel/CVE-2018-20961.yml +++ b/cves/kernel/CVE-2018-20961.yml @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-08-07' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: Some USB gadgets have multiple 'modes' devices that can switch between modes + and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver + in the Linux kernel created a double-free when handling certain errors. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -106,7 +108,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: ad0d1a058eac46503edbc510d1ce44c5df8e0c91 - note: Discovered automatically by archeogit. + note: Patch meant to fix memory leak when system fails - commit: '079fe5a6da616891cca1a26e803e1df2a87e9ae5' note: Discovered automatically by archeogit. - commit: e0466156ee2e944fb47a3fa00932c3698a6d2c67 @@ -135,10 +137,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: no unit tests found in commits + fix: false + fix_answer: no system tests found discovered: question: | How was this vulnerability discovered? @@ -153,10 +155,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: Greg Kroah-Hartman from linux foundations + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -173,8 +175,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: no tools/tests mentioned in commits + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -190,8 +192,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: none + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -225,7 +227,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: driver note: interesting_commits: question: | @@ -257,8 +259,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: vulnerability was local sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +274,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: double-free can cause arbitrary code exe. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +286,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: usb instance freed when process failed discussion: question: | Was there any discussion surrounding this? @@ -311,9 +313,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: none found in commits or changelog vouch: question: | Was there any part of the fix that involved one person vouching for @@ -326,8 +328,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: no supporting dialogue stacktrace: question: | Are there any stacktraces in the bug reports? @@ -341,9 +343,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: none found in commits or changelogs forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +364,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: check for existing free() of resource elsewhere order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -454,7 +456,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: This is a coding lapse. The developer forgot to check if resource was already free CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to