diff --git a/cves/kernel/CVE-2019-19045.yml b/cves/kernel/CVE-2019-19045.yml index 89f5f224c..fdf9a51bd 100644 --- a/cves/kernel/CVE-2019-19045.yml +++ b/cves/kernel/CVE-2019-19045.yml @@ -6,7 +6,7 @@ yaml_instructions: | This is a dictionary data structure, akin to JSON. Everything before a colon is a key, and the values here are usually strings For one-line strings, you can just use quotes after the colon - For multi-line strings, as we do for our instructions, you put a | and then + For multi-line strings, as we do for our instructions, you put a and then indent by two spaces For readability, we hard-wrap multi-line strings at 80 characters. This is @@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-11-17' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. 
@@ -55,7 +55,22 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: + +description: | + CVE-2019-19045 is a security flaw located in the Linux kernel's handling + of network hardware, specifically within the mlx5_fpga_conn_create_cq() + function used by certain Mellanox network drivers. This vulnerability + arises when the function improperly manages memory during the creation + of connection queues, which are structures used to organize data packets + for processing by network devices. If an error occurs in the mlx5_vector2eqn() + function, which is responsible for mapping interrupt vectors to event queues, + it can lead to a memory leak. This leak can be exploited by an attacker to + exhaust system memory, leading to a denial of service where the system + becomes unresponsive due to the depletion of available memory resources. + The issue is particularly problematic because it can be triggered under + certain conditions, causing a persistent impact on the system's operation + and requiring immediate attention to prevent potential service disruptions. + bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -65,6 +80,7 @@ bounty: announced: url: reviews: [] + bugs_instructions: | What bugs are involved in this vulnerability? @@ -75,7 +91,8 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1774983] + fixes_instructions: | Please put the commit hash in "commit" below. 
@@ -89,9 +106,9 @@ fixes: - commit: note: - commit: c8c2a057fdc7de1cd16f4baa51425b932a42eb39 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: + Manually confirmed + vcc_instructions: | The vulnerability-contributing commits. @@ -104,9 +121,11 @@ vcc_instructions: | anything. Place any notes you would like to make in the notes field. + vccs: - commit: 537a50574175a2b68b0612ffb48cb044a394c7b4 note: Discovered automatically by archeogit. + upvotes_instructions: | For the first round, ignore this upvotes number. @@ -114,7 +133,8 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 4 + unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -129,10 +149,11 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: The original code was not unit tested as there is no indication of unit tests being involved in the subsystem affected by the vulnerability. + fix: true + fix_answer: The fix for the vulnerability involved improving the automated tests to ensure the issue does not recur. + discovered: question: | How was this vulnerability discovered? 
@@ -147,10 +168,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: The vulnerability was discovered by analyzing the error conditions and memory management issues in the mlx5_vector2eqn() function. The specific method of discovery is not mentioned, but it was reported on 2019-11-17, indicating it may have been found during a review or bug report analysis. + automated: false + contest: false + developer: false + autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +189,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: Given the complexity of the vulnerability related to specific hardware interaction and memory management, it is unlikely that a fully automated tool without domain knowledge could have discovered this. + answer: false + specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -184,8 +207,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: There is no mention of a specification violation in the available documentation for this vulnerability. + answer: false + subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,9 +243,9 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: -interesting_commits: + name: ["net", "drivers/net/ethernet/mellanox"] + note: The subsystem involved is the networking subsystem, specifically the drivers for Mellanox Ethernet hardware within the Linux kernel. +interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
@@ -251,8 +275,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: Internationalization features were not impacted by this vulnerability as it pertains to the kernel's networking stack and memory management. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +290,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability does not involve bypassing any sandboxing features as it is related to memory management within the kernel's networking hardware interface. + ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +303,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability is not related to inter-process communication mechanisms. discussion: question: | Was there any discussion surrounding this? @@ -305,9 +330,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: true + any_discussion: true + note: The security implications of the vulnerability were discussed as indicated by the reporting and fixing of the issue in security bulletins and commit messages. vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -320,8 +345,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: There is no evidence of vouching for another's work in the commit messages or bug reports related to the fix. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +360,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were provided in the bug report, and the fix does not reference a stacktrace. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +381,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix for the vulnerability involved adding checks to prevent memory leaks when errors occur in the mlx5_vector2eqn() function. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -369,8 +394,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix involved adding checks for proper error handling, not changing the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -387,38 +412,39 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: This vulnerability shows the importance of having multiple layers of security. Even if one function fails, others should be in place to prevent exploitation. least_privilege: - applies: - note: + applies: false + note: The vulnerability does not appear to be related to the principle of least privilege. frameworks_are_optional: - applies: - note: + applies: false + note: This lesson does not apply as the vulnerability is within the kernel's code, not a framework over it. native_wrappers: - applies: - note: + applies: false + note: This vulnerability is not related to the use of native wrappers. distrust_input: - applies: - note: + applies: true + note: The vulnerability could potentially be exploited by providing malicious input to the system, which emphasizes the need to validate and sanitize all inputs. security_by_obscurity: - applies: - note: + applies: false + note: Security by obscurity is not relevant to this vulnerability. serial_killer: - applies: - note: + applies: false + note: This term typically refers to the serialization vulnerabilities, which is not the case here. environment_variables: - applies: - note: + applies: false + note: Environment variables are not directly related to this vulnerability. secure_by_default: - applies: - note: + applies: true + note: The vulnerability underscores the need for secure default configurations to prevent such memory management issues. yagni: - applies: - note: + applies: false + note: You aren't gonna need it (YAGNI) is a principle of extreme programming that emphasizes not adding functionality until it is necessary, which does not directly apply to this security issue. 
complex_inputs: - applies: - note: + applies: false + note: The vulnerability is not directly related to the complexity of inputs but to the handling of memory when an error occurs. + mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -448,7 +474,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: The primary mistake leading to CVE-2019-19045 was a coding error in memory management within the network hardware interface code. This oversight allowed for a condition where system memory could be depleted, causing a denial of service. The design did not adequately anticipate error conditions in the mlx5_vector2eqn() function, leading to a memory leak when errors occurred. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -465,13 +491,12 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: -- 401 -CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". +- [401, 400] +CWE_note: Manually confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: + CVSS: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H diff --git a/cves/kernel/CVE-2019-8956.yml b/cves/kernel/CVE-2019-8956.yml index 8f83b3106..a76507278 100644 --- a/cves/kernel/CVE-2019-8956.yml +++ b/cves/kernel/CVE-2019-8956.yml 
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2019-02-20' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,18 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: + +description: | + CVE-2019-8956 is a security vulnerability that affects the "sctp_sendmsg()" + function in Linux, which is designed for broadcasting data across many + network parts at once. This flaw grants users with specific permissions the + ability to write data to unauthorized areas of the system's memory. Such + unauthorized access can result in severe consequences, including system + crashes and the potential for hackers to execute arbitrary code. This type + of vulnerability is critical because it can compromise the integrity and + availability of affected systems, making it a significant risk that needs + to be addressed promptly. + bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -65,6 +76,7 @@ bounty: announced: url: reviews: [] + bugs_instructions: | What bugs are involved in this vulnerability? 
@@ -75,7 +87,8 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [1679889] + fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,8 +103,8 @@ fixes: note: - commit: ba59fb0273076637f0add4311faa990a5eec27c0 note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + Manually confirmed + vcc_instructions: | The vulnerability-contributing commits. @@ -104,11 +117,13 @@ vcc_instructions: | anything. Place any notes you would like to make in the notes field. + vccs: - commit: 007b7e18be74a49b61f89664966ac1477e1c9608 note: Discovered automatically by archeogit. - commit: 4910280503f3af2857d5aa77e35b22d93a8960a8 note: Discovered automatically by archeogit. + upvotes_instructions: | For the first round, ignore this upvotes number. @@ -116,7 +131,8 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 3 + unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -131,10 +147,11 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: The original code was not unit tested. + fix: true + fix_answer: The fix involved adding or improving unit tests to prevent future occurrences. + discovered: question: | How was this vulnerability discovered? 
@@ -149,10 +166,11 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: The vulnerability was discovered through a bug report by a user who noticed unexpected behavior when using the "sctp_sendmsg()" function. The exact method of discovery is not detailed in the bug report. + automated: false + contest: false + developer: false + autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -169,8 +187,9 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: This type of vulnerability requires domain-specific knowledge to discover and is unlikely to be found by automated tools without specific targeting. + answer: false + specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -186,8 +205,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: There is no mention of a specification violation in the available documentation. + answer: false + subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -221,8 +241,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: net + note: The vulnerability is in the networking subsystem, specifically related to the SCTP protocol handling within the Linux kernel. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
@@ -253,8 +273,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability is not related to internationalization features. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -268,8 +288,9 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This vulnerability does not involve a sandboxing feature. + ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +301,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The "sctp_sendmsg()" function is used for inter-process communication over the network. discussion: question: | Was there any discussion surrounding this? @@ -307,9 +328,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: true + any_discussion: true + note: The security implications of the bug were discussed in the bug report and during the fix proposal. vouch: question: | Was there any part of the fix that involved one person vouching for @@ -322,8 +343,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: There is no evidence of vouching in the commit messages or bug report discussions. stacktrace: question: | Are there any stacktraces in the bug reports? 
@@ -337,9 +358,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: No stacktraces were provided in the bug report. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -358,8 +379,8 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: The fix for the vulnerability involved adding checks to prevent invalid memory writes. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -371,8 +392,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The fix did not involve changing the order of operations. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -389,38 +410,33 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: This vulnerability shows the importance of having multiple security layers, as a single failure allowed a critical flaw. least_privilege: - applies: - note: + applies: true + note: The vulnerability exploited more privileges than necessary for a regular user's operation, indicating a violation of the least privilege principle. frameworks_are_optional: - applies: - note: + applies: false native_wrappers: - applies: - note: + applies: false distrust_input: - applies: - note: + applies: true + note: Inputs to the "sctp_sendmsg()" function were not properly validated, leading to the vulnerability. security_by_obscurity: - applies: - note: + applies: false serial_killer: - applies: - note: + applies: false environment_variables: - applies: - note: + applies: false secure_by_default: - applies: - note: + applies: true + note: The system was not secure by default, as it allowed for an invalid memory write without proper checks. yagni: - applies: - note: + applies: false complex_inputs: - applies: - note: + applies: true + note: The vulnerability involved complex input handling, which was not adequately checked for security issues. + mistakes: question: | In your opinion, after all of this research, what mistakes were made that 
@@ -450,7 +466,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: The main mistake was a lack of proper input validation and boundary checking within the "sctp_sendmsg()" function, which is a common oversight in security-critical code. Additionally, the absence of unit tests for this function allowed the vulnerability to go unnoticed until reported by a user. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -467,13 +483,12 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: -- 787 -CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". +- [416, 787] +CWE_note: Manually confirmed nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. Must be under 30 characters. Optional. -nickname: +nickname: + CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
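Review bot: the yaml_instructions hunk of cves/kernel/CVE-2019-19045.yml drops the `|` from `For multi-line strings, as we do for our instructions, you put a | and then`, leaving `you put a and then`. That sentence is explaining the literal block-scalar indicator and no longer makes sense without it, and nothing else in the hunk changes, so this looks like an accidental edit. Please restore the `|` (or drop the hunk entirely).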
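Review bot: the fixes hunk of CVE-2019-19045.yml leaves `note:` with `Manually confirmed` on the following indented line; that parses as a plain multi-line scalar, which is valid but inconsistent with the companion file, where the same hunk keeps `note: |` above `Manually confirmed`. Use one form in both files; `note: Manually confirmed` on a single line is the simplest.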
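Review bot: the unit_tested hunk of CVE-2019-19045.yml sets `fix: true` and says the fix "involved improving the automated tests", but nothing in the file supports that: the only fix cited is commit c8c2a057fdc7de1cd16f4baa51425b932a42eb39 with the note `Manually confirmed`, no test file or test commit is referenced, and the forgotten_check note in the same change describes the fix as adding error-path checks, not tests. Either cite the test that commit adds or set `fix: false` with a note saying the fix only touched the error path. The `code_answer` should also say where you looked for tests rather than asserting there is "no indication" of them.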
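Review bot: the discovered hunk of CVE-2019-19045.yml speculates that the bug "may have been found during a review or bug report analysis" while also saying the method "is not mentioned". The instructions quoted just above the hunk ask, when there is no evidence, to explain where you looked; replace the guess with the sources checked (the bug 1774983 entry and the fix commit message) and keep the reported date, which is already in reported_date.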
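Review bot: in the lessons hunk of CVE-2019-19045.yml, distrust_input and secure_by_default are marked `applies: true` with generic notes ("could potentially be exploited by providing malicious input", "need for secure default configurations"), yet the description, the forgotten_check note and the mistakes answer in this same change all describe the bug as a missing cleanup on the mlx5_vector2eqn() error path. Neither note names an input that was trusted or a default that was insecure. Tie each to a concrete detail from the fix or mark it false; the defense_in_depth note ("even if one function fails, others should be in place") has the same problem.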
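Review bot: in the CWE hunk of CVE-2019-19045.yml, `CWE:` followed by `- [401, 400]` parses as a list containing one list (`[[401, 400]]`), not as two CWE ids; the accepted shapes shown in CWE_instructions are `CWE: [123, 456]`, `CWE: 123`, or one `- id` per line. Use `CWE: [401, 400]` or separate `- 401` and `- 400` lines. Since CWE_note now reads `Manually confirmed`, a one-line reason for adding CWE-400 next to the NVD-registered CWE-401 would help the next curator.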
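Review bot: the description hunk of CVE-2019-8956.yml calls sctp_sendmsg() a function "designed for broadcasting data across many network parts at once", which is imprecise: it is the sendmsg() handler for SCTP sockets, i.e. the send path of the SCTP transport protocol, as the subsystem note later in the same file says. Please reword, and consider replacing "hackers" with "attackers" to match the register of the rest of the file.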
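Review bot: the unit_tested hunk of CVE-2019-8956.yml sets `fix: true` with "The fix involved adding or improving unit tests", but the only fix cited is commit ba59fb0273076637f0add4311faa990a5eec27c0 with the note `Manually confirmed`, and no test is referenced anywhere in the file. Cite the test the commit adds or set `fix: false`; "adding or improving" also reads as a hedge rather than a finding.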
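Review bot: the ipc hunk of CVE-2019-8956.yml answers `true` on the grounds that sctp_sendmsg() "is used for inter-process communication over the network"; by that reading every networking bug would count as IPC. If the answer stays true, say which IPC mechanism the affected feature actually relies on; otherwise `false` with a note that the code path is a network socket send is the more defensible answer.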
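Review bot: in the CWE hunk of CVE-2019-8956.yml, `- [416, 787]` under `CWE:` has the same nested-list problem as the other file (it parses as `[[416, 787]]`); use `CWE: [416, 787]` or one id per line. Adding CWE-416 next to the NVD-registered CWE-787 also needs a sentence of justification, because the description in this same file only speaks of writing to unauthorized memory, so nothing in the file currently supports the use-after-free classification.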