From dd520bceeaa27b0847b03f63fd374140236fbf75 Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Tue, 7 Nov 2023 14:40:21 -0500 Subject: [PATCH 1/7] Finished Researching the CVE --- cves/kernel/CVE-2015-5366.yml | 109 +++++++++++++++++++++++----------- 1 file changed, 74 insertions(+), 35 deletions(-) diff --git a/cves/kernel/CVE-2015-5366.yml b/cves/kernel/CVE-2015-5366.yml index 4e5512136..299db1b3e 100644 --- a/cves/kernel/CVE-2015-5366.yml +++ b/cves/kernel/CVE-2015-5366.yml @@ -55,7 +55,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: +The udp_revmsg and udpv6_recvmsg functions in the linuz kernel that provide +inappropriate EAGAIN return values. This allows attackers to perform a DOS via +incorrect checksum in a UDP packet bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +78,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: ["1478843", "1479369", "1479370"] fixes_instructions: | Please put the commit hash in "commit" below. @@ -136,9 +139,11 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: - code_answer: - fix: - fix_answer: + code_answer: + Returns -EAGAIN to the application even if recieve queue is not empty. + This breaks the application using edge trigger epoll() + fix: false + fix_answer: remove the code that was causing the incorrect return statement discovered: question: | How was this vulnerability discovered? 
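Review bot: In the description hunk (@@ -55,7 +55,10) the function name is misspelled: the kernel functions are `udp_recvmsg` and `udpv6_recvmsg`, not `udp_revmsg`, and the sentence is a fragment ("functions ... that provide inappropriate EAGAIN return values" has no main verb). The three added lines also sit at column 0 under `description:`, so YAML will not read them as that key's value; indent them. Suggested wording: "The udp_recvmsg and udpv6_recvmsg functions in the Linux kernel return EAGAIN inappropriately, which allows a remote attacker to cause a denial of service via a UDP packet with an incorrect checksum."

Review bot: In the unit_tested hunk (@@ -136,9 +139,11) `code:` is left empty while `code_answer` describes the bug ("Returns -EAGAIN ... breaks the application using edge trigger epoll()") rather than answering whether the original code was unit tested, and `fix_answer` describes the code change rather than whether the fix added or improved an automated test, which is what the instructions directly above ask. Fill `code:` with a boolean, rewrite both answers around test coverage, and move the epoll insight into the description or mistakes entry. Typo: "recieve".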
@@ -153,10 +158,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: + The vulnerability was found in a twitter message where the security team was + contacted to create the CVE, + automated: false + contest: nil + developer: nil autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -173,8 +180,12 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: + The reason why this bug can be discovered automatically is because the + bug causes a DOS attack because it causes an infinite loop making it so + that users can't get acces to the data. This can be tested automatically + by tesitng edge cases for return values. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -190,8 +201,10 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: + there was no violation of a specification as the bug appeared from not + properly checking and validating the result before returning it. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -225,7 +238,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: This bug affect the net subsystem note: interesting_commits: question: | 
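Review bot: In the discovered hunk (@@ -153,10 +158,12) `contest: nil` and `developer: nil` load as the string "nil", not as null or a boolean; these fields take true/false, so use `false` (or leave them blank). The answer ends with a trailing comma, and "a twitter message" is too thin a citation: link the message or the oss-sec thread referenced later in this file.

Review bot: In the autodiscoverable hunk (@@ -173,8 +180,12) the note argues from the impact (a DoS, an infinite loop) rather than from whether a tool with little domain knowledge could find the bug; the hang is what such a tool would observe, so the note should say what kind of tool would trigger it (a fuzzer sending UDP datagrams with bad checksums) and why that needs no domain knowledge. Typos: "acces", "tesitng". The specification note below it should start with a capital letter.

Review bot: In the subsystem hunk (@@ -225,7 +238,7) `name:` expects a subsystem identifier (the example above the hunk shows `name: subsystemA` or a list), not a sentence; use `name: net` and move the explanation into `note:`. "affect" should be "affects" if the sentence is kept.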
@@ -240,9 +253,15 @@ interesting_commits: * A significant rewrite in the git history * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. - commits: - - commit: + commits: + - commit: + beb39db59d14990e401e235faf66a6b9b31240b0 note: + The reason that I found this commit interesting is because the + developer mentions that it could only be tempory solution and + says that they might return to it later. This makes it seem that + the developer was not sure if the fix would work and thought it + would just be a band-aid on the problem. - commit: note: i18n: @@ -257,8 +276,10 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: + The main thing that was impacted this was the accesibiliy to the public becaue + the DOS would make it so that people would not be able to access the application sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -272,8 +293,11 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + Since the attacker is able to cause a DOS attack because this vulnerability + it affects the accesibility of the application which interferes with + internationalization ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -284,8 +308,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + This vulnerability directly affected UDP connection as it was interuptin the + UDP stack causing trouble with communication. discussion: question: | Was there any discussion surrounding this? 
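Review bot: In the interesting_commits hunk (@@ -240,9 +253,15) the hash is placed on its own line under `- commit:`; put it on the key line and quote it, `- commit: 'beb39db59d14990e401e235faf66a6b9b31240b0'`, so a 40-character hex string is never loaded as a number, and name the commit (author and subject) so a reader can verify the "temporary solution" claim without looking it up. Typo: "tempory".

Review bot: In the sandbox hunk (@@ -272,8 +293,11) `answer: true` is not supported by its own note, which repeats the i18n reasoning ("interferes with internationalization") instead of naming a sandboxing feature that was violated; a denial of service from a bad UDP checksum does not cross any sandbox boundary, so set `answer: false` and write a note about sandboxing. The i18n note just above also needs work: "accesibiliy", "becaue", and it does not say why internationalization is unaffected.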
@@ -312,8 +338,11 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. discussed_as_security: + The discussion is talking about the security risk of the invalid checksum and + what threath it is to the system any_discussion: note: + https://seclists.org/oss-sec/2015/q3/10 vouch: question: | Was there any part of the fix that involved one person vouching for @@ -326,8 +355,10 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + This is because the on the commit message fixing the bug it was signed off bu both Eric Dumazet and + David S. Miller stacktrace: question: | Are there any stacktraces in the bug reports? @@ -341,9 +372,11 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: The main reason why there are no stacktraces is that the error + causes an infinite loop causing the program to hang instead of a + stack trace. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,8 +395,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + The fix involved having to check if the return value for the udp was valid + befoe returning the value. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
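Review bot: In the discussion hunk (@@ -312,8 +338,11) `discussed_as_security` and `any_discussion` are boolean fields per the template, but `discussed_as_security` was given a prose sentence and `any_discussion` was left empty while the link went under `note:`. Set both to true/false and move "The discussion is talking about the security risk of the invalid checksum ..." into `note:` next to the URL. Typo: "threath".

Review bot: In the vouch hunk (@@ -326,8 +355,10) the note has grammar slips ("This is because the on the commit message", "signed off bu both") and does not identify which commit carries the Signed-off-by lines; name or link it so the vouching claim can be checked. In the forgotten_check hunk (@@ -362,8 +395,10): "befoe".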
@@ -375,8 +410,9 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: This is because the only thing that needed to be change was to add a + check to make sure the return value is valid before returning. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -396,22 +432,22 @@ lessons: applies: note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: applies: note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: applies: @@ -420,8 +456,10 @@ lessons: applies: note: yagni: - applies: - note: + applies: true + note: This is because the check for valid return value + was not added until the developers realized that threat + actors could exploit it. complex_inputs: applies: note: @@ -454,7 +492,8 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: There was a lapse in judgment in that the developers forgot to + check if the return value was valid. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 62037be86793332e8f37980d872e83c994548530 Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Tue, 7 Nov 2023 19:19:06 -0500 Subject: [PATCH 2/7] Finished researching CVE-2016-2184 --- cves/kernel/CVE-2016-2184.yml | 115 ++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 41 deletions(-) diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index 5899d0467..d40996d53 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml 
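Review bot: In the lessons hunk (@@ -396,22 +432,22) `distrust_input` is left blank although the bug is triggered by a UDP packet with a bad checksum, which is exactly the untrusted input that was mishandled; fill `applies:` and a note there. In the following hunk (@@ -420,8 +456,10) `yagni: applies: true` misreads the lesson: YAGNI is about not building speculative features, while the note describes a check that was missing until the bug was found, which is the forgotten-check story already recorded above. Set it to false or explain the connection.

Review bot: In the mistakes hunk (@@ -454,7 +492,8) the answer is a single sentence; the instructions ask for an entry practitioners would find interesting, so say why returning -EAGAIN with a non-empty receive queue was easy to get wrong and why edge-triggered epoll() turned it into a hang (the code_answer earlier in this file already contains that insight). "lapse in judgment" is also vague; "a missing check on the return value" is the concrete mistake.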
@@ -56,6 +56,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: +The create_fixed_stream_quirk funcrtion in sound/usb/quirks.c in the snd-usb-audio +driver in the Linux kernel before 4.5.1 allows physicaaly prximate attackers to +cause a DOS (NULL pointer dereference or double free and system crash) via a +crafted endpoints value in a USB device descriptor bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -75,7 +79,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [971125] fixes_instructions: | Please put the commit hash in "commit" below. @@ -84,14 +88,16 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: +- commit: 0f886ca12765d20124bd06291c82951fd49a33be note: + create_fixed_stream_quirk() may cause a NULL-pointer dereference by + accessing the non-existing endpoint when a USB device with a malformed USB + descriptor is used. This patch avoids it simply by adding a sanity check of + bNumEndpoints before the accesses. - commit: note: -- commit: 0f886ca12765d20124bd06291c82951fd49a33be +- commit: note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -119,7 +125,7 @@ upvotes_instructions: | interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. upvotes: -unit_tested: +unit_tested: false question: | Were automated unit tests involved in this vulnerability? Was the original code unit tested, or not unit tested? Did the fix involve 
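Review bot: In the description hunk (@@ -56,6 +56,10) there are spelling errors "funcrtion", "physicaaly", "prximate", "DOS" should be "DoS", and the lines are not indented under `description:`, the same YAML problem as in CVE-2015-5366.yml.

Review bot: In the bugs hunk `bugs: [971125]` is an unquoted integer while the other file quotes its ids as strings; quote it for consistency. In the fixes hunk (@@ -84,14 +88,16) the instructions being removed say to fact-check the commit and replace the comment with 'Manually confirmed'; instead the comment was deleted and the note now carries text that reads like the upstream commit message. If the message is quoted, attribute it as such, and add 'Manually confirmed' so later curators know the hash was verified.

Review bot: In the upvotes hunk (@@ -119,7 +125,7) `unit_tested: false` is invalid YAML: `unit_tested` is a mapping with nested `question`, `code` and `fix` keys, so it cannot also take a scalar on the same line. Leave `unit_tested:` bare and put the booleans in `code:` and `fix:`.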
@@ -133,10 +139,14 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: + code: false code_answer: + added a check to make sure that the number of endpoints is greater than 1 + then taking action based on that fix: fix_answer: + The fix was adding a check to make sure that the number of endpoints was + greater than 1 discovered: question: | How was this vulnerability discovered? @@ -151,11 +161,13 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: -autodiscoverable: + answer: + The bug was found using the USB-fuzzing frramework from SergeJ Shumilo. This + found out that the crash was caused by a zero value for bNumEndpoints. + automated: true + contest: nil + developer: nil +autodiscoverable: nil instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, @@ -171,8 +183,11 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: + note: + https://seclists.org/bugtraq/2016/Mar/89 The developers used a + USB-fuzzing framework to discover the bug. answer: + true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -189,7 +204,9 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - answer: + This is because the application does not check for endpoints which is + a very realistic possiblity that can occur. + answer: true subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
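Review bot: In the unit_tested hunk (@@ -133,10 +139,14) both answers say the check ensures the number of endpoints is "greater than 1", but the discovered answer in the same patch says the crash was caused by a zero value for bNumEndpoints, and later notes say "greater than 0"; the sanity check is that at least one endpoint exists, so use one consistent condition. `fix:` is also empty while `fix_answer` is filled, and, as in the other file, both answers describe the code change rather than whether tests were involved.

Review bot: In the discovered hunk (@@ -151,11 +161,13) `autodiscoverable: nil` has the same structural problem as `unit_tested: false` above (a nested mapping given a scalar on its key line), and `nil` is a string in YAML, not null; `contest: nil` and `developer: nil` should be `false`. "frramework" is a typo and the researcher's name should be checked against the referenced seclists post.

Review bot: In the specification hunk (@@ -189,7 +204,9) `answer: true` conflicts with its note, which describes a missing check ("does not check for endpoints") rather than a violated specification; the identical reasoning in CVE-2015-5366.yml produced `answer: false`. Either name the specification and the clause a zero bNumEndpoints violates, or set false. Typo: "possiblity".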
@@ -223,7 +240,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: + name: The subsystem that the bug was apart of was the sound subsystem note: interesting_commits: question: | @@ -255,8 +272,10 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: + This bug does not affect internationalization as it only impacts + being able to connect to USB devices sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +289,10 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + This is because the user might not be able to connect to the application + via USB and be able to use the audio. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -282,8 +303,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: ture note: + This is because the bug impacts the usb connection which transfers data using packets discussion: question: | Was there any discussion surrounding this? @@ -309,8 +331,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: + discussed_as_security: false + any_discussion: false note: vouch: question: | @@ -324,8 +346,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + Takashi Iwai signed off the commit that fixed the error in github. stacktrace: question: | Are there any stacktraces in the bug reports? 
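Review bot: In the subsystem hunk (@@ -223,7 +240,7) `name:` should be an identifier (`name: sound`), not a sentence; if the sentence moves to `note:`, "apart of" should be "a part of". In the sandbox hunk (@@ -270,8 +289,10) `answer: true` is unsupported: the note describes loss of USB audio functionality, not a sandboxing feature being violated; set false. In the ipc hunk (@@ -282,8 +303,9) `answer: ture` will load as a string and fail any boolean check; fix to `true`.

Review bot: In the vouch hunk (@@ -324,8 +346,9) the note says the commit was signed off "in github"; link the fixing commit (the hash is already recorded under fixes) rather than a hosting site, so the Signed-off-by evidence is checkable.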
@@ -339,9 +362,11 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: + any_stacktraces: true + stacktrace_with_fix: false note: + There was a message sent explaing the details of the bug that included a + stacktrace. https://seclists.org/bugtraq/2016/Mar/88 forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +385,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: + answer: true note: + This is because there was a forgotten check if the number of endpoints is + greater than 0. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -373,8 +400,10 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: + The only fix that was needed was to make sure that there were more than + one endpoints. lessons: question: | Are there any common lessons we have learned from class that apply to this 
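Review bot: In the forgotten_check (@@ -360,8 +385,10) and order_of_operations (@@ -373,8 +400,10) hunks the notes say "greater than 0" and "more than one endpoints" respectively, contradicting each other and the "greater than 1" used earlier in this file; the diagnosis elsewhere is a zero bNumEndpoints, so state the condition as "at least one endpoint" everywhere. In the stacktrace hunk: "explaing".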
@@ -390,38 +419,39 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. - defense_in_depth: - applies: + defense_in_depth: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: - note: + applies: true + note: The reason the error was happening was because of an unsanitized input security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: - note: + applies: true + note: The reason the error was happening was because there was nothing checking + the endpoint value secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -453,6 +483,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: + The main mistake that was made in this application was not sanitizng + the inputs to check and see if there was moe than one endpoint connected + via USB CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From e4407429a99dafb2644cc585c15aad05f2d1bb47 Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Fri, 10 Nov 2023 11:03:41 -0500 Subject: [PATCH 3/7] Fixed an spelling error --- cves/kernel/CVE-2016-2184.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index d40996d53..3e5a8bb41 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml 
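Review bot: In the lessons hunk (@@ -390,38 +419,39) `environment_variables: applies: true` is not justified: its note repeats the distrust_input reasoning, and a field in a USB descriptor is not an environment variable; set false and keep the reasoning under distrust_input. The `defense_in_depth:` key appears as removed and re-added with no visible text change, which suggests a whitespace-only edit; confirm the indentation is intended.

Review bot: In the mistakes hunk (@@ -453,6 +483,9) "sanitizng" and "moe" are typos, and "more than one endpoint" again conflicts with the zero-endpoint diagnosis recorded under discovered.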
@@ -56,7 +56,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: -The create_fixed_stream_quirk funcrtion in sound/usb/quirks.c in the snd-usb-audio +The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physicaaly prximate attackers to cause a DOS (NULL pointer dereference or double free and system crash) via a crafted endpoints value in a USB device descriptor @@ -88,7 +88,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: 0f886ca12765d20124bd06291c82951fd49a33be +- commit: '0f886ca12765d20124bd06291c82951fd49a33be' note: create_fixed_stream_quirk() may cause a NULL-pointer dereference by accessing the non-existing endpoint when a USB device with a malformed USB @@ -140,7 +140,7 @@ unit_tested: false For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: + code_answer: added a check to make sure that the number of endpoints is greater than 1 then taking action based on that fix: From 6f0a233ffb716fb697eacf9f17b3945ad2d5c748 Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Sat, 11 Nov 2023 09:48:47 -0500 Subject: [PATCH 4/7] Fixed YAML formatting --- cves/kernel/CVE-2015-5366.yml | 90 ++++++++++++++++++----------------- cves/kernel/CVE-2016-2184.yml | 78 +++++++++++++++--------------- 2 files changed, 87 insertions(+), 81 deletions(-) diff --git a/cves/kernel/CVE-2015-5366.yml b/cves/kernel/CVE-2015-5366.yml index 299db1b3e..e06a3c04e 100644 --- a/cves/kernel/CVE-2015-5366.yml +++ b/cves/kernel/CVE-2015-5366.yml 
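Review bot: The subject says one spelling fix, but the hunks also quote the commit hash and re-indent code_answer, and the touched description line still carries "physicaaly prximate"; fix those in the same pass so the line is not edited a third time. Quoting the hash is the right call and should be applied to the beb39db59d14990e401e235faf66a6b9b31240b0 entry in CVE-2015-5366.yml as well.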
@@ -56,9 +56,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: -The udp_revmsg and udpv6_recvmsg functions in the linuz kernel that provide -inappropriate EAGAIN return values. This allows attackers to perform a DOS via -incorrect checksum in a UDP packet + The udp_revmsg and udpv6_recvmsg functions in the linuz kernel that provide + inappropriate EAGAIN return values. This allows attackers to perform a DOS via + incorrect checksum in a UDP packet bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -140,8 +140,8 @@ unit_tested: adding or improving an automated test to ensure this doesn't happen again. code: code_answer: - Returns -EAGAIN to the application even if recieve queue is not empty. - This breaks the application using edge trigger epoll() + Returns -EAGAIN to the application even if recieve queue is not empty. + This breaks the application using edge trigger epoll() fix: false fix_answer: remove the code that was causing the incorrect return statement discovered: @@ -159,8 +159,8 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: - The vulnerability was found in a twitter message where the security team was - contacted to create the CVE, + The vulnerability was found in a twitter message where the security team was + contacted to create the CVE, automated: false contest: nil developer: nil 
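Review bot: The re-indentation puts the `description:` value where YAML can read it, but the text still has `udp_revmsg` (the function is `udp_recvmsg`), "linuz", "DOS", and "recieve" in code_answer, and the discovered answer still ends with a trailing comma; since these lines are being rewritten anyway, fix the wording in the same hunk.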
@@ -181,10 +181,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - The reason why this bug can be discovered automatically is because the - bug causes a DOS attack because it causes an infinite loop making it so - that users can't get acces to the data. This can be tested automatically - by tesitng edge cases for return values. + The reason why this bug can be discovered automatically is because the + bug causes a DOS attack because it causes an infinite loop making it so + that users can't get acces to the data. This can be tested automatically + by tesitng edge cases for return values. answer: true specification: instructions: | @@ -202,8 +202,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - there was no violation of a specification as the bug appeared from not - properly checking and validating the result before returning it. + there was no violation of a specification as the bug appeared from not + properly checking and validating the result before returning it. answer: false subsystem: question: | 
@@ -255,13 +255,13 @@ interesting_commits: * Anything else you find interesting. commits: - commit: - beb39db59d14990e401e235faf66a6b9b31240b0 + beb39db59d14990e401e235faf66a6b9b31240b0 note: - The reason that I found this commit interesting is because the - developer mentions that it could only be tempory solution and - says that they might return to it later. This makes it seem that - the developer was not sure if the fix would work and thought it - would just be a band-aid on the problem. + The reason that I found this commit interesting is because the + developer mentions that it could only be tempory solution and + says that they might return to it later. This makes it seem that + the developer was not sure if the fix would work and thought it + would just be a band-aid on the problem. - commit: note: i18n: @@ -278,8 +278,8 @@ i18n: what your answer was. answer: false note: - The main thing that was impacted this was the accesibiliy to the public becaue - the DOS would make it so that people would not be able to access the application + The main thing that was impacted this was the accesibiliy to the public becaue + the DOS would make it so that people would not be able to access the application sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -295,9 +295,9 @@ sandbox: what your answer was. answer: true note: - Since the attacker is able to cause a DOS attack because this vulnerability - it affects the accesibility of the application which interferes with - internationalization + Since the attacker is able to cause a DOS attack because this vulnerability + it affects the accesibility of the application which interferes with + internationalization ipc: question: | Did the feature that this vulnerability affected use inter-process 
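Review bot: In the interesting_commits hunk (@@ -255,13 +255,13) the hash is still on its own line under `- commit:`; moving it onto the key line and quoting it would match the change already made to the fixes entry in CVE-2016-2184.yml. The sandbox note re-indented here still justifies `answer: true` with internationalization reasoning, so the indentation fix does not resolve the earlier comment on that field.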
@@ -310,8 +310,8 @@ ipc: what your answer was. answer: true note: - This vulnerability directly affected UDP connection as it was interuptin the - UDP stack causing trouble with communication. + This vulnerability directly affected UDP connection as it was interuptin the + UDP stack causing trouble with communication. discussion: question: | Was there any discussion surrounding this? @@ -338,11 +338,11 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. discussed_as_security: - The discussion is talking about the security risk of the invalid checksum and - what threath it is to the system + The discussion is talking about the security risk of the invalid checksum and + what threath it is to the system any_discussion: note: - https://seclists.org/oss-sec/2015/q3/10 + https://seclists.org/oss-sec/2015/q3/10 vouch: question: | Was there any part of the fix that involved one person vouching for @@ -357,8 +357,8 @@ vouch: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true note: - This is because the on the commit message fixing the bug it was signed off bu both Eric Dumazet and - David S. Miller + This is because the on the commit message fixing the bug it was signed off bu both Eric Dumazet and + David S. Miller stacktrace: question: | Are there any stacktraces in the bug reports? @@ -374,9 +374,10 @@ stacktrace: what your answer was. any_stacktraces: false stacktrace_with_fix: false - note: The main reason why there are no stacktraces is that the error - causes an infinite loop causing the program to hang instead of a - stack trace. + note: + The main reason why there are no stacktraces is that the error + causes an infinite loop causing the program to hang instead of a + stack trace. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
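Review bot: In the discussion hunk (@@ -338,11 +338,11) `discussed_as_security` is still a prose sentence and `any_discussion` is still empty after the re-indent; the template wants booleans in both, with the sentence and the URL under `note:`.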
@@ -397,8 +398,8 @@ forgotten_check: what your answer was. answer: true note: - The fix involved having to check if the return value for the udp was valid - befoe returning the value. + The fix involved having to check if the return value for the udp was valid + befoe returning the value. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -411,8 +412,9 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: This is because the only thing that needed to be change was to add a - check to make sure the return value is valid before returning. + note: + This is because the only thing that needed to be change was to add a + check to make sure the return value is valid before returning. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -457,9 +459,10 @@ lessons: note: yagni: applies: true - note: This is because the check for valid return value - was not added until the developers realized that threat - actors could exploit it. + note: + This is because the check for valid return value + was not added until the developers realized that threat + actors could exploit it. complex_inputs: applies: note: @@ -492,8 +495,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: There was a lapse in judgment in that the developers forgot to - check if the return value was valid. + answer: + There was a lapse in judgment in that the developers forgot to + check if the return value was valid. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index 3e5a8bb41..7cb059873 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml 
@@ -56,10 +56,10 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: -The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio -driver in the Linux kernel before 4.5.1 allows physicaaly prximate attackers to -cause a DOS (NULL pointer dereference or double free and system crash) via a -crafted endpoints value in a USB device descriptor + The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio + driver in the Linux kernel before 4.5.1 allows physicaaly prximate attackers to + cause a DOS (NULL pointer dereference or double free and system crash) via a + crafted endpoints value in a USB device descriptor bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -90,10 +90,10 @@ fixes_instructions: | fixes: - commit: '0f886ca12765d20124bd06291c82951fd49a33be' note: - create_fixed_stream_quirk() may cause a NULL-pointer dereference by - accessing the non-existing endpoint when a USB device with a malformed USB - descriptor is used. This patch avoids it simply by adding a sanity check of - bNumEndpoints before the accesses. + create_fixed_stream_quirk() may cause a NULL-pointer dereference by + accessing the non-existing endpoint when a USB device with a malformed USB + descriptor is used. This patch avoids it simply by adding a sanity check of + bNumEndpoints before the accesses. - commit: note: - commit: @@ -125,7 +125,8 @@ upvotes_instructions: | interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. upvotes: -unit_tested: false + unit_tested: + false question: | Were automated unit tests involved in this vulnerability? Was the original code unit tested, or not unit tested? Did the fix involve 
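Review bot: In the upvotes hunk (@@ -125,7 +125,8) `-unit_tested: false` becomes `+ unit_tested:` with a leading space and `+ false` on the next line; indenting the key nests it under `upvotes:`, the bare `false` then becomes its value, and the following `question: |` block stays at the old level, so the file is still not valid YAML. Restore `unit_tested:` at column 0 with no scalar value and put the boolean in `code:` / `fix:`.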
@@ -141,12 +142,12 @@ unit_tested: false adding or improving an automated test to ensure this doesn't happen again. code: false code_answer: - added a check to make sure that the number of endpoints is greater than 1 - then taking action based on that + added a check to make sure that the number of endpoints is greater than 1 + then taking action based on that fix: fix_answer: - The fix was adding a check to make sure that the number of endpoints was - greater than 1 + The fix was adding a check to make sure that the number of endpoints was + greater than 1 discovered: question: | How was this vulnerability discovered? @@ -162,12 +163,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: - The bug was found using the USB-fuzzing frramework from SergeJ Shumilo. This - found out that the crash was caused by a zero value for bNumEndpoints. + The bug was found using the USB-fuzzing frramework from SergeJ Shumilo. This + found out that the crash was caused by a zero value for bNumEndpoints. automated: true contest: nil developer: nil -autodiscoverable: nil +autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered this? These are tools that require little knowledge of the domain, @@ -184,10 +185,10 @@ autodiscoverable: nil The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - https://seclists.org/bugtraq/2016/Mar/89 The developers used a - USB-fuzzing framework to discover the bug. + https://seclists.org/bugtraq/2016/Mar/89 The developers used a + USB-fuzzing framework to discover the bug. answer: - true + true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
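Review bot: Reverting `autodiscoverable: nil` to a bare `autodiscoverable:` is correct; the same treatment is still needed for `contest: nil` and `developer: nil` a few lines above, which remain strings. In the same hunk `answer:` followed by `true` on the next line should be folded to `answer: true` for consistency with every other boolean in the file, and "frramework" remains.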
@@ -204,8 +205,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - This is because the application does not check for endpoints which is - a very realistic possiblity that can occur. + This is because the application does not check for endpoints which is + a very realistic possiblity that can occur. answer: true subsystem: question: | @@ -274,8 +275,8 @@ i18n: what your answer was. answer: false note: - This bug does not affect internationalization as it only impacts - being able to connect to USB devices + This bug does not affect internationalization as it only impacts + being able to connect to USB devices sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -291,8 +292,8 @@ sandbox: what your answer was. answer: true note: - This is because the user might not be able to connect to the application - via USB and be able to use the audio. + This is because the user might not be able to connect to the application + via USB and be able to use the audio. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -305,7 +306,7 @@ ipc: what your answer was. answer: ture note: - This is because the bug impacts the usb connection which transfers data using packets + This is because the bug impacts the usb connection which transfers data using packets discussion: question: | Was there any discussion surrounding this? @@ -348,7 +349,7 @@ vouch: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true note: - Takashi Iwai signed off the commit that fixed the error in github. + Takashi Iwai signed off the commit that fixed the error in github. stacktrace: question: | Are there any stacktraces in the bug reports? 
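Review bot: In the ipc hunk (@@ -305,7 +306,7) the context line still reads `answer: ture`; the typo was not picked up by this formatting pass and will load as a string rather than a boolean.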
@@ -365,8 +366,8 @@ stacktrace: any_stacktraces: true stacktrace_with_fix: false note: - There was a message sent explaing the details of the bug that included a - stacktrace. https://seclists.org/bugtraq/2016/Mar/88 + There was a message sent explaing the details of the bug that included a + stacktrace. https://seclists.org/bugtraq/2016/Mar/88 forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -387,8 +388,8 @@ forgotten_check: what your answer was. answer: true note: - This is because there was a forgotten check if the number of endpoints is - greater than 0. + This is because there was a forgotten check if the number of endpoints is + greater than 0. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -402,8 +403,8 @@ order_of_operations: what your answer was. answer: false note: - The only fix that was needed was to make sure that there were more than - one endpoints. + The only fix that was needed was to make sure that there were more than + one endpoints. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -442,8 +443,9 @@ lessons: note: environment_variables: applies: true - note: The reason the error was happening was because there was nothing checking - the endpoint value + note: + The reason the error was happening was because there was nothing checking + the endpoint value secure_by_default: applies: false note: 
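Review bot: the `lessons.environment_variables` hunk marks that lesson as applying, but its note describes an unchecked field in a USB device descriptor, which is untrusted device input rather than an environment variable; the applicable lesson is the missing input check already recorded in the `forgotten_check` hunk above, so this should be `applies: false`. The `order_of_operations` note ("more than one endpoints") also contradicts the `forgotten_check` note ("greater than 0") two hunks earlier; the fix rejects a zero endpoint count, so both should say "at least one endpoint". The re-indented `stacktrace` note still reads "explaing".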
@@ -483,9 +485,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: - The main mistake that was made in this application was not sanitizng - the inputs to check and see if there was moe than one endpoint connected - via USB + The main mistake that was made in this application was not sanitizng + the inputs to check and see if there was moe than one endpoint connected + via USB CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From c4678d630dd87f338f1d24a6fd50e926b5c75db2 Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Sun, 12 Nov 2023 12:09:14 -0500 Subject: [PATCH 5/7] Fixed the lines 'jym2584' commented on --- cves/kernel/CVE-2015-5366.yml | 10 +++++----- cves/kernel/CVE-2016-2184.yml | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cves/kernel/CVE-2015-5366.yml b/cves/kernel/CVE-2015-5366.yml index e06a3c04e..4d7511b34 100644 --- a/cves/kernel/CVE-2015-5366.yml +++ b/cves/kernel/CVE-2015-5366.yml @@ -56,7 +56,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: - The udp_revmsg and udpv6_recvmsg functions in the linuz kernel that provide + The udp_revmsg and udpv6_recvmsg functions in the linux kernel that provide inappropriate EAGAIN return values. This allows attackers to perform a DOS via incorrect checksum in a UDP packet bounty_instructions: | @@ -310,7 +310,7 @@ ipc: what your answer was. answer: true note: - This vulnerability directly affected UDP connection as it was interuptin the + This vulnerability directly affected UDP connection as it was interrupting the UDP stack causing trouble with communication. discussion: question: | 
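Review bot: the `description` hunk for CVE-2015-5366 fixes "linuz" but leaves "udp_revmsg", which should be udp_recvmsg to match udpv6_recvmsg in the same sentence, and "DOS" should be "DoS" (denial of service). The `mistakes` hunk at the top of this line re-indents the text without correcting "sanitizng" and "moe", and "more than one endpoint" should be "at least one endpoint" to match the zero-endpoint trigger described elsewhere in the file.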
@@ -339,7 +339,7 @@ discussion: comment you want to make. discussed_as_security: The discussion is talking about the security risk of the invalid checksum and - what threath it is to the system + what threat it is to the system any_discussion: note: https://seclists.org/oss-sec/2015/q3/10 @@ -357,8 +357,8 @@ vouch: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true note: - This is because the on the commit message fixing the bug it was signed off bu both Eric Dumazet and - David S. Miller + This is because the on the commit message fixing the bug it was signed off by both Eric Dumazet and + David S. Miller. https://github.com/torvalds/linux/commit/beb39db59d14990e401e235faf66a6b9b31240b0 stacktrace: question: | Are there any stacktraces in the bug reports? diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index 7cb059873..1f36d1e9d 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml @@ -163,7 +163,7 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. answer: - The bug was found using the USB-fuzzing frramework from SergeJ Shumilo. This + The bug was found using the USB-fuzzing framework from SergeJ Shumilo. This found out that the crash was caused by a zero value for bNumEndpoints. automated: true contest: nil @@ -241,7 +241,7 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: The subsystem that the bug was apart of was the sound subsystem + name: Sound note: interesting_commits: question: | From f25805960b794e48352a5e681952daf6f0950d0a Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Sun, 12 Nov 2023 13:40:48 -0500 Subject: [PATCH 6/7] Fixed the lines 'Nolan White' commented on --- cves/kernel/CVE-2016-2184.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
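Review bot: in the `vouch` hunk, "This is because the on the commit message" still carries a stray "the" after the "bu" to "by" fix; suggest "This is because the commit message fixing the bug was signed off by both Eric Dumazet and David S. Miller." In the CVE-2016-2184 `discovered` hunk, "frramework" is corrected but the researcher's name spelling should be checked against the cited seclists post before it is committed as-is.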
diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index 1f36d1e9d..1a76da6a6 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml @@ -56,10 +56,9 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: - The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio - driver in the Linux kernel before 4.5.1 allows physicaaly prximate attackers to - cause a DOS (NULL pointer dereference or double free and system crash) via a - crafted endpoints value in a USB device descriptor + This is a bug that causes a null-pointer error when there are no USB devices + connected. This allows a threat actor to crash the system and cause a denial + of service in the system. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -79,7 +78,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [971125] +bugs: [1317012] fixes_instructions: | Please put the commit hash in "commit" below. @@ -90,7 +89,7 @@ fixes_instructions: | fixes: - commit: '0f886ca12765d20124bd06291c82951fd49a33be' note: - create_fixed_stream_quirk() may cause a NULL-pointer dereference by + This bug causes a NULL-pointer dereference by accessing the non-existing endpoint when a USB device with a malformed USB descriptor is used. This patch avoids it simply by adding a sanity check of bNumEndpoints before the accesses. @@ -124,7 +123,8 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: + +upvotes: unit_tested: false question: | 
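Review bot: the new `description` text misstates the trigger: the NULL pointer dereference is not caused by having no USB devices connected but by a connected device whose descriptor advertises zero endpoints, exactly what the `fixes` note in this same patch describes ("a USB device with a malformed USB descriptor"). The details dropped from the old text (physically proximate attacker, crafted endpoints value in the device descriptor, kernels before 4.5.1, NULL pointer dereference or double free) were the accurate part and should be kept, rephrased in plain language if the audience requires it. The `fixes` note rewrite also removes the function name create_fixed_stream_quirk(), which is the only pointer in the file to where the bug lives; keep it. The blank line added before `upvotes:` is noise.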
@@ -144,7 +144,7 @@ upvotes: code_answer: added a check to make sure that the number of endpoints is greater than 1 then taking action based on that - fix: + fix: true fix_answer: The fix was adding a check to make sure that the number of endpoints was greater than 1 @@ -164,7 +164,7 @@ discovered: explain where you looked. answer: The bug was found using the USB-fuzzing framework from SergeJ Shumilo. This - found out that the crash was caused by a zero value for bNumEndpoints. + found out that the crash was caused by a zero value for the number of endpoints. automated: true contest: nil developer: nil @@ -205,8 +205,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: - This is because the application does not check for endpoints which is - a very realistic possiblity that can occur. + This is because the application did not check the number of endpoints + when they should have. answer: true subsystem: question: | @@ -276,7 +276,7 @@ i18n: answer: false note: This bug does not affect internationalization as it only impacts - being able to connect to USB devices + being able to connect to USB devices. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -304,9 +304,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: ture + answer: true note: - This is because the bug impacts the usb connection which transfers data using packets + This is because the bug impacts the USB connection which transfers data using packets. discussion: question: | Was there any discussion surrounding this? 
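Review bot: `code_answer` in the first hunk still says the check is that the number of endpoints is "greater than 1", while the `discovered` hunk right below now says the crash came from a zero value for the number of endpoints; the two should agree that the added check rejects a zero endpoint count (at least one endpoint). The `specification` note is reworded but still does not name the specification it claims was violated, so the true answer remains unsupported.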
@@ -366,7 +366,7 @@ stacktrace: any_stacktraces: true stacktrace_with_fix: false note: - There was a message sent explaing the details of the bug that included a + There was a message sent explaning the details of the bug that included a stacktrace. https://seclists.org/bugtraq/2016/Mar/88 forgotten_check: question: | @@ -485,9 +485,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: - The main mistake that was made in this application was not sanitizng + The main mistake that was made in this application was not sanitizing the inputs to check and see if there was moe than one endpoint connected - via USB + via USB. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 8d8179c667fb8df4a7223e314f2b9e27ac1c7e6f Mon Sep 17 00:00:00 2001 From: Borna5356 Date: Mon, 13 Nov 2023 12:24:12 -0500 Subject: [PATCH 7/7] Added the number of upvotes to my CVE --- cves/kernel/CVE-2016-2184.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-2184.yml b/cves/kernel/CVE-2016-2184.yml index 1a76da6a6..89ca5ce8c 100644 --- a/cves/kernel/CVE-2016-2184.yml +++ b/cves/kernel/CVE-2016-2184.yml @@ -124,7 +124,8 @@ upvotes_instructions: | interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: + upvotes: 7 unit_tested: false question: |
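Review bot: the `stacktrace` hunk replaces the typo "explaing" with another typo, "explaning"; it should be "explaining". The `mistakes` hunk fixes "sanitizng" but leaves "moe" uncorrected. In the final patch, `upvotes: 7` appears to be indented beneath `upvotes:`, which YAML parses as a nested mapping rather than the integer score the instructions ask for; write `upvotes: 7` as the top-level value instead.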