From 1e92b5e854c5768cca91532add7088f665193180 Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 09:28:08 -0500 Subject: [PATCH 01/17] Initial Curation Level Changes --- cves/kernel/CVE-2016-3135.yml | 44 +++++++++++++++++------------------ cves/kernel/CVE-2022-1975.yml | 38 +++++++++++++++--------------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index c2935ddbe..34e8ec263 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -34,11 +34,11 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: '2016-04-27' +announced_date: "2016-04-27" published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. -published_date: '2016-04-27' +published_date: "2016-04-27" description_instructions: | You can get an initial description from the CVE entry on cve.mitre.org. These descriptions are a fine start, but they can be kind of jargony. 
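Review bot: The `-curation_level: 0` / `+curation_level: 2` change for cves/kernel/CVE-2016-3135.yml declares the file curated, but no other line of this patch touches its content, and in the patches visible here the file only receives quote-style and indentation churn (patch 02 reverts patch 01) while its `fixes` entry still carries the 'please fact-check that this commit fixes the vulnerability' placeholder. The surrounding curated_instructions text says this value is what enables the editorial checks, so raising it before the fields are filled in defeats the check. Leave `curation_level: 0` in this commit and bump it in the commit that completes the curation, or fill the file in here. The same change is made to CVE-2022-1975.yml later in this patch; that file is at least curated in patches 03–07, so the level bump belongs in one of those.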
@@ -84,14 +84,14 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: -- commit: d157bd761585605b7882935ffb86286919f62ea1 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + - commit: + note: + - commit: + note: + - commit: d157bd761585605b7882935ffb86286919f62ea1 + note: | + Taken from NVD references list with Git commit. If you are + curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -105,12 +105,12 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc - note: Discovered automatically by archeogit. -- commit: 711bdde6a884354ddae8da2fcb495b2a9364cc90 - note: Discovered automatically by archeogit. -- commit: 4481374ce88ba8f460c8b89f2572027bd27057d0 - note: Discovered automatically by archeogit. + - commit: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc + note: Discovered automatically by archeogit. + - commit: 711bdde6a884354ddae8da2fcb495b2a9364cc90 + note: Discovered automatically by archeogit. + - commit: 4481374ce88ba8f460c8b89f2572027bd27057d0 + note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -239,10 +239,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: + note: + - commit: + note: i18n: question: | Was the feature impacted by this vulnerability about internationalization 
@@ -469,7 +469,7 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: -- 189 + - 189 CWE_note: | CWE as registered in the NVD. If you are curating, check that this is correct and replace this comment with "Manually confirmed". diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index f670f5781..7f867c2d9 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -34,11 +34,11 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: '2022-08-31' +announced_date: "2022-08-31" published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. -published_date: '2022-08-31' +published_date: "2022-08-31" description_instructions: | You can get an initial description from the CVE entry on cve.mitre.org. These descriptions are a fine start, but they can be kind of jargony. 
@@ -84,14 +84,14 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: -- commit: 4071bf121d59944d5cd2238de0642f3d7995a997 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + - commit: + note: + - commit: + note: + - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 + note: | + Taken from NVD references list with Git commit. If you are + curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -105,10 +105,10 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: -- commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c - note: Discovered automatically by archeogit. -- commit: 2a94fe48f32ccf7321450a2cc07f2b724a444e5b - note: Discovered automatically by archeogit. + - commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c + note: Discovered automatically by archeogit. + - commit: 2a94fe48f32ccf7321450a2cc07f2b724a444e5b + note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -237,10 +237,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: + note: + - commit: + note: i18n: question: | Was the feature impacted by this vulnerability about internationalization From 68ace8117c88b391e64e10cd5938cc33d2b274eb Mon Sep 17 00:00:00 2001 
From: mason Date: Mon, 6 Nov 2023 09:36:09 -0500 Subject: [PATCH 02/17] Turned off auto-formater --- cves/kernel/CVE-2016-3135.yml | 42 +++++++++++++++++------------------ cves/kernel/CVE-2022-1975.yml | 36 +++++++++++++++--------------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index 34e8ec263..8d48dbafd 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -34,11 +34,11 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: "2016-04-27" +announced_date: '2016-04-27' published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. -published_date: "2016-04-27" +published_date: '2016-04-27' description_instructions: | You can get an initial description from the CVE entry on cve.mitre.org. These descriptions are a fine start, but they can be kind of jargony. @@ -84,14 +84,14 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: - - commit: - note: - - commit: - note: - - commit: d157bd761585605b7882935ffb86286919f62ea1 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' +- commit: + note: +- commit: + note: +- commit: d157bd761585605b7882935ffb86286919f62ea1 + note: | + Taken from NVD references list with Git commit. If you are + curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. 
@@ -105,12 +105,12 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - - commit: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc - note: Discovered automatically by archeogit. - - commit: 711bdde6a884354ddae8da2fcb495b2a9364cc90 - note: Discovered automatically by archeogit. - - commit: 4481374ce88ba8f460c8b89f2572027bd27057d0 - note: Discovered automatically by archeogit. +- commit: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc + note: Discovered automatically by archeogit. +- commit: 711bdde6a884354ddae8da2fcb495b2a9364cc90 + note: Discovered automatically by archeogit. +- commit: 4481374ce88ba8f460c8b89f2572027bd27057d0 + note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. @@ -239,10 +239,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: + note: + - commit: + note: i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -469,7 +469,7 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: - - 189 +- 189 CWE_note: | CWE as registered in the NVD. If you are curating, check that this is correct and replace this comment with "Manually confirmed". diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 7f867c2d9..c268b4df9 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml 
@@ -34,11 +34,11 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: "2022-08-31" +announced_date: '2022-08-31' published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. -published_date: "2022-08-31" +published_date: '2022-08-31' description_instructions: | You can get an initial description from the CVE entry on cve.mitre.org. These descriptions are a fine start, but they can be kind of jargony. @@ -84,14 +84,14 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: - - commit: - note: - - commit: - note: - - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' +- commit: + note: +- commit: + note: +- commit: 4071bf121d59944d5cd2238de0642f3d7995a997 + note: | + Taken from NVD references list with Git commit. If you are + curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -105,10 +105,10 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - - commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c - note: Discovered automatically by archeogit. - - commit: 2a94fe48f32ccf7321450a2cc07f2b724a444e5b - note: Discovered automatically by archeogit. +- commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c + note: Discovered automatically by archeogit. +- commit: 2a94fe48f32ccf7321450a2cc07f2b724a444e5b + note: Discovered automatically by archeogit. upvotes_instructions: | For the first round, ignore this upvotes number. 
@@ -237,10 +237,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: - - commit: - note: + - commit: + note: + - commit: + note: i18n: question: | Was the feature impacted by this vulnerability about internationalization From 2d47fb3639dd713c5710be3cd6969ee788da9cec Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 14:46:34 -0500 Subject: [PATCH 03/17] Updated CVE for 2022 --- cves/kernel/CVE-2022-1975.yml | 63 +++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 25 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index c268b4df9..1a4d0ffc0 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2022-05-04' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,14 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The vulnerability occurred when the Linux kernel didn't prevent + context switches during certain context operations that should have been + resolved uninterrupted. An incorrect flag was set that gave instructions on + how memory allocation should be performed. It allowed sleeping during the + memory allocation which could leave the process suspended. This made it + possible for the context to switch during a vulnerable state which triggers an + expectation that goes uncaught. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
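Review bot: The new `description` block ends with 'triggers an expectation that goes uncaught', which looks like a typo for 'exception' — and kernel C has no exception mechanism, so even corrected the sentence does not say what happens or who is affected. The NVD text for CVE-2022-1975, as I recall it, describes a sleep-in-atomic bug in net/nfc/netlink.c that lets a local user crash the kernel by emulating an NFC device from user space; the description should state that impact (local denial of service) rather than an 'uncaught expectation'. 'It allowed sleeping during the memory allocation which could leave the process suspended' is also misleading: an allocation that may sleep is legal in ordinary process context, and the defect is only that this particular call site runs in a context where sleeping is forbidden. A replacement for the last two sentences, to be checked against the fix commit: `The allocation was allowed to sleep, but it ran from a context where sleeping is forbidden; the kernel treats that as a fatal bug, so an unprivileged local user who emulates an NFC device can crash the machine.`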
@@ -89,9 +96,7 @@ fixes: - commit: note: - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: Manually Confirmed vcc_instructions: | The vulnerability-contributing commits. @@ -106,9 +111,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c - note: Discovered automatically by archeogit. -- commit: 2a94fe48f32ccf7321450a2cc07f2b724a444e5b - note: Discovered automatically by archeogit. + note: Manually Confirmed upvotes_instructions: | For the first round, ignore this upvotes number. @@ -116,7 +119,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 6 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -221,8 +224,10 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: net + note: | + The vulnerability occurs within net/nfc/ and multiple emails and reports + mention it. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -253,8 +258,10 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: | + No, as it is a problem caused by sleeping and context switching. + It has nothing to do with il8n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system 
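Review bot: The `vccs` hunk silently drops archeogit's second candidate `2a94fe48f32ccf7321450a2cc07f2b724a444e5b` and replaces 'Discovered automatically by archeogit.' on `9674da8759df0d6c0d24e1ede6e2a1acdef91e3c` with a bare 'Manually Confirmed', recording neither how it was confirmed nor why the other commit was rejected. The vcc_instructions in this file ask for notes precisely so a later reader can re-check the attribution, and 'Manually Confirmed' on its own cannot be re-checked. Put the evidence in the note, e.g. `note: Manually confirmed; introduced the allocation call that 4071bf12 changes. 2a94fe48 was rejected because it does not touch that path.` — filled in with whatever you actually verified. The `fixes` note two hunks up has the same problem and additionally loses the provenance that the hash came from the NVD reference list.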
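Review bot: The new `i18n` note spells the field 'il8n' (lower-case L), which should read `i18n`. The note would also be more useful if it named what the affected code handles instead of restating the answer, e.g. `note: The affected code is NFC firmware-download handling over netlink; no text, locale or encoding is involved.`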
@@ -268,8 +275,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability does not violate any access controls or privileges. ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -280,8 +287,9 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: The vulnerability involves the Netlink socket family. It occurs during + the firmware download process where NFC devices are communicating together. discussion: question: | Was there any discussion surrounding this? @@ -322,8 +330,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: Within the commit, it mentions being reviewed and signed off by additional people. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -358,8 +366,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: | + The fix was more about restricting the operation options rather + than checking fail cases. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
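Review bot: The `ipc` hunk answers `false` while its own note says the vulnerability 'involves the Netlink socket family'; netlink is a socket channel between user-space processes and the kernel, which is the kind of inter-process communication the ipc question asks about, so the answer and the note contradict each other. Either change to `answer: true` with a note that the affected code is the NFC netlink interface driven by a user-space process, or, if this project deliberately excludes kernel/user-space sockets from 'IPC', say so in the note so the reader sees the distinction. 'NFC devices are communicating together' also appears to misstate the data flow — firmware download runs from a user-space process to the driver over netlink, not between devices — please verify that against the fix commit before keeping the wording.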
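Review bot: The `vouch` note justifies `answer: true` with 'reviewed and signed off by additional people', but a Signed-off-by trailer is the DCO certification of origin, not a review; only trailers such as Reviewed-by or Acked-by show that someone vouched for the change. List the trailers actually present on 4071bf12 so the answer is checkable, e.g. `note: The fix carries Reviewed-by and Signed-off-by trailers from people other than the author (see commit 4071bf12).` — and if only Signed-off-by trailers are present, reconsider the answer.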
@@ -371,8 +381,11 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The fix for the vulnerability made sure the memory allocation occurred + first and without interruption. The original issue was that the allocation + wasn't finished when contexts were switched. lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -466,8 +479,8 @@ CWE_instructions: | CWE: ["123", "456"] # this is ok CWE: [123, 456] # also ok CWE: 123 # also ok -CWE: -CWE_note: +CWE: 248 +CWE_note: The final result of the vulnerabilty is an uncaught exception. nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. From a1ee056fa43047283fdcbb9f1d6b23ce759b1a4d Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 14:56:15 -0500 Subject: [PATCH 04/17] Attempt to solve yaml issue --- cves/kernel/CVE-2022-1975.yml | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 1a4d0ffc0..1651a44e2 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -225,9 +225,7 @@ subsystem: name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok name: net - note: | - The vulnerability occurs within net/nfc/ and multiple emails and reports - mention it. + note: The vulnerability occurs within net/nfc/ and multiple emails and reports mention it. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
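Review bot: The `order_of_operations` note says the fix 'made sure the memory allocation occurred first and without interruption', which describes a reordering that a sleep-in-atomic fix normally does not perform; if 4071bf12 only changes the allocation flag so the allocation can no longer sleep in that context (which is what its NVD reference suggests, as I recall), no statements were reordered and the honest value is `answer: false` with a note that the fix changed the allocation mode, not the order. Please check the actual diff of the fix before keeping `true`; an order-of-operations fix would move a call before or after a lock or context change, and the note does not describe anything of that kind. The enclosing `order_of_operations` entry begins in the previous hunk line.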
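Review bot: `CWE: 248` (Uncaught Exception) is a poor fit: kernel C has no exception handling, and the `CWE_note` 'uncaught exception' is a label put on what the rest of the file describes as sleeping in a context that forbids it. The CWE_instructions above ask for the most specific entry, and a sleeping-in-atomic-context defect is a concurrency/locking-context violation, closer to CWE-667 (Improper Locking) or CWE-662 (Improper Synchronization); check what NVD records for CVE-2022-1975 and, if you diverge from it, say so. At minimum reword the note so it does not call the outcome an exception, e.g. `CWE_note: Kernel BUG from an allocation that may sleep being called in a non-sleeping context; chose CWE-667 over NVD's entry because ...`.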
@@ -259,9 +257,7 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: | - No, as it is a problem caused by sleeping and context switching. - It has nothing to do with il8n. + note: No, as it is a problem caused by sleeping and context switching. It has nothing to do with il8n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -288,8 +284,7 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulnerability involves the Netlink socket family. It occurs during - the firmware download process where NFC devices are communicating together. + note: The vulnerability involves the Netlink socket family. It occurs during the firmware download process where NFC devices are communicating together. discussion: question: | Was there any discussion surrounding this? @@ -367,9 +362,7 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: | - The fix was more about restricting the operation options rather - than checking fail cases. + note: The fix was more about restricting the operation options rather than checking fail cases. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
@@ -382,10 +375,7 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: | - The fix for the vulnerability made sure the memory allocation occurred - first and without interruption. The original issue was that the allocation - wasn't finished when contexts were switched. + note: The fix for the vulnerability made sure the memory allocation occurred first and without interruption. The original issue was that the allocation wasn't finished when contexts were switched. lessons: question: | Are there any common lessons we have learned from class that apply to this From 19322bb5c50ae6ba0c33c468c03ae2340475e36a Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:07:47 -0500 Subject: [PATCH 05/17] Fully updated yaml --- cves/kernel/CVE-2022-1975.yml | 105 +++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 39 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 1651a44e2..03963a986 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -119,7 +119,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 6 +upvotes: unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -134,10 +134,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: No tests were checking for this case or the surroundings. + fix: false + fix_answer: No tests added or improved as a result of this vulnerability. discovered: question: | How was this vulnerability discovered? 
@@ -152,10 +152,14 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + The vulnerability appears to have been discovered by a developer who was + looking for potential problems. This appears to be the case as the fix was + was quickly added on 2022-05-05. The emails from the key developer list + the bug, its effects, and how they found it. They do not work for Google. + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -172,8 +176,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The vulnerability requires knowledge of the domain to execute the + problem and it requires a high amount of complexity. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -189,8 +195,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: No mention of specification violations. + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -225,7 +231,9 @@ subsystem: name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok name: net - note: The vulnerability occurs within net/nfc/ and multiple emails and reports mention it. + note: | + The vulnerability occurs within net/nfc/ and multiple emails + and reports mention it. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? 
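Review bot: The `discovered` answer contains an unsupported and irrelevant claim, 'They do not work for Google', and a doubled word in 'the fix was was quickly added'. Cite where the discovery is documented (the report e-mail or the Reported-by/Signed-off-by trailers on 4071bf12) instead of speculating about the reporter's employer, e.g. `The bug was reported and fixed by the same developer; see the trailers on 4071bf12 and the accompanying netdev e-mail, which state how it was found.` The statement that the fix landed on 2022-05-05 also conflicts with `published_date: '2022-08-31'` earlier in the file, whose instructions ask for the fix/patch date rather than the NVD publication date — one of the two should be corrected and the note should say which date is which.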
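Review bot: The `autodiscoverable` note ('requires knowledge of the domain ... high amount of complexity') does not support `answer: false`: sleeping-in-a-forbidden-context bugs are a standard target for static checkers and for fuzzers running with CONFIG_DEBUG_ATOMIC_SLEEP, which emits exactly the 'sleeping function called from invalid context' splat that the stacktrace section of this file says exists. Unless the report shows the bug needed an insight a tool could not have had, `answer: true` with a note naming those tool classes is better supported; if you keep `false`, state what specifically a tool would have missed, such as needing an emulated NFC device to reach the timer path.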
@@ -240,8 +248,10 @@ interesting_commits: * Other commits that fixed a similar issue as this vulnerability * Anything else you find interesting. commits: - - commit: - note: + - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 + note: | + No communication between the VCC and the fix. The original vulnerability + implementation occured nine years previous to the fix. - commit: note: i18n: @@ -257,7 +267,9 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: No, as it is a problem caused by sleeping and context switching. It has nothing to do with il8n. + note: | + No, as it is a problem caused by sleeping and context switching. + It has nothing to do with il8n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -284,7 +296,9 @@ ipc: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulnerability involves the Netlink socket family. It occurs during the firmware download process where NFC devices are communicating together. + note: | + The vulnerability involves the Netlink socket family. It occurs during + the firmware download process where NFC devices are communicating together. discussion: question: | Was there any discussion surrounding this? @@ -310,8 +324,8 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: + discussed_as_security: false + any_discussion: false note: vouch: question: | 
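Review bot: The `interesting_commits` hunk lists the fix commit itself, `4071bf121d59944d5cd2238de0642f3d7995a997`, but the question asks for commits between the VCC(s) and the fix, and the fix is already recorded under `fixes:`; a consumer of this data set would now count the fix as an intermediate commit. If there are none, leave the entry blank and move the 'nine years between VCC and fix' observation to the VCC note or to `mistakes`. 'No communication between the VCC and the fix' is also unverifiable as phrased — say what was searched (the file's git log, lkml/netdev archives) so the claim can be rechecked.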
@@ -326,7 +340,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: Within the commit, it mentions being reviewed and signed off by additional people. + note: | + Within the commit, it mentions being reviewed and signed off + by additional people. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -340,9 +356,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: true + stacktrace_with_fix: true + note: The fix mentions the stacktrace which points clearly to the fix file. forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -362,7 +378,9 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The fix was more about restricting the operation options rather than checking fail cases. + note: | + The fix was more about restricting the operation options rather + than checking fail cases. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -375,7 +393,10 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: The fix for the vulnerability made sure the memory allocation occurred first and without interruption. The original issue was that the allocation wasn't finished when contexts were switched. + note: | + The fix for the vulnerability made sure the memory allocation + occurred first and without interruption. The original issue + was that the allocation wasn't finished when contexts were switched. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -392,37 +413,40 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: - note: + applies: true + note: | + The solution involves reinstructing memory allocation how it should + operate or else it can cause a fatal error. Maybe the lower level issues + should be solved rather than patching up the symptoms. yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | @@ -453,7 +477,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake seems to originate from a small lack of understanding. If the + VCC understood the purpose of the different memory allocation flag options, + they might have been able to detect the vulnerability beforehand. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 973b6357960e3ab114a9f8c63c73936e4a314f57 Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:16:09 -0500 Subject: [PATCH 06/17] Validated yaml for 2022 --- cves/kernel/CVE-2022-1975.yml | 60 +++++++++++++++++------------------ 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 03963a986..f6b9afe3b 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml 
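Review bot: The `secure_by_default` note is vague and, if the fix is a change of allocation flags, misstates it: 'reinstructing memory allocation how it should operate' and 'patching up the symptoms' present the fix as a workaround, whereas choosing allocation flags that match the calling context is the root-cause fix for this class of bug. If the lesson is that the sleeping allocation mode is the default and a caller in a non-sleeping context must opt out, say that explicitly and note the trade-off, e.g. `note: The allocator defaults to a mode that may sleep; code running in timer/interrupt context must opt in to a non-sleeping mode, so the safe choice was not the default.` Otherwise set `applies: false` with the reason, so the field carries a checkable claim rather than speculation.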
@@ -231,9 +231,9 @@ subsystem: name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok name: net - note: | - The vulnerability occurs within net/nfc/ and multiple emails - and reports mention it. + note: | + The vulnerability occurs within net/nfc/ and multiple emails + and reports mention it. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -249,9 +249,9 @@ interesting_commits: * Anything else you find interesting. commits: - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 - note: | - No communication between the VCC and the fix. The original vulnerability - implementation occured nine years previous to the fix. + note: | + No communication between the VCC and the fix. The original vulnerability + implementation occurred nine years previous to the fix. - commit: note: i18n: @@ -267,9 +267,9 @@ i18n: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: | - No, as it is a problem caused by sleeping and context switching. - It has nothing to do with il8n. + note: | + No, as it is a problem caused by sleeping and context switching. + It has nothing to do with il8n. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -297,8 +297,8 @@ ipc: what your answer was. answer: false note: | - The vulnerability involves the Netlink socket family. It occurs during - the firmware download process where NFC devices are communicating together. + The vulnerability involves the Netlink socket family. It occurs during + the firmware download process where NFC devices are communicating together. discussion: question: | Was there any discussion surrounding this? 
@@ -340,9 +340,9 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: | - Within the commit, it mentions being reviewed and signed off - by additional people. + note: | + Within the commit, it mentions being reviewed and signed off + by additional people. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -378,9 +378,9 @@ forgotten_check: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: | - The fix was more about restricting the operation options rather - than checking fail cases. + note: | + The fix was more about restricting the operation options rather + than checking fail cases. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -393,10 +393,10 @@ order_of_operations: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true - note: | - The fix for the vulnerability made sure the memory allocation - occurred first and without interruption. The original issue - was that the allocation wasn't finished when contexts were switched. + note: | + The fix for the vulnerability made sure the memory allocation + occurred first and without interruption. The original issue + was that the allocation wasn't finished when contexts were switched. lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -438,10 +438,10 @@ lessons: note: secure_by_default: applies: true - note: | - The solution involves reinstructing memory allocation how it should - operate or else it can cause a fatal error. Maybe the lower level issues - should be solved rather than patching up the symptoms. + note: | + The solution involves reinstructing memory allocation and how it should + operate or else it can cause a fatal error. Maybe the lower-level issues + should be solved rather than patching up the symptoms. yagni: applies: false note: @@ -477,10 +477,10 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: | - The mistake seems to originate from a small lack of understanding. If the - VCC understood the purpose of the different memory allocation flag options, - they might have been able to detect the vulnerability beforehand. + answer: | + The mistake seems to originate from a small lack of understanding. If the + VCC understood the purpose of the different memory allocation flag options, + they might have been able to detect the vulnerability beforehand. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -497,7 +497,7 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: 248 -CWE_note: The final result of the vulnerabilty is an uncaught exception. +CWE_note: The final result of the vulnerability is an uncaught exception. nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. From c17bf0432b4f68eb0d28345e83cd1dec5d341d0c Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:28:52 -0500 Subject: [PATCH 07/17] Trying to fix issues --- cves/kernel/CVE-2022-1975.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) 
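Review bot: In the mistakes answer, `If the VCC understood the purpose of the different memory allocation flag options` treats the VCC as a person, but a VCC is a commit; the sentence is about whoever wrote it. Suggest `If the author of the VCC understood the purpose of the different memory allocation flag options, they might have been able to detect the vulnerability beforehand.`. The secure_by_default note in the first hunk has a similar clarity problem — "reinstructing memory allocation" does not say what was changed — and would read better as "changing the flag that tells the allocator whether it may sleep".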
diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index f6b9afe3b..eac090e10 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -55,7 +55,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: | +description: | The vulnerability occurred when the Linux kernel didn't prevent context switches during certain context operations that should have been resolved uninterrupted. An incorrect flag was set that gave instructions on @@ -82,7 +82,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [] +bugs: [4071bf121d59944d5cd2238de0642f3d7995a997] fixes_instructions: | Please put the commit hash in "commit" below. @@ -91,10 +91,6 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 note: Manually Confirmed vcc_instructions: | @@ -252,8 +248,6 @@ interesting_commits: note: | No communication between the VCC and the fix. The original vulnerability implementation occurred nine years previous to the fix. - - commit: - note: i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -326,7 +320,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: + note: No discussion took place. The issue was spotted and fixed quickly vouch: question: | Was there any part of the fix that involved one person vouching for From 6fdd6e341b28340f16db1cd85e39b283e7281372 Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:44:51 -0500 Subject: [PATCH 08/17] Further attempts to try and satisfy --- cves/kernel/CVE-2022-1975.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
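Review bot: `bugs: [4071bf121d59944d5cd2238de0642f3d7995a997]` puts the fix commit hash into the bugs field; the same hash is the `fixes` entry in the next hunk on this line. The instructions directly above the field ask for bug reports (mailing-list discussions, NVD references), not commits, so a commit hash here presumably is not what the curation tooling expects. If no bug report exists, `bugs: []` is the honest value; if one does, its identifier or URL belongs here instead. The later patch in this series that merely quotes the hash (`bugs: ['4071bf…']`) does not change this.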
diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index eac090e10..e3ede2c78 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -61,8 +61,8 @@ description: | resolved uninterrupted. An incorrect flag was set that gave instructions on how memory allocation should be performed. It allowed sleeping during the memory allocation which could leave the process suspended. This made it - possible for the context to switch during a vulnerable state which triggers an - expectation that goes uncaught. + possible for the context to switch during a vulnerable state which + triggers an expectation that goes uncaught. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -82,7 +82,7 @@ bugs_instructions: | * Mentioned in mailing list discussions * References from NVD entry * Various other places -bugs: [4071bf121d59944d5cd2238de0642f3d7995a997] +bugs: ['4071bf121d59944d5cd2238de0642f3d7995a997'] fixes_instructions: | Please put the commit hash in "commit" below. @@ -92,7 +92,7 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: - commit: 4071bf121d59944d5cd2238de0642f3d7995a997 - note: Manually Confirmed + note: 'Manually Confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -107,7 +107,7 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 9674da8759df0d6c0d24e1ede6e2a1acdef91e3c - note: Manually Confirmed + note: 'Manually Confirmed' upvotes_instructions: | For the first round, ignore this upvotes number. 
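Review bot: The rewrapped description in the first hunk still ends with `triggers an expectation that goes uncaught.`; the word wanted is `exception`, as the CWE_note in this same file ("uncaught exception") already says. Suggest `triggers an exception that goes uncaught.`. The remaining hunks on this line only add quotes around scalars and raise nothing.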
@@ -131,9 +131,9 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. code: false - code_answer: No tests were checking for this case or the surroundings. + code_answer: 'No tests were checking for this case or the surroundings.' fix: false - fix_answer: No tests added or improved as a result of this vulnerability. + fix_answer: 'No tests added or improved as a result of this vulnerability.' discovered: question: | How was this vulnerability discovered? @@ -191,7 +191,7 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: No mention of specification violations. + note: 'No mention of specification violations.' answer: false subsystem: question: | @@ -278,7 +278,7 @@ sandbox: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: false - note: The vulnerability does not violate any access controls or privileges. + note: 'The vulnerability does not violate any access controls or privileges.' ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -320,7 +320,7 @@ discussion: comment you want to make. discussed_as_security: false any_discussion: false - note: No discussion took place. The issue was spotted and fixed quickly + note: 'No discussion took place. The issue was spotted and fixed quickly.' vouch: question: | Was there any part of the fix that involved one person vouching for @@ -352,7 +352,7 @@ stacktrace: what your answer was. any_stacktraces: true stacktrace_with_fix: true - note: The fix mentions the stacktrace which points clearly to the fix file. + note: 'The fix mentions the stacktrace which points clearly to the fix file.' forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? 
@@ -473,8 +473,8 @@ mistakes: industry would find interesting. answer: | The mistake seems to originate from a small lack of understanding. If the - VCC understood the purpose of the different memory allocation flag options, - they might have been able to detect the vulnerability beforehand. + VCC understood the purpose of the different memory allocation flag + options, they might have been able to detect the vulnerability beforehand. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -491,7 +491,7 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: 248 -CWE_note: The final result of the vulnerability is an uncaught exception. +CWE_note: 'The final result of the vulnerability is an uncaught exception.' nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. From d24f0e84297f8d7b67be8d518a75adff2670256b Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:47:59 -0500 Subject: [PATCH 09/17] Adding quotes???? --- cves/kernel/CVE-2022-1975.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index e3ede2c78..eee5a5ca7 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml 
@@ -56,13 +56,13 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - The vulnerability occurred when the Linux kernel didn't prevent + "The vulnerability occurred when the Linux kernel didn't prevent context switches during certain context operations that should have been resolved uninterrupted. An incorrect flag was set that gave instructions on how memory allocation should be performed. It allowed sleeping during the memory allocation which could leave the process suspended. This made it possible for the context to switch during a vulnerable state which - triggers an expectation that goes uncaught. + triggers an expectation that goes uncaught." bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -472,9 +472,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - The mistake seems to originate from a small lack of understanding. If the + "The mistake seems to originate from a small lack of understanding. If the VCC understood the purpose of the different memory allocation flag - options, they might have been able to detect the vulnerability beforehand. + options, they might have been able to detect the vulnerability beforehand." CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From d2eaef22bf0430b1200f21d2f3fd84bde000050c Mon Sep 17 00:00:00 2001 From: mason Date: Mon, 6 Nov 2023 23:56:32 -0500 Subject: [PATCH 10/17] There was no problem --- cves/kernel/CVE-2022-1975.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index eee5a5ca7..e3ede2c78 100644 --- a/cves/kernel/CVE-2022-1975.yml 
+++ b/cves/kernel/CVE-2022-1975.yml @@ -56,13 +56,13 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - "The vulnerability occurred when the Linux kernel didn't prevent + The vulnerability occurred when the Linux kernel didn't prevent context switches during certain context operations that should have been resolved uninterrupted. An incorrect flag was set that gave instructions on how memory allocation should be performed. It allowed sleeping during the memory allocation which could leave the process suspended. This made it possible for the context to switch during a vulnerable state which - triggers an expectation that goes uncaught." + triggers an expectation that goes uncaught. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -472,9 +472,9 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - "The mistake seems to originate from a small lack of understanding. If the + The mistake seems to originate from a small lack of understanding. If the VCC understood the purpose of the different memory allocation flag - options, they might have been able to detect the vulnerability beforehand." + options, they might have been able to detect the vulnerability beforehand. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to From 9317dfada74ec67ead415e6b953c1aabdb48f230 Mon Sep 17 00:00:00 2001 From: mason Date: Tue, 7 Nov 2023 19:37:22 -0500 Subject: [PATCH 11/17] Fully updated 3135 --- cves/kernel/CVE-2016-3135.yml | 149 ++++++++++++++++++++-------------- 1 file changed, 86 insertions(+), 63 deletions(-) 
diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index 8d48dbafd..d3beb069b 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -26,7 +26,7 @@ reported_instructions: | the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2016-03-09' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,11 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The vulnerability occured during memory allocation where the size of the + struct being allocated was not properly checked. If the requested size of + the allocation was too small, the memory heap could be corrupted due + to integer overflow. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -84,14 +88,8 @@ fixes_instructions: | Place any notes you would like to make in the notes field. fixes: -- commit: - note: -- commit: - note: - commit: d157bd761585605b7882935ffb86286919f62ea1 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: 'Manually Confirmed' vcc_instructions: | The vulnerability-contributing commits. 
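Review bot: The new description gets the cause backwards: `If the requested size of the allocation was too small, the memory heap could be corrupted due to integer overflow.` An integer overflow in a size computation happens when the requested size is too large — adding the fixed header size wraps the total around to a small value, so the buffer that is then allocated is too small for what is written into it. Suggest `If the requested size was large enough that the size computation wrapped around, the allocation ended up smaller than the data written into it and the memory heap could be corrupted.`. The forgotten_check note in a later hunk of this patch appears to describe that same wrap-around check, so the two should use the same wording.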
@@ -106,11 +104,9 @@ vcc_instructions: | Place any notes you would like to make in the notes field. vccs: - commit: 2e4e6a17af35be359cc8f1c924f8f198fbd478cc - note: Discovered automatically by archeogit. + note: 'Manually Confirmed' - commit: 711bdde6a884354ddae8da2fcb495b2a9364cc90 - note: Discovered automatically by archeogit. -- commit: 4481374ce88ba8f460c8b89f2572027bd27057d0 - note: Discovered automatically by archeogit. + note: 'Manually Confirmed' upvotes_instructions: | For the first round, ignore this upvotes number. @@ -133,10 +129,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: 'No tests were checking for this case or the surroundings.' + fix: false + fix_answer: 'No tests added or improved as a result of this vulnerability.' discovered: question: | How was this vulnerability discovered? @@ -151,10 +147,14 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + This vulnerability was found by a Google employee working on Project Zero. + They informed the Linux team on 2016-03-09 of two vulnerabilities including + this one and gave the dev team 90 days to fix the issue before it would + go public. + automated: false + contest: false + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,8 +171,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + The issue is deep within the linux system and would require some + expertise to trigger the vulnerability. + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
@@ -188,8 +190,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 'No mention of specification violations.' + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -223,8 +225,9 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: ["net", "netfilter"] + note: | + The vulnerability takes place within both net and netfilter subsystems. interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -241,8 +244,6 @@ interesting_commits: commits: - commit: note: - - commit: - note: i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -255,8 +256,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: It does not involve translation or unicode problems. sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +271,11 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + It is mentioned that the memory heap corruption could be used to + gain privileges. + ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -282,8 +286,10 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The vulnerability involves sockets althought the issue + is not an IPC problem directly. discussion: question: | Was there any discussion surrounding this? 
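Review bot: The sandbox `answer: true` is justified only by `the memory heap corruption could be used to gain privileges`, which describes the impact of the bug rather than a sandboxing feature that was violated, which is what the question asks. Unless the sources name a specific isolation mechanism that was bypassed, the answer seems to be `false` with a note such as `note: No sandboxing feature was bypassed; the heap corruption itself is what could be used to gain privileges.`. Privilege escalation as an outcome is better recorded in the description or the CWE note than here.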
@@ -309,9 +315,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: 'No discussions about this vulnerability.' vouch: question: | Was there any part of the fix that involved one person vouching for @@ -324,8 +330,10 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The commits reference Google's advice and there are sign-offs + and reviewers. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -339,9 +347,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: 'No stacktraces are mentioned.' forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +368,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The fix involves a small if statement that checks whether the size + is correct. If not, it returns NULL. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -373,8 +383,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'The order of operations stay the same.' lessons: question: | Are there any common lessons we have learned from class that apply to this 
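Review bot: The forgotten_check note `checks whether the size is correct. If not, it returns NULL.` does not say what "correct" means, which is the whole point of the check. As far as I can tell from the description and the CWE-190 entry elsewhere in this patch, the check presumably rejects a computed size that is smaller than the fixed header it must hold, i.e. the signature of the addition having wrapped around; suggest `note: The fix adds an if statement that returns NULL when the computed allocation size is smaller than the fixed header it must contain, which can only happen if the size addition overflowed.`. The order_of_operations note in the last hunk also has a number-agreement slip: `The order of operations stays the same.`.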
@@ -391,38 +401,45 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: | + More layers of defense could have been in place. Once this one part + failed, a lot of issues could arise. least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: - note: + applies: true + note: | + The size to allocate memory for was not distrusted and invalid values + could be entered into it creating heap corruption. The fix involved + lowering the trust. security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: - note: + applies: true + note: | + Unintended inputs were not being checked which lead to this + vulnerability. mistakes: question: | In your opinion, after all of this research, what mistakes were made that @@ -452,7 +469,13 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The mistake made is one that all coders run into at some point. Failing + to recognize situations where inputs could break the system are easy to + come across and often takes a lot of extra time and brainpower to find. + This vulnerability seem to have been brought about by inattention. The + CWE-190 suggest mitigations like strictly defining the bounds and this was + not performed correctly until the fix. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to 
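Review bot: The defense_in_depth note `More layers of defense could have been in place. Once this one part failed, a lot of issues could arise.` does not name a single layer, so it cannot be checked or learned from. Saying which second layer would have contained the bug — for example a size-sanity check at the caller in addition to the one in the allocation helper, or an overflow-checked size computation — would make the lesson concrete. The distrust_input note in the same hunk already identifies the untrusted size, so both notes can refer to the same value.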
@@ -469,7 +492,7 @@ CWE_instructions: | CWE: [123, 456] # also ok CWE: 123 # also ok CWE: -- 189 +- [189, 190] CWE_note: | CWE as registered in the NVD. If you are curating, check that this is correct and replace this comment with "Manually confirmed". From 7b741140b33d67672dcd0bf7d0634185a5307621 Mon Sep 17 00:00:00 2001 From: mason Date: Tue, 7 Nov 2023 19:41:08 -0500 Subject: [PATCH 12/17] Fixed minor issues --- cves/kernel/CVE-2016-3135.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index d3beb069b..e56cdbb49 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -56,7 +56,7 @@ description_instructions: | Your target audience is people just like you before you took any course in security description: | - The vulnerability occured during memory allocation where the size of the + The vulnerability occurred during memory allocation where the size of the struct being allocated was not properly checked. If the requested size of the allocation was too small, the memory heap could be corrupted due to integer overflow. @@ -172,7 +172,7 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: | - The issue is deep within the linux system and would require some + The issue is deep within the Linux system and would require some expertise to trigger the vulnerability. answer: false specification: @@ -288,7 +288,7 @@ ipc: what your answer was. answer: true note: | - The vulnerability involves sockets althought the issue + The vulnerability involves sockets although the issue is not an IPC problem directly. discussion: question: | @@ -404,7 +404,7 @@ lessons: applies: true note: | More layers of defense could have been in place. Once this one part - failed, a lot of issues could arise. + fails, a lot of issues could arise. least_privilege: applies: false note: 
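Review bot: Replacing `- 189` with `- [189, 190]` leaves the outer list marker in place, so `CWE` now parses as a list containing one list, `[[189, 190]]`, not the two-element list the instructions a few lines up show as `CWE: [123, 456]`. Either `CWE: [189, 190]` on one line, or two items `- 189` and `- 190`, gives the intended shape. The unchanged `CWE_note` beneath still carries the template text asking the curator to replace it with "Manually confirmed", which the curation_level bump elsewhere in this series implies has already been done.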
@@ -438,7 +438,7 @@ lessons: complex_inputs: applies: true note: | - Unintended inputs were not being checked which lead to this + Unintended inputs were not being checked which led to this vulnerability. mistakes: question: | @@ -471,10 +471,10 @@ mistakes: industry would find interesting. answer: | The mistake made is one that all coders run into at some point. Failing - to recognize situations where inputs could break the system are easy to + to recognize situations where inputs could break the system is easy to come across and often takes a lot of extra time and brainpower to find. - This vulnerability seem to have been brought about by inattention. The - CWE-190 suggest mitigations like strictly defining the bounds and this was + This vulnerability seems to have been brought about by inattention. The + CWE-190 suggests mitigations like strictly defining the bounds and this was not performed correctly until the fix. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE From 8bff5b4606f63c7a9c55d36b6501bce2f3adf251 Mon Sep 17 00:00:00 2001 From: mason Date: Wed, 8 Nov 2023 08:46:06 -0500 Subject: [PATCH 13/17] Updated from Feedback --- cves/kernel/CVE-2016-3135.yml | 34 +++++++++++++++++++++------------- cves/kernel/CVE-2022-1975.yml | 20 +++++++++++--------- 2 files changed, 32 insertions(+), 22 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index e56cdbb49..07820fca7 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml 
@@ -57,9 +57,11 @@ description_instructions: | security description: | The vulnerability occurred during memory allocation where the size of the - struct being allocated was not properly checked. If the requested size of - the allocation was too small, the memory heap could be corrupted due - to integer overflow. + object being allocated was not properly checked. If the requested size of + the allocation was too small, the memory heap (The place where programs + store information) could be corrupted due to integer overflow. Integer + overflow is where the size of an integer is greater than the memory + allocated for it and can corrupt other pieces of information within the heap. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -114,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 2 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -172,9 +174,12 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. note: | - The issue is deep within the Linux system and would require some - expertise to trigger the vulnerability. - answer: false + The developer could use tools to discover the potential for integer + overflow. Since the problem was a common missing check, tools have + been developed that can detect these issues. A fuzzing tool could input + values that typically cause integer overflows and the vulnerability could + have been spotted earlier. + answer: true specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
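Review bot: The new definition `Integer overflow is where the size of an integer is greater than the memory allocated for it` is not what integer overflow is; it describes a buffer overflow. Integer overflow is an arithmetic result that exceeds the range the integer type can hold and wraps around, typically to a much smaller value, so a size that looked valid yields an allocation too small for the data written into it — which is what then corrupts the heap. Suggest `Integer overflow is where an arithmetic result is larger than the integer type can represent and wraps around to a small value, so the program allocates far less memory than it later writes into, corrupting other information in the heap.`. The autodiscoverable note in the last hunk on this line could then also mention checks on size arithmetic, not only fuzzing, as the tooling that catches this class of bug.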
@@ -243,7 +248,9 @@ interesting_commits: * Anything else you find interesting. commits: - commit: - note: + note: | + No interesting commits or conversations between the fixers and + the VCC. i18n: question: | Was the feature impacted by this vulnerability about internationalization @@ -332,8 +339,8 @@ vouch: Write a note about how you came to the conclusions you did, regardless of what your answer was. answer: true note: | - The commits reference Google's advice and there are sign-offs - and reviewers. + The commits reference advice from Ben Hawkes (Google employee) and there are sign-offs + from Florian Westphal and Pablo Neira Ayuso. stacktrace: question: | Are there any stacktraces in the bug reports? @@ -473,9 +480,10 @@ mistakes: The mistake made is one that all coders run into at some point. Failing to recognize situations where inputs could break the system is easy to come across and often takes a lot of extra time and brainpower to find. - This vulnerability seems to have been brought about by inattention. The - CWE-190 suggests mitigations like strictly defining the bounds and this was - not performed correctly until the fix. + This vulnerability seems to have been brought about by small lapse in + attention that had far reaching consequences. The CWE-190 suggests + mitigations like strictly defining the bounds and this was not performed + correctly until the fix. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index e3ede2c78..2b9fb0dd0 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml 
@@ -57,12 +57,13 @@ description_instructions: | security description: | The vulnerability occurred when the Linux kernel didn't prevent - context switches during certain context operations that should have been - resolved uninterrupted. An incorrect flag was set that gave instructions on - how memory allocation should be performed. It allowed sleeping during the - memory allocation which could leave the process suspended. This made it - possible for the context to switch during a vulnerable state which - triggers an expectation that goes uncaught. + context switches (When a CPU switches tasks/processes) during + certain operations that should have been resolved uninterrupted. + An incorrect flag was set that gave instructions on how memory allocation + should be performed. It allowed sleeping (When a task/process waits for + a given amount of time in seconds) during the memory allocation. + This made it possible for the context to switch during a vulnerable + state which triggers an expectation that goes uncaught. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -115,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: +upvotes: 4 unit_tested: question: | Were automated unit tests involved in this vulnerability? @@ -336,7 +337,8 @@ vouch: answer: true note: | Within the commit, it mentions being reviewed and signed off - by additional people. + by additional people. Reviewed by Krzysztof Kozlowski and sign-off by + Paolo Abeni and Duoming Zhou. stacktrace: question: | Are there any stacktraces in the bug reports? 
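Review bot: The gloss `sleeping (When a task/process waits for a given amount of time in seconds)` is wrong for this bug: sleeping here means the allocation may block and let the scheduler run other work until memory is available, with no fixed duration, and the problem is that this happened in a context where blocking is not allowed. Suggest `It allowed sleeping (the allocation may block and let other work run until memory is available) during the memory allocation.`. The same hunk still says `triggers an expectation that goes uncaught`; `exception` is the intended word, as the CWE_note for this file already says.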
@@ -472,7 +474,7 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. answer: | - The mistake seems to originate from a small lack of understanding. If the + The mistake seems to originate from a small lapse of understanding. If the VCC understood the purpose of the different memory allocation flag options, they might have been able to detect the vulnerability beforehand. CWE_instructions: | From 6834359544c43791f64724a5de5290b593cc2bf5 Mon Sep 17 00:00:00 2001 From: mason Date: Wed, 8 Nov 2023 08:50:49 -0500 Subject: [PATCH 14/17] Minor Changes --- cves/kernel/CVE-2016-3135.yml | 4 ++-- cves/kernel/CVE-2022-1975.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index 07820fca7..db6443ee8 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -480,8 +480,8 @@ mistakes: The mistake made is one that all coders run into at some point. Failing to recognize situations where inputs could break the system is easy to come across and often takes a lot of extra time and brainpower to find. - This vulnerability seems to have been brought about by small lapse in - attention that had far reaching consequences. The CWE-190 suggests + This vulnerability seems to have been brought about by a small lapse in + attention that had far-reaching consequences. The CWE-190 suggests mitigations like strictly defining the bounds and this was not performed correctly until the fix. CWE_instructions: | diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 2b9fb0dd0..7613f4d88 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml 
@@ -151,7 +151,7 @@ discovered: explain where you looked. answer: | The vulnerability appears to have been discovered by a developer who was - looking for potential problems. This appears to be the case as the fix was + looking for potential problems. This appears to be the case as the fix was quickly added on 2022-05-05. The emails from the key developer list the bug, its effects, and how they found it. They do not work for Google. automated: false From 123c81c8baa6f38347949c104add6ab0337b9aa6 Mon Sep 17 00:00:00 2001 From: mason Date: Tue, 14 Nov 2023 17:48:25 -0500 Subject: [PATCH 15/17] Further update from comments. --- cves/kernel/CVE-2016-3135.yml | 8 +++++--- cves/kernel/CVE-2022-1975.yml | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index db6443ee8..65b3254d3 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -62,6 +62,7 @@ description: | store information) could be corrupted due to integer overflow. Integer overflow is where the size of an integer is greater than the memory allocated for it and can corrupt other pieces of information within the heap. + This can lead to various attacks all throughout the system. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here @@ -116,7 +117,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 2 +upvotes: 3 unit_tested: question: | Were automated unit tests involved in this vulnerability? 
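Review bot: The added sentence `This can lead to various attacks all throughout the system.` is too vague to help a reader, and the surrounding definition of integer overflow is inaccurate: an integer overflow is an arithmetic result exceeding the range its type can represent so that it wraps (CWE-190, which the mistakes section of this file cites), and the heap corruption is the consequence, because the wrapped size makes the allocation too small and later writes run past it. Suggest replacing the added line with the concrete impact this file already records in its sandbox note, e.g. `Because the corrupted memory is in the kernel heap, a local user who can reach this code path could crash the kernel or gain privileges.`, and tightening the definition to `Integer overflow is when an arithmetic result exceeds the range its integer type can represent and wraps to a smaller value; here that undersized value was used for a memory allocation, so later writes overran the heap.` Check the "local user" and privilege claims against the CVE text before committing them. The description block starts outside the hunk.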
@@ -281,7 +282,8 @@ sandbox: answer: true note: | It is mentioned that the memory heap corruption could be used to - gain privileges. + gain privileges. This can be done by manipulating environment variables + or taking information leaking from the heap to gain privileges. ipc: question: | @@ -378,7 +380,7 @@ forgotten_check: answer: true note: | The fix involves a small if statement that checks whether the size - is correct. If not, it returns NULL. + of the memory allocated for the object is correct. If not, it returns NULL. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 7613f4d88..09a63260a 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -116,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 4 +upvotes: 7 unit_tested: question: | Were automated unit tests involved in this vulnerability? From fdd6846889e5019840ae5db209dcd508cea09901 Mon Sep 17 00:00:00 2001 From: mason Date: Wed, 15 Nov 2023 08:11:54 -0500 Subject: [PATCH 16/17] Updated upvotes --- cves/kernel/CVE-2016-3135.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2016-3135.yml b/cves/kernel/CVE-2016-3135.yml index 65b3254d3..8fb6bf374 100644 --- a/cves/kernel/CVE-2016-3135.yml +++ b/cves/kernel/CVE-2016-3135.yml @@ -117,7 +117,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 3 +upvotes: 4 unit_tested: question: | Were automated unit tests involved in this vulnerability? From c14b34e9d684ad18fadc342321e4021e0b229292 Mon Sep 17 00:00:00 2001 
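Review bot: The added explanation `This can be done by manipulating environment variables or taking information leaking from the heap to gain privileges.` describes an exploitation path that nothing in this file supports and that does not fit the bug: environment variables are a userspace process concept and play no part in exploiting a kernel heap overflow, and no information leak is established anywhere in the record. Unless the bug report or fix discussion you curated actually describes an exploit chain, the note should not supply one; if the sources show no exploit, say so, e.g. `gain privileges. The sources reviewed describe no concrete exploit; the risk is that the overflowed size corrupts kernel heap memory.`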
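Review bot: The new wording `checks whether the size of the memory allocated for the object is correct` still does not say what the check detects, and "correct" is the wrong notion for an overflow guard. If the fix is the CWE-190 bound that the mistakes section of this file refers to, the added if statement catches the case where the computed size has wrapped around and is therefore smaller than it should be, and refuses the allocation by returning NULL; verify against the fix commit and then state it that way: `The fix adds a small if statement that detects that the computed allocation size has wrapped around (integer overflow) and, if so, returns NULL instead of allocating an undersized buffer.`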
From: mason Date: Wed, 15 Nov 2023 09:16:32 -0500 Subject: [PATCH 17/17] Updated upvotes again --- cves/kernel/CVE-2022-1975.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/kernel/CVE-2022-1975.yml b/cves/kernel/CVE-2022-1975.yml index 09a63260a..c747cae3a 100644 --- a/cves/kernel/CVE-2022-1975.yml +++ b/cves/kernel/CVE-2022-1975.yml @@ -116,7 +116,7 @@ upvotes_instructions: | upvotes to each vulnerability you see. Your peers will tell you how interesting they think this vulnerability is, and you'll add that to the upvotes score on your branch. -upvotes: 7 +upvotes: 9 unit_tested: question: | Were automated unit tests involved in this vulnerability?