CVE-2016-2547 & CVE-2018-20961 #212
Conversation
| description: | ||
| description: The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides | ||
| an interface for sound cards devices. The framework used a resource locking approach that did not | ||
| consider slave timer instances. The instacne could still be accessed, creating race condition |
There was a problem hiding this comment.
Misspelled instance here & creating a race condition
There was a problem hiding this comment.
You describe the ALSA subsystem well, but should also go into detail for terms like "slave timer" and "race condition" for those who may not be familiar with them.
| @@ -227,7 +232,7 @@ subsystem: | |||
| e.g. | |||
| name: ["subsystemA", "subsystemB"] # ok | |||
| name: subsystemA # also ok | |||
| name: | |||
| name: sound | |||
There was a problem hiding this comment.
Instead of sound, you likely want to put drivers as the subsystem or ASLA, as you mentioned before. Sound is made up of ASLA drivers and utilities, and is not technically a subsystem.
There was a problem hiding this comment.
Looking at the repository, I think it's fine actually. Sound is certainly a subsystem, and it appears that no other subsystems were involved.
| answer: | ||
| note: | ||
| answer: false | ||
| note: only systems using the Advanced Linux Sound Architecture (ALSA) |
There was a problem hiding this comment.
This reads funny. I would recommend rephrasing
There was a problem hiding this comment.
Yeah I'm unsure how this relates to i18n. Definitely review, but since it is a general sound framework, I doubt it has any notable relation to i18n.
| answer: | ||
| note: | ||
| answer: true | ||
| note: check if all instances are locked |
There was a problem hiding this comment.
In general, notes like this should be more complete to add confidence in your work
| @@ -456,7 +461,7 @@ mistakes: | |||
|
|
|||
| Write a thoughtful entry here that people in the software engineering | |||
| industry would find interesting. | |||
| answer: | |||
| answer: This is a coding lapse. The developer forgot to lock all instances | |||
There was a problem hiding this comment.
I would elaborate on locking and instances and what role they play
| @@ -482,4 +487,4 @@ nickname_instructions: | | |||
| If the report mentions a nickname, use that. | |||
| Must be under 30 characters. Optional. | |||
| nickname: | |||
| CVSS: | |||
| CVSS: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | |||
There was a problem hiding this comment.
Add to upvotes (since not changed in commit): I give this a 2
| @@ -106,7 +108,7 @@ vcc_instructions: | | |||
| Place any notes you would like to make in the notes field. | |||
| vccs: | |||
| - commit: ad0d1a058eac46503edbc510d1ce44c5df8e0c91 | |||
| note: Discovered automatically by archeogit. | |||
| note: Patch meant to fix memory leak when system fails | |||
| - commit: '079fe5a6da616891cca1a26e803e1df2a87e9ae5' | |||
| note: Discovered automatically by archeogit. | |||
There was a problem hiding this comment.
Did you manually confirm this? Be sure to mention that if so!
| automated: | ||
| contest: | ||
| developer: | ||
| answer: Greg Kroah-Hartman from linux foundations |
There was a problem hiding this comment.
How was it discovered? If that's not mentioned, bring that up.
| answer: | ||
| note: | ||
| answer: true | ||
| note: double-free can cause arbitrary code exe. |
| @@ -454,7 +456,7 @@ mistakes: | |||
|
|
|||
| Write a thoughtful entry here that people in the software engineering | |||
| industry would find interesting. | |||
| answer: | |||
| answer: This is a coding lapse. The developer forgot to check if resource was already free | |||
| CWE_instructions: | | |||
| Please go to http://cwe.mitre.org and find the most specific, appropriate CWE | |||
| entry that describes your vulnerability. We recommend going to | |||
There was a problem hiding this comment.
Add to Upvotes (since not changed in commit): I give this a 2
| fix: | ||
| fix_answer: | ||
| code: false | ||
| code_answer: no unit tests found in commits |
There was a problem hiding this comment.
In general, check your capitalization for your notes.
| reported_instructions: | | ||
| What date was the vulnerability reported to the security team? Look at the | ||
| security bulletins and bug reports. It is not necessarily the same day that | ||
| the CVE was created. Leave blank if no date is given. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| reported_date: | ||
| reported_date: '2016-02-24' |
There was a problem hiding this comment.
Unsure what the exact "reported" date might be, but I found bug reports as early as January 13th from the NVD references: https://lore.kernel.org/all/CACT4Y+ZrVvE3dgcYHRdHDG0X316VgC-=pr2U-233vVn_QbHZHw@mail.gmail.com/T/#u
| description: | ||
| description: The Advanced Linux Sound Architecture (ALSA) is a framework in the linux kernal that provides | ||
| an interface for sound cards devices. The framework used a resource locking approach that did not | ||
| consider slave timer instances. The instacne could still be accessed, creating race condition |
There was a problem hiding this comment.
You describe the ALSA subsystem well, but should also go into detail for terms like "slave timer" and "race condition" for those who may not be familiar with them.
| developer: | ||
| answer: Dmitry Vyukov, Google developer, discovered that the Advanced Linux Sound Architecture (ALSA) | ||
| framework's handling of high resolution timers did not properly manage its | ||
| data structures 2016-01-15 |
There was a problem hiding this comment.
At the bottom of the fix commit, a system call fuzzer from Google (known as syzkaller) is referenced. It may be worth mentioning as it likely played a role in detecting this bug.
There was a problem hiding this comment.
"Dmitry Vyukov reported a series of kernel bugs in ALSA core that have been
triggered by syzkaller fuzzer" - https://www.openwall.com/lists/oss-security/2016/01/19/1
| @@ -175,8 +180,8 @@ autodiscoverable: | |||
|
|
|||
| The answer field should be boolean. In answer_note, please explain | |||
| why you come to that conclusion. | |||
| note: | |||
| answer: | |||
| note: fuzzer, use-after-free | |||
There was a problem hiding this comment.
This may need some expanding. Maybe give sentences, along with any related thoughts.
| @@ -227,7 +232,7 @@ subsystem: | |||
| e.g. | |||
| name: ["subsystemA", "subsystemB"] # ok | |||
| name: subsystemA # also ok | |||
| name: | |||
| name: sound | |||
There was a problem hiding this comment.
Looking at the repository, I think it's fine actually. Sound is certainly a subsystem, and it appears that no other subsystems were involved.
| answer: | ||
| note: | ||
| answer: true | ||
| note: access instance that should be locked for privileged resources |
There was a problem hiding this comment.
It's hard to say, but I would disagree here. Privilege doesn't seem to be the issue, instead more careful management of that resource in a multi-threaded environment.
| reported_instructions: | | ||
| What date was the vulnerability reported to the security team? Look at the | ||
| security bulletins and bug reports. It is not necessarily the same day that | ||
| the CVE was created. Leave blank if no date is given. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| reported_date: | ||
| reported_date: '2019-08-07' |
There was a problem hiding this comment.
It seems you didn't look very hard
| description: | ||
| description: Some USB gadgets have multiple 'modes' devices that can switch between modes | ||
| and possibly cause a double-free flaw. Subsequently the USB gadget Midi driver | ||
| in the Linux kernel created a double-free when handling certain errors. |
There was a problem hiding this comment.
Good, but if nothing else maybe explain what a double free means/why it crashes and how it crashes
| @@ -173,8 +175,8 @@ autodiscoverable: | |||
|
|
|||
| The answer field should be boolean. In answer_note, please explain | |||
| why you come to that conclusion. | |||
| note: | |||
| answer: | |||
| note: no tools/tests mentioned in commits | |||
There was a problem hiding this comment.
It mentions MOXCAFE. I see little info on it, but it should be mentioned as it is in the fix commit
| answer: | ||
| note: | ||
| answer: true | ||
| note: usb instance freed when process failed |
There was a problem hiding this comment.
Maybe a few more details for understanding.
First draft... Need further digging