CVE-2016-9754 and CVE-2022-0516 #225
Conversation
|
Looks like this needs to be worked on. Keep going! |
cves/kernel/CVE-2016-9754.yml
Outdated
| @@ -169,8 +171,8 @@ autodiscoverable: | |||
|
|
|||
| The answer field should be boolean. In answer_note, please explain | |||
| why you come to that conclusion. | |||
| note: | |||
| answer: | |||
| note: 'Buffer overflows can be found by automated tools.' | |||
There was a problem hiding this comment.
This is not a buffer overflow, but rather an integer overflow - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=59643d1535eb220668692a5359de22545af579f6
This, under certain situations, can still be found by certain automated testers such as syzkaller
There was a problem hiding this comment.
You're right. The integer in question controls the buffer size for the ring buffer, which caused me to misidentify the issue. Fixed the note.
cves/kernel/CVE-2016-9754.yml
Outdated
| - commit: | ||
| note: | ||
| - commit: 9b94a8fba501f38368aef6ac1b30e7335252a220 | ||
| note: This seems to be an attempt at fixing the buffer overflow. Howvwer it didnt cover every cause, so overflow was still possible. |
There was a problem hiding this comment.
Same comment as above. This is an integer overflow.
There was a problem hiding this comment.
You're right. The integer in question controls the buffer size for the ring buffer, which caused me to misidentify the issue. Fixed the note.
| answer: | ||
| note: | ||
| answer: true | ||
| note: 'The exploit involves user input to modify a file controlling buffer size.' |
There was a problem hiding this comment.
How did you come to this conclusion?
This seems to be a vulnerability in a kernel data structure.
There was a problem hiding this comment.
Yes, but the exploit noted in the fix commit involves editing a file that controls the buffer size used in the ring buffer, /sys/kernel/debug/tracing/buffer_size_kb. This is also noted in the vulnerability description on NVD.
cves/kernel/CVE-2016-9754.yml
Outdated
| applies: | ||
| note: | ||
| applies: true | ||
| note: The functionality lacks boundary checks for the buffer. |
There was a problem hiding this comment.
There does not seem to be a buffer involved here.
There was a problem hiding this comment.
I meant the integer that controls the buffer size. Fixed to clarify that better.
cves/kernel/CVE-2022-0516.yml
Outdated
| @@ -114,7 +115,7 @@ upvotes_instructions: | | |||
| upvotes to each vulnerability you see. Your peers will tell you how | |||
| interesting they think this vulnerability is, and you'll add that to the | |||
| upvotes score on your branch. | |||
| upvotes: | |||
| upvotes: false | |||
| - commit: 83f40318dab00e3298a1f6d0b12ac025e84e478d | ||
| note: Discovered automatically by archeogit. | ||
| note: 'Discovered automatically by archeogit. Adds the capability to remove pages from a ring buffer without destroying any existing data in it.' | ||
| upvotes_instructions: | |
Co-authored-by: Sharad Khanna <[email protected]>
While the vuln regards an int that controls a buffer size, it is not a buffer overflow
This reverts commit afd6a55.
| answer: 'The issue was reported by a Red Hat employee' | ||
| automated: false | ||
| contest: false | ||
| developer: false |
There was a problem hiding this comment.
Was the method of discovery mentioned by the employee?
There was a problem hiding this comment.
It was not. I assume it was a manual find.
cves/kernel/CVE-2016-9754.yml
Outdated
| upvotes_instructions: | | ||
| For the first round, ignore this upvotes number. | ||
|
|
||
| For the second round of reviewing, you will be giving a certain amount of | ||
| upvotes to each vulnerability you see. Your peers will tell you how | ||
| interesting they think this vulnerability is, and you'll add that to the | ||
| upvotes score on your branch. | ||
| upvotes: | ||
| upvotes: 1 |
| @@ -106,17 +108,17 @@ vcc_instructions: | | |||
| Place any notes you would like to make in the notes field. | |||
| vccs: | |||
| - commit: 7a8e76a3829f1067b70f715771ff88baf2fbf3c3 | |||
| note: Discovered automatically by archeogit. | |||
| note: 'Discovered automatically by archeogit. Introduces the ring buffer.' | |||
| - commit: 83f40318dab00e3298a1f6d0b12ac025e84e478d | |||
There was a problem hiding this comment.
This bug was in the system for 4 years before being detected. I had a similar CVE with very old code containing a bug. Who knows how many undiscovered bugs are tucked away in large systems. Very interesting.
| - commit: a43b80b782c9f56b3bcc2e5e51261dc3980839ec | ||
| note: | | ||
| There is 2 years worth of work on this subsystem and even file from the origin | ||
| to the fix, but none of them really did anything with the Guest users functionality | ||
| except this one. This one adds a global for debugging, KVM_GUESTDBG_VALID_MASK. | ||
| Though it has no effect on the specific function of the bug, it is interesting that | ||
| permissions debugging systems were made in the bug's subsystem, and yet the bug | ||
| remained elusive. |
There was a problem hiding this comment.
Do you think they were aware there might have been a bug but didn't know the exact location and couldn't replicate it? Or was this preemptive yet still didn't locate it. Either way its unfortunate they walked right over it without seeing the bug.
cves/kernel/CVE-2022-0516.yml
Outdated
| @@ -114,7 +115,7 @@ upvotes_instructions: | | |||
| upvotes to each vulnerability you see. Your peers will tell you how | |||
| interesting they think this vulnerability is, and you'll add that to the | |||
| upvotes score on your branch. | |||
| upvotes: | |||
| upvotes: 2 | |||
| answer: | | ||
| This is likely a simple lapse. The function used for making the check on the virtual cpu was created | ||
| and intnded to be used, but the check was never placed in along with the rest. The fix was simply adding the check in. | ||
| CWE 280 recommends using "safe areas" surrounded by trust boundaries in the design of the subsystem. These were assumably | ||
| already in place given the specificness of the other checks in the permissions functionality. The CWE also recommends always | ||
| checking that a resource was properlly and successfully accessed. This is now followed since such a check was added. |
There was a problem hiding this comment.
Was the function to make the check used anywhere after its implementation?
There was a problem hiding this comment.
I'm not sure. It was not used anywhere in the subsystem at least.
There was a problem hiding this comment.
Great work overall, and definitely an interesting vulnerability. Just added a couple minor suggestions to help with consistency and readability, looks like the majority of your information is laid out quite well otherwise though!
Also please add 2 upvotes to CVE-2022-0516
- I found it interesting how long it took them to finally fix the issue, even after they knew they had a bug in their system
| @@ -105,7 +106,7 @@ vcc_instructions: | | |||
|
|
|||
| Place any notes you would like to make in the notes field. | |||
| vccs: | |||
| - commit: 19e1227768863a1469797c13ef8fea1af7beac2c | |||
| - commit: '19e1227768863a1469797c13ef8fea1af7beac2c' | |||
There was a problem hiding this comment.
The quotes are unnecessary here since it's a hash value. Not sure if it makes a difference but they can be removed both here and for the hash on line 91
| code: false | ||
| code_answer: 'There were no surrounding tests. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' | ||
| fix: false | ||
| fix_answer: 'No tests were added. Since this subsystem surrounds permissions. Unit tests handling this type of defect would be difficult.' |
There was a problem hiding this comment.
Could be refactored into paragraph format just to stay under the 80 char line limit. Same can be said for lines 320, 334, 350, etc.
| and intnded to be used, but the check was never placed in along with the rest. The fix was simply adding the check in. | ||
| CWE 280 recommends using "safe areas" surrounded by trust boundaries in the design of the subsystem. These were assumably | ||
| already in place given the specificness of the other checks in the permissions functionality. The CWE also recommends always | ||
| checking that a resource was properlly and successfully accessed. This is now followed since such a check was added. |
There was a problem hiding this comment.
Just a couple grammatical updates here as well that could help with readability, intended and properly
cves/kernel/CVE-2016-9754.yml
Outdated
| description: | | ||
| The ring_buffer_resize function used for converting a buffer for use in a userspace | ||
| in the profiling subsystem mishandles certain integer calculations. This | ||
| misculaculation is capable of causing an overflow during ineger rounding. This |
There was a problem hiding this comment.
There are some typos here:
"misculaculation" -> "miscalculation"
"ineger rounding" -> "integer rounding"
cves/kernel/CVE-2016-9754.yml
Outdated
| The ring_buffer_resize function used for converting a buffer for use in a userspace | ||
| in the profiling subsystem mishandles certain integer calculations. This | ||
| misculaculation is capable of causing an overflow during ineger rounding. This | ||
| allows users to gain unintended privileges by changing the buffer suze by |
There was a problem hiding this comment.
Typo:
"buffer suze" -> "buffer size"
cves/kernel/CVE-2016-9754.yml
Outdated
| note: | ||
| any_stacktraces: false | ||
| stacktrace_with_fix: false | ||
| note: The commit and mail chain do not have a stacktrace, only instructions for repriduction and likely cause. |
There was a problem hiding this comment.
Typo: "repriduction" -> "reproduction"
cves/kernel/CVE-2016-9754.yml
Outdated
| answer: | | ||
| This was likely a planning error. The issue was caused by a mixup in algebraic logic. | ||
| I suspect this was simply a lack of oversight and concept testing when designing said | ||
| logic. The CWE recommends that a bahvior that is seen as 'out-of-bounds' is strictly |
cves/kernel/CVE-2016-9754.yml
Outdated
| logic. The CWE recommends that a bahvior that is seen as 'out-of-bounds' is strictly | ||
| defined. This is not seen in the code itself, but is possibly present in some planning | ||
| documentation. There is also no check to make sure the buffer is in bounds. The other | ||
| mitigations, however, about learly understanding the behavior of the signed integers |
There was a problem hiding this comment.
"learly understanding"? Maybe it was supposed to be "clearly understanding"
cves/kernel/CVE-2016-9754.yml
Outdated
| upvotes_instructions: | | ||
| For the first round, ignore this upvotes number. | ||
|
|
||
| For the second round of reviewing, you will be giving a certain amount of | ||
| upvotes to each vulnerability you see. Your peers will tell you how | ||
| interesting they think this vulnerability is, and you'll add that to the | ||
| upvotes score on your branch. | ||
| upvotes: | ||
| upvotes: 3 |
There was a problem hiding this comment.
Overall great! Your explanations are clear and easy to understand. The minor errors are consistency in capitalization and punctuation across the document.
I would give this a 5.
| @@ -389,38 +389,38 @@ lessons: | |||
| If you think of another lesson we covered in class that applies here, feel | |||
| free to give it a small name and add one in the same format as these. | |||
| defense_in_depth: | |||
| applies: | |||
| applies: false | |||
| note: | |||
There was a problem hiding this comment.
Consider adding a note for why it's false. Other documents I've reviewed included this, so it might be good to have it.
No description provided.