142 changes: 89 additions & 53 deletions cves/kernel/CVE-2016-5728.yml

Expand Up @@ -19,14 +19,14 @@ curated_instructions: |
This will enable additional editorial checks on this file to make sure you
fill everything out properly. If you are a student, we cannot accept your work
as finished unless curated is properly updated.
curation_level: 0
curation_level: 2
reported_instructions: |
What date was the vulnerability reported to the security team? Look at the
security bulletins and bug reports. It is not necessarily the same day that
the CVE was created. Leave blank if no date is given.

Please enter your date in YYYY-MM-DD format.
reported_date:
reported_date: '2016-04-27'
announced_instructions: |
Was there a date that this vulnerability was announced to the world? You can
find this in changelogs, blogs, bug reports, or perhaps the CVE date.
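Review bot: reported_date '2016-04-27' does not match the '2016-04-18' date that the discovered answer further down gives for Pengfei Wang's kernel.org Bugzilla email. If that email is the report to the security team, the earlier date belongs here; otherwise the file should say what 2016-04-27 refers to, since the instructions warn it is not necessarily the CVE creation date. Raising curation_level to 2 while several note fields (subsystem, most lessons) are still empty also looks premature.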
Expand Down Expand Up @@ -55,7 +55,14 @@ description_instructions: |

Your target audience is people just like you before you took any course in
security
description:
description: |
An undesirable situation in one of the functions in a certain driver attempts
to fetch a value that is already being fetched by another function at the same time.
This is an example of a race condition and it allows users to obtain senstive information
from memory or cause memory corruption or a system crash. If one user thread modifies
the header of a file, the function might incorrectly fetch the wrong value since there's
another point in the file where the old value has been fetched. This incorrect reading
in the value may lead to information leakage or a system crash.
bounty_instructions: |
If you came across any indications that a bounty was paid out for this
vulnerability, fill it out here. Or correct it if the information already here
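Review bot: typo "senstive" in the description should be "sensitive", and the description never names the driver or the two reads involved. Since the vccs note below identifies the VOP host-side code, say something like "a function in the VOP driver reads a header that a user thread can modify, and reads it a second time before using it"; that makes the double read, which is exactly what the fix checks for, clear to the stated audience. "another point in the file where the old value has been fetched" also conflates a file on disk with the in-memory header; the thing read twice is the header, not a file.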
Expand All @@ -75,7 +82,7 @@ bugs_instructions: |
* Mentioned in mailing list discussions
* References from NVD entry
* Various other places
bugs: []
bugs: [116651]
fixes_instructions: |
Please put the commit hash in "commit" below.

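Review bot: bugs: [116651] gives no hint of which tracker the number belongs to; the discovered answer says kernel.org Bugzilla, so a short note here (or a link) would let a reader find the report.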
Expand All @@ -90,8 +97,7 @@ fixes:
note:
- commit: 9bf292bfca94694a721449e3fd752493856710f6
note: |
Taken from NVD references list with Git commit. If you are
curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed'
Taken from NVD references list with Git commit. Manually confirmed.
vcc_instructions: |
The vulnerability-contributing commits.

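Review bot: "Manually confirmed." records the conclusion but not the check. One clause saying what was verified, for example that commit 9bf292bfca94694a721449e3fd752493856710f6 adds the comparison described in the forgotten_check note, would make the confirmation reproducible for the next curator.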
Expand All @@ -106,15 +112,17 @@ vcc_instructions: |
Place any notes you would like to make in the notes field.
vccs:
- commit: 61e9c905df78c253752971e200f0ac6d8667dda6
note: Discovered automatically by archeogit.
note: |
Discovered automatically by archeogit. Manually Confirmed, was the initial commit
for this patch to enable VOP host side functionality.
upvotes_instructions: |
For the first round, ignore this upvotes number.

For the second round of reviewing, you will be giving a certain amount of
upvotes to each vulnerability you see. Your peers will tell you how
interesting they think this vulnerability is, and you'll add that to the
upvotes score on your branch.
upvotes:
upvotes: 3
unit_tested:
question: |
Were automated unit tests involved in this vulnerability?
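Review bot: "was the initial commit for this patch" reads as if the VCC were part of the fix; say instead that 61e9c905df78c253752971e200f0ac6d8667dda6 is the commit that introduced the VOP host-side functionality containing the double read. Capitalization is also inconsistent with the fixes note ("Manually Confirmed" vs "Manually confirmed"). Separately, upvotes: 3 is filled in although upvotes_instructions say to ignore the field in the first round; confirm this is a second-round edit.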
Expand All @@ -129,10 +137,10 @@ unit_tested:

For the fix_answer below, check if the fix for the vulnerability involves
adding or improving an automated test to ensure this doesn't happen again.
code:
code_answer:
fix:
fix_answer:
code: False
code_answer: No observable unit testing done.
fix: False
fix_answer: No observable unit testing done.
discovered:
question: |
How was this vulnerability discovered?
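Review bot: "No observable unit testing done." should say where you looked (for example, that the fix commit touches no test files and the bug report mentions none); the instructions ask for the evidence behind the answer, not just the conclusion.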
Expand All @@ -147,11 +155,13 @@ discovered:

If there is no evidence as to how this vulnerability was found, then please
explain where you looked.
answer:
automated:
contest:
developer:
autodiscoverable:
answer: |
@nolan-white nolan-white Nov 10, 2023

Who is "them"? The developers or an outside source? If it's the developers the developer field should probably be updated to true.

'2016-04-18' An email was sent on Kernal.org Bugzilla from Pengfei Wang that
detailed them finding the bug while examining the source code.
automated: False
contest: False
developer: False
autodiscoverable:
instructions: |
Is it plausible that a fully automated tool could have discovered
this? These are tools that require little knowledge of the domain,
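Review bot: "Kernal.org" should be "kernel.org", and the quoted date at the start of the block scalar ('2016-04-18' An email ...) reads like a stray YAML value. Write it as a sentence: "On 2016-04-18 Pengfei Wang reported on kernel.org Bugzilla that they found the bug while examining the source code." That wording also resolves the ambiguous "them" raised in the inline comment: if the reporter is an outside researcher, developer: False is right but the answer should say so explicitly; if not, developer should be True.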
Expand All @@ -167,8 +177,10 @@ autodiscoverable:

The answer field should be boolean. In answer_note, please explain
why you come to that conclusion.
note:
answer:
note: |
If a fuzzer modifed the header in some way, then it might be able to cause this
exploit.
answer: True
specification:
instructions: |
Is there mention of a violation of a specification? For example, the POSIX
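Review bot: "modifed" should be "modified", and "cause this exploit" should be "trigger this race". The reasoning is also thin: per the description the header has to change between the driver's two reads, so a fuzzer that merely feeds odd header values would not hit this bug. The note should say that a tool would need to mutate the header concurrently with the driver's reads, which is a stronger requirement than plain input fuzzing and is why answer: True needs that justification.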
Expand All @@ -184,8 +196,10 @@ specification:

The answer field should be boolean. In answer_note, please explain
why you come to that conclusion.
note:
answer:
note: |
@nolan-white nolan-white Nov 10, 2023

I would suggest changing the writing perspective here to third-person.

After checking the only mailing list, it didn't specify that any specification was
violated.
answer: False
subsystem:
question: |
What subsystems was the mistake in? These are WITHIN linux kernel
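Review bot: "After checking the only mailing list, it didn't specify" is vague about what was checked and first-person in tone (the inline comment makes the same point). Name the sources: "Neither the kernel.org Bugzilla report (bug 116651) nor the fix commit message mentions a violated specification."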
Expand Down Expand Up @@ -219,7 +233,7 @@ subsystem:
e.g.
name: ["subsystemA", "subsystemB"] # ok
name: subsystemA # also ok
name:
name: drivers
note:
interesting_commits:
question: |
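Review bot: name: drivers is too broad to be useful and the note field is left empty. The vccs note identifies the VOP host-side driver, so narrow the subsystem to that driver's directory and record in note how it was determined (for example, from the path of the file touched by the fix commit).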
Expand Down Expand Up @@ -251,8 +265,10 @@ i18n:
Answer should be true or false
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: False
note: |
This vulnerability doesn't have anything to do with the locale of the user
or any conversion to the user's preferences.
sandbox:
question: |
Did this vulnerability violate a sandboxing feature that the system
Expand All @@ -266,8 +282,10 @@ sandbox:
Answer should be true or false
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: False
note: |
This vulnerability does not work with permissions, rather improper variable/memory
management.
ipc:
question: |
Did the feature that this vulnerability affected use inter-process
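Review bot: "does not work with permissions, rather improper variable/memory management" is hard to parse. The question is whether a sandboxing feature was violated, so state that the affected driver path involves no sandboxing mechanism and that the flaw is a double read of a user-modifiable header, not a sandbox escape.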
Expand All @@ -278,8 +296,10 @@ ipc:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: False
note: |
This function does not communicate with any other process or system, it's an
error in its own system.
discussion:
question: |
Was there any discussion surrounding this?
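Review bot: "This function does not communicate with any other process or system" sits uneasily with the description, which says a user thread modifies the header while the driver reads it, i.e. kernel and user space share the data in question. If the project's IPC definition excludes user/kernel shared data, say so in the note; otherwise answer: False needs revisiting.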
Expand All @@ -305,9 +325,12 @@ discussion:

Put any links to disagreements you found in the notes section, or any other
comment you want to make.
discussed_as_security:
any_discussion:
note:
discussed_as_security: False
any_discussion: False
note: |
This was reported only one time and no back and forth discussion. An report was
sent and reviewed, once reviewed a bug was reported and a fix was followed up. Recommendations
were given in the report message.
vouch:
question: |
Was there any part of the fix that involved one person vouching for
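Review bot: grammar in the note: "An report" should be "A report", and "This was reported only one time and no back and forth discussion" should be "This was reported once, with no back-and-forth discussion". any_discussion: False also sits oddly beside a note saying the report was reviewed and contained recommendations; a link to bug 116651 in the note, as the instructions ask, would let readers judge.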
Expand All @@ -320,8 +343,8 @@ vouch:

Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of what your answer was.
answer:
note:
answer: True
note: Sudeep Dutt and Ashutosh Dixit, both from Intel, had signed off on the commit that fixed the issue.
stacktrace:
question: |
Are there any stacktraces in the bug reports?
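Review bot: "had signed off" should be "signed off", and the note should say which trailer it relies on. A Signed-off-by line certifies the developer's right to submit the change; it is Reviewed-by or Acked-by that expresses someone vouching for another person's change, so the answer True depends on which tags the fix commit actually carries.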
Expand All @@ -335,9 +358,12 @@ stacktrace:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
any_stacktraces:
stacktrace_with_fix:
note:
any_stacktraces: False
stacktrace_with_fix: False
note: |
No stacktraces were found, however there might have been one since the original
person that found the fix knew specific line numbers that pointed out the issues in the

Good observation here. They may have also debugged the kernel themselves before reporting.

race condition.
forgotten_check:
question: |
Does the fix for the vulnerability involve adding a forgotten check?
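Review bot: "the original person that found the fix" should be "the reporter" (they found the bug, not the fix), and the sentence runs on across the inline comment. Suggested: "No stack traces were found. The reporter cited specific line numbers for the two reads, so they likely analysed or debugged the source rather than captured a crash."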
Expand All @@ -356,8 +382,9 @@ forgotten_check:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: True
note: This fix involves checking if a certain value has not changed in between two
reads from different functions. If not checked, a race condition would occur.
order_of_operations:
question: |
Does the fix for the vulnerability involve correcting an order of
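Review bot: the note is a plain scalar wrapped over two lines; use the `|` block style the rest of the file uses so the line break is intentional. Wording: "If not checked, a race condition would occur" is backwards, the race exists regardless and the check detects that the value changed between the two reads and rejects it. Say "Without the check, a value changed between the two reads would be used."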
Expand All @@ -369,8 +396,11 @@ order_of_operations:
Answer must be true or false.
Write a note about how you came to the conclusions you did, regardless of
what your answer was.
answer:
note:
answer: True
note: |
This fix involves changing a variable if the check was passed. Once this variable is
changed to a certain value, it can then be written over correctly, or get used with the
correct data that it contains.
lessons:
question: |
Are there any common lessons we have learned from class that apply to this
Expand All @@ -387,37 +417,39 @@ lessons:
If you think of another lesson we covered in class that applies here, feel
free to give it a small name and add one in the same format as these.
defense_in_depth:
applies:
applies: False
note:
least_privilege:
applies:
applies: False
note:
frameworks_are_optional:
applies:
applies: False
note:
native_wrappers:
applies:
applies: False
note:
distrust_input:
applies:
applies: False
note:
security_by_obscurity:
applies:
applies: False
note:
serial_killer:
applies:
applies: False
note:
environment_variables:
applies:
note:
applies: True
note: |
There seems to be an added environment variable to assist checking for the race
condition before continuing code execution.
secure_by_default:
applies:
applies: False
note:
yagni:
applies:
applies: False
note:
complex_inputs:
applies:
applies: False
note:
mistakes:
question: |
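Review bot: environment_variables applies: True with "There seems to be an added environment variable" is almost certainly a misreading: kernel driver code has no environment variables, and the forgotten_check note describes a local variable holding the first read for comparison. Set this to False and reconsider distrust_input, which fits the description (a header that user space can modify is read and trusted twice).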
Expand Down Expand Up @@ -448,7 +480,11 @@ mistakes:

Write a thoughtful entry here that people in the software engineering
industry would find interesting.
answer:
answer: |

The first sentence feels like a bullet point. I would suggest changing this to flow like a paragraph all the way through.

Not completing checks to see if the variable is being written multiple times may lead
to undesirable outcomes when handling lots of data that the system, or the user controls.
Since memory and variables can be changed by the user, it's important to check whether
the system is changing those variable as well to see if there is a conflict.
CWE_instructions: |
Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
entry that describes your vulnerability. We recommend going to
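Review bot: "those variable" should be "those variables", and "being written multiple times" inverts the flaw: the problem is the kernel reading user-controlled data more than once (the double fetch in the description), not the user writing it more than once. Suggested core sentence: "Data that user space can modify must be copied into kernel memory once and then validated and used from that copy; reading it again after validation lets a concurrent writer change it between the check and the use."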