diff --git a/cves/kernel/CVE-2013-6376.yml b/cves/kernel/CVE-2013-6376.yml index ef4764663..423ca62b5 100644 --- a/cves/kernel/CVE-2013-6376.yml +++ b/cves/kernel/CVE-2013-6376.yml @@ -19,7 +19,7 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that @@ -34,7 +34,7 @@ announced_instructions: | This is not the same as published date in the NVD - that is below. Please enter your date in YYYY-MM-DD format. -announced_date: '2013-12-14' +announced_date: '2013-12-21' published_instructions: | Is there a published fix or patch date for this vulnerability? Please enter your date in YYYY-MM-DD format. @@ -55,7 +55,16 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + The recalculate_apic_map function within the KVM subsystem of the Linux + kernel (specifically found in arch/x86/kvm/lapic.c) up to version 3.12.5 + could be exploited by users of a guest operating system. This vulnerability + is associated with the Interrupt Command Register (ICR), a component related + to Advanced Programmable Interrupt Controllers (APICs), which are responsible + for managing interrupts. The vulnerability arises when a write operation + is performed on the ICR in a malicious manner. In x2apic mode, an extended + version of the Advanced Programmable Interrupt Controller (APIC) interface, + this can lead to a denial of service. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
@@ -89,9 +98,7 @@ fixes: - commit: note: - commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271 - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -133,10 +140,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: 'No evidance of Code unit tests' + fix: false + fix_answer: 'No evidance' discovered: question: | How was this vulnerability discovered? @@ -151,10 +158,10 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: 'Lars Bull of Google (Google employee) reported this issue' + automated: false + contest: false + developer: true autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -171,8 +178,8 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 'It was noted that Lars Bull of Google discovered this issue, not an automated tool' + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX @@ -188,8 +195,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: 'I could not find any information on a violation of a specification' + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel 
@@ -223,8 +230,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: 'kvm' + note: 'The description of the vulnerability specifies the kvm subsystem' interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -255,8 +262,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'No evidance that this feature was impacted by internationalization' sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -270,8 +277,10 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: | + This vulnerability involves certian guest users (limited access to some users) + performing a write operation, so it does violate a sandboxing feature ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -282,8 +291,11 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The feature affected by this vulnerability did use inter-process communication, + as it involved certian guest users performing a write operation, which is a form + of inter-process communication. discussion: question: | Was there any discussion surrounding this? @@ -309,9 +321,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: 'No evidance of any disagreements' vouch: question: | Was there any part of the fix that involved one person vouching for 
@@ -324,8 +336,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'No evidance that the fix involved one person vouching for another' stacktrace: question: | Are there any stacktraces in the bug reports? @@ -339,9 +351,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: 'I did not find any stacktraces in the bug report' forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -360,8 +372,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + Forgotten check within the recalculate_apic_map function to ensure that the ICR + write operation is properly validated. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of @@ -373,8 +387,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'No evidance this vulnerability invoved correcting an order of operations' lessons: question: | Are there any common lessons we have learned from class that apply to this 
@@ -391,37 +405,43 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: + applies: false note: least_privilege: - applies: - note: + applies: true + note: | + Limiting the privileges of guest operating system users can help mitigate the + impact of vulnerabilities. By providing the minimum level of access necessary + for functionality, the potential damage from the exploitation is reduced. frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: - note: + applies: true + note: | + Since this vulnerability arises from a crafted ICR write operation, distrust in input + is critical. Thoroughly validating and sanitizing inputs can help prevent malicious + data from being processed in this way. security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: + applies: false note: mistakes: question: | 
@@ -452,7 +472,14 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The CVE-2013-6376 vulnerability in the Linux kernel's KVM subsystem reveals + potential issues, including insufficient input validation in handling the + Interrupt Command Register during x2apic mode. The oversight in thoroughly validating + and sanitizing user inputs could lead to a crafted ICR write operation, constituting + a security flaw. Additionally, the presence of a vulnerability allowing guest OS users + to exploit the system suggests potential miscommunication or collaboration gaps between + system components. CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to @@ -470,9 +497,7 @@ CWE_instructions: | CWE: 123 # also ok CWE: - 189 -CWE_note: | - CWE as registered in the NVD. If you are curating, check that this - is correct and replace this comment with "Manually confirmed". +CWE_note: 'Manually confirmed' nickname_instructions: | A catchy name for this vulnerability that would draw attention it. If the report mentions a nickname, use that. diff --git a/cves/kernel/CVE-2017-12193.yml b/cves/kernel/CVE-2017-12193.yml index b05b7bf1d..0506eb7c1 100644 --- a/cves/kernel/CVE-2017-12193.yml +++ b/cves/kernel/CVE-2017-12193.yml 
@@ -19,14 +19,14 @@ curated_instructions: | This will enable additional editorial checks on this file to make sure you fill everything out properly. If you are a student, we cannot accept your work as finished unless curated is properly updated. -curation_level: 0 +curation_level: 2 reported_instructions: | What date was the vulnerability reported to the security team? Look at the security bulletins and bug reports. It is not necessarily the same day that the CVE was created. Leave blank if no date is given. Please enter your date in YYYY-MM-DD format. -reported_date: +reported_date: '2017-10-12' announced_instructions: | Was there a date that this vulnerability was announced to the world? You can find this in changelogs, blogs, bug reports, or perhaps the CVE date. @@ -55,7 +55,20 @@ description_instructions: | Your target audience is people just like you before you took any course in security -description: +description: | + This vulnerability contains a flaw when adding a new leaf to a full node. The issue happened + when existing leaves cluster together, hindering the addition of a new leaf. + The problem occurs during the relocation of existing leaves to a new node (N1) at level + 1 + and the replacement of the existing node (N0) with pointers to the new leaf and N1. + Two critical errors in the code are identified; + + 1.) Incorrectly setting the pointer from N0 to N1, pointing recursively to N0. + 2.) Failing to set the backpointer from N0 correctly, particularly when N0 is the root node + or reached through a shortcut. + + To rectify this, the problematic code path is removed, and the split_node path is used instead. + This correction ensures accurate handling of the node splitting process, preventing kernel NULL + pointer dereference and associated system errors. bounty_instructions: | If you came across any indications that a bounty was paid out for this vulnerability, fill it out here. Or correct it if the information already here 
@@ -89,9 +102,7 @@ fixes: - commit: note: - commit: ea6789980fdaa610d7eb63602c746bf6ec70cd2b - note: | - Taken from NVD references list with Git commit. If you are - curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' + note: 'Manually confirmed' vcc_instructions: | The vulnerability-contributing commits. @@ -129,10 +140,10 @@ unit_tested: For the fix_answer below, check if the fix for the vulnerability involves adding or improving an automated test to ensure this doesn't happen again. - code: - code_answer: - fix: - fix_answer: + code: false + code_answer: 'This test was discovered by several university students so automated unit tests were very likely not involuved in this vulnerability' + fix: false + fix_answer: 'I assume tests would have been put in place but I could not find evidance to affirm this was the case.' discovered: question: | How was this vulnerability discovered? @@ -147,10 +158,12 @@ discovered: If there is no evidence as to how this vulnerability was found, then please explain where you looked. - answer: - automated: - contest: - developer: + answer: | + Several students from the University of Hong Kong were credited with discovering this vulnerability + The students creditied were: Fan Wu, Haoran Qiu, Heming Cui, and Shixiong Zhao. + automated: false + contest: true + developer: false autodiscoverable: instructions: | Is it plausible that a fully automated tool could have discovered @@ -167,8 +180,10 @@ autodiscoverable: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: | + Several students from the University of Honk Kong were credited with the + discovery of the bug, so a fully automated tool did not discover this vulerability + answer: false specification: instructions: | Is there mention of a violation of a specification? For example, the POSIX 
@@ -184,8 +199,8 @@ specification: The answer field should be boolean. In answer_note, please explain why you come to that conclusion. - note: - answer: + note: "No evidance of a violation of a specification" + answer: false subsystem: question: | What subsystems was the mistake in? These are WITHIN linux kernel @@ -219,8 +234,8 @@ subsystem: e.g. name: ["subsystemA", "subsystemB"] # ok name: subsystemA # also ok - name: - note: + name: lib + note: 'Found the fix path within the bug report' interesting_commits: question: | Are there any interesting commits between your VCC(s) and fix(es)? @@ -251,8 +266,8 @@ i18n: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'No evidance the feature impacted by this vulnerability involved internationalization' sandbox: question: | Did this vulnerability violate a sandboxing feature that the system @@ -266,8 +281,8 @@ sandbox: Answer should be true or false Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "No evidance this vulnerability violated any sandboxing features" ipc: question: | Did the feature that this vulnerability affected use inter-process @@ -278,8 +293,8 @@ ipc: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: "No evidance the feature that this vulnerability affected used inter-process communication, as it only involved a null-pointer dereference" discussion: question: | Was there any discussion surrounding this? 
@@ -305,9 +320,9 @@ discussion: Put any links to disagreements you found in the notes section, or any other comment you want to make. - discussed_as_security: - any_discussion: - note: + discussed_as_security: false + any_discussion: false + note: 'No evidance of any disagreements' vouch: question: | Was there any part of the fix that involved one person vouching for @@ -320,8 +335,8 @@ vouch: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: 'The fix was noted as being signed off by Linus Torvalds ' stacktrace: question: | Are there any stacktraces in the bug reports? @@ -335,9 +350,9 @@ stacktrace: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - any_stacktraces: - stacktrace_with_fix: - note: + any_stacktraces: false + stacktrace_with_fix: false + note: 'No stacktraces found in the bug reports' forgotten_check: question: | Does the fix for the vulnerability involve adding a forgotten check? @@ -356,8 +371,10 @@ forgotten_check: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: true + note: | + The vulnerability stems from a missing null pointer check in the assoc_array_apply_edit() function. + Implementing a proper null pointer check in the function is essential to address this issue. order_of_operations: question: | Does the fix for the vulnerability involve correcting an order of 
@@ -369,8 +386,8 @@ order_of_operations: Answer must be true or false. Write a note about how you came to the conclusions you did, regardless of what your answer was. - answer: - note: + answer: false + note: 'No evidance that the fix for the vulnerability invoved correcting an order of operations' lessons: question: | Are there any common lessons we have learned from class that apply to this @@ -387,38 +404,43 @@ lessons: If you think of another lesson we covered in class that applies here, feel free to give it a small name and add one in the same format as these. defense_in_depth: - applies: - note: + applies: true + note: | + The vulnerability highlights the importance of having multiple layers of defense. + A missing null pointer check in a specific function could have been prevented by additional + defensive measures at different levels of the system. least_privilege: - applies: + applies: false note: frameworks_are_optional: - applies: + applies: false note: native_wrappers: - applies: + applies: false note: distrust_input: - applies: + applies: false note: security_by_obscurity: - applies: + applies: false note: serial_killer: - applies: + applies: false note: environment_variables: - applies: + applies: false note: secure_by_default: - applies: + applies: false note: yagni: - applies: + applies: false note: complex_inputs: - applies: - note: + applies: true + note: | + The issue suggests that handling complex inputs, such as those involving associative arrays, + which requires careful attention to prevent vulnerabilities. mistakes: question: | In your opinion, after all of this research, what mistakes were made that 
@@ -448,7 +470,12 @@ mistakes: Write a thoughtful entry here that people in the software engineering industry would find interesting. - answer: + answer: | + The vulnerability can be attributed to a lapse in attention, as seen by a + missing null pointer check in the assoc_array_apply_edit() function. + This slip highlights the importance of meticulous coding practices, thorough code reviews, + and comprehensive testing. + CWE_instructions: | Please go to http://cwe.mitre.org and find the most specific, appropriate CWE entry that describes your vulnerability. We recommend going to
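Review bot: In cves/kernel/CVE-2013-6376.yml, hunk @@ -270,8 +277,10 @@ (sandbox), the answer and the note contradict each other: `answer: false` but the note ends "so it does violate a sandboxing feature". The description in the same file says guest OS users can trigger the denial of service from inside the guest, which is the sandbox boundary here, so either change to `answer: true` or rewrite the note to explain why the guest boundary does not count. Also "certian" should be "certain".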
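Review bot: In cves/kernel/CVE-2013-6376.yml, hunk @@ -282,8 +291,11 @@ (ipc), the justification does not support `answer: true`: a guest performing "a write operation" on the ICR is not inter-process communication. The ICR is the APIC register used to send inter-processor interrupts, which is a different mechanism despite the similar abbreviation. Either point to actual IPC (pipes, sockets, signals, shared memory) used by the affected KVM code, or set `answer: false` and say so in the note.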
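Review bot: In cves/kernel/CVE-2013-6376.yml, hunk @@ -360,8 +372,10 @@ (forgotten_check), the note only restates the description ("ensure that the ICR write operation is properly validated") and names no concrete check. The fix commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 is already listed under fixes; quote or describe the condition it adds in recalculate_apic_map so a reader can verify that this really is a forgotten check rather than some other kind of fix.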
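Review bot: In cves/kernel/CVE-2013-6376.yml, hunk @@ -452,7 +472,14 @@ (mistakes), the last sentence ("suggests potential miscommunication or collaboration gaps between system components") is speculation with nothing in the file to back it. Drop it, or replace it with something traceable to the fix commit or the bug report. The first two sentences (insufficient validation of the ICR write in x2apic mode) are the substantive answer and can stand on their own.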
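Review bot: In cves/kernel/CVE-2013-6376.yml, hunk @@ -133,10 +140,10 @@ (unit_tested), "evidance" should be "evidence" in both `code_answer` and `fix_answer`. The same misspelling recurs in the i18n, discussion, vouch and order_of_operations hunks of this file and of cves/kernel/CVE-2017-12193.yml, and "invoved" in the order_of_operations notes should be "involved". A quick search-and-replace across both files before merging would clean all of these up.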
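Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -147,10 +158,12 @@ (discovered), `contest: true` is not supported by the note, which credits four University of Hong Kong students and mentions no contest or competition. Either name the contest in the note or set `contest: false`. Also "creditied" should be "credited", and the first sentence is missing its full stop before "The students".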
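Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -167,8 +180,10 @@ (autodiscoverable), the note answers the wrong question. The field asks whether a fully automated tool plausibly could have found the bug; the note only says that humans did find it, which does not settle that. Give a reason tied to the bug class (a NULL pointer dereference reached through node splitting) for why a tool could or could not have caught it. The same non sequitur appears in the autodiscoverable hunk of cves/kernel/CVE-2013-6376.yml. Also "Honk Kong" should be "Hong Kong" and "vulerability" should be "vulnerability".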
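Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -320,8 +335,8 @@ (vouch), a Signed-off-by line from Linus Torvalds is the standard Developer Certificate of Origin chain that every merged kernel commit carries; it does not show one person vouching for another in the sense this field asks about, otherwise every kernel CVE would be `true`. Set `answer: false` unless the bug report or mailing-list thread shows someone explicitly vouching for the author or the patch. The string also has a trailing space before the closing quote.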
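Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -356,8 +371,10 @@ (forgotten_check), the note contradicts the description added earlier in this same patch. The description says the fix removes the problematic code path and routes through split_node because the pointer from N0 to N1 and the backpointer from N0 were set wrongly; no NULL pointer check is added, and the NULL dereference is the symptom rather than the missing check. Either set `answer: false` with a note to that effect, or quote the actual check added by ea6789980fdaa610d7eb63602c746bf6ec70cd2b. The mistakes hunk (@@ -448,7 +470,12 @@) repeats the same "missing null pointer check" claim and needs the same correction.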
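Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -55,7 +55,20 @@ (description), "Two critical errors in the code are identified;" should end with a colon rather than a semicolon since a list follows, and "This vulnerability contains a flaw when adding a new leaf to a full node" should say what contains the flaw, e.g. "This vulnerability is a flaw in the kernel's associative array code when adding a new leaf to a full node", matching `name: lib` further down. The "at level + 1" fragment also reads as if a line break landed in the middle of "level 1"; check the wrapped line.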
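Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -387,38 +404,43 @@ (lessons), the complex_inputs note is ungrammatical: "handling complex inputs, such as those involving associative arrays, which requires careful attention" should drop "which". The defense_in_depth note is generic; name the extra layer that would have caught a bad node split (a consistency check after the split, or a test exercising a full node) or leave `applies: false`.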
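Review bot: In cves/kernel/CVE-2017-12193.yml, hunk @@ -129,10 +140,10 @@ (unit_tested), `code_answer` says "This test was discovered by several university students" where it means "This vulnerability was discovered", and "involuved" should be "involved". The `fix_answer` states an assumption ("I assume tests would have been put in place") while `fix: false`; the field asks what the fix contains, so say what you checked (the fix commit diff and the bug report) and that no test was found, without the assumption.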