CVE-2017-12193 and CVE-2013-6376

cves/kernel/CVE-2013-6376.yml

@@ -19,7 +19,7 @@ curated_instructions: |
   This will enable additional editorial checks on this file to make sure you
   fill everything out properly. If you are a student, we cannot accept your work
   as finished unless curated is properly updated.
-curation_level: 0
+curation_level: 2
 reported_instructions: |
   What date was the vulnerability reported to the security team? Look at the
   security bulletins and bug reports. It is not necessarily the same day that
@@ -34,7 +34,7 @@ announced_instructions: |
   This is not the same as published date in the NVD - that is below.
 
   Please enter your date in YYYY-MM-DD format.
-announced_date: '2013-12-14'
+announced_date: '2013-12-21'
 published_instructions: |
   Is there a published fix or patch date for this vulnerability?
   Please enter your date in YYYY-MM-DD format.
@@ -55,7 +55,16 @@ description_instructions: |
 
   Your target audience is people just like you before you took any course in
   security
-description:
+description: |
+  The recalculate_apic_map function within the KVM subsystem of the Linux
+  kernel (specifically found in arch/x86/kvm/lapic.c) up to version 3.12.5
+  could be exploited by users of a guest operating system. This vulnerability
+  is associated with the Interrupt Command Register (ICR), a component related
+  to Advanced Programmable Interrupt Controllers (APICs), which are responsible
+  for managing interrupts. The vulnerability arises when a write operation
+  is performed on the ICR in a malicious manner. In x2apic mode, an extended
+  version of the Advanced Programmable Interrupt Controller (APIC) interface,
+  this can lead to a denial of service.
 bounty_instructions: |
   If you came across any indications that a bounty was paid out for this
   vulnerability, fill it out here. Or correct it if the information already here
@@ -89,9 +98,7 @@ fixes:
 - commit:
   note:
 - commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271
-  note: |
-    Taken from NVD references list with Git commit. If you are
-    curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed'
+  note: 'Manually confirmed'
 vcc_instructions: |
   The vulnerability-contributing commits.
 
@@ -133,10 +140,10 @@ unit_tested:
 
     For the fix_answer below, check if the fix for the vulnerability involves
     adding or improving an automated test to ensure this doesn't happen again.
-  code:
-  code_answer:
-  fix:
-  fix_answer:
+  code: false
+  code_answer: 'No evidance of Code unit tests'
+  fix: false
+  fix_answer: 'No evidance'
 discovered:
   question: |
     How was this vulnerability discovered?
@@ -151,10 +158,10 @@ discovered:
 
     If there is no evidence as to how this vulnerability was found, then please
     explain where you looked.
-  answer:
-  automated:
-  contest:
-  developer:
+  answer: 'Lars Bull of Google (Google employee) reported this issue'
+  automated: false
+  contest: false
+  developer: true
 autodiscoverable:
   instructions: |
     Is it plausible that a fully automated tool could have discovered
@@ -171,8 +178,8 @@ autodiscoverable:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: 'It was noted that Lars Bull of Google discovered this issue, not an automated tool'
+  answer: false
 specification:
   instructions: |
     Is there mention of a violation of a specification? For example, the POSIX
@@ -188,8 +195,8 @@ specification:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: 'I could not find any information on a violation of a specification'
+  answer: false
 subsystem:
   question: |
     What subsystems was the mistake in? These are WITHIN linux kernel
@@ -223,8 +230,8 @@ subsystem:
     e.g.
         name: ["subsystemA", "subsystemB"] # ok
         name: subsystemA # also ok
-  name:
-  note:
+  name: 'kvm'
+  note: 'The description of the vulnerability specifies the kvm subsystem'
 interesting_commits:
   question: |
     Are there any interesting commits between your VCC(s) and fix(es)?
@@ -255,8 +262,8 @@ i18n:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: 'No evidance that this feature was impacted by internationalization'
 sandbox:
   question: |
     Did this vulnerability violate a sandboxing feature that the system
@@ -270,8 +277,10 @@ sandbox:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: |
+    This vulnerability involves certian guest users (limited access to some users)
+    performing a write operation, so it does violate a sandboxing feature
 ipc:
   question: |
     Did the feature that this vulnerability affected use inter-process
@@ -282,8 +291,11 @@ ipc:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: true
+  note: |
+    The feature affected by this vulnerability did use inter-process communication,
+    as it involved certian guest users performing a write operation, which is a form
+    of inter-process communication.
 discussion:
   question: |
     Was there any discussion surrounding this?
@@ -309,9 +321,9 @@ discussion:
 
     Put any links to disagreements you found in the notes section, or any other
     comment you want to make.
-  discussed_as_security:
-  any_discussion:
-  note:
+  discussed_as_security: false
+  any_discussion: false
+  note: 'No evidance of any disagreements'
 vouch:
   question: |
     Was there any part of the fix that involved one person vouching for
@@ -324,8 +336,8 @@ vouch:
 
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of what your answer was.
-  answer:
-  note:
+  answer: false
+  note: 'No evidance that the fix involved one person vouching for another'
 stacktrace:
   question: |
     Are there any stacktraces in the bug reports?
@@ -339,9 +351,9 @@ stacktrace:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  any_stacktraces:
-  stacktrace_with_fix:
-  note:
+  any_stacktraces: false
+  stacktrace_with_fix: false
+  note: 'I did not find any stacktraces in the bug report'
 forgotten_check:
   question: |
     Does the fix for the vulnerability involve adding a forgotten check?
@@ -360,8 +372,10 @@ forgotten_check:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: true
+  note: |
+    Forgotten check within the recalculate_apic_map function to ensure that the ICR 
+    write operation is properly validated.
 order_of_operations:
   question: |
     Does the fix for the vulnerability involve correcting an order of
@@ -373,8 +387,8 @@ order_of_operations:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: 'No evidance this vulnerability invoved correcting an order of operations'
 lessons:
   question: |
     Are there any common lessons we have learned from class that apply to this
@@ -391,37 +405,43 @@ lessons:
     If you think of another lesson we covered in class that applies here, feel
     free to give it a small name and add one in the same format as these.
   defense_in_depth:
-    applies:
+    applies: false
     note:
   least_privilege:
-    applies:
-    note:
+    applies: true
+    note: |
+      Limiting the privileges of guest operating system users can help mitigate the
+      impact of vulnerabilities. By providing the minimum level of access necessary
+      for functionality, the potential damage from the exploitation is reduced.
   frameworks_are_optional:
-    applies:
+    applies: false
     note:
   native_wrappers:
-    applies:
+    applies: false
     note:
   distrust_input:
-    applies:
-    note:
+    applies: true
+    note: |
+      Since this vulnerability arises from a crafted ICR write operation, distrust in input
+      is critical. Thoroughly validating and sanitizing inputs can help prevent malicious
+      data from being processed in this way.
   security_by_obscurity:
-    applies:
+    applies: false
     note:
   serial_killer:
-    applies:
+    applies: false
     note:
   environment_variables:
-    applies:
+    applies: false
     note:
   secure_by_default:
-    applies:
+    applies: false
     note:
   yagni:
-    applies:
+    applies: false
     note:
   complex_inputs:
-    applies:
+    applies: false
     note:
 mistakes:
   question: |
@@ -452,7 +472,14 @@ mistakes:
 
     Write a thoughtful entry here that people in the software engineering
     industry would find interesting.
-  answer:
+  answer: |
+    The CVE-2013-6376 vulnerability in the Linux kernel's KVM subsystem reveals
+    potential issues, including insufficient input validation in handling the
+    Interrupt Command Register during x2apic mode. The oversight in thoroughly validating
+    and sanitizing user inputs could lead to a crafted ICR write operation, constituting
+    a security flaw. Additionally, the presence of a vulnerability allowing guest OS users
+    to exploit the system suggests potential miscommunication or collaboration gaps between
+    system components.
 CWE_instructions: |
   Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
   entry that describes your vulnerability. We recommend going to
@@ -470,9 +497,7 @@ CWE_instructions: |
     CWE: 123            # also ok
 CWE:
 - 189
-CWE_note: |
-  CWE as registered in the NVD. If you are curating, check that this
-  is correct and replace this comment with "Manually confirmed".
+CWE_note: 'Manually confirmed'
 nickname_instructions: |
   A catchy name for this vulnerability that would draw attention it.
   If the report mentions a nickname, use that.