lkl / linux

Linux kernel source tree

Home Page: https://lkl.github.io/

LKL is potentially affected by 10 known CVEs

FVF-research opened this issue · comments

Hi LKL team,

I'm from a research team which focuses on OSS similar-vulnerability detection. Our team observes 10 similar vulnerabilities in the master branch. Sorry that we did not find a security policy in this project and have to post the information here. Could you help verify whether the detected functions are impacted, and whether we can directly apply the patches to fix the vulnerabilities? Below we list the details of each similar vulnerability, including the CVE, the relevant patch, and the vulnerable functions in LKL. Note that the listed functions are the same as the unpatched version in the relevant patch.

(1)

Vulnerability info:

  • CVE-2018-1000026 (7.7 HIGH): Linux kernel version at least v4.8 onwards, probably well before, contains an insufficient input validation vulnerability in the bnx2x network card driver that can result in DoS: a network card firmware assertion takes the card off-line. This attack appears to be exploitable by an attacker who must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM.

The relevant patch info:

Similar vulnerable function info:

  • drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ~ qlcnic_features_check

(2)

Vulnerability info:

  • CVE-2022-1852 (5.5 MEDIUM): A NULL pointer dereference flaw was found in the Linux kernel's KVM module, which can lead to a denial of service in x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in a guest on an Intel CPU.

The relevant patch info:

Similar vulnerable function info:

  • arch/x86/kvm/x86.c ~ kvm_vcpu_check_breakpoint
  • arch/x86/kvm/x86.c ~ x86_decode_emulated_instruction
  • arch/x86/kvm/x86.c ~ x86_emulate_instruction

(3)

Vulnerability info:

  • CVE-2022-2318 (5.5 MEDIUM): There are use-after-free vulnerabilities caused by the timer handler in net/rose/rose_timer.c of the Linux kernel that allow attackers to crash the kernel without any privileges.

The relevant patch info:

Similar vulnerable function info:

  • net/rose/rose_timer.c ~ rose_heartbeat_expiry
  • net/rose/rose_timer.c ~ rose_idletimer_expiry
  • net/rose/rose_timer.c ~ rose_start_hbtimer
  • net/rose/rose_timer.c ~ rose_start_heartbeat
  • net/rose/rose_timer.c ~ rose_start_idletimer
  • net/rose/rose_timer.c ~ rose_start_t1timer
  • net/rose/rose_timer.c ~ rose_start_t2timer
  • net/rose/rose_timer.c ~ rose_start_t3timer
  • net/rose/rose_timer.c ~ rose_timer_expiry

(4)

Vulnerability info:

  • CVE-2022-2959 (7.0 HIGH): A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The specific flaw exists within the handling of pipe buffers. The issue results from the lack of proper locking when performing operations on an object. This flaw allows a local user to crash the system or escalate their privileges on the system.

The relevant patch info:

Similar vulnerable function info:

  • fs/pipe.c ~ pipe_resize_ring

(5)

Vulnerability info:

  • CVE-2022-3077 (5.5 MEDIUM): A buffer overflow vulnerability was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system.

The relevant patch info:

Similar vulnerable function info:

  • drivers/i2c/busses/i2c-ismt.c ~ ismt_access

(6)

Vulnerability info:

  • CVE-2022-34494 (5.5 MEDIUM): rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.

The relevant patch info:

Similar vulnerable function info:

  • drivers/rpmsg/virtio_rpmsg_bus.c ~ rpmsg_virtio_add_ctrl_dev

(7)

Vulnerability info:

  • CVE-2022-34495 (5.5 MEDIUM): rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.

The relevant patch info:

Similar vulnerable function info:

  • drivers/rpmsg/virtio_rpmsg_bus.c ~ rpmsg_probe

(8)

Vulnerability info:

  • CVE-2022-36123 (7.8 HIGH): The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.

The relevant patch info:

Similar vulnerable function info:

  • arch/x86/kernel/head64.c ~ clear_bss
  • arch/x86/xen/enlighten_pv.c ~ xen_start_kernel

(9)

Vulnerability info:

  • CVE-2022-36879 (5.5 MEDIUM): An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.

The relevant patch info:

Similar vulnerable function info:

  • net/xfrm/xfrm_policy.c ~ xfrm_expand_policies

(10)

Vulnerability info:

  • CVE-2022-39189 (7.8 HIGH): An issue was discovered in the x86 KVM subsystem in the Linux kernel before 5.18.17. Unprivileged guest users can compromise the guest kernel because TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED situations.

The relevant patch info:

Similar vulnerable function info:

  • arch/x86/kvm/vmx/vmx.c ~ handle_external_interrupt_irqoff
  • arch/x86/kvm/x86.c ~ kvm_steal_time_set_preempted
  • arch/x86/kvm/x86.c ~ vcpu_run

Thanks,

FVF research team

@FVF-research thank you for the report !

One question: which LKL version did you use for the checks ?

We have recently pulled the upstream Linus tree to our branch (Jun 24, 2023), and I guess most of the CVEs (all?) have already been fixed in the LKL branch.

Again, thanks for letting us know.

@FVF-research please reopen this if you still think it's an issue.

Given that (currently) lkl follows somewhat dated mainline releases, there will likely always be a bunch of applicable CVEs. For this to change we'd probably need to follow Linus's releases quite closely or switch to something like https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-rolling-stable ... Merging lkl into mainline would of course be the ideal solution 😄
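The maintainers' question ("which LKL version did you use?") is the first thing to settle before going through the ten entries one by one. The following helper is an added example, not code from the issue or from the LKL project: it reads the VERSION / PATCHLEVEL / SUBLEVEL lines of a kernel tree's top-level Makefile (an assumption about the Makefile layout, true for mainline) and reports which of the CVEs above are not yet ruled out by the version boundary quoted in their own descriptions. Only the five entries whose description on this page names a boundary ("before 5.18.4", "through 5.18.14", and so on) are encoded; the other five have no version information on the page and are left out. The sample Makefile is constructed for the example.

```python
"""Added example (not part of the LKL issue or the LKL project): a quick
triage helper that reads a kernel tree's top-level Makefile and reports
which of the CVEs above, judging only by the version boundary quoted in
their descriptions, could still apply to that tree."""
import re
from typing import Dict, List, Tuple

# Assumption: the top-level kernel Makefile states its version as
# VERSION / PATCHLEVEL / SUBLEVEL lines near the top, as mainline does.
_FIELD_RE = re.compile(r"^(VERSION|PATCHLEVEL|SUBLEVEL)\s*=\s*(\d+)\s*$", re.MULTILINE)

# Only the CVEs whose description on this page gives a version boundary.
# "before X"  -> affected when version <  X
# "through X" -> affected when version <= X
CVE_BOUNDARIES: Dict[str, Tuple[str, str]] = {
    "CVE-2022-34494": ("before", "5.18.4"),
    "CVE-2022-34495": ("before", "5.18.4"),
    "CVE-2022-36123": ("before", "5.18.13"),
    "CVE-2022-36879": ("through", "5.18.14"),
    "CVE-2022-39189": ("before", "5.18.17"),
}

Version = Tuple[int, int, int]


def parse_version_string(text: str) -> Version:
    """'5.18' -> (5, 18, 0); '5.18.4' -> (5, 18, 4)."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_kernel_makefile(makefile_text: str) -> Version:
    """Extract (VERSION, PATCHLEVEL, SUBLEVEL); EXTRAVERSION (e.g. -rc3) is ignored."""
    fields = {name: int(value) for name, value in _FIELD_RE.findall(makefile_text)}
    missing = {"VERSION", "PATCHLEVEL", "SUBLEVEL"} - fields.keys()
    if missing:
        raise ValueError(f"Makefile lacks {sorted(missing)}")
    return (fields["VERSION"], fields["PATCHLEVEL"], fields["SUBLEVEL"])


def version_in_affected_range(version: Version, kind: str, boundary: str) -> bool:
    """True when the quoted range ('before X' / 'through X') still covers version."""
    limit = parse_version_string(boundary)
    if kind == "before":
        return version < limit
    if kind == "through":
        return version <= limit
    raise ValueError(f"unknown boundary kind: {kind!r}")


def possibly_affected(makefile_text: str) -> List[str]:
    """CVEs whose quoted version range still covers the tree's version.

    A hit means 'not ruled out by version alone', not 'confirmed vulnerable':
    a fork that cherry-picked the upstream fix stays below the boundary yet
    is patched, which is why the function-level comparison in the report
    (or checking that the fix commit is an ancestor of HEAD) is the real test.
    """
    version = parse_kernel_makefile(makefile_text)
    return sorted(
        cve for cve, (kind, boundary) in CVE_BOUNDARIES.items()
        if version_in_affected_range(version, kind, boundary)
    )


# Constructed sample: the first lines of a hypothetical 5.18.12 Makefile.
SAMPLE_MAKEFILE_5_18_12 = """\
# SPDX-License-Identifier: GPL-2.0
VERSION = 5
PATCHLEVEL = 18
SUBLEVEL = 12
EXTRAVERSION =
NAME = Constructed Sample
"""

if __name__ == "__main__":
    for cve in possibly_affected(SAMPLE_MAKEFILE_5_18_12):
        kind, boundary = CVE_BOUNDARIES[cve]
        print(f"{cve}: tree is {kind} {boundary}, fix not ruled out by version")
```

Run it against the tree's real Makefile (`possibly_affected(open("Makefile").read())`) to get the short list worth checking by hand. A version below the boundary only means the fix is not ruled out: a fork that cherry-picked the upstream commit is patched regardless of what the Makefile says, so the decisive check remains comparing the listed functions against the patched versions, as the report does, or confirming that the upstream fix commit is an ancestor of the branch head.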