CVE-2013-3302 and CVE-2016-8630 #206
Open: Nathan-Gilbert6917 wants to merge 7 commits into VulnerabilityHistoryProject:dev from Nathan-Gilbert6917:nathan-gilbert
Commits
7 commits
33eb916 initial commit setting curation level to 2 (Nathan-Gilbert6917)
a3ef351 Modified CVE-2026-8630 with details (Nathan-Gilbert6917)
eeca98f Potential Fix to YAML (Nathan-Gilbert6917)
4832371 Potential fix to level 2 compliance (Nathan-Gilbert6917)
cff6b62 Fix to yaml (Nathan-Gilbert6917)
b8bb8d5 Updated CVE-2013-3302 with details (Nathan-Gilbert6917)
9c37db2 Fixes based on comments by aisgbnok (Nathan-Gilbert6917)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,26 +19,26 @@ curated_instructions: | | |
| This will enable additional editorial checks on this file to make sure you | ||
| fill everything out properly. If you are a student, we cannot accept your work | ||
| as finished unless curated is properly updated. | ||
| curation_level: 0 | ||
| curation_level: 2 | ||
| reported_instructions: | | ||
| What date was the vulnerability reported to the security team? Look at the | ||
| security bulletins and bug reports. It is not necessarily the same day that | ||
| the CVE was created. Leave blank if no date is given. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| reported_date: | ||
| reported_date: "2012-01-30" | ||
| announced_instructions: | | ||
| Was there a date that this vulnerability was announced to the world? You can | ||
| find this in changelogs, blogs, bug reports, or perhaps the CVE date. | ||
|
|
||
| This is not the same as published date in the NVD - that is below. | ||
|
|
||
| Please enter your date in YYYY-MM-DD format. | ||
| announced_date: '2013-04-29' | ||
| announced_date: "2013-04-29" | ||
| published_instructions: | | ||
| Is there a published fix or patch date for this vulnerability? | ||
| Please enter your date in YYYY-MM-DD format. | ||
| published_date: '2013-04-29' | ||
| published_date: "2013-04-29" | ||
| description_instructions: | | ||
| You can get an initial description from the CVE entry on cve.mitre.org. These | ||
| descriptions are a fine start, but they can be kind of jargony. | ||
|
|
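Review bot: the new `reported_date: "2012-01-30"` carries no source, and it sits eleven months before the fix was signed off (the vouch note later in this file dates the fix commit to Dec 30th 2012) and fifteen months before `announced_date: "2013-04-29"`; the reported_instructions in this hunk ask for the date from the security bulletin or bug report, so add a pointer to that report (a bug tracker or mailing-list URL) in the discussion or fixes note, or leave the field blank if the date cannot be sourced. The single-to-double quote changes on announced_date and published_date are harmless; both are valid YAML strings.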
@@ -55,7 +55,15 @@ description_instructions: | | |
|
|
||
| Your target audience is people just like you before you took any course in | ||
| security | ||
| description: | ||
| description: | | ||
| This issue is caused by a race condition for the ssocket. If the respource is | ||
| reached and is NULL before it was set then it can cause a crash from a NULL pointer | ||
| dereference or potentially open the system up to other security issues. | ||
|
|
||
| The fix moves the NULL socket check into the `smb_send_rqst` function, which | ||
| handles server requests. This ensures the check is conducted earlier, | ||
| preventing a NULL socket from being passed to the `kernel_setsockopt` | ||
| function. This mitigates the risk of a kernel crash due to the race condition. | ||
| bounty_instructions: | | ||
| If you came across any indications that a bounty was paid out for this | ||
| vulnerability, fill it out here. Or correct it if the information already here | ||
|
|
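Review bot: typo on the first added description line, "respource" should be "resource", and the opening sentence is hard to follow for the stated target audience ("people just like you before you took any course in security"): say what ssocket is (the CIFS client's pointer to the server socket) and that a NULL pointer dereference in the kernel crashes the machine, i.e. a denial of service, before getting to `smb_send_rqst` and `kernel_setsockopt`. Suggested first paragraph: "A race condition on the CIFS client's server socket pointer (ssocket): if a request is sent while the connection is being re-established, the pointer can still be NULL when it is used. Dereferencing a NULL pointer inside the kernel crashes the system."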
@@ -84,14 +92,8 @@ fixes_instructions: | | |
|
|
||
| Place any notes you would like to make in the notes field. | ||
| fixes: | ||
| - commit: | ||
| note: | ||
| - commit: | ||
| note: | ||
| - commit: ea702b80e0bbb2448e201472127288beb82ca2fe | ||
| note: | | ||
| Taken from NVD references list with Git commit. If you are | ||
| curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed' | ||
| - commit: ea702b80e0bbb2448e201472127288beb82ca2fe | ||
| note: Manually Confirmed | ||
| vcc_instructions: | | ||
| The vulnerability-contributing commits. | ||
|
|
||
|
|
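Review bot: the template text removed in this hunk asks for the literal phrase 'Manually confirmed', while the added note reads "Manually Confirmed" with a capital C; if the level-2 editorial checks compare this string, the mismatch will fail them, so match the template's casing. Removing the two empty `- commit:` entries is correct.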
@@ -105,22 +107,22 @@ vcc_instructions: | | |
|
|
||
| Place any notes you would like to make in the notes field. | ||
| vccs: | ||
| - commit: 6f49f46b187df34539f1e5df2469b8a541897700 | ||
| note: Discovered automatically by archeogit. | ||
| - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||
| note: Discovered automatically by archeogit. | ||
| - commit: b8eed28375a43e1c9aaa9d15af2a052aae0d0725 | ||
| note: Discovered automatically by archeogit. | ||
| - commit: 3e84469d0101456caceffc6b22218a49017fcd3f | ||
| note: Discovered automatically by archeogit. | ||
| - commit: 6f49f46b187df34539f1e5df2469b8a541897700 | ||
| note: Manually Confirmed | ||
| - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||
| note: Manually Confirmed | ||
| - commit: b8eed28375a43e1c9aaa9d15af2a052aae0d0725 | ||
| note: Manually Confirmed | ||
| - commit: 3e84469d0101456caceffc6b22218a49017fcd3f | ||
| note: Manually Confirmed | ||
| upvotes_instructions: | | ||
| For the first round, ignore this upvotes number. | ||
|
|
||
| For the second round of reviewing, you will be giving a certain amount of | ||
| upvotes to each vulnerability you see. Your peers will tell you how | ||
| interesting they think this vulnerability is, and you'll add that to the | ||
| upvotes score on your branch. | ||
| upvotes: | ||
| upvotes: 3 | ||
| unit_tested: | ||
| question: | | ||
| Were automated unit tests involved in this vulnerability? | ||
|
|
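Review bot: all four VCC notes flip from "Discovered automatically by archeogit." to "Manually Confirmed" without any reasoning, and one of them, 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, is the initial import of the kernel's git history, which cannot by itself be the commit that placed the NULL check too late. For each commit, say what it introduced (the check in smb_send_kvec, the smb_send_rqst send path, and so on) or drop it; a VCC you cannot tie to the faulty code is not confirmed. Also, upvotes_instructions in this hunk say to ignore upvotes in the first round, so please confirm that `upvotes: 3` came from the second-round peer review rather than being filled in here.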
@@ -135,10 +137,14 @@ unit_tested: | |
|
|
||
| For the fix_answer below, check if the fix for the vulnerability involves | ||
| adding or improving an automated test to ensure this doesn't happen again. | ||
| code: | ||
| code_answer: | ||
| fix: | ||
| fix_answer: | ||
| code: false | ||
| code_answer: | | ||
| I was unable to find any unit tests for this module. It does not seem like | ||
| any automated tests were made to ensure this does not happen again. | ||
| fix: false | ||
| fix_answer: | | ||
| I was unable to find any unit tests for this module. It does not seem like | ||
| any automated tests were made to ensure this does not happen again. | ||
| discovered: | ||
| question: | | ||
| How was this vulnerability discovered? | ||
|
|
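Review bot: fix_answer is a verbatim copy of code_answer, but the two questions differ: `code` asks whether automated tests were involved in the vulnerability, `fix` asks whether the fix commit adds or improves a test. Rewrite fix_answer to state whether ea702b80e0bbb2448e201472127288beb82ca2fe touches any test code (read from that commit's diff), and in code_answer say where you looked for CIFS tests so the "unable to find" claim is checkable.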
@@ -153,10 +159,12 @@ discovered: | |
|
|
||
| If there is no evidence as to how this vulnerability was found, then please | ||
| explain where you looked. | ||
| answer: | ||
| automated: | ||
| contest: | ||
| developer: | ||
| answer: | | ||
| The commit that fixed the vulnerability states the vulnerability was | ||
| reported and tested by CAI Qian <[email protected]>. | ||
| automated: false | ||
| contest: false | ||
| developer: false | ||
| autodiscoverable: | ||
| instructions: | | ||
| Is it plausible that a fully automated tool could have discovered | ||
|
|
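Review bot: the answer names who reported the bug (Reported-and-Tested-by: CAI Qian) but not how it was found, which is what the question asks; if the commit message and bug report do not say, state that explicitly, as the context lines in this hunk require ("explain where you looked"). Also justify `developer: false` in the note: a Reported-and-Tested-by tag from someone other than the patch author is consistent with that answer, but say so.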
@@ -173,8 +181,17 @@ autodiscoverable: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: | | ||
| The vulnerability involves a race condition and NULL pointer dereference. | ||
| Detection tools such as fuzzers, static analysis tools, and stress testing | ||
| could potentially identify these issues. | ||
|
|
||
| Fuzzers can detect unexpected behavior caused by race conditions and NULL | ||
| pointer dereferences. Static analysis tools can identify code paths that may | ||
| lead to race conditions and NULL pointer dereferences. Stress testing can | ||
| expose potential race condition issues by simulating real-world scenarios | ||
| and usage patterns. | ||
| answer: true | ||
| specification: | ||
| instructions: | | ||
| Is there mention of a violation of a specification? For example, the POSIX | ||
|
|
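Review bot: the note is generic and does not engage with this bug. Fuzzers are poor at surfacing races, since the timing has to line up; a data-race detector or a stress test that repeatedly drops and re-establishes the server connection while requests are in flight is the realistic automated path, and static analysis would only flag this path if it can tell the pointer may be NULL there (the order_of_operations note later in this file says the check existed but was placed too late). Reword the note around the actual trigger (a NULL ssocket during reconnect) and keep `answer: true` only if you can argue one of those tools would plausibly hit it.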
@@ -190,8 +207,8 @@ specification: | |
|
|
||
| The answer field should be boolean. In answer_note, please explain | ||
| why you come to that conclusion. | ||
| note: | ||
| answer: | ||
| note: No mention of a violation of a specification found. | ||
| answer: false | ||
| subsystem: | ||
| question: | | ||
| What subsystems was the mistake in? These are WITHIN linux kernel | ||
|
|
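Review bot: "No mention of a violation of a specification found." should say where you looked (the CVE entry, the commit message, the bug report), as the other notes in this file do; a negative result is only useful when the search is stated.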
@@ -225,8 +242,10 @@ subsystem: | |
| e.g. | ||
| name: ["subsystemA", "subsystemB"] # ok | ||
| name: subsystemA # also ok | ||
| name: | ||
| note: | ||
| name: ["sf", "cifs"] | ||
| note: | | ||
| Looking at the file path on github. | ||
| (https://github.com/torvalds/linux/commit/ea702b80e0bbb2448e201472127288beb82ca2fe) | ||
| interesting_commits: | ||
| question: | | ||
| Are there any interesting commits between your VCC(s) and fix(es)? | ||
|
|
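Review bot: `name: ["sf", "cifs"]` looks like a transposition: the CIFS client lives under fs/cifs, so "sf" should be "fs", and since "fs" is a top-level directory rather than a subsystem, "cifs" alone is probably the right answer. The note should also quote the file path you read in the fix commit rather than only linking the commit.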
@@ -241,10 +260,10 @@ interesting_commits: | |
| * Other commits that fixed a similar issue as this vulnerability | ||
| * Anything else you find interesting. | ||
| commits: | ||
| - commit: | ||
| note: | ||
| - commit: | ||
| note: | ||
| - commit: | ||
| note: | ||
| - commit: | ||
| note: | ||
| i18n: | ||
| question: | | ||
| Was the feature impacted by this vulnerability about internationalization | ||
|
|
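Review bot: this hunk only re-indents the two empty `- commit:` / `note:` pairs; they still contain no data. Either fill them in (the context lines list candidate kinds, such as other commits that fixed a similar issue) or remove the empty entries, as was done for `fixes` above, so the level-2 editorial checks that curated_instructions mentions have nothing to trip on.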
@@ -257,8 +276,12 @@ i18n: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: | | ||
| The vulnerability primarily involves a race condition in the Linux kernel, | ||
| which could potentially lead to system failure due to NULL pointer | ||
| dereference. It does not pertain to the kernel's internationalization | ||
| features. | ||
| sandbox: | ||
| question: | | ||
| Did this vulnerability violate a sandboxing feature that the system | ||
|
|
@@ -272,8 +295,11 @@ sandbox: | |
| Answer should be true or false | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: | | ||
| This vulnerability does not violate a sandboxing feature. The issue is | ||
| due to a race condition that can cause a failure in the system and open up | ||
| to a NULL pointer dereference. | ||
| ipc: | ||
| question: | | ||
| Did the feature that this vulnerability affected use inter-process | ||
|
|
@@ -284,8 +310,11 @@ ipc: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: | | ||
| This vulnerability is caused by a race condition when the ssocket is NULL | ||
| when the system tries to connect. The code checks to see if the ssocket is | ||
| available too late causing it to fail. | ||
| discussion: | ||
| question: | | ||
| Was there any discussion surrounding this? | ||
|
|
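Review bot: `answer: true` is not supported by the note, which only restates the race; the ipc question asks whether the affected feature uses inter-process communication, and the CIFS client socket here talks to a remote file server over the network, not to another local process. Either justify why a network socket counts as IPC under this project's definition, or change the answer to false and say so in the note.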
@@ -311,9 +340,12 @@ discussion: | |
|
|
||
| Put any links to disagreements you found in the notes section, or any other | ||
| comment you want to make. | ||
| discussed_as_security: | ||
| any_discussion: | ||
| note: | ||
| discussed_as_security: false | ||
| any_discussion: false | ||
| note: | | ||
| There are notes on the commit that fixes the issue but I could not find any | ||
| discussion regarding the issues brought up. | ||
| (https://github.com/torvalds/linux/commit/ea702b80e0bbb2448e201472127288beb82ca2fe) | ||
| vouch: | ||
| question: | | ||
| Was there any part of the fix that involved one person vouching for | ||
|
|
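Review bot: the note says there is no discussion, but the commit message itself (paraphrased in the mistakes note further down: the ssocket locking rules documentation is unclear and the socket handling could be refactored) is the developer discussing the root cause, and kernel cifs patches are posted to the linux-cifs mailing list before being merged. Check the list archive for this patch's thread and, if it exists, link it here and reconsider `any_discussion: false`.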
@@ -326,8 +358,11 @@ vouch: | |
|
|
||
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: | | ||
| The commit that fixed the issue was signed off by Steve French <[email protected]>, | ||
| on Dec 30th 2012 Commit ID: | ||
| (ea702b80e0bbb2448e201472127288beb82ca2fe). | ||
| stacktrace: | ||
| question: | | ||
| Are there any stacktraces in the bug reports? | ||
|
|
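Review bot: run-on sentence in the note ("... on Dec 30th 2012 Commit ID: (ea702b80...)"); suggest "The fix commit (ea702b80e0bbb2448e201472127288beb82ca2fe, Dec 30th 2012) was authored by Jeff Layton and signed off by the cifs maintainer Steve French." Also name what the vouching consists of: the maintainer's Signed-off-by accepting another developer's patch is what makes `answer: true` defensible.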
@@ -341,9 +376,10 @@ stacktrace: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| any_stacktraces: | ||
| stacktrace_with_fix: | ||
| note: | ||
| any_stacktraces: false | ||
| stacktrace_with_fix: false | ||
| note: | | ||
| I checked the changelog and github commits and could not find a stacktrace. | ||
| forgotten_check: | ||
| question: | | ||
| Does the fix for the vulnerability involve adding a forgotten check? | ||
|
|
@@ -362,8 +398,12 @@ forgotten_check: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: false | ||
| note: | | ||
| While the fix involves an if statement, the issue wasn't a forgotten check, | ||
| but the placement of the check. The if statement was moved to check for | ||
| NULL earlier in the data flow. This prevents a race condition and potential | ||
| NULL pointer dereference. | ||
| order_of_operations: | ||
| question: | | ||
| Does the fix for the vulnerability involve correcting an order of | ||
|
|
@@ -375,8 +415,13 @@ order_of_operations: | |
| Answer must be true or false. | ||
| Write a note about how you came to the conclusions you did, regardless of | ||
| what your answer was. | ||
| answer: | ||
| note: | ||
| answer: true | ||
| note: | | ||
| The fix for the vulnerability involves moving around an if statement that | ||
| check to see if the ssocket is NULL in smb_send_kvec to smb_send_rqst. | ||
| The initial if statement was checking for NULL too late in the data flow. | ||
| This means that they needed the NULL check to be move to much earlier in | ||
| the data flow. | ||
| lessons: | ||
| question: | | ||
| Are there any common lessons we have learned from class that apply to this | ||
|
|
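Review bot: grammar in the note: "an if statement that check to see" should be "checks", and "to be move to much earlier" should be "to be moved much earlier". The content agrees with the forgotten_check note above (the check existed, the placement was wrong), which is good; consider adding one sentence on why the smb_send_kvec placement was too late (the socket pointer had already been handed to kernel_setsockopt, per the description) so the two notes reinforce each other.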
@@ -454,7 +499,15 @@ mistakes: | |
|
|
||
| Write a thoughtful entry here that people in the software engineering | ||
| industry would find interesting. | ||
| answer: | ||
| answer: | | ||
| The mistake that caused this issue seems to be on misunderstanding of the | ||
| systems flow and how things interact inside. As well as a poorly designed | ||
| system that led to this issue. The developer (Jeff Layton | ||
| <[email protected]>) that fixed the issue says something simular to this, | ||
| saying that the ssocket locking rules documentation is unclear. They also | ||
| think the code seems like it could benefit refactoring the code for how | ||
| the socket handling should behave. | ||
| (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea702b80e0bbb2448e201472127288beb82ca2fe) | ||
| CWE_instructions: | | ||
| Please go to http://cwe.mitre.org and find the most specific, appropriate CWE | ||
| entry that describes your vulnerability. We recommend going to | ||
|
|
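Review bot: spelling and grammar: "simular" should be "similar", "systems flow" should be "system's flow", and "could benefit refactoring the code" should be "could benefit from refactoring". Substantively, "a poorly designed system" is a stronger claim than what you cite; the commit message says the ssocket locking rules are unclear and the socket handling could be refactored, so anchor the lesson in that (unclear ownership and locking rules for a shared pointer lead to use-before-set races) rather than a general design judgement.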
@@ -471,13 +524,11 @@ CWE_instructions: | | |
| CWE: [123, 456] # also ok | ||
| CWE: 123 # also ok | ||
| CWE: | ||
| - 362 | ||
| CWE_note: | | ||
| CWE as registered in the NVD. If you are curating, check that this | ||
| is correct and replace this comment with "Manually confirmed". | ||
| - ["362", "476"] | ||
| CWE_note: Manually Confirmed | ||
| nickname_instructions: | | ||
| A catchy name for this vulnerability that would draw attention it. | ||
| If the report mentions a nickname, use that. | ||
| Must be under 30 characters. Optional. | ||
| nickname: | ||
| CVSS: | ||
| nickname: RaceCrash3302 | ||
| CVSS: CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:P | ||
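Review bot: the CWE value is malformed. `CWE:` followed by `- ["362", "476"]` parses as a list containing one list of two strings ([["362", "476"]]), whereas the examples in this hunk's context show a flat list of integers (`CWE: [123, 456]`). Write `CWE: [362, 476]` or two items, `- 362` and `- 476`. Adding CWE-476 (NULL pointer dereference) alongside the NVD's CWE-362 is justified by the description, so say that in CWE_note rather than only "Manually Confirmed" (and match the template casing, "Manually confirmed"). The nickname is under 30 characters as required.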