“CVE-2012-6657 and CVE-2019-15216”. #219
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -19,7 +19,7 @@ curated_instructions: | | |||||
| This will enable additional editorial checks on this file to make sure you | ||||||
| fill everything out properly. If you are a student, we cannot accept your work | ||||||
| as finished unless curated is properly updated. | ||||||
| curation_level: 2 | ||||||
| reported_instructions: | | ||||||
| What date was the vulnerability reported to the security team? Look at the | ||||||
| security bulletins and bug reports. It is not necessarily the same day that | ||||||
|
|
@@ -55,7 +55,8 @@ description_instructions: | | |||||
|
|
||||||
| Your target audience is people just like you before you took any course in | ||||||
| security | ||||||
| description: The function sock_setsockopt does not check the type of socket before running tcp_set_keepalive | ||||||
| on it, users could use a RAW socket to crash the system. | ||||||
| bounty_instructions: | | ||||||
| If you came across any indications that a bounty was paid out for this | ||||||
| vulnerability, fill it out here. Or correct it if the information already here | ||||||
|
|
@@ -84,14 +85,8 @@ fixes_instructions: | | |||||
|
|
||||||
| Place any notes you would like to make in the notes field. | ||||||
| fixes: | ||||||
| - commit: 3e10986d1d698140747fcfc2761ec9cb64c1d582 | ||||||
| note: Manually Confirmed | ||||||
| vcc_instructions: | | ||||||
| The vulnerability-contributing commits. | ||||||
|
|
||||||
|
|
@@ -106,15 +101,15 @@ vcc_instructions: | | |||||
| Place any notes you would like to make in the notes field. | ||||||
| vccs: | ||||||
| - commit: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||||||
| note: Manually verified | ||||||
| upvotes_instructions: | | ||||||
|
There was a problem hiding this comment. For this vulnerability, I'd give it a 2. |
||||||
| For the first round, ignore this upvotes number. | ||||||
|
|
||||||
| For the second round of reviewing, you will be giving a certain amount of | ||||||
| upvotes to each vulnerability you see. Your peers will tell you how | ||||||
| interesting they think this vulnerability is, and you'll add that to the | ||||||
| upvotes score on your branch. | ||||||
| upvotes: 7 | ||||||
| unit_tested: | ||||||
| question: | | ||||||
| Were automated unit tests involved in this vulnerability? | ||||||
|
|
@@ -129,10 +124,10 @@ unit_tested: | |||||
|
|
||||||
| For the fix_answer below, check if the fix for the vulnerability involves | ||||||
| adding or improving an automated test to ensure this doesn't happen again. | ||||||
| code: false | ||||||
| code_answer: No automated unit tests were involved. | ||||||
| fix: false | ||||||
| fix_answer: Only the change to the function was part of the commit. | ||||||
| discovered: | ||||||
| question: | | ||||||
| How was this vulnerability discovered? | ||||||
|
|
@@ -147,10 +142,10 @@ discovered: | |||||
|
|
||||||
| If there is no evidence as to how this vulnerability was found, then please | ||||||
| explain where you looked. | ||||||
| answer: Discovered by a developer, no used of tools were mentioned. | ||||||
|
There was a problem hiding this comment. Small rewording change could be made here for clarification
Suggested change
|
||||||
| automated: false | ||||||
| contest: false | ||||||
| developer: false | ||||||
|
There was a problem hiding this comment. The fix commit was signed off by a google employee so the developer flag should be true |
||||||
| autodiscoverable: | ||||||
| instructions: | | ||||||
| Is it plausible that a fully automated tool could have discovered | ||||||
|
|
@@ -167,8 +162,9 @@ autodiscoverable: | |||||
|
|
||||||
| The answer field should be boolean. In answer_note, please explain | ||||||
| why you come to that conclusion. | ||||||
| note: The vulnerability relies on a specific type of socket to be used, | ||||||
| a fully automated tool could not find the issue. | ||||||
| answer: false | ||||||
| specification: | ||||||
| instructions: | | ||||||
| Is there mention of a violation of a specification? For example, the POSIX | ||||||
|
|
@@ -184,8 +180,8 @@ specification: | |||||
|
|
||||||
| The answer field should be boolean. In answer_note, please explain | ||||||
| why you come to that conclusion. | ||||||
| note: No mention of a violation of a specification. | ||||||
| answer: false | ||||||
| subsystem: | ||||||
| question: | | ||||||
| What subsystems was the mistake in? These are WITHIN linux kernel | ||||||
|
|
@@ -219,7 +215,7 @@ subsystem: | |||||
| e.g. | ||||||
| name: ["subsystemA", "subsystemB"] # ok | ||||||
| name: subsystemA # also ok | ||||||
| name: net | ||||||
| note: | ||||||
| interesting_commits: | ||||||
| question: | | ||||||
|
|
@@ -237,8 +233,6 @@ interesting_commits: | |||||
| commits: | ||||||
| - commit: | ||||||
| note: | ||||||
| i18n: | ||||||
| question: | | ||||||
| Was the feature impacted by this vulnerability about internationalization | ||||||
|
|
@@ -251,8 +245,8 @@ i18n: | |||||
| Answer should be true or false | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| answer: false | ||||||
| note: Issue was purely about socket types. | ||||||
| sandbox: | ||||||
| question: | | ||||||
| Did this vulnerability violate a sandboxing feature that the system | ||||||
|
|
@@ -266,8 +260,9 @@ sandbox: | |||||
| Answer should be true or false | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| answer: true | ||||||
| note: The funtion in question (sock_setsockopt) is used to control socket behavior. | ||||||
| It was not properly checking if the socket was RAW | ||||||
| ipc: | ||||||
| question: | | ||||||
| Did the feature that this vulnerability affected use inter-process | ||||||
|
|
@@ -278,8 +273,8 @@ ipc: | |||||
| Answer must be true or false. | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| answer: false | ||||||
| note: Not part of IPC | ||||||
|
There was a problem hiding this comment. How so? It is my understanding that sockets are inherently inter-process. There was a problem hiding this comment. I believe this should instead be true, as the vulnerability was caused by an improper passing of sockets which is an IPC mechanism |
||||||
| discussion: | ||||||
| question: | | ||||||
| Was there any discussion surrounding this? | ||||||
|
|
@@ -305,9 +300,9 @@ discussion: | |||||
|
|
||||||
| Put any links to disagreements you found in the notes section, or any other | ||||||
| comment you want to make. | ||||||
| discussed_as_security: false | ||||||
| any_discussion: false | ||||||
| note: First mention was that it was an issue and required a quick fix. | ||||||
| vouch: | ||||||
| question: | | ||||||
| Was there any part of the fix that involved one person vouching for | ||||||
|
|
@@ -320,8 +315,8 @@ vouch: | |||||
|
|
||||||
| Answer must be true or false. | ||||||
| Write a note about how you came to the conclusions you did, regardless of what your answer was. | ||||||
| answer: false | ||||||
| note: n/a | ||||||
|
There was a problem hiding this comment. Check the commit message. I see two acknowledgements of people that signed off. There was a problem hiding this comment. I believe this would be true, as the fix commit has three developers who reviewed and signed off on it |
||||||
| stacktrace: | ||||||
| question: | | ||||||
| Are there any stacktraces in the bug reports? | ||||||
|
|
@@ -335,9 +330,9 @@ stacktrace: | |||||
| Answer must be true or false. | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| any_stacktraces: false | ||||||
| stacktrace_with_fix: false | ||||||
| note: No stacktrace given in report | ||||||
| forgotten_check: | ||||||
| question: | | ||||||
| Does the fix for the vulnerability involve adding a forgotten check? | ||||||
|
|
@@ -356,8 +351,8 @@ forgotten_check: | |||||
| Answer must be true or false. | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| answer: true | ||||||
| note: Yes, system forgets to check if Socket is RAW. | ||||||
| order_of_operations: | ||||||
| question: | | ||||||
| Does the fix for the vulnerability involve correcting an order of | ||||||
|
|
@@ -369,8 +364,8 @@ order_of_operations: | |||||
| Answer must be true or false. | ||||||
| Write a note about how you came to the conclusions you did, regardless of | ||||||
| what your answer was. | ||||||
| answer: false | ||||||
| note: Fix adds one new check. | ||||||
| lessons: | ||||||
| question: | | ||||||
| Are there any common lessons we have learned from class that apply to this | ||||||
|
|
@@ -387,37 +382,37 @@ lessons: | |||||
| If you think of another lesson we covered in class that applies here, feel | ||||||
| free to give it a small name and add one in the same format as these. | ||||||
| defense_in_depth: | ||||||
| applies: false | ||||||
| note: | ||||||
| least_privilege: | ||||||
| applies: false | ||||||
| note: | ||||||
| frameworks_are_optional: | ||||||
| applies: false | ||||||
| note: | ||||||
| native_wrappers: | ||||||
| applies: false | ||||||
| note: | ||||||
| distrust_input: | ||||||
| applies: false | ||||||
|
There was a problem hiding this comment. The socket type being sent by the user/process counts as input. This input is not being checked fully. I would propose this to count under |
||||||
| note: | ||||||
| security_by_obscurity: | ||||||
| applies: false | ||||||
| note: | ||||||
| serial_killer: | ||||||
| applies: false | ||||||
| note: | ||||||
| environment_variables: | ||||||
| applies: false | ||||||
| note: | ||||||
| secure_by_default: | ||||||
| applies: false | ||||||
| note: | ||||||
| yagni: | ||||||
| applies: false | ||||||
| note: | ||||||
| complex_inputs: | ||||||
| applies: false | ||||||
| note: | ||||||
| mistakes: | ||||||
| question: | | ||||||
|
|
@@ -448,7 +443,7 @@ mistakes: | |||||
|
|
||||||
| Write a thoughtful entry here that people in the software engineering | ||||||
| industry would find interesting. | ||||||
| answer: lapse - Forgot to check if socket was RAW | ||||||
| CWE_instructions: | | ||||||
|
Comment on lines
+446
to
447
There was a problem hiding this comment. Try and go more in depth about the specifics of this issue. |
||||||
| Please go to http://cwe.mitre.org and find the most specific, appropriate CWE | ||||||
|
There was a problem hiding this comment. CWE 264 is a category. It may be worth looking for a specific CWE in that category. |
||||||
| entry that describes your vulnerability. We recommend going to | ||||||
|
|
@@ -473,5 +468,5 @@ nickname_instructions: | | |||||
| A catchy name for this vulnerability that would draw attention it. | ||||||
| If the report mentions a nickname, use that. | ||||||
| Must be under 30 characters. Optional. | ||||||
| nickname: Socket type non check. | ||||||
| CVSS: | ||||||
|
There was a problem hiding this comment. Looks like this vulnerability has not yet been provided a 3.1 CVSS score, but instead you could use the 2.0 CVSS from "https://nvd.nist.gov/vuln/detail/CVE-2012-6657"
Suggested change
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a good start, but consider going into more detail here. Especially could explain a bit better:
From the question description, this section should be explained as if you don't have a background in security. From just reading this response it's not quite clear what the vulnerability was. Adding details in layman's terms describing what this issue actually was would be more helpful for future readers.