Missing critical patches of several high-risk bugs

SyzScope syzscope at gmail.com
Sat May 8 00:47:51 UTC 2021


Hi developers,

This is SyzScope, a research project that aims to reveal high-risk 
primitives from a low-risk bug.

We noticed that Ubuntu did a good job of applying patches for 
high-risk bugs (CVEs, OOB/UAF write), but in our research we found that some 
low-risk bugs, even WARNINGs, may compromise the kernel.

SyzScope discovered at least one high-risk primitive (memory 
write/func-ptr-deref) in the low-risk bugs below; their patches 
seem not to have been applied to Ubuntu-groovy.

Regarding the bug "KASAN: use-after-free Read in hci_send_acl" 
(https://syzkaller.appspot.com/bug?id=2e1943a94647f7732dd6fc60368642d6e8dc91b1), 
SyzScope reports 51 memory write primitives. The detailed comments can 
be found at 
https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_send_acl

Regarding the bug "KASAN: use-after-free Read in cipso_v4_genopt" 
(https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e), 
SyzScope reports 6 memory write primitives. The detailed comments can be 
found at 
https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-cipso_v4_genopt

Regarding the bug "KASAN: use-after-free Read in path_init (2)" 
(https://syzkaller.appspot.com/bug?id=a13951ba83ba7ba6e67fa8b504e8bc31f61616cb), 
SyzScope reports 86 memory write primitives. The detailed comments can 
be found at 
https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-path_init-2

Regarding the bug "KASAN: slab-out-of-bounds Read in 
hci_extended_inquiry_result_evt" (https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2), 
SyzScope reports 8 memory write primitives. The detailed comments can be 
found at 
https://sites.google.com/view/syzscope/kasan-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt



The bugs above are a portion of our findings; we are happy to provide 
more if they benefit the community.

Please let us know whether SyzScope indeed helps, and send us any suggestions/feedback.
