From 38894ba2efe5a5bf419111153bc035cad2ac4413 Mon Sep 17 00:00:00 2001 From: LiSijia Date: Tue, 14 Mar 2023 22:06:48 +0800 Subject: [PATCH 1/2] Add CVE-2022-45934 --- .../2022/CVE-2022-45934/README.md | 79 +++ .../2022/CVE-2022-45934/gen_init_cpio.c | 623 ++++++++++++++++++ ...VE-2022-36946.yaml => CVE-2022-36946.yaml} | 34 +- .../2022/yaml/CVE-2022-45934.yaml | 23 + openkylin_list.yaml | 1 + 5 files changed, 743 insertions(+), 17 deletions(-) create mode 100644 cve/linux-kernel/2022/CVE-2022-45934/README.md create mode 100644 cve/linux-kernel/2022/CVE-2022-45934/gen_init_cpio.c rename cve/linux-kernel/2022/yaml/{ CVE-2022-36946.yaml => CVE-2022-36946.yaml} (98%) create mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-45934.yaml diff --git a/cve/linux-kernel/2022/CVE-2022-45934/README.md b/cve/linux-kernel/2022/CVE-2022-45934/README.md new file mode 100644 index 00000000..958c6bcd --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-45934/README.md 
@@ -0,0 +1,79 @@ +## Linux kernel release 4.x + + These are the release notes for Linux version 4. Read them carefully, as they tell you what this is all about, explain how to install the kernel, and what to do if something goes wrong. + +## WHAT IS LINUX? + + Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance. It has all the features you would expect in a modern fully-fledged Unix,including true multitasking, virtual memory, shared libraries, demand loading, shared copy-on-write executables, proper memory management, and multistack networking including IPv4 and IPv6. + + It is distributed under the GNU General Public License - see the accompanying COPYING file for more details. + +## ON WHAT HARDWARE DOES IT RUN? + + Although originally developed first for 32-bit x86-based PCs (386 or higher), today Linux also runs on (at least) the Compaq Alpha AXP, Sun SPARC and UltraSPARC, Motorola 68000, PowerPC, PowerPC64, ARM, Hitachi SuperH, Cell, IBM S/390, MIPS, HP PA-RISC, Intel IA-64, DEC VAX, AMD x86-64, AXIS CRIS, Xtensa, Tilera TILE, AVR32 and Renesas M32R architectures. + Linux is easily portable to most general-purpose 32- or 64-bit architectures as long as they have a paged memory management unit (PMMU) and a port of the GNU C compiler (gcc) (part of The GNU Compiler Collection, GCC). Linux has also been ported to a number of architectures without a PMMU, although functionality is then obviously somewhat limited. Linux has also been ported to itself. You can now run the kernel as a userspace application - this is called UserMode Linux (UML). + +## DOCUMENTATION: + + - There is a lot of documentation available both in electronic form on the Internet and in books, both Linux-specific and pertaining to general UNIX questions. 
I'd recommend looking into the documentation subdirectories on any Linux FTP site for the LDP (Linux Documentation + Project) books. This README is not meant to be documentation on the system: there are much better sources available. + + - There are various README files in the Documentation/ subdirectory: these typically contain kernel-specific installation notes for some drivers for example. See Documentation/00-INDEX for a list of what is contained in each file. Please read the Changes file, as it + contains information about the problems, which may result by upgrading your kernel. + + - The Documentation/DocBook/ subdirectory contains several guides for + kernel developers and users. These guides can be rendered in a + number of formats: PostScript (.ps), PDF, HTML, & man-pages, among others. + After installation, "make psdocs", "make pdfdocs", "make htmldocs", + or "make mandocs" will render the documentation in the requested format. + +## INSTALLING the kernel source: + + - If you install the full sources, put the kernel tarball in a directory where you have permissions (eg. your home directory) and + unpack it: + + xz -cd linux-4.X.tar.xz | tar xvf - + + Replace "X" with the version number of the latest kernel. + + Do NOT use the /usr/src/linux area! This area has a (usually incomplete) set of kernel headers that are used by the library header + files. They should match the library, and not get messed up by whatever the kernel-du-jour happens to be. + + - You can also upgrade between 4.x releases by patching. Patches are distributed in the xz format. To install by patching, get all the + newer patch files, enter the top level directory of the kernel source (linux-4.X) and execute: + + xz -cd ../patch-4.x.xz | patch -p1 + + Replace "x" for all versions bigger than the version "X" of your current source tree, _in_order_, and you should be ok. 
You may want to remove + the backup files (some-file-name~ or some-file-name.orig), and make sure that there are no failed patches (some-file-name# or some-file-name.rej). + If there are, either you or I have made a mistake. + + Unlike patches for the 4.x kernels, patches for the 4.x.y kernels (also known as the -stable kernels) are not incremental but instead apply + directly to the base 4.x kernel. For example, if your base kernel is 4.0 and you want to apply the 4.0.3 patch, you must not first apply the 4.0.1 and 4.0.2 patches. Similarly, if you are running kernel version 4.0.2 and + want to jump to 4.0.3, you must first reverse the 4.0.2 patch (that is, patch -R) _before_ applying the 4.0.3 patch. You can read more on this in + Documentation/applying-patches.txt + + Alternatively, the script patch-kernel can be used to automate this process. It determines the current kernel version and applies any + patches found. + + linux/scripts/patch-kernel linux + + The first argument in the command above is the location of the kernel source. Patches are applied from the current directory, but an alternative directory can be specified as the second argument. + + - Make sure you have no stale .o files and dependencies lying around: + + cd linux + make mrproper + + You should now have the sources correctly installed. + +## SOFTWARE REQUIREMENTS + + Compiling and running the 4.x kernels requires up-to-date versions of various software packages. Consult Documentation/Changes for the minimum version numbers required and how to get updates for these packages. + Beware that using excessively old versions of these packages can cause indirect errors that are very difficult to track down, so don't assume that you can just update packages when obvious problems arise during build or operation. + +## BUILD directory for the kernel: + + When compiling the kernel, all output files will per default be stored together with the kernel source code. 
Using the option "make O=output/dir" allow you to specify an alternate place for the output files (including .config). + + diff --git a/cve/linux-kernel/2022/CVE-2022-45934/gen_init_cpio.c b/cve/linux-kernel/2022/CVE-2022-45934/gen_init_cpio.c new file mode 100644 index 00000000..225ad244 --- /dev/null +++ b/cve/linux-kernel/2022/CVE-2022-45934/gen_init_cpio.c 
@@ -0,0 +1,623 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Original work by Jeff Garzik + * + * External file lists, symlink, pipe and fifo support by Thayne Harbaugh + * Hard link support by Luciano Rocha + */ + +#define xstr(s) #s +#define str(s) xstr(s) + +static unsigned int offset; +static unsigned int ino = 721; +static time_t default_mtime; + +struct file_handler { + const char *type; + int (*handler)(const char *line); +}; + +static void push_string(const char *name) +{ + unsigned int name_len = strlen(name) + 1; + + fputs(name, stdout); + putchar(0); + offset += name_len; +} + +static void push_pad (void) +{ + while (offset & 3) { + putchar(0); + offset++; + } +} + +static void push_rest(const char *name) +{ + unsigned int name_len = strlen(name) + 1; + unsigned int tmp_ofs; + + fputs(name, stdout); + putchar(0); + offset += name_len; + + tmp_ofs = name_len + 110; + while (tmp_ofs & 3) { + putchar(0); + offset++; + tmp_ofs++; + } +} + +static void push_hdr(const char *s) +{ + fputs(s, stdout); + offset += 110; +} + +static void cpio_trailer(void) +{ + char s[256]; + const char name[] = "TRAILER!!!"; + + sprintf(s, "%s%08X%08X%08lX%08lX%08X%08lX" + "%08X%08X%08X%08X%08X%08X%08X", + "070701", /* magic */ + 0, /* ino */ + 0, /* mode */ + (long) 0, /* uid */ + (long) 0, /* gid */ + 1, /* nlink */ + (long) 0, /* mtime */ + 0, /* filesize */ + 0, /* major */ + 0, /* minor */ + 0, /* rmajor */ + 0, /* rminor */ + (unsigned)strlen(name)+1, /* namesize */ + 0); /* chksum */ + push_hdr(s); + push_rest(name); + + while (offset % 512) { + putchar(0); + offset++; + } +} + +static int cpio_mkslink(const char *name, const char *target, + unsigned int mode, uid_t uid, gid_t gid) +{ + char s[256]; + + if (name[0] == '/') + name++; + sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX" + "%08X%08X%08X%08X%08X%08X%08X", + "070701", /* magic */ + ino++, /* ino */ + S_IFLNK | mode, /* mode */ + (long) uid, /* 
uid */ + (long) gid, /* gid */ + 1, /* nlink */ + (long) default_mtime, /* mtime */ + (unsigned)strlen(target)+1, /* filesize */ + 3, /* major */ + 1, /* minor */ + 0, /* rmajor */ + 0, /* rminor */ + (unsigned)strlen(name) + 1,/* namesize */ + 0); /* chksum */ + push_hdr(s); + push_string(name); + push_pad(); + push_string(target); + push_pad(); + return 0; +} + +static int cpio_mkslink_line(const char *line) +{ + char name[PATH_MAX + 1]; + char target[PATH_MAX + 1]; + unsigned int mode; + int uid; + int gid; + int rc = -1; + + if (5 != sscanf(line, "%" str(PATH_MAX) "s %" str(PATH_MAX) "s %o %d %d", name, target, &mode, &uid, &gid)) { + fprintf(stderr, "Unrecognized dir format '%s'", line); + goto fail; + } + rc = cpio_mkslink(name, target, mode, uid, gid); + fail: + return rc; +} + +static int cpio_mkgeneric(const char *name, unsigned int mode, + uid_t uid, gid_t gid) +{ + char s[256]; + + if (name[0] == '/') + name++; + sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX" + "%08X%08X%08X%08X%08X%08X%08X", + "070701", /* magic */ + ino++, /* ino */ + mode, /* mode */ + (long) uid, /* uid */ + (long) gid, /* gid */ + 2, /* nlink */ + (long) default_mtime, /* mtime */ + 0, /* filesize */ + 3, /* major */ + 1, /* minor */ + 0, /* rmajor */ + 0, /* rminor */ + (unsigned)strlen(name) + 1,/* namesize */ + 0); /* chksum */ + push_hdr(s); + push_rest(name); + return 0; +} + +enum generic_types { + GT_DIR, + GT_PIPE, + GT_SOCK +}; + +struct generic_type { + const char *type; + mode_t mode; +}; + +static struct generic_type generic_type_table[] = { + [GT_DIR] = { + .type = "dir", + .mode = S_IFDIR + }, + [GT_PIPE] = { + .type = "pipe", + .mode = S_IFIFO + }, + [GT_SOCK] = { + .type = "sock", + .mode = S_IFSOCK + } +}; + +static int cpio_mkgeneric_line(const char *line, enum generic_types gt) +{ + char name[PATH_MAX + 1]; + unsigned int mode; + int uid; + int gid; + int rc = -1; + + if (4 != sscanf(line, "%" str(PATH_MAX) "s %o %d %d", name, &mode, &uid, &gid)) { + fprintf(stderr, 
"Unrecognized %s format '%s'", + line, generic_type_table[gt].type); + goto fail; + } + mode |= generic_type_table[gt].mode; + rc = cpio_mkgeneric(name, mode, uid, gid); + fail: + return rc; +} + +static int cpio_mkdir_line(const char *line) +{ + return cpio_mkgeneric_line(line, GT_DIR); +} + +static int cpio_mkpipe_line(const char *line) +{ + return cpio_mkgeneric_line(line, GT_PIPE); +} + +static int cpio_mksock_line(const char *line) +{ + return cpio_mkgeneric_line(line, GT_SOCK); +} + +static int cpio_mknod(const char *name, unsigned int mode, + uid_t uid, gid_t gid, char dev_type, + unsigned int maj, unsigned int min) +{ + char s[256]; + + if (dev_type == 'b') + mode |= S_IFBLK; + else + mode |= S_IFCHR; + + if (name[0] == '/') + name++; + sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX" + "%08X%08X%08X%08X%08X%08X%08X", + "070701", /* magic */ + ino++, /* ino */ + mode, /* mode */ + (long) uid, /* uid */ + (long) gid, /* gid */ + 1, /* nlink */ + (long) default_mtime, /* mtime */ + 0, /* filesize */ + 3, /* major */ + 1, /* minor */ + maj, /* rmajor */ + min, /* rminor */ + (unsigned)strlen(name) + 1,/* namesize */ + 0); /* chksum */ + push_hdr(s); + push_rest(name); + return 0; +} + +static int cpio_mknod_line(const char *line) +{ + char name[PATH_MAX + 1]; + unsigned int mode; + int uid; + int gid; + char dev_type; + unsigned int maj; + unsigned int min; + int rc = -1; + + if (7 != sscanf(line, "%" str(PATH_MAX) "s %o %d %d %c %u %u", + name, &mode, &uid, &gid, &dev_type, &maj, &min)) { + fprintf(stderr, "Unrecognized nod format '%s'", line); + goto fail; + } + rc = cpio_mknod(name, mode, uid, gid, dev_type, maj, min); + fail: + return rc; +} + +static int cpio_mkfile(const char *name, const char *location, + unsigned int mode, uid_t uid, gid_t gid, + unsigned int nlinks) +{ + char s[256]; + char *filebuf = NULL; + struct stat buf; + long size; + int file = -1; + int retval; + int rc = -1; + int namesize; + unsigned int i; + + mode |= S_IFREG; + + file = open 
(location, O_RDONLY); + if (file < 0) { + fprintf (stderr, "File %s could not be opened for reading\n", location); + goto error; + } + + retval = fstat(file, &buf); + if (retval) { + fprintf(stderr, "File %s could not be stat()'ed\n", location); + goto error; + } + + filebuf = malloc(buf.st_size); + if (!filebuf) { + fprintf (stderr, "out of memory\n"); + goto error; + } + + retval = read (file, filebuf, buf.st_size); + if (retval < 0) { + fprintf (stderr, "Can not read %s file\n", location); + goto error; + } + + size = 0; + for (i = 1; i <= nlinks; i++) { + /* data goes on last link */ + if (i == nlinks) size = buf.st_size; + + if (name[0] == '/') + name++; + namesize = strlen(name) + 1; + sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX" + "%08lX%08X%08X%08X%08X%08X%08X", + "070701", /* magic */ + ino, /* ino */ + mode, /* mode */ + (long) uid, /* uid */ + (long) gid, /* gid */ + nlinks, /* nlink */ + (long) buf.st_mtime, /* mtime */ + size, /* filesize */ + 3, /* major */ + 1, /* minor */ + 0, /* rmajor */ + 0, /* rminor */ + namesize, /* namesize */ + 0); /* chksum */ + push_hdr(s); + push_string(name); + push_pad(); + + if (size) { + if (fwrite(filebuf, size, 1, stdout) != 1) { + fprintf(stderr, "writing filebuf failed\n"); + goto error; + } + offset += size; + push_pad(); + } + + name += namesize; + } + ino++; + rc = 0; + +error: + if (filebuf) free(filebuf); + if (file >= 0) close(file); + return rc; +} + +static char *cpio_replace_env(char *new_location) +{ + char expanded[PATH_MAX + 1]; + char *start, *end, *var; + + while ((start = strstr(new_location, "${")) && + (end = strchr(start + 2, '}'))) { + *start = *end = 0; + var = getenv(start + 2); + snprintf(expanded, sizeof expanded, "%s%s%s", + new_location, var ? 
var : "", end + 1); + strcpy(new_location, expanded); + } + + return new_location; +} + +static int cpio_mkfile_line(const char *line) +{ + char name[PATH_MAX + 1]; + char *dname = NULL; /* malloc'ed buffer for hard links */ + char location[PATH_MAX + 1]; + unsigned int mode; + int uid; + int gid; + int nlinks = 1; + int end = 0, dname_len = 0; + int rc = -1; + + if (5 > sscanf(line, "%" str(PATH_MAX) "s %" str(PATH_MAX) + "s %o %d %d %n", + name, location, &mode, &uid, &gid, &end)) { + fprintf(stderr, "Unrecognized file format '%s'", line); + goto fail; + } + if (end && isgraph(line[end])) { + int len; + int nend; + + dname = malloc(strlen(line)); + if (!dname) { + fprintf (stderr, "out of memory (%d)\n", dname_len); + goto fail; + } + + dname_len = strlen(name) + 1; + memcpy(dname, name, dname_len); + + do { + nend = 0; + if (sscanf(line + end, "%" str(PATH_MAX) "s %n", + name, &nend) < 1) + break; + len = strlen(name) + 1; + memcpy(dname + dname_len, name, len); + dname_len += len; + nlinks++; + end += nend; + } while (isgraph(line[end])); + } else { + dname = name; + } + rc = cpio_mkfile(dname, cpio_replace_env(location), + mode, uid, gid, nlinks); + fail: + if (dname_len) free(dname); + return rc; +} + +static void usage(const char *prog) +{ + fprintf(stderr, "Usage:\n" + "\t%s [-t ] \n" + "\n" + " is a file containing newline separated entries that\n" + "describe the files to be included in the initramfs archive:\n" + "\n" + "# a comment\n" + "file []\n" + "dir \n" + "nod \n" + "slink \n" + "pipe \n" + "sock \n" + "\n" + " name of the file/dir/nod/etc in the archive\n" + " location of the file in the current filesystem\n" + " expands shell variables quoted with ${}\n" + " link target\n" + " mode/permissions of the file\n" + " user id (0=root)\n" + " group id (0=root)\n" + " device type (b=block, c=character)\n" + " major number of nod\n" + " minor number of nod\n" + " space separated list of other links to file\n" + "\n" + "example:\n" + "# A simple 
initramfs\n" + "dir /dev 0755 0 0\n" + "nod /dev/console 0600 0 0 c 5 1\n" + "dir /root 0700 0 0\n" + "dir /sbin 0755 0 0\n" + "file /sbin/kinit /usr/src/klibc/kinit/kinit 0755 0 0\n" + "\n" + " is time in seconds since Epoch that will be used\n" + "as mtime for symlinks, special files and directories. The default\n" + "is to use the current time for these entries.\n", + prog); +} + +struct file_handler file_handler_table[] = { + { + .type = "file", + .handler = cpio_mkfile_line, + }, { + .type = "nod", + .handler = cpio_mknod_line, + }, { + .type = "dir", + .handler = cpio_mkdir_line, + }, { + .type = "slink", + .handler = cpio_mkslink_line, + }, { + .type = "pipe", + .handler = cpio_mkpipe_line, + }, { + .type = "sock", + .handler = cpio_mksock_line, + }, { + .type = NULL, + .handler = NULL, + } +}; + +#define LINE_SIZE (2 * PATH_MAX + 50) + +int main (int argc, char *argv[]) +{ + FILE *cpio_list; + char line[LINE_SIZE]; + char *args, *type; + int ec = 0; + int line_nr = 0; + const char *filename; + + default_mtime = time(NULL); + while (1) { + int opt = getopt(argc, argv, "t:h"); + char *invalid; + + if (opt == -1) + break; + switch (opt) { + case 't': + default_mtime = strtol(optarg, &invalid, 10); + if (!*optarg || *invalid) { + fprintf(stderr, "Invalid timestamp: %s\n", + optarg); + usage(argv[0]); + exit(1); + } + break; + case 'h': + case '?': + usage(argv[0]); + exit(opt == 'h' ? 0 : 1); + } + } + + if (argc - optind != 1) { + usage(argv[0]); + exit(1); + } + filename = argv[optind]; + if (!strcmp(filename, "-")) + cpio_list = stdin; + else if (!(cpio_list = fopen(filename, "r"))) { + fprintf(stderr, "ERROR: unable to open '%s': %s\n\n", + filename, strerror(errno)); + usage(argv[0]); + exit(1); + } + + while (fgets(line, LINE_SIZE, cpio_list)) { + int type_idx; + size_t slen = strlen(line); + + line_nr++; + + if ('#' == *line) { + /* comment - skip to next line */ + continue; + } + + if (! 
(type = strtok(line, " \t"))) { + fprintf(stderr, + "ERROR: incorrect format, could not locate file type line %d: '%s'\n", + line_nr, line); + ec = -1; + break; + } + + if ('\n' == *type) { + /* a blank line */ + continue; + } + + if (slen == strlen(type)) { + /* must be an empty line */ + continue; + } + + if (! (args = strtok(NULL, "\n"))) { + fprintf(stderr, + "ERROR: incorrect format, newline required line %d: '%s'\n", + line_nr, line); + ec = -1; + } + + for (type_idx = 0; file_handler_table[type_idx].type; type_idx++) { + int rc; + if (! strcmp(line, file_handler_table[type_idx].type)) { + if ((rc = file_handler_table[type_idx].handler(args))) { + ec = rc; + fprintf(stderr, " line %d\n", line_nr); + } + break; + } + } + + if (NULL == file_handler_table[type_idx].type) { + fprintf(stderr, "unknown file type line %d: '%s'\n", + line_nr, line); + } + } + if (ec == 0) + cpio_trailer(); + + exit(ec); +} diff --git a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml similarity index 98% rename from cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml rename to cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml index eb773fd6..2c0bf1f0 100644 --- a/cve/linux-kernel/2022/yaml/ CVE-2022-36946.yaml +++ b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml 
@@ -1,18 +1,18 @@ -id: CVE-2022-36946 -source: https://github.com/Pwnzer0tt1/CVE-2022-36946 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 - description: | - Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 - scope-of-influence: - 5.18.14 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 - - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.5 - cve-id: CVE-2022-36946 +id: CVE-2022-36946 +source: https://github.com/Pwnzer0tt1/CVE-2022-36946 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: 高危 + description: | + Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 + scope-of-influence: + 5.18.14 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 + - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 7.5 + cve-id: CVE-2022-36946 tags: 拒绝服务,cve2022 \ No newline at end of file diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-45934.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-45934.yaml new file mode 100644 index 00000000..0d5895c1 --- /dev/null +++ b/cve/linux-kernel/2022/yaml/CVE-2022-45934.yaml 
@@ -0,0 +1,23 @@ +id: CVE-2022-45934 +source: https://github.com/Trinadh465/linux-4.1.15_CVE-2022-45934 +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: high + description: | + 在Linux内核中通过6.0.10发现一个问题。网络/蓝牙/l2cap_core.c中的l2cap_config_req通过L2CAP_CONF_REQ数据包进行整数环绕。 + scope-of-influence: + Linux kernel(6.0.10) + reference: + - https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d + - https://lists.debian.org/debian-lts-announce/2023/03/msg00000.html + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAKCGDW6CQ6G3RZWYZJO454R3L5CTQB/ + - https://security.netapp.com/advisory/ntap-20230113-0008/ + - https://www.debian.org/security/2023/dsa-5324 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2022-45934 + cwe-id: CWE-190 + cnvd-id: None + kve-id: None + tags: 整数环绕 \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 897401df..9a973044 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -40,6 +40,7 @@ cve: - CVE-2022-0435 - CVE-2021-26708 - CVE-2022-2078 + - CVE-2022-45934 sudo: - CVE-2021-3156 - CVE-2023-22809 -- Gitee From ff73bffe7d8bc606facba1d63cf1c25aef1387f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Tue, 14 Mar 2023 14:15:41 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?linux-kernel/2022/yaml/CVE-2022-36946.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml deleted file mode 100644 index 2c0bf1f0..00000000 
--- a/cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: CVE-2022-36946 -source: https://github.com/Pwnzer0tt1/CVE-2022-36946 -info: - name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 - severity: 高危 - description: | - Linux5.18.14 内核中 net/netfilter/nfnetlink_queue.c 的nfqnl_mangle允许远程攻击者造成拒绝服务 (panic),因为在具有单字节nfta_payload属性的nf_queue判定的情况下,skb_pull可能会遇到负的 skb->len。 - scope-of-influence: - 5.18.14 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-36946 - - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=722d94847de29310e8aa03fcbdb41fc92c521756 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - cvss-score: 7.5 - cve-id: CVE-2022-36946 - tags: 拒绝服务,cve2022 \ No newline at end of file -- Gitee
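Review bot: The README.md added under cve/linux-kernel/2022/CVE-2022-45934/ contains no documentation of the vulnerability. Its 79 lines are the generic "Linux kernel release 4.x" release notes (WHAT IS LINUX?, INSTALLING the kernel source, BUILD directory for the kernel) and never mention CVE-2022-45934, l2cap_config_req or L2CAP_CONF_REQ. Suggest replacing it with a short description of the affected function and versions, a pointer to the fix commit already listed under reference in CVE-2022-45934.yaml, and a way to check whether a given kernel carries that fix.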
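Review bot: gen_init_cpio.c has no visible connection to the CVE its directory is named for. The 623 added lines are an initramfs cpio archive generator (see usage()), while CVE-2022-45934.yaml places the bug in l2cap_config_req in l2cap_core.c. Either drop the file or state in the README why it is needed. If it stays, two defects are worth fixing: in cpio_mkgeneric_line() the fprintf arguments are swapped relative to the format string "Unrecognized %s format '%s'" (line is passed before generic_type_table[gt].type), and in main() the branch where strtok(NULL, "\n") returns NULL sets ec = -1 but neither breaks nor continues, so the matching handler is still called with args == NULL.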
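Review bot: In the CVE-2022-36946.yaml rename hunk (@@ -1,18 +1,18 @@), the 17 leading lines are removed and re-added with identical visible text, so the 98% similarity is presumably a whitespace or line-ending change riding along with the filename fix (dropping the leading space in " CVE-2022-36946.yaml"). Please either keep this a pure rename or say in the commit message what was normalised, since the subject "Add CVE-2022-45934" does not cover a change to another CVE's metadata. The file also still ends without a trailing newline.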
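Review bot: In the new CVE-2022-45934.yaml, the description renders the source path as "网络/蓝牙/l2cap_core.c"; the path should be kept literal as net/bluetooth/l2cap_core.c, the way the CVE-2022-36946 entry in this same patch writes net/netfilter/nfnetlink_queue.c. Two further consistency points: scope-of-influence says "Linux kernel(6.0.10)" while the description says the issue exists through 6.0.10, so the field should express a range rather than a single version, and severity is "high" here where the neighbouring entry uses "高危", so pick one convention. The file is also missing a newline at end of file.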
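Review bot: PATCH 2/2 deletes cve/linux-kernel/2022/yaml/CVE-2022-36946.yaml outright, one patch after PATCH 1/2 renamed it to fix the filename, and its subject only says that the file is deleted. The series is about adding CVE-2022-45934, so removing another CVE's metadata needs a stated reason. If the deletion is unintended, drop this patch; if it is intended, drop the rename from PATCH 1/2 as well and check that openkylin_list.yaml does not still list CVE-2022-36946.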