CVE-2022-3104 and CVE-2016-5400

cves/kernel/CVE-2016-5400.yml

@@ -19,14 +19,14 @@ curated_instructions: |
   This will enable additional editorial checks on this file to make sure you
   fill everything out properly. If you are a student, we cannot accept your work
   as finished unless curated is properly updated.
-curation_level: 0
+curation_level: 2
 reported_instructions: |
   What date was the vulnerability reported to the security team? Look at the
   security bulletins and bug reports. It is not necessarily the same day that
   the CVE was created.  Leave blank if no date is given.
 
   Please enter your date in YYYY-MM-DD format.
-reported_date:
+reported_date: 2016-06-10
 announced_instructions: |
   Was there a date that this vulnerability was announced to the world? You can
   find this in changelogs, blogs, bug reports, or perhaps the CVE date.
@@ -55,7 +55,11 @@ description_instructions: |
 
   Your target audience is people just like you before you took any course in
   security
-description:
+description: |
+  This error is caused by a memory overflow, which means the system ran out of RAM.
+  The function to copy the information from a USB didn't properly delete (free) 
+  the data when it was suppose to. This allowed a badusb device to emulate a lot of
+  fake usb devices and overflow the system, causing a memory overflow
 bounty_instructions: |
   If you came across any indications that a bounty was paid out for this
   vulnerability, fill it out here. Or correct it if the information already here
@@ -75,7 +79,7 @@ bugs_instructions: |
     * Mentioned in mailing list discussions
     * References from NVD entry
     * Various other places
-bugs: []
+bugs: [1358184]
 fixes_instructions: |
   Please put the commit hash in "commit" below.
 
@@ -89,9 +93,7 @@ fixes:
 - commit:
   note:
 - commit: aa93d1fee85c890a34f2510a310e55ee76a27848
-  note: |
-    Taken from NVD references list with Git commit. If you are
-    curating, please fact-check that this commit fixes the vulnerability and replace this comment with 'Manually confirmed'
+  note: Manually confirmed
 vcc_instructions: |
   The vulnerability-contributing commits.
 
@@ -114,7 +116,7 @@ upvotes_instructions: |
   upvotes to each vulnerability you see. Your peers will tell you how
   interesting they think this vulnerability is, and you'll add that to the
   upvotes score on your branch.
-upvotes:
+upvotes: 2
 unit_tested:
   question: |
     Were automated unit tests involved in this vulnerability?
@@ -129,10 +131,10 @@ unit_tested:
 
     For the fix_answer below, check if the fix for the vulnerability involves
     adding or improving an automated test to ensure this doesn't happen again.
-  code:
-  code_answer:
-  fix:
-  fix_answer:
+  code: false
+  code_answer: false
+  fix: false
+  fix_answer: false
 discovered:
   question: |
     How was this vulnerability discovered?
@@ -147,10 +149,14 @@ discovered:
 
     If there is no evidence as to how this vulnerability was found, then please
     explain where you looked.
-  answer:
-  automated:
-  contest:
-  developer:
+  answer: |
+    The first comment on the issue was about how an attack can use a badusb
+    device is cause a memory leak. They had found a memory leak and noticing concluded
+    that you're able to cause if memory overflow if the code is fixed
+
+  automated: false
+  contest: false
+  developer: true
 autodiscoverable:
   instructions: |
     Is it plausible that a fully automated tool could have discovered
@@ -167,8 +173,10 @@ autodiscoverable:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: |
+    Because it involves a buffer overflow so you could test it using 
+    a bad usb device
+  answer: true
 specification:
   instructions: |
     Is there mention of a violation of a specification? For example, the POSIX
@@ -184,8 +192,10 @@ specification:
 
     The answer field should be boolean. In answer_note, please explain
     why you come to that conclusion.
-  note:
-  answer:
+  note: |
+    The improper usage of operations outside the scope of the usb.
+    The system was writing memory in a place it wasn't suppose to. 
+  answer: true
 subsystem:
   question: |
     What subsystems was the mistake in? These are WITHIN linux kernel
@@ -219,8 +229,8 @@ subsystem:
     e.g.
         name: ["subsystemA", "subsystemB"] # ok
         name: subsystemA # also ok
-  name:
-  note:
+  name: ["drivers", "usb"]
+  note: 'This problem was in the drivers directory'
 interesting_commits:
   question: |
     Are there any interesting commits between your VCC(s) and fix(es)?
@@ -235,8 +245,10 @@ interesting_commits:
       * Other commits that fixed a similar issue as this vulnerability
       * Anything else you find interesting.
   commits:
-  - commit:
-    note:
+  - commit: eca2d34b9d2ce70165a50510659838e28ca22742
+    note: |
+      This commit was in the comments with developers saying it this was also
+      the fix to the bug even though it was a fix to another big
   - commit:
     note:
 i18n:
@@ -251,8 +263,8 @@ i18n:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: "this bugged involved out of bound operations"
 sandbox:
   question: |
     Did this vulnerability violate a sandboxing feature that the system
@@ -266,8 +278,8 @@ sandbox:
     Answer should be true or false
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: "The bug involved excuting operations outside of the bound of memory"
 ipc:
   question: |
     Did the feature that this vulnerability affected use inter-process
@@ -278,8 +290,8 @@ ipc:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: "The bug involved excuting operations outside of the bound of memory"
 discussion:
   question: |
     Was there any discussion surrounding this?
@@ -305,9 +317,12 @@ discussion:
 
     Put any links to disagreements you found in the notes section, or any other
     comment you want to make.
-  discussed_as_security:
-  any_discussion:
-  note:
+  discussed_as_security: false
+  any_discussion: true
+  note: |
+    there was a discussion on if the issue was fixed yet and how it was fixed
+    the reporter of the issue mentioned it was fixed along with another
+    issue and sent a link to the commit
 vouch:
   question: |
     Was there any part of the fix that involved one person vouching for
@@ -320,8 +335,11 @@ vouch:
 
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of what your answer was.
-  answer:
-  note:
+  answer: true
+  note: |
+    It was signed off and reviewed on git.kernal
+    Signed off by James Patrick-Evans
+    Reviewed-by Kees Cook
 stacktrace:
   question: |
     Are there any stacktraces in the bug reports?
@@ -335,9 +353,11 @@ stacktrace:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  any_stacktraces:
-  stacktrace_with_fix:
-  note:
+  any_stacktraces: true
+  stacktrace_with_fix: false
+  note: |
+    Could not find stacktrace on redhat, bugzilla, git.kernal, or in any
+    of the logs
 forgotten_check:
   question: |
     Does the fix for the vulnerability involve adding a forgotten check?
@@ -356,8 +376,10 @@ forgotten_check:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: false
+  note: |
+    This bug involves operating in out of bounds memory, 
+    there could be a check to check if the system is operating in the correct space
 order_of_operations:
   question: |
     Does the fix for the vulnerability involve correcting an order of
@@ -369,8 +391,9 @@ order_of_operations:
     Answer must be true or false.
     Write a note about how you came to the conclusions you did, regardless of
     what your answer was.
-  answer:
-  note:
+  answer: true
+  note: |
+    The big didn't the correct clean up operation order leading to a memory leak
 lessons:
   question: |
     Are there any common lessons we have learned from class that apply to this
@@ -386,12 +409,14 @@ lessons:
 
     If you think of another lesson we covered in class that applies here, feel
     free to give it a small name and add one in the same format as these.
-  defense_in_depth:
-    applies:
-    note:
-  least_privilege:
-    applies:
-    note:
+  defense_in_depth: 
+    applies: true
+    note: |
+      should keep track of the bounds of the memory you're changing
+      the bug here changed memory outside bounds so it caused a leak
+  least_privilege: 
+    applies: 
+    note: 
   frameworks_are_optional:
     applies:
     note:
@@ -411,8 +436,10 @@ lessons:
     applies:
     note:
   secure_by_default:
-    applies:
-    note:
+    applies: true
+    note: |
+      The code should also be handle errors better since an error 
+      when copying the usb would cuase the leak
   yagni:
     applies:
     note:
@@ -448,7 +475,11 @@ mistakes:
 
     Write a thoughtful entry here that people in the software engineering
     industry would find interesting.
-  answer:
+  answer: |
+    The biggest lesson in thie bug is error handling since mishandling the 
+    errors caused the memory leak leading to the buffer overlow. This error
+    caused it so it wouldn't finish the function therefore the memory was not freed.
+
 CWE_instructions: |
   Please go to http://cwe.mitre.org and find the most specific, appropriate CWE
   entry that describes your vulnerability. We recommend going to
@@ -473,5 +504,5 @@ nickname_instructions: |
   A catchy name for this vulnerability that would draw attention it.
   If the report mentions a nickname, use that.
   Must be under 30 characters. Optional.
-nickname:
+nickname: free_my_memory
 CVSS: