Message ID | 20200810145724.51067-1-benjamin.romer@canonical.com |
---|---|
Headers | show |
Series | CVE-2020-0067 and CVE-2019-9453 | expand |
lgtm Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> On Mon, Aug 10, 2020 at 10:57:22AM -0400, Benjamin M Romer wrote: > The patch for CVE-2020-0067 requires the patch for CVE-2019-9453. > > CVE-2019-9453: > > In the Android kernel in F2FS touch driver there is a possible out of > bounds read due to improper input validation. This could lead to local > information disclosure with system execution privileges needed. User > interaction is not needed for exploitation. > > CVE-2020-0067: > > In f2fs_xattr_generic_list of xattr.c, there is a possible out of > bounds read due to a missing bounds check. This could lead to local > information disclosure with System execution privileges needed. User > interaction is not required for exploitation.Product: Android. > Versions: Android kernel. Android ID: A-120551147. > > Randall Huang (2): > f2fs: fix to avoid accessing xattr across the boundary > f2fs: fix to avoid memory leakage in f2fs_listxattr > > fs/f2fs/xattr.c | 43 ++++++++++++++++++++++++++++++++++++------- > fs/f2fs/xattr.h | 4 +++- > 2 files changed, 39 insertions(+), 8 deletions(-) > > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
LGTM. Acked-by: Kamal Mostafa <kamal@canonical.com> -Kamal On Mon, Aug 10, 2020 at 10:57:22AM -0400, Benjamin M Romer wrote: > The patch for CVE-2020-0067 requires the patch for CVE-2019-9453. > > CVE-2019-9453: > > In the Android kernel in F2FS touch driver there is a possible out of > bounds read due to improper input validation. This could lead to local > information disclosure with system execution privileges needed. User > interaction is not needed for exploitation. > > CVE-2020-0067: > > In f2fs_xattr_generic_list of xattr.c, there is a possible out of > bounds read due to a missing bounds check. This could lead to local > information disclosure with System execution privileges needed. User > interaction is not required for exploitation.Product: Android. > Versions: Android kernel. Android ID: A-120551147. > > Randall Huang (2): > f2fs: fix to avoid accessing xattr across the boundary > f2fs: fix to avoid memory leakage in f2fs_listxattr > > fs/f2fs/xattr.c | 43 ++++++++++++++++++++++++++++++++++++------- > fs/f2fs/xattr.h | 4 +++- > 2 files changed, 39 insertions(+), 8 deletions(-) > > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
Applied to Xenial/master-next. Thanks! Thanks! Ian On 2020-08-10 10:57:22 , Benjamin M Romer wrote: > The patch for CVE-2020-0067 requires the patch for CVE-2019-9453. > > CVE-2019-9453: > > In the Android kernel in F2FS touch driver there is a possible out of > bounds read due to improper input validation. This could lead to local > information disclosure with system execution privileges needed. User > interaction is not needed for exploitation. > > CVE-2020-0067: > > In f2fs_xattr_generic_list of xattr.c, there is a possible out of > bounds read due to a missing bounds check. This could lead to local > information disclosure with System execution privileges needed. User > interaction is not required for exploitation.Product: Android. > Versions: Android kernel. Android ID: A-120551147. > > Randall Huang (2): > f2fs: fix to avoid accessing xattr across the boundary > f2fs: fix to avoid memory leakage in f2fs_listxattr > > fs/f2fs/xattr.c | 43 ++++++++++++++++++++++++++++++++++++------- > fs/f2fs/xattr.h | 4 +++- > 2 files changed, 39 insertions(+), 8 deletions(-) > > -- > 2.25.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team