Bugs & Patches

Following are the security issues found in various open source projects and list of CVEs
Cooperated directly with MITRE in the process of evaluating and assigning the following CVEs. Additionally personally triaged them, evaluated their security impact and reported the issues to upstream developers with the suggested fixes, providing guidance with understanding the issue and often testing upstream provided fixes

• md4c - Use of uninitialized value in md_analyze_line() - CVE-2021-30027
• samurai - Null pointer dereference in writefile() - CVE-2021-30218
• samurai - Null pointer dereference in printstatus() - CVE-2021-30219
• discount - Stack overflow in islist()
• tidy-html5 - Heap Use-After-Free in CleanNode()
• schismtracker - Heap-based buffer overflow - Out-of-Bound Read in fmt_mtm_load_song()
• nsd - Buffer overflow (Out-of-Bound Write) in dname_to_string()
• dpic - Heap-based buffer overflow in storestring()
• dpic - Buffer overflow (Out-of-Bound Read) in yylex()
• dpic - Heap Use After Free in deletestringbox() [file: dpic.y:L5716]
• dpic - Heap-based Buffer Overflow in makevar()
• dpic - Heap Use After Free in cmpstring()
• dpic - Heap Use After Free in deletestringbox() [file: dpic.y:L5724]
• dpic - Buffer overflow (Out-of-Bound Write) in trimname()
• saschahauer/barebox - Stack buffer overflow (Out-of-bound Write) in nfs_start()
• saschahauer/barebox - Stack buffer overflow (Out of bound Read) in __d_alloc()
• saschahauer/barebox - Stack buffer overflow (Out-of-bound Write) in barebox_printf()

FreeBSD (no cves)⌗

• UFS FileSystem

  • Kernel panic observed while plugging the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
  • Kernel panic observed while plugging the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
  • Kernel panic observed with crash signature “vm_fault_lookup: fault on nofault entry, addr: 0xfffffe0032000000” while plugging the UFS USB drive on FreeBSD13-CURRENT
  • Kernel panic observed while plugging the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
  • Kernel panic observed with crash signature “wrong length 34560 for sectorsize 512” while plugging the UFS USB drive on FreeBSD 13-CURRENT
  • Kernel panic observed with crash signature “getblk: size(75776) > maxbcachebuf(65536)” while mouting the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
  • Kernel panic observed while plugging the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121
  • Kernel panic observed with crash signature “ufs_dirbad: /mnt/test: bad dir ino 2 at offset 154: mangled entry” while mouting the UFS USB drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD 12.1-STABLE r358121

• Kernel Crash: due to device_get_ivars(9) returns NULL which leads to Null pointer dereference for multiple USB drivers

• ping(8)

  • Segmentation fault due to Out-of-Bounds Write
  • Integer truncation with otion “-s”
  • Integer Overflow with option “-G” and “-g”
  • Integer Overflow with option “-h”
  • Segmentation fault due to Out-of-Bounds Read

Patches⌗

• FreeBSD

  • Approved and accepted patch for the issue integer truncation with otion “-s”
  • Submitted fix for the issue segmentation fault due to Out-of-Bounds Write
  • Submitted fix for the issue segmentation fault due to Out-of-Bounds Read
  • Submitted fix for the issue integer overflow with option “-G” and “-g”
  • Submitted fix for the issue integer overflow with option “-h”

• saschahauer/barebox bootloader

  • Removed Unreachable code: net/net.c: net_handle_arp()
  • Submitted documentation patch for running barebox bootloader in sandbox mode

Discussions for my queries and issues on (L|U)nix mailing lists⌗