Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631

[Greg KH <greg () kroah com>]

On Tue, Jan 30, 2024 at 10:45:00PM +0100, Solar Designer wrote:
> Thank you Greg for looking into these issues.  It's great that most
> longterm kernel trees appear already fixed.

I've taken the one remaining missing fix into the next round of kernel
releases, so all should be good now.

> For CVE-2021-33631 (the ext4 BUG), both the distro vendor's and NVD's
> CVSS input vectors specify AV:L/AC:L/PR:L/UI:N, which means the
> vulnerability can be triggered by a local system user at will and
> without additional privileges.  I'd say that deliberately getting the
> kernel to work on a corrupted filesystem requires at least one of:
> physical access (AV:P) or privileges on the system (PR:H) or user
> interaction (UI:R).  However, there's no way to encode this in one CVSS
> vector.  Also, in the physical access case, at least the availability
> impact typically does not apply (would be A:N).

The "interesting" thing here is that the project in question (the
kernel) does not consider "mounting a corrupted filesystem" as a real
attack vector at all.  There's been long discussions about it, the most
recent being last year on the kernel summit discuss mailing list, and at
the kernel summit itself.

So while CVSS might consider this a real issue, the developers of the
project itself do not.  The disconnect is one that drives people who use
sysbot tools to create fancy corrupted filesystem images with the goal
of getting a CVE for their CV, crazy on a weekly basis when the issues
they report get constantly ignored.

Good times :)

thanks,

greg k-h