Issue metadata
Security: CVE-2017-0403
Issue description
Advisory: CVE-2017-0403
Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0403
CVSS severity score: 7.6/10.0
Confidence: high
Description: An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
Product: Android.
Versions: Kernel-3.10, Kernel-3.18.
Android ID: A-32402548.
Jan 30 2017
#1: Yes for both. I was waiting for feedback from the Android team if the fixes for CVE-2017-0403 and CVE-2017-0404 will be submitted upstream, to avoid potential conflicts if possible. Unfortunately, I have not heard back. I'll ping again this week.
Feb 1 2017
Labeled as Security_Severity-Medium because the exploitation of this issue requires compromising a privileged process first.
Feb 8 2017
#1: Waiting for code review (CL:439418)
Feb 8 2017
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bae6b341d097d5a8d7a280a44b26f78bcb354259

commit bae6b341d097d5a8d7a280a44b26f78bcb354259
Author: John Dias <joaodias@google.com>
Date: Thu Feb 09 00:24:31 2017

CHROMIUM: perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug).

BUG=b/32402548, chromium:684625
TEST=Build and test image with perf enabled

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
(cherry-picked from https://android.googlesource.com/kernel/msm e50fdd282473d11837fb877fcda5bcf667010e70)
[Rebase note: Do not apply to later kernels unless the PoC (see b/32402548) still works. The changes in this area of code are so substantial that it is all but impossible to determine if the problem has been fixed or not by looking at the code.]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439418

[modify] https://crrev.com/bae6b341d097d5a8d7a280a44b26f78bcb354259/kernel/events/core.c
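The commit message above describes the defect in terms of two intrusive lists: a group leader owns a `sibling_list`, and each sibling is linked into it through its `group_entry`. If the leader is freed while siblings are still linked, a later `list_del` on a sibling rewrites `prev->next` and `next->prev`, and one of those pointers is inside the freed leader. The following user-space C model is an added example for this page, not the kernel's code and not part of this bug report: it reimplements a minimal circular list (modelled on the kernel's `struct list_head`, but constructed here), shows a detach routine that leaves siblings linked next to one that empties the sibling list as the commit describes, and checks the invariant a reviewer or a debug assertion would want before the leader is freed: the leader's sibling list must be empty. The names `event`, `group_detach_leader_buggy`, `group_detach_leader_fixed`, `sibling_list_len` and `run_scenario` are this example's own. The buggy path is reported by the check rather than executed, so the program never actually touches freed memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular intrusive list in the style of the kernel's list.h
 * (constructed for this example, not the kernel's implementation). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n;  head->prev = n;
}

/* Unlink n and make it self-linked. Note that it writes through n->prev and
 * n->next: if either points into freed memory, this is the use-after-free. */
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next;
    n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

static int list_empty(const struct list_head *h) { return h->next == h; }

/* Toy stand-in for a perf event (hypothetical struct, not the kernel's).
 * A leader owns sibling_list; siblings are linked into it via group_entry. */
struct event {
    int id;
    struct event *group_leader;
    struct list_head sibling_list; /* meaningful on the leader only */
    struct list_head group_entry;  /* membership in leader->sibling_list */
};

static struct event *event_alloc(int id) {
    struct event *e = calloc(1, sizeof *e);
    if (!e) { perror("calloc"); exit(1); }
    e->id = id;
    e->group_leader = e;
    INIT_LIST_HEAD(&e->sibling_list);
    INIT_LIST_HEAD(&e->group_entry);
    return e;
}

static void group_add_sibling(struct event *leader, struct event *sib) {
    sib->group_leader = leader;
    list_add_tail(&sib->group_entry, &leader->sibling_list);
}

/* Buggy detach: the leader is about to go away but nothing unlinks the
 * siblings, so each sibling's group_entry still points into the leader. */
static void group_detach_leader_buggy(struct event *leader) { (void)leader; }

/* Fixed detach, in the shape the commit message describes: empty the
 * leader's sibling list so every sibling becomes a self-linked singleton
 * whose later list_del touches only its own memory. */
static void group_detach_leader_fixed(struct event *leader) {
    while (!list_empty(&leader->sibling_list)) {
        struct event *sib = container_of(leader->sibling_list.next,
                                         struct event, group_entry);
        list_del_init(&sib->group_entry);
        sib->group_leader = sib;
    }
}

/* Invariant check: number of siblings still linked into the leader's list.
 * Anything other than 0 means freeing the leader now leaves dangling
 * list pointers behind. */
static int sibling_list_len(const struct event *leader) {
    int n = 0;
    for (const struct list_head *p = leader->sibling_list.next;
         p != &leader->sibling_list; p = p->next)
        n++;
    return n;
}

/* Build a group of one leader and two siblings, run the given detach routine,
 * and return how many siblings were left linked to the leader. Only frees the
 * leader first when that count is 0, so the buggy case is detected, not run. */
static int run_scenario(void (*detach)(struct event *)) {
    struct event *leader = event_alloc(1);
    struct event *a = event_alloc(2), *b = event_alloc(3);
    group_add_sibling(leader, a);
    group_add_sibling(leader, b);

    detach(leader);
    int left = sibling_list_len(leader);

    if (left == 0) {
        free(leader);                 /* safe: no node references its list */
        list_del_init(&a->group_entry); /* later teardown: self-linked, no-op */
        list_del_init(&b->group_entry);
    }
    /* In the buggy case the kernel would have freed the leader here, and the
     * later list_del on a sibling would write into that freed object. */
    free(a); free(b);
    if (left != 0) free(leader);
    return left;
}

int main(void) {
    printf("fixed detach: %d siblings still linked (expect 0)\n",
           run_scenario(group_detach_leader_fixed));
    printf("buggy detach: %d siblings still linked (expect 2)\n",
           run_scenario(group_detach_leader_buggy));
    return 0;
}
```

The useful takeaway for review is the check, not the model: an intrusive-list owner may only be freed once every node that was linked through it is either unlinked or re-homed, and an `assert(list_empty(...))` at the free site turns a silent use-after-free into an immediate, attributable failure. The rebase note in the commit message is the same point from the other side: when the surrounding code has been restructured, re-running the original reproducer is more reliable than reading the code to decide whether the invariant still holds.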
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/48c54a06235b5907d8999ea05d5ec54afc8259c1

commit 48c54a06235b5907d8999ea05d5ec54afc8259c1
Author: John Dias <joaodias@google.com>
Date: Thu Feb 09 00:24:39 2017

CHROMIUM: perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug).

BUG=b/32402548, chromium:684625
TEST=Build and test image with perf enabled

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
(cherry-picked from https://android.googlesource.com/kernel/msm e50fdd282473d11837fb877fcda5bcf667010e70)
[Rebase note: Do not apply to later kernels unless the PoC (see b/32402548) still works. The changes in this area of code are so substantial that it is all but impossible to determine if the problem has been fixed or not by looking at the code.]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439402

[modify] https://crrev.com/48c54a06235b5907d8999ea05d5ec54afc8259c1/kernel/events/core.c
Feb 9 2017
Will initially land in M-58.
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/837f6d747e4e742004591db772604ed61d608a4c

commit 837f6d747e4e742004591db772604ed61d608a4c
Author: John Dias <joaodias@google.com>
Date: Thu Feb 09 04:31:52 2017

CHROMIUM: perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug).

BUG=b/32402548, chromium:684625
TEST=Build and test image with perf enabled

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
(cherry-picked from https://android.googlesource.com/kernel/msm e50fdd282473d11837fb877fcda5bcf667010e70)
[Rebase note: Do not apply to later kernels unless the PoC (see b/32402548) still works. The changes in this area of code are so substantial that it is all but impossible to determine if the problem has been fixed or not by looking at the code.]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439400
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/837f6d747e4e742004591db772604ed61d608a4c/kernel/events/core.c
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a57ecc1f74af3b5b8b6852faff6167d4d6b144f2

commit a57ecc1f74af3b5b8b6852faff6167d4d6b144f2
Author: John Dias <joaodias@google.com>
Date: Thu Feb 09 04:31:45 2017

CHROMIUM: perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug).

BUG=b/32402548, chromium:684625
TEST=Build and test image with perf enabled

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
(cherry-picked from https://android.googlesource.com/kernel/msm e50fdd282473d11837fb877fcda5bcf667010e70)
[Rebase note: Do not apply to later kernels unless the PoC (see b/32402548) still works. The changes in this area of code are so substantial that it is all but impossible to determine if the problem has been fixed or not by looking at the code.]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439401

[modify] https://crrev.com/a57ecc1f74af3b5b8b6852faff6167d4d6b144f2/kernel/events/core.c
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fea3715e6da5c69eec2574eb8168c8e28d51e081

commit fea3715e6da5c69eec2574eb8168c8e28d51e081
Author: John Dias <joaodias@google.com>
Date: Thu Feb 09 04:31:47 2017

CHROMIUM: perf: don't leave group_entry on sibling list (use-after-free)

When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug).

BUG=b/32402548, chromium:684625
TEST=Build and test image with perf enabled

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
(cherry-picked from https://android.googlesource.com/kernel/msm e50fdd282473d11837fb877fcda5bcf667010e70)
[Rebase note: Do not apply to later kernels unless the PoC (see b/32402548) still works. The changes in this area of code are so substantial that it is all but impossible to determine if the problem has been fixed or not by looking at the code.]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439403

[modify] https://crrev.com/fea3715e6da5c69eec2574eb8168c8e28d51e081/kernel/events/core.c
Feb 9 2017

Apr 18 2017

May 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Jan 30 2017