
Issue 690139


Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Security: CVE-2016-8468

Project Member Reported by groeck@chromium.org, Feb 8 2017

Issue description

Advisory: CVE-2016-8468
  Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8468
  CVSS severity score: 7.6/10.0
  Confidence: high
  Description:

An elevation of privilege vulnerability in Binder could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process and is mitigated by current platform configurations.
Product: Android. Versions: Kernel-3.18. Android ID: A-32394425.

Only affects chromeos-3.18.

 
Is this purely an Android bug, or does it affect ChromeOS also because of ARC++? Will it be fixed in 56 or 57? (Just use 1 M- label.)
Labels: -M-56 -M-57 M-58
All I can say is that the code is enabled in chromeos. I do not know if it is actually _used_. However, since it is enabled, presumably it does offer an attack surface.

I am replacing the M-tag with M-58 as the first release where the fix will land. I hope this understanding is correct.


Project Member

Comment 5 by bugdroid1@chromium.org, Feb 9 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a66404bb978aacebb840278eaaa5e07b1700ea7e

commit a66404bb978aacebb840278eaaa5e07b1700ea7e
Author: Martijn Coenen <maco@android.com>
Date: Thu Feb 09 04:31:54 2017

Android: binder: check set_context_mgr permission on time.

BUG=b/32394425, chromium:690139
TEST=Build image with Android Binder enabled

Change-Id: I860c6aab97850bff05a56e96cd3f4b41691bfd96
Signed-off-by: Martijn Coenen <maco@android.com>
(cherry picked from https://android.googlesource.com/kernel/msm
 commit 0d37d64f02e18a301867ae7684c3801bd99c5df2)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/439554
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/a66404bb978aacebb840278eaaa5e07b1700ea7e/drivers/staging/android/binder.c

Status: Fixed (was: Started)

Comment 7 by awhalley@google.com, Apr 18 2017

Labels: Release-0-M58
Project Member

Comment 8 by sheriffbot@chromium.org, May 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
