CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-7472
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7472
CVSS severity score: 4.9/10.0

Description: The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
May 16 2017
May 16 2017
Fix is already in chromeos-4.4 (through merge). Needed for older kernels.
May 16 2017
May 16 2017
May 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/afbf7a1671398bfa62d4c6eb4fa4d38fde4c1362

commit afbf7a1671398bfa62d4c6eb4fa4d38fde4c1362
Author: Eric Biggers <ebiggers@google.com>
Date: Wed May 17 03:55:51 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506711

[modify] https://crrev.com/afbf7a1671398bfa62d4c6eb4fa4d38fde4c1362/security/keys/process_keys.c
[modify] https://crrev.com/afbf7a1671398bfa62d4c6eb4fa4d38fde4c1362/security/keys/keyctl.c
May 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2eff9dc9ee49c0cb5ca9718934e5dd8108d99a97

commit 2eff9dc9ee49c0cb5ca9718934e5dd8108d99a97
Author: Eric Biggers <ebiggers@google.com>
Date: Wed May 17 07:17:20 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506713

[modify] https://crrev.com/2eff9dc9ee49c0cb5ca9718934e5dd8108d99a97/security/keys/process_keys.c
[modify] https://crrev.com/2eff9dc9ee49c0cb5ca9718934e5dd8108d99a97/security/keys/keyctl.c
May 17 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/89e98ffa9aeb1f0926afef50330446e0dbc1e3a6

commit 89e98ffa9aeb1f0926afef50330446e0dbc1e3a6
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 02:06:22 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506465
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>

[modify] https://crrev.com/89e98ffa9aeb1f0926afef50330446e0dbc1e3a6/security/keys/process_keys.c
[modify] https://crrev.com/89e98ffa9aeb1f0926afef50330446e0dbc1e3a6/security/keys/keyctl.c
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a905e51dad2cc80d5551223ff186e437f80dc8f1

commit a905e51dad2cc80d5551223ff186e437f80dc8f1
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 02:06:29 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506712

[modify] https://crrev.com/a905e51dad2cc80d5551223ff186e437f80dc8f1/security/keys/process_keys.c
[modify] https://crrev.com/a905e51dad2cc80d5551223ff186e437f80dc8f1/security/keys/keyctl.c
May 18 2017
May 18 2017
May 18 2017
May 18 2017
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1b20166e00bc72a6461855c0a787ce7a59b2b951

commit 1b20166e00bc72a6461855c0a787ce7a59b2b951
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 21:15:58 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506465
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
(cherry picked from commit 89e98ffa9aeb1f0926afef50330446e0dbc1e3a6)
Reviewed-on: https://chromium-review.googlesource.com/508893

[modify] https://crrev.com/1b20166e00bc72a6461855c0a787ce7a59b2b951/security/keys/process_keys.c
[modify] https://crrev.com/1b20166e00bc72a6461855c0a787ce7a59b2b951/security/keys/keyctl.c
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/72a2792f325bc5e6694f8c293660926bf65012e2

commit 72a2792f325bc5e6694f8c293660926bf65012e2
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 21:16:02 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506711
(cherry picked from commit afbf7a1671398bfa62d4c6eb4fa4d38fde4c1362)
Reviewed-on: https://chromium-review.googlesource.com/508894

[modify] https://crrev.com/72a2792f325bc5e6694f8c293660926bf65012e2/security/keys/process_keys.c
[modify] https://crrev.com/72a2792f325bc5e6694f8c293660926bf65012e2/security/keys/keyctl.c
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d52baab8a50e38997a9b88c4079d92cff373efaf

commit d52baab8a50e38997a9b88c4079d92cff373efaf
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 21:16:07 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506712
(cherry picked from commit a905e51dad2cc80d5551223ff186e437f80dc8f1)
Reviewed-on: https://chromium-review.googlesource.com/508895

[modify] https://crrev.com/d52baab8a50e38997a9b88c4079d92cff373efaf/security/keys/process_keys.c
[modify] https://crrev.com/d52baab8a50e38997a9b88c4079d92cff373efaf/security/keys/keyctl.c
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7d65e5097860d5ff16ba1a7d7a1c805dbddda7ea

commit 7d65e5097860d5ff16ba1a7d7a1c805dbddda7ea
Author: Eric Biggers <ebiggers@google.com>
Date: Thu May 18 21:16:11 2017

UPSTREAM: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

This fixes CVE-2017-7472. Running the following program as an unprivileged user exhausts kernel memory by leaking thread keyrings:

    #include <keyutils.h>
    int main()
    {
        for (;;)
            keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
    }

Fix it by only creating a new thread keyring if there wasn't one before. To make things more consistent, make install_thread_keyring_to_cred() and install_process_keyring_to_cred() both return 0 if the corresponding keyring is already present.

BUG=chromium:722785
TEST=Build and run

Change-Id: If518f2f199c125ccce7b73f6d3df000a18b24a06
Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Cc: stable@vger.kernel.org # 2.6.29+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit c9f838d104fed6f2)
Reviewed-on: https://chromium-review.googlesource.com/506713
(cherry picked from commit 2eff9dc9ee49c0cb5ca9718934e5dd8108d99a97)
Reviewed-on: https://chromium-review.googlesource.com/508896

[modify] https://crrev.com/7d65e5097860d5ff16ba1a7d7a1c805dbddda7ea/security/keys/process_keys.c
[modify] https://crrev.com/7d65e5097860d5ff16ba1a7d7a1c805dbddda7ea/security/keys/keyctl.c
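The commit messages above (the same fix landed on each ChromeOS kernel branch) describe the defect as a keyring being allocated on every call and the pointer overwritten without dropping the previous reference, and the fix as returning 0 when a thread keyring is already present. The following is an added user-space model of that ownership logic, written for this page; it is not kernel code and not part of the commit. The `struct key`, `struct cred`, `keyring_alloc`, `key_put` and the two `install_thread_keyring_*` functions are simplified stand-ins for the kernel's refcounted keyrings and credentials, and `leaked_after` simulates a sequence of KEY_REQKEY_DEFL_THREAD_KEYRING calls and reports how many keyrings outlive the task.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (hypothetical, not the kernel's real structures). */
struct key  { int refcount; };
struct cred { struct key *thread_keyring; };

static int live_keyrings;   /* keyrings currently allocated (leak counter) */

static struct key *keyring_alloc(void)
{
    struct key *k = calloc(1, sizeof *k);
    if (!k)
        abort();
    k->refcount = 1;            /* the cred owns this one reference */
    live_keyrings++;
    return k;
}

static void key_put(struct key *k)
{
    if (k && --k->refcount == 0) {
        free(k);
        live_keyrings--;
    }
}

/* Pre-fix shape: always allocate a fresh keyring and overwrite the pointer.
 * The reference held on the previous keyring is never dropped. */
static int install_thread_keyring_buggy(struct cred *new)
{
    new->thread_keyring = keyring_alloc();
    return 0;
}

/* Post-fix shape, as the commit message describes it: return 0 if a thread
 * keyring is already present, and only allocate when there is none. */
static int install_thread_keyring_fixed(struct cred *new)
{
    if (new->thread_keyring)
        return 0;
    new->thread_keyring = keyring_alloc();
    return 0;
}

/* Simulate n calls, then have the task exit (dropping its one reference),
 * and return how many keyrings are still allocated afterwards. */
static int leaked_after(int n, int (*install)(struct cred *))
{
    struct cred c = { 0 };
    live_keyrings = 0;
    for (int i = 0; i < n; i++)
        install(&c);
    key_put(c.thread_keyring);
    return live_keyrings;
}
```

With the buggy installer every call past the first leaks one keyring, so the count grows without bound; with the fixed installer the count stays at zero no matter how many calls are made.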
Aug 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 22 2018
Comment 1 by wfh@chromium.org, May 16 2017