
Issue 724768

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 0
Type: Bug-Security




CrOS: CVE-2017-0605 - Vulnerability reported in Linux kernel - kernel trace subsystem

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, May 20 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-0605
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0605
  CVSS severity score: 9.3/10.0
  Description:

An elevation of privilege vulnerability in the kernel trace subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399704. References: QC-CR#1048480.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 

Comment 1 by wfh@chromium.org, May 22 2017

Components: OS>Kernel

Comment 2 by wfh@chromium.org, May 22 2017

Labels: Pri-0
Summary: CrOS: CVE-2017-0605 - Vulnerability reported in Linux kernel - kernel trace subsystem (was: CrOS: Vulnerability reported in Linux kernel)

Comment 3 by wfh@chromium.org, May 22 2017

Labels: Security_Severity-Critical

Comment 4 by wfh@chromium.org, May 22 2017

Status: Available (was: Untriaged)
Owner: groeck@chromium.org
Mass-assigning Android May security bulletin issues to groeck@ to triage.

Project Member Comment 6 by sheriffbot@chromium.org, May 22 2017

Status: Assigned (was: Available)

Comment 7 by groeck@chromium.org, May 22 2017

Upstream commit e09e28671cda ("tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()"). All Chrome OS versions affected.

Comment 8 by groeck@chromium.org, May 22 2017

Labels: M-58

Project Member Comment 9 by bugdroid1@chromium.org, May 22 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1e7a69876452fc07c2c6d276d747790a42167b28

commit 1e7a69876452fc07c2c6d276d747790a42167b28
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Mon May 22 23:30:18 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead.
__trace_find_cmdline() uses strcpy() because the comms saved must have a
terminating nul character, but it doesn't hurt to add the extra protection
of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org

Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

BUG= chromium:724768 
TEST=Build and run

Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510806

[modify] https://crrev.com/1e7a69876452fc07c2c6d276d747790a42167b28/kernel/trace/trace.c

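The commit message above says __trace_find_cmdline() used strcpy() because the saved comms "must have a terminating nul character", and that strlcpy() is added as extra protection. The following is an added example written for this page, not code from the kernel or from the commit: a userspace model of the saved_cmdlines table (a flat array of TASK_COMM_LEN-byte slots, where TASK_COMM_LEN is the kernel's value of 16) with one slot deliberately left unterminated, run through both the unbounded copy and the bounded copy so the difference in what reaches the caller's comm[] buffer can be measured. The kstrlcpy() helper reimplements the kernel strlcpy() semantics because userland libc may not provide one; the unterminated slot is constructed for the demo, since the page does not say how a real slot came to lack a terminator.

```c
/* Added example for this bug page: a userspace model of the strcpy() ->
 * strlcpy() change in __trace_find_cmdline(). Not kernel code. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TASK_COMM_LEN 16   /* kernel's comm size, NUL included */
#define GUARD_LEN     16   /* bytes after comm[] that must stay untouched */
#define NR_SLOTS      2    /* constructed: a two-slot table is enough */

/* Kernel-style strlcpy() semantics, reimplemented here (assumption: the
 * host libc may lack strlcpy()): copy at most size-1 bytes, always
 * NUL-terminate when size > 0, return strlen(src) so callers can detect
 * truncation. */
static size_t kstrlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Flat table of fixed-width comm slots, laid out like the kernel's
 * saved_cmdlines[] array: slot i starts at i * TASK_COMM_LEN. */
static char saved_cmdlines[NR_SLOTS * TASK_COMM_LEN];

static const char *get_saved_cmdlines(int idx)
{
    return &saved_cmdlines[idx * TASK_COMM_LEN];
}

/* Constructed fault: slot 0 is 16 'A's with no terminator, so a reader that
 * trusts the NUL runs straight on into slot 1 ("bash"). */
static void setup_table(void)
{
    memset(saved_cmdlines, 'A', TASK_COMM_LEN);
    kstrlcpy(&saved_cmdlines[TASK_COMM_LEN], "bash", TASK_COMM_LEN);
}

/* Shape of the lookup before the fix: unbounded copy into comm[]. */
static void find_cmdline_before(int map, char comm[])
{
    strcpy(comm, get_saved_cmdlines(map));
}

/* Shape of the lookup after commit e09e28671cda: bounded copy. */
static void find_cmdline_after(int map, char comm[])
{
    kstrlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
}

/* Run one variant against a comm[] followed by a guard region and report how
 * many guard bytes were overwritten. The buffer is deliberately oversized so
 * the bad copy stays inside it and the damage can be counted safely. */
static size_t guard_bytes_clobbered(int fixed)
{
    char buf[TASK_COMM_LEN + GUARD_LEN];
    size_t clobbered = 0;

    setup_table();
    memset(buf, 'G', sizeof buf);
    if (fixed)
        find_cmdline_after(0, buf);
    else
        find_cmdline_before(0, buf);

    for (size_t i = TASK_COMM_LEN; i < sizeof buf; i++)
        if (buf[i] != 'G')
            clobbered++;
    return clobbered;
}

/* After the fix, comm[] is NUL-terminated inside TASK_COMM_LEN and holds the
 * name truncated to 15 characters. */
static int fixed_copy_is_terminated(void)
{
    char comm[TASK_COMM_LEN];

    setup_table();
    find_cmdline_after(0, comm);
    return comm[TASK_COMM_LEN - 1] == '\0' && strlen(comm) == TASK_COMM_LEN - 1;
}

int main(void)
{
    printf("strcpy  : %zu guard bytes clobbered\n", guard_bytes_clobbered(0));
    printf("strlcpy : %zu guard bytes clobbered, terminated=%d\n",
           guard_bytes_clobbered(1), fixed_copy_is_terminated());
    return 0;
}
```

With the unterminated slot, the strcpy() path copies the 16 'A's, the four bytes of "bash" from the next slot and a NUL, writing 21 bytes into a 16-byte comm[] and clobbering five bytes past it; the strlcpy() path writes exactly 15 bytes plus a NUL and never reaches the guard. In the kernel the caller's comm[] is typically a TASK_COMM_LEN stack array, so the bytes past it are whatever sits above it on the kernel stack.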

Project Member Comment 10 by bugdroid1@chromium.org, May 22 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2cee50853ff8e709f172dd29feea1309b67137a0

commit 2cee50853ff8e709f172dd29feea1309b67137a0
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Mon May 22 23:30:19 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead.
__trace_find_cmdline() uses strcpy() because the comms saved must have a
terminating nul character, but it doesn't hurt to add the extra protection
of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org

Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

BUG= chromium:724768 
TEST=Build and run

Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510805
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/2cee50853ff8e709f172dd29feea1309b67137a0/kernel/trace/trace.c


Project Member Comment 11 by bugdroid1@chromium.org, May 23 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a3efa8f706cb5deadcbc5c1abe90ea5905067aa0

commit a3efa8f706cb5deadcbc5c1abe90ea5905067aa0
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Tue May 23 02:31:23 2017

UPSTREAM: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead.
__trace_find_cmdline() uses strcpy() because the comms saved must have a
terminating nul character, but it doesn't hurt to add the extra protection
of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org

Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

BUG= chromium:724768 
TEST=Build and run

Change-Id: I303856b04223d9f1addaea77d1742dc42af83471
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510803

[modify] https://crrev.com/a3efa8f706cb5deadcbc5c1abe90ea5905067aa0/kernel/trace/trace.c


Project Member Comment 12 by bugdroid1@chromium.org, May 23 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7d83f7c9131c7408bb83240edf1801ba58e6fe1f

commit 7d83f7c9131c7408bb83240edf1801ba58e6fe1f
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Tue May 23 07:15:10 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead.
__trace_find_cmdline() uses strcpy() because the comms saved must have a
terminating nul character, but it doesn't hurt to add the extra protection
of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org

Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>

BUG= chromium:724768 
TEST=Build and run

Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510783
Reviewed-by: Andrey Ulanov <andreyu@google.com>

[modify] https://crrev.com/7d83f7c9131c7408bb83240edf1801ba58e6fe1f/kernel/trace/trace.c


Project Member Comment 13 by sheriffbot@chromium.org, May 23 2017

Labels: Security_Impact-Stable

Project Member Comment 14 by sheriffbot@chromium.org, May 23 2017

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Merge-Request-58

Project Member Comment 16 by sheriffbot@chromium.org, May 24 2017

Labels: Restrict-View-SecurityNotify

Project Member Comment 17 by sheriffbot@chromium.org, Jun 6 2017

Labels: -M-58 M-59

Project Member Comment 18 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60

Project Member Comment 19 by sheriffbot@chromium.org, Aug 30 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 20 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61

Project Member Comment 21 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Labels: Release-0-M62

Project Member Comment 23 by sheriffbot@chromium.org, Dec 7 2017

Labels: -M-62 M-63

Project Member Comment 24 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64

Project Member Comment 25 by sheriffbot@chromium.org, Mar 7 2018

Labels: -M-64 M-65

Project Member Comment 26 by sheriffbot@chromium.org, Apr 19 2018

Labels: -M-65 M-66

Project Member Comment 27 by sheriffbot@chromium.org, May 30 2018

Labels: -M-66 M-67

Project Member Comment 28 by sheriffbot@chromium.org, Jul 25 2018

Labels: -M-67 Target-68 M-68

Project Member Comment 29 by sheriffbot@chromium.org, Sep 5 2018

Labels: -M-68 M-69 Target-69

Project Member Comment 30 by sheriffbot@chromium.org, Oct 17 2018

Labels: -M-69 Target-70 M-70

Project Member Comment 31 by sheriffbot@chromium.org, Dec 5 2018

Labels: -M-70 Target-71 M-71
Labels: -Merge-Request-58
Labels: -Target-68 -Target-69 -Target-70 -M-71 -Target-71 M-58
