CrOS: CVE-2017-0605 - Vulnerability reported in Linux kernel - kernel trace subsystem
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-0605
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0605
CVSS severity score: 9.3/10.0

Description: An elevation of privilege vulnerability in the kernel trace subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35399704. References: QC-CR#1048480.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

May 22 2017
Mass-assigning Android May security bulletin issues to groeck@ to triage.

May 22 2017
Upstream commit e09e28671cda ("tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()"). All Chrome OS versions affected.

May 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1e7a69876452fc07c2c6d276d747790a42167b28

commit 1e7a69876452fc07c2c6d276d747790a42167b28
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Mon May 22 23:30:18 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead. __trace_find_cmdline() uses strcpy() because the comms saved must have a terminating nul character, but it doesn't hurt to add the extra protection of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
BUG= chromium:724768
TEST=Build and run
Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510806

[modify] https://crrev.com/1e7a69876452fc07c2c6d276d747790a42167b28/kernel/trace/trace.c

May 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2cee50853ff8e709f172dd29feea1309b67137a0

commit 2cee50853ff8e709f172dd29feea1309b67137a0
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Mon May 22 23:30:19 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead. __trace_find_cmdline() uses strcpy() because the comms saved must have a terminating nul character, but it doesn't hurt to add the extra protection of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
BUG= chromium:724768
TEST=Build and run
Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510805
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/2cee50853ff8e709f172dd29feea1309b67137a0/kernel/trace/trace.c

May 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a3efa8f706cb5deadcbc5c1abe90ea5905067aa0

commit a3efa8f706cb5deadcbc5c1abe90ea5905067aa0
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Tue May 23 02:31:23 2017

UPSTREAM: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead. __trace_find_cmdline() uses strcpy() because the comms saved must have a terminating nul character, but it doesn't hurt to add the extra protection of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
BUG= chromium:724768
TEST=Build and run
Change-Id: I303856b04223d9f1addaea77d1742dc42af83471
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510803

[modify] https://crrev.com/a3efa8f706cb5deadcbc5c1abe90ea5905067aa0/kernel/trace/trace.c

May 23 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7d83f7c9131c7408bb83240edf1801ba58e6fe1f

commit 7d83f7c9131c7408bb83240edf1801ba58e6fe1f
Author: Amey Telawane <ameyt@codeaurora.org>
Date: Tue May 23 07:15:10 2017

BACKPORT: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

Strcpy is inherently not safe, and strlcpy() should be used instead. __trace_find_cmdline() uses strcpy() because the comms saved must have a terminating nul character, but it doesn't hurt to add the extra protection of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
BUG= chromium:724768
TEST=Build and run
Change-Id: I9feef3d00ada8f8ba65f2576f061d298b763fdc5
[backport: saved_cmdlines changed to function in later kernels]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e09e28671cda)
Reviewed-on: https://chromium-review.googlesource.com/510783
Reviewed-by: Andrey Ulanov <andreyu@google.com>

[modify] https://crrev.com/7d83f7c9131c7408bb83240edf1801ba58e6fe1f/kernel/trace/trace.c
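
The bounded copy that the commit messages above describe, as an added userspace example (not the kernel patch and not code from this page): `demo_strlcpy`, `struct frame`, `copy_comm` and the sample names are hypothetical, and `TASK_COMM_LEN` is assumed to be the kernel's 16-byte comm size. It shows the write staying inside the destination for an over-long source, and why the size argument is the full buffer length rather than length minus one.

```c
#include <stddef.h>
#include <string.h>

#define TASK_COMM_LEN 16  /* kernel comm buffer size (assumed for this demo) */

/* Userspace stand-in with strlcpy() semantics (hypothetical helper):
 * writes at most size-1 bytes plus a NUL and returns strlen(src). */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);   /* note: still reads src up to its NUL */
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Destination as the caller sees it: a comm buffer with data right after it. */
struct frame {
    char comm[TASK_COMM_LEN];
    char guard[8];   /* constructed canary standing in for adjacent memory */
};

/* Copy a saved name into a fresh frame using the given size argument.
 * Returns the resulting comm length, or -1 if the guard bytes were touched. */
static int copy_comm(const char *saved, size_t size_arg)
{
    struct frame f;
    memset(f.comm, 0, sizeof(f.comm));
    memset(f.guard, 0x5a, sizeof(f.guard));
    demo_strlcpy(f.comm, saved, size_arg);
    for (size_t i = 0; i < sizeof(f.guard); i++)
        if ((unsigned char)f.guard[i] != 0x5a)
            return -1;
    return (int)strlen(f.comm);
}

/* Constructed inputs: a 15-char name that fits exactly, and an over-long one. */
static const char FITS[] = "kworker/u16:3-x";
static const char OVERLONG[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    /* Full size keeps all 15 chars; "- 1" drops one; over-long input is cut. */
    return !(copy_comm(FITS, TASK_COMM_LEN) == 15 &&
             copy_comm(FITS, TASK_COMM_LEN - 1) == 14 &&
             copy_comm(OVERLONG, TASK_COMM_LEN) == 15);
}
```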

May 23 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by wfh@chromium.org, May 22 2017