Issue metadata
Sign in to add a comment
|
CrOS: CVE-2017-8924 - Vulnerability reported in Linux kernel - usb edge_bulk_in_callback |
||||||||||||||||||||||
Issue descriptionVOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. Advisory: CVE-2017-8924 Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-8924 CVSS severity score: 2.1/10.0 Description: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel before 4.10.4 allows local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow. This bug was filed by http://go/vomit Please contact us at vomit-team@google.com if you need any assistance.
,
May 23 2017
,
May 24 2017
,
May 24 2017
Upstream commit 654b404f2a2 ("USB: serial: io_ti: fix information leak in completion handler"). Already fixed in chromeos-4.4, needed in older kernels. Configuration (CONFIG_USB_SERIAL_EDGEPORT_TI) is not enabled in chromeos, thus no immediate security risk; changing security severity to low and M-60 as target release.
Note that the configuration is enabled for the beaglebone build.
,
May 25 2017
,
May 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/684dbc9bd2478f727cbd712bcad8e3fd0343a561 commit 684dbc9bd2478f727cbd712bcad8e3fd0343a561 Author: Johan Hovold <johan@kernel.org> Date: Thu May 25 09:33:06 2017 UPSTREAM: USB: serial: io_ti: fix information leak in completion handler Add missing sanity check to the bulk-in completion handler to avoid an integer underflow that can be triggered by a malicious device. This avoids leaking 128 kB of memory content from after the URB transfer buffer to user space. BUG= chromium:725017 TEST=Build and run Change-Id: I5e6c6c6f09b06637f1f96bf7c7dfe32bf4ec14ff Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # 2.6.30 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 654b404f2a2) Reviewed-on: https://chromium-review.googlesource.com/514444 Reviewed-by: Dylan Reid <dgreid@chromium.org> [modify] https://crrev.com/684dbc9bd2478f727cbd712bcad8e3fd0343a561/drivers/usb/serial/io_ti.c
,
May 25 2017
,
May 25 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7cb9f1ba6af767620ded214d0391169d192e43b2 commit 7cb9f1ba6af767620ded214d0391169d192e43b2 Author: Johan Hovold <johan@kernel.org> Date: Thu May 25 17:24:46 2017 UPSTREAM: USB: serial: io_ti: fix information leak in completion handler Add missing sanity check to the bulk-in completion handler to avoid an integer underflow that can be triggered by a malicious device. This avoids leaking 128 kB of memory content from after the URB transfer buffer to user space. BUG= chromium:725017 TEST=Build and run Change-Id: I5e6c6c6f09b06637f1f96bf7c7dfe32bf4ec14ff Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # 2.6.30 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 654b404f2a2) Reviewed-on: https://chromium-review.googlesource.com/514444 Reviewed-by: Dylan Reid <dgreid@chromium.org> (cherry picked from commit 684dbc9bd2478f727cbd712bcad8e3fd0343a561) Reviewed-on: https://chromium-review.googlesource.com/515204 [modify] https://crrev.com/7cb9f1ba6af767620ded214d0391169d192e43b2/drivers/usb/serial/io_ti.c
,
May 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/880fd3e1a60e604976461bdc971cdf35b762f1f8 commit 880fd3e1a60e604976461bdc971cdf35b762f1f8 Author: Johan Hovold <johan@kernel.org> Date: Thu May 25 17:24:47 2017 UPSTREAM: USB: serial: io_ti: fix information leak in completion handler Add missing sanity check to the bulk-in completion handler to avoid an integer underflow that can be triggered by a malicious device. This avoids leaking 128 kB of memory content from after the URB transfer buffer to user space. BUG= chromium:725017 TEST=Build and run Change-Id: I5e6c6c6f09b06637f1f96bf7c7dfe32bf4ec14ff Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # 2.6.30 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 654b404f2a2) Reviewed-on: https://chromium-review.googlesource.com/514444 Reviewed-by: Dylan Reid <dgreid@chromium.org> (cherry picked from commit 684dbc9bd2478f727cbd712bcad8e3fd0343a561) Reviewed-on: https://chromium-review.googlesource.com/515205 [modify] https://crrev.com/880fd3e1a60e604976461bdc971cdf35b762f1f8/drivers/usb/serial/io_ti.c
,
May 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/98e95a310eefcb8ac0a059aaa9e802ab39049ab3 commit 98e95a310eefcb8ac0a059aaa9e802ab39049ab3 Author: Johan Hovold <johan@kernel.org> Date: Thu May 25 19:25:31 2017 UPSTREAM: USB: serial: io_ti: fix information leak in completion handler Add missing sanity check to the bulk-in completion handler to avoid an integer underflow that can be triggered by a malicious device. This avoids leaking 128 kB of memory content from after the URB transfer buffer to user space. BUG= chromium:725017 TEST=Build and run Change-Id: I5e6c6c6f09b06637f1f96bf7c7dfe32bf4ec14ff Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable <stable@vger.kernel.org> # 2.6.30 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 654b404f2a2) Reviewed-on: https://chromium-review.googlesource.com/514444 Reviewed-by: Dylan Reid <dgreid@chromium.org> (cherry picked from commit 684dbc9bd2478f727cbd712bcad8e3fd0343a561) Reviewed-on: https://chromium-review.googlesource.com/515203 [modify] https://crrev.com/98e95a310eefcb8ac0a059aaa9e802ab39049ab3/drivers/usb/serial/io_ti.c
,
May 26 2017
,
Sep 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 22 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by wfh@chromium.org
, May 22 2017Labels: Security_Severity-Medium Pri-2
Summary: CrOS: CVE-2017-8924 - Vulnerability reported in Linux kernel - usb edge_bulk_in_callback (was: CrOS: Vulnerability reported in Linux kernel)