
Issue 725862

Starred by 1 user

Issue metadata

Status: Archived
Owner:
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




CrOS: Vulnerability reported in Linux kernel (CVE-2017-7487)

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, May 24 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-7487
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7487
  CVSS severity score: 7.2/10.0
  Description:

The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.


Comment 1 by kenrb@chromium.org, May 24 2017

Components: OS>Kernel
Labels: Security_Severity-High Security_Impact-Stable Pri-1
Setting severity to high based on this being described as a kernel UaF. Somebody with more context can update that if it doesn't look right.

Comment 2 by sheriffbot@chromium.org, May 24 2017

Labels: M-58

Comment 3 by groeck@chromium.org, May 24 2017

Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
We don't have CONFIG_IPX enabled in any of our kernel configurations (still need to check Lakitu though). Unless Lakitu enables it, we should get the problem fixed, but applying to stable releases would in that case appear unnecessary. I'll check the Lakitu configuration later and update the bug accordingly.

Comment 4 by groeck@chromium.org, May 24 2017

Labels: -Pri-1 -Security_Impact-Stable -Security_Severity-High -M-58 M-60 Pri-2
Checked through Lakitu and other out-of-tree configurations. CONFIG_IPX is not enabled anywhere. Lowering severity and dropping M-58 as well as security-impact-stable.

Comment 5 by groeck@chromium.org, May 24 2017

Summary: CrOS: Vulnerability reported in Linux kernel (CVE-2017-7487) (was: CrOS: Vulnerability reported in Linux kernel)

Comment 6 by groeck@chromium.org, May 25 2017

Status: Started (was: Assigned)

Comment 7 by kenrb@chromium.org, May 25 2017

Labels: -Type-Bug-Security Type-Bug
Removing the Bug-Security type since this doesn't affect our users.

Comment 8 by groeck@chromium.org, May 25 2017

Status: Fixed (was: Started)

Comment 9 by bugdroid1@chromium.org, Sep 9 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8f2bfa980ab0de1a9a91805a2eb599e67c9d860d

commit 8f2bfa980ab0de1a9a91805a2eb599e67c9d860d
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Sep 09 00:35:41 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653659
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/8f2bfa980ab0de1a9a91805a2eb599e67c9d860d/net/ipx/af_ipx.c
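
The handler shape behind the CVE description and the commit message above, as an added example that is not code from the page or from the kernel: a constructed C model in which the buggy ioctl returns on copy-out failure without dropping the reference it took, beside the fixed version that drops it on every path. iface_find, iface_put and fake_copy_to_user are stand-ins for the kernel helpers, not the real API.

```c
/* Constructed model of the error-path refcount bug fixed by
 * "ipx: call ipxitf_put() in ioctl error path". Names are stand-ins. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

struct iface {
    int refcnt;          /* models the interface's reference count */
    unsigned int netnum; /* models if_netnum, the value copied out */
};

static struct iface g_if = { .refcnt = 1, .netnum = 0x1234 };

/* Models the lookup that returns a held reference. */
static struct iface *iface_find(void) { g_if.refcnt++; return &g_if; }
/* Models ipxitf_put(): drops one reference. */
static void iface_put(struct iface *i) { i->refcnt--; }

/* Simulated copy_to_user(): returns bytes NOT copied, so non-zero is failure.
 * The fail flag stands in for a bad user pointer. */
static unsigned long fake_copy_to_user(void *dst, const void *src, size_t n, int fail)
{
    if (fail)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* Buggy handler: on copy failure it returns before iface_put(). */
static int ioctl_gifaddr_buggy(unsigned int *out, int copy_fails)
{
    struct iface *ifp = iface_find();
    if (fake_copy_to_user(out, &ifp->netnum, sizeof(*out), copy_fails))
        return -EFAULT;            /* reference taken above is never dropped */
    iface_put(ifp);
    return 0;
}

/* Fixed handler: the put() happens on every path, only rc differs. */
static int ioctl_gifaddr_fixed(unsigned int *out, int copy_fails)
{
    struct iface *ifp = iface_find();
    int rc = 0;
    if (fake_copy_to_user(out, &ifp->netnum, sizeof(*out), copy_fails))
        rc = -EFAULT;
    iface_put(ifp);
    return rc;
}

/* Refcount delta left behind by one call: 0 is balanced, 1 is a leaked reference. */
static int refcnt_delta(int (*handler)(unsigned int *, int), int copy_fails)
{
    unsigned int buf = 0;
    int base = g_if.refcnt;
    handler(&buf, copy_fails);
    return g_if.refcnt - base;
}
```

A kernel built with refcount debugging reports the same imbalance as a warning from the put/hold helpers; here the delta function makes it visible directly.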


Comment 10 by bugdroid1@chromium.org, Sep 9 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/858925ee7a2522e2adf6fe6c39961e8daca104e4

commit 858925ee7a2522e2adf6fe6c39961e8daca104e4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Sep 09 00:35:50 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654219
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/858925ee7a2522e2adf6fe6c39961e8daca104e4/net/ipx/af_ipx.c


Comment 11 by bugdroid1@chromium.org, Sep 9 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1e365118add18f1e0b9d2f5b9253a84a59f59631

commit 1e365118add18f1e0b9d2f5b9253a84a59f59631
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Sep 09 03:04:30 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654218
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/1e365118add18f1e0b9d2f5b9253a84a59f59631/net/ipx/af_ipx.c


Comment 12 by bugdroid1@chromium.org, Sep 9 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f3c13afb18d481f63eb5a4db7a2f67be0f771fc8

commit f3c13afb18d481f63eb5a4db7a2f67be0f771fc8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Sep 09 22:23:51 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654002
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/f3c13afb18d481f63eb5a4db7a2f67be0f771fc8/net/ipx/af_ipx.c


Comment 13 by bugdroid1@chromium.org, Sep 11 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/232357f544414542d81f65b539078b0b1b976116

commit 232357f544414542d81f65b539078b0b1b976116
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Sep 11 17:24:00 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/653659
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 8f2bfa980ab0de1a9a91805a2eb599e67c9d860d)
Reviewed-on: https://chromium-review.googlesource.com/660869
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Commit-Queue: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/232357f544414542d81f65b539078b0b1b976116/net/ipx/af_ipx.c


Comment 14 by bugdroid1@chromium.org, Sep 11 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0460440904907db5849fb3d6172b2f9de692932e

commit 0460440904907db5849fb3d6172b2f9de692932e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Sep 11 17:32:44 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654219
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 858925ee7a2522e2adf6fe6c39961e8daca104e4)
Reviewed-on: https://chromium-review.googlesource.com/661037
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Commit-Queue: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/0460440904907db5849fb3d6172b2f9de692932e/net/ipx/af_ipx.c


Comment 15 by bugdroid1@chromium.org, Sep 11 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ef6f3d27c773db21dae2ae92dbae740dd20bc5b9

commit ef6f3d27c773db21dae2ae92dbae740dd20bc5b9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Sep 11 17:37:01 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654218
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 1e365118add18f1e0b9d2f5b9253a84a59f59631)
Reviewed-on: https://chromium-review.googlesource.com/661046
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Commit-Queue: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/ef6f3d27c773db21dae2ae92dbae740dd20bc5b9/net/ipx/af_ipx.c


Comment 16 by bugdroid1@chromium.org, Sep 11 2017

Labels: merge-merged-release-R62-9901.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/45d5aec18cebdd3f7bff96ea5d852001e3a0c8c8

commit 45d5aec18cebdd3f7bff96ea5d852001e3a0c8c8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon Sep 11 17:39:26 2017

UPSTREAM: ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

BUG= chromium:725862 
TEST=Build and run

Change-Id: Id29ee7cc7d745b03cf66eb57d6e7d545056e5429
Reported-by:  <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Reviewed-on: https://chromium-review.googlesource.com/513420
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/654002
Commit-Ready: Bernie Thompson <bhthompson@chromium.org>
Tested-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit f3c13afb18d481f63eb5a4db7a2f67be0f771fc8)
Reviewed-on: https://chromium-review.googlesource.com/661050
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
Commit-Queue: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/45d5aec18cebdd3f7bff96ea5d852001e3a0c8c8/net/ipx/af_ipx.c

Comment 17 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
