CrOS: CVE-2017-0648: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-0648
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-0648
CVSS severity score: 9.3/10.0

Description: An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-36101220.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jun 21 2017
Hmmm over to Guenter as well. Looks like this is present in 3.10 kernels, but not sure if we have the FIQ debugger enabled in our kernels.
Jun 21 2017
Maybe I am missing something, but I don't see the FIQ debugger code in chromeos-3.10. It exists in chromeos-3.18, but is not enabled. In either case, the fix in Android is to set SYSRQ_DEFAULT_ENABLE to 0. This define is already set to 0 in chromeos-{3.10,3.14,3.18,4.4}.
Jun 21 2017
Sounds like a reasonable analysis. Thanks Guenter.
Comment 1 by mmoroz@chromium.org, Jun 21 2017
Owner: jorgelo@chromium.org
Status: Assigned (was: Untriaged)
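
The per-branch triage done in the thread (is the FIQ debugger built, and what is SYSRQ_DEFAULT_ENABLE set to) can be scripted as below. This is an added example, not part of the original thread or of the Chromium OS tooling. The Kconfig symbol name CONFIG_FIQ_DEBUGGER, the verdict labels and the two file arguments are assumptions.

```shell
#!/bin/sh
# Added example: triage one kernel build for the FIQ debugger / sysrq default.
# Assumptions (not from the page): the Kconfig symbol name CONFIG_FIQ_DEBUGGER,
# and that the caller passes the build's .config plus the header or source file
# carrying "#define SYSRQ_DEFAULT_ENABLE <n>".

# Print the numeric value of SYSRQ_DEFAULT_ENABLE, or "unknown" if not found.
sysrq_default() {
    v=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}SYSRQ_DEFAULT_ENABLE[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${v:-unknown}"
}

# Print enabled / disabled / absent for the FIQ debugger option in a .config.
fiq_state() {
    if grep -Eq '^CONFIG_FIQ_DEBUGGER=[ym]' "$1" 2>/dev/null; then
        echo enabled
    elif grep -q 'CONFIG_FIQ_DEBUGGER' "$1" 2>/dev/null; then
        echo disabled    # e.g. "# CONFIG_FIQ_DEBUGGER is not set"
    else
        echo absent      # option unknown to this tree, code likely not present
    fi
}

# $1 = .config, $2 = file defining SYSRQ_DEFAULT_ENABLE. Prints one verdict line.
triage() {
    fiq=$(fiq_state "$1")
    def=$(sysrq_default "$2")
    case "$fiq:$def" in
        enabled:0) verdict=mitigated ;;    # debugger built, Android fix applied
        enabled:*) verdict=affected ;;     # includes "unknown": be conservative
        *)         verdict=not-exposed ;;  # debugger not built into this kernel
    esac
    echo "$verdict fiq=$fiq sysrq_default=$def"
}

# Demo on constructed files (not taken from any real tree).
tmp=$(mktemp -d)
printf '#define SYSRQ_DEFAULT_ENABLE\t1\n' > "$tmp/sysrq.h"
printf 'CONFIG_FIQ_DEBUGGER=y\n' > "$tmp/config"
triage "$tmp/config" "$tmp/sysrq.h"
rm -rf "$tmp"
```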