
Issue 735884 link


Issue metadata

Status: Archived
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




CrOS: CVE-2017-1000380: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jun 22 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-1000380
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-1000380
  CVSS severity score: 2.1/10.0
  Description:

sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.


Comment 1 by mmoroz@chromium.org, Jun 22 2017

Components: OS>Kernel
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Owner: snanda@chromium.org
Seems to be a Low severity.

Sameer, could you please help to find an owner for this?

Comment 2 by groeck@chromium.org, Jun 22 2017

Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Summary: CrOS: CVE-2017-1000380: Vulnerability reported in Linux kernel (was: CrOS: Vulnerability reported in Linux kernel)
Upstream:

ba3021b2c79b ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
d11662f4f798 ALSA: timer: Fix race between read and ioctl

Comment 3 by groeck@chromium.org, Jun 30 2017

Status: Started (was: Assigned)

Project Member Comment 4 by bugdroid1@chromium.org, Jun 30 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ea24638d45be6c2e14398b94e2a1e7ee6eece96e

commit ea24638d45be6c2e14398b94e2a1e7ee6eece96e
Author: Takashi Iwai <tiwai@suse.de>
Date: Fri Jun 30 23:02:44 2017

UPSTREAM: ALSA: timer: Fix race between read and ioctl

The read from ALSA timer device, the function snd_timer_user_tread(),
may access to an uninitialized struct snd_timer_user fields when the
read is concurrently performed while the ioctl like
snd_timer_user_tselect() is invoked.  We have already fixed the races
among ioctls via a mutex, but we seem to have forgotten the race
between read vs ioctl.

This patch simply applies (more exactly extends the already applied
range of) tu->ioctl_lock in snd_timer_user_tread() for closing the
race window.

BUG=chromium:735884
TEST=Build and run

Change-Id: I2467894c9c454ec12b6a945147061d41387fd2c6
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit d11662f4f798)
Reviewed-on: https://chromium-review.googlesource.com/558208
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/ea24638d45be6c2e14398b94e2a1e7ee6eece96e/sound/core/timer.c


Project Member Comment 5 by bugdroid1@chromium.org, Jun 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8bed77951e0ee530eecd9a88ad59643590bc0cd4

commit 8bed77951e0ee530eecd9a88ad59643590bc0cd4
Author: Takashi Iwai <tiwai@suse.de>
Date: Fri Jun 30 23:02:45 2017

UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT

snd_timer_user_tselect() reallocates the queue buffer dynamically, but
it forgot to reset its indices.  Since the read may happen
concurrently with ioctl and snd_timer_user_tselect() allocates the
buffer via kmalloc(), this may lead to the leak of uninitialized
kernel-space data, as spotted via KMSAN:

  BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
  CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x143/0x1b0 lib/dump_stack.c:52
   kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
   kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
   copy_to_user ./arch/x86/include/asm/uaccess.h:725
   snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
   do_loop_readv_writev fs/read_write.c:716
   __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
   do_readv_writev fs/read_write.c:894
   vfs_readv fs/read_write.c:908
   do_readv+0x52a/0x5d0 fs/read_write.c:934
   SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
   SyS_readv+0x87/0xb0 fs/read_write.c:1018

This patch adds the missing reset of queue indices.  Together with the
previous fix for the ioctl/read race, we cover the whole problem.

BUG=chromium:735884
TEST=Build and run

Change-Id: Icd282df3dc60155668621bd4abdc9b5875dd75df
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit ba3021b2c79b)
Reviewed-on: https://chromium-review.googlesource.com/558209
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/8bed77951e0ee530eecd9a88ad59643590bc0cd4/sound/core/timer.c
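As an added example (not the kernel's code and not part of the fixes tracked in this bug), the following userspace C model reproduces the two defects the cherry-picked commits above describe: a ring buffer whose qhead/qtail/qused indices survive a SELECT that frees and reallocates the buffer, and a read path that must hold ioctl_lock for its whole copy so a concurrent SELECT cannot swap the buffer underneath it. The struct and function names (tuser, tu_push, tu_select, tu_read, stale_index_leak), the 0xAA poison standing in for whatever kmalloc() left in the new buffer, and the atomic_flag spinlock standing in for the kernel mutex are assumptions of this model, not identifiers from sound/core/timer.c.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xAAu   /* assumption: stand-in for what kmalloc() left in the new buffer */

struct tread { uint32_t resolution; uint32_t ticks; };  /* one queued event */

struct tuser {                       /* models the per-open state (struct snd_timer_user) */
    struct tread *queue;
    int queue_size;
    int qhead, qtail, qused;         /* ring-buffer indices */
    atomic_flag ioctl_lock;          /* models tu->ioctl_lock; a spinlock here, not a mutex */
};

static void lock(atomic_flag *f)   { while (atomic_flag_test_and_set(f)) { } }
static void unlock(atomic_flag *f) { atomic_flag_clear(f); }

static void tu_init(struct tuser *tu, int size) {
    memset(tu, 0, sizeof(*tu));
    tu->queue_size = size;
    tu->queue = calloc(size, sizeof(*tu->queue));
    atomic_flag_clear(&tu->ioctl_lock);
}

/* Timer-interrupt side: append one event, dropping it on overflow like the driver. */
static void tu_push(struct tuser *tu, uint32_t resolution, uint32_t ticks) {
    if (tu->qused >= tu->queue_size)
        return;
    tu->queue[tu->qtail] = (struct tread){ resolution, ticks };
    tu->qtail = (tu->qtail + 1) % tu->queue_size;
    tu->qused++;
}

/* SNDRV_TIMER_IOCTL_SELECT model: free and reallocate the queue.
 * reset_indices == 0 keeps the old qhead/qtail/qused (the bug);
 * reset_indices == 1 zeroes them, which is what ba3021b2c79b adds. */
static void tu_select(struct tuser *tu, int reset_indices) {
    lock(&tu->ioctl_lock);
    free(tu->queue);
    tu->queue = malloc(tu->queue_size * sizeof(*tu->queue));
    memset(tu->queue, POISON, tu->queue_size * sizeof(*tu->queue));  /* "uninitialized" */
    if (reset_indices)
        tu->qhead = tu->qtail = tu->qused = 0;
    unlock(&tu->ioctl_lock);
}

/* read(2) model: copy up to max events out; returns the number copied.
 * The whole copy runs under ioctl_lock, the structure d11662f4f798 gives the
 * read path, so tu_select() cannot replace the buffer in the middle of it. */
static int tu_read(struct tuser *tu, struct tread *out, int max) {
    int n = 0;
    lock(&tu->ioctl_lock);
    while (n < max && tu->qused > 0) {
        out[n++] = tu->queue[tu->qhead];
        tu->qhead = (tu->qhead + 1) % tu->queue_size;
        tu->qused--;
    }
    unlock(&tu->ioctl_lock);
    return n;
}

/* 1 if any event handed to the reader consists only of never-written bytes. */
static int leaked(const struct tread *ev, int n) {
    for (int i = 0; i < n; i++)
        if (ev[i].resolution == 0xAAAAAAAAu && ev[i].ticks == 0xAAAAAAAAu)
            return 1;
    return 0;
}

/* Scenario: three events queued, then SELECT, then read.
 * Returns 1 if the read disclosed uninitialized buffer contents. */
int stale_index_leak(int fixed) {
    struct tuser tu;
    struct tread ev[8];
    tu_init(&tu, 8);
    tu_push(&tu, 1000000, 1);
    tu_push(&tu, 1000000, 2);
    tu_push(&tu, 1000000, 3);
    tu_select(&tu, fixed);           /* qused is still 3 unless fixed */
    int n = tu_read(&tu, ev, 8);
    int r = leaked(ev, n);
    free(tu.queue);
    return r;
}

int main(void) {
    printf("without index reset: leak=%d\n", stale_index_leak(0));  /* 1 */
    printf("with index reset:    leak=%d\n", stale_index_leak(1));  /* 0 */
    return 0;
}
```

Build with cc -std=c11. stale_index_leak(0) returns 1 because qused still says three entries are pending, so the read hands out three events from the freshly allocated, never-written buffer; the lock in tu_read() does nothing about that, which is why the read/ioctl lock extension and the index reset are two separate commits and the second message says only both together "cover the whole problem".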


Project Member Comment 6 by sheriffbot@chromium.org, Jul 1 2017

Status: Fixed (was: Started)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 7 by sheriffbot@chromium.org, Jul 2 2017

Labels: Restrict-View-SecurityNotify

Project Member Comment 8 by sheriffbot@chromium.org, Oct 8 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)
