CrOS: CVE-2017-11176: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-11176
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-11176
CVSS severity score: 10/10.0

Description: The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jul 16 2017
upstream commit f991af3daabaecff34684fd51fac80319d1baad1

Jul 18 2017
also in buganizer as b:63722644.

Jul 18 2017
This bug requires manual review: We are only 6 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 19 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/be1bd93f07fd608d163b0c52489bef699e278ed9

commit be1bd93f07fd608d163b0c52489bef699e278ed9
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:26:53 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578149
[modify] https://crrev.com/be1bd93f07fd608d163b0c52489bef699e278ed9/ipc/mqueue.c
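As an added illustration of the retry window the commit message describes, here is a small user-space C model. It is added here for this page; it is not kernel code and not part of the patch. `sock_get`, `sock_put`, `getsock_by_fd`, `attachskb`, `detachskb` and `mq_notify_model` are stand-ins for the kernel functions named in the message, the fd table and reference counts are constructed, and the `fixed` flag switches the upstream change (clear `sock` before `goto retry`) on and off. The model counts releases that land on a socket the caller no longer owns: one without the fix, none with it.

```c
/* Added example: user-space model of the sys_mq_notify() retry window.
 * Not kernel code; function names mirror the kernel ones they stand in for. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NFDS 4

struct sock {
    int refcnt;      /* references currently held on this socket */
    int extra_puts;  /* releases that hit a socket nobody owned any more */
};

static void sock_get(struct sock *s) { s->refcnt++; }

static void sock_put(struct sock *s)
{
    if (s->refcnt <= 0) {   /* a release past zero is the double release */
        s->extra_puts++;
        return;
    }
    s->refcnt--;
}

/* Constructed fd table: a slot holds a socket, or NULL once user space closed it. */
struct fdtable { struct sock *slots[NFDS]; };

/* Stand-in for fdget() + netlink_getsockbyfilp(): NULL if the fd is closed,
 * otherwise the socket with one reference taken for the caller. */
static struct sock *getsock_by_fd(struct fdtable *t, int fd)
{
    if (fd < 0 || fd >= NFDS || !t->slots[fd])
        return NULL;
    sock_get(t->slots[fd]);
    return t->slots[fd];
}

/* Stand-in for netlink_attachskb(): when it asks for a retry (returns 1) it
 * has already dropped the caller's reference, as the commit message states. */
static int attachskb(struct sock *s, bool need_retry)
{
    if (need_retry) {
        sock_put(s);
        return 1;
    }
    return 0;   /* attached; the caller's reference now belongs to the mqueue */
}

/* Stand-in for netlink_detachskb(): the release on the error path. */
static void detachskb(struct sock *s) { sock_put(s); }

/* Model of the SIGEV_THREAD path. 'fixed' applies the upstream change;
 * 'close_in_window' models user space closing the fd between the first
 * attach attempt and the retry. */
static int mq_notify_model(struct fdtable *t, int fd, bool fixed, bool close_in_window)
{
    struct sock *sock = NULL, *found;
    int attempts = 0, ret;

retry:
    found = getsock_by_fd(t, fd);
    if (!found) {
        ret = -EBADF;   /* fdget() failed: 'sock' keeps whatever it held before */
        goto out;
    }
    sock = found;

    ret = attachskb(sock, attempts++ == 0);  /* first attempt always asks for a retry */
    if (ret == 1) {
        if (fixed)
            sock = NULL;   /* the reference is already gone; forget the pointer */
        if (close_in_window)
            t->slots[fd] = NULL;
        goto retry;
    }
    return 0;   /* success: ownership of the reference moves to the mqueue */

out:
    if (sock)
        detachskb(sock);   /* with a stale 'sock' this is the second release */
    return ret;
}

/* Full sequence: the syscall fails with EBADF because the fd was closed in the
 * window, then the socket's owner drops its own reference later. Returns how
 * many releases landed on an unowned socket (0 means no double release). */
static int double_release_count(bool fixed)
{
    struct sock s = { .refcnt = 1, .extra_puts = 0 };   /* one ref held by the open file */
    struct fdtable t = { .slots = { NULL, NULL, NULL, &s } };

    if (mq_notify_model(&t, 3, fixed, true) != -EBADF)
        return -1;
    sock_put(&s);   /* the owner's eventual close */
    return s.extra_puts;
}

/* Reference count after a successful notify with no close in the window:
 * the mqueue now holds one reference in addition to the file's. */
static int refcnt_after_success(bool fixed)
{
    struct sock s = { .refcnt = 1, .extra_puts = 0 };
    struct fdtable t = { .slots = { NULL, NULL, NULL, &s } };

    return mq_notify_model(&t, 3, fixed, false) == 0 ? s.refcnt : -1;
}

int main(void)
{
    printf("unfixed: %d release(s) on an unowned socket\n", double_release_count(false));
    printf("fixed:   %d release(s) on an unowned socket\n", double_release_count(true));
    printf("refcnt after success: %d\n", refcnt_after_success(true));
    return 0;
}
```

The point the model makes is the one in the commit message: the retry path hands back a reference before jumping to `retry`, so on the retry's `-EBADF` path the `out:` label must not see the old pointer. Clearing `sock` is the minimal change; a broader defensive habit is to null any pointer whose reference has just been dropped.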
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c73275083b3042272ee8f52b89797ca090404640

commit c73275083b3042272ee8f52b89797ca090404640
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:26:58 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578148
[modify] https://crrev.com/c73275083b3042272ee8f52b89797ca090404640/ipc/mqueue.c
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/116728a6b84c42452a3c80337abd59faace99da9

commit 116728a6b84c42452a3c80337abd59faace99da9
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:26:59 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578167
[modify] https://crrev.com/116728a6b84c42452a3c80337abd59faace99da9/ipc/mqueue.c
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/385f6208e14345d81df71164abc1e142db54c5e7

commit 385f6208e14345d81df71164abc1e142db54c5e7
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:36:20 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578133
Commit-Queue: Andrey Ulanov <andreyu@google.com>
[modify] https://crrev.com/385f6208e14345d81df71164abc1e142db54c5e7/ipc/mqueue.c
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b9f131caa4a8a857f9c0a3b0bbb046796a788f1c

commit b9f131caa4a8a857f9c0a3b0bbb046796a788f1c
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:36:24 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578130
Commit-Queue: Andrey Ulanov <andreyu@google.com>
[modify] https://crrev.com/b9f131caa4a8a857f9c0a3b0bbb046796a788f1c/ipc/mqueue.c
Jul 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0dd6a2f2b12aa2fc1fe319ceb7c01ef32651d447

commit 0dd6a2f2b12aa2fc1fe319ceb7c01ef32651d447
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Jul 19 23:36:27 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578132
Commit-Queue: Andrey Ulanov <andreyu@google.com>
[modify] https://crrev.com/0dd6a2f2b12aa2fc1fe319ceb7c01ef32651d447/ipc/mqueue.c
Jul 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7ee71375712b15d775f5e0d84bfbc7fb7edfa642

commit 7ee71375712b15d775f5e0d84bfbc7fb7edfa642
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu Jul 20 02:03:51 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578147
[modify] https://crrev.com/7ee71375712b15d775f5e0d84bfbc7fb7edfa642/ipc/mqueue.c

Jul 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/63094a3fd3db8189111af26fa7f75d81abadb562

commit 63094a3fd3db8189111af26fa7f75d81abadb562
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu Jul 20 17:06:32 2017

UPSTREAM: mqueue: fix a use-after-free in sys_mq_notify()

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt

so when we retry but the fd has just been closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again; later, when the user-space closes this socket, a use-after-free could be triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrey Ulanov <andreyu@google.com>
(cherry-picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
BUG=b:63722644
BUG= chromium:743614
TEST=kernel compiles

Change-Id: I402633e3308eb80c40ae881b13b2353eece0db8b
Reviewed-on: https://chromium-review.googlesource.com/575443
Commit-Ready: Andrey Ulanov <andreyu@google.com>
Tested-by: Andrey Ulanov <andreyu@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1ae3ecacc8e915b702ee85a29935a1e4594e2582)
Reviewed-on: https://chromium-review.googlesource.com/578131
Commit-Queue: Andrey Ulanov <andreyu@google.com>
[modify] https://crrev.com/63094a3fd3db8189111af26fa7f75d81abadb562/ipc/mqueue.c

Oct 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by raymes@chromium.org, Jul 15 2017
Owner: sonnyrao@chromium.org
Status: Assigned (was: Untriaged)