CrOS: CVE-2017-7533: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-7533
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7533
CVSS severity score: 6.9/10.0
Description: Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Aug 10 2017

Aug 10 2017
Upstream 49d31c2f389 ("dentry name snapshots"). Post-4.4.79, needed in all kernel versions.
Aug 10 2017

Aug 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f

commit 9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu Aug 10 22:39:48 2017

UPSTREAM: dentry name snapshots

take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().

Intended use:
    struct name_snapshot s;
    take_dentry_name_snapshot(&s, dentry);
    ... access s.name ...
    release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.

BUG= chromium:754205
TEST=Build and run

Change-Id: Ic11a9c94b484d10ae8d7b04ec00ec0dd3e45ef59
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 49d31c2f389)
Reviewed-on: https://chromium-review.googlesource.com/610515
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>

[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/include/linux/dcache.h
[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/fs/notify/fsnotify.c
[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/fs/namei.c
[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/fs/dcache.c
[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/fs/debugfs/inode.c
[modify] https://crrev.com/9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f/include/linux/fsnotify.h
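The commit message above states the contract of the snapshot API but not what makes the snapshot safe once the dentry has been dropped. What follows is an added, constructed userspace model of that pattern, written for this page; it is not the kernel's code nor Al Viro's implementation, and the struct and function names, the 15-byte inline threshold and the refcount handling are assumptions made for the illustration. It exercises both paths the commit describes, a short name copied into the caller's structure and a long name kept alive through an extra reference to an immutable external buffer, and checks that the name read through the snapshot is still intact after the owning object has been torn down.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the snapshot pattern in the commit above. Not
 * kernel code: struct names, the 15-byte inline threshold and the refcounting
 * are assumptions made for this illustration. */
#define INLINE_NAME_LEN 15
struct ext_name {
    int refcount;           /* the owner plus every outstanding snapshot */
    char name[];            /* never modified once created, so safe to share */
};

struct fake_dentry {
    char inline_name[INLINE_NAME_LEN + 1];
    struct ext_name *ext;   /* NULL when the name fits inline */
    const char *name;       /* points into inline_name or ext->name */
};

struct name_snapshot {
    const char *name;       /* stable until release_name_snapshot() */
    char inline_name[INLINE_NAME_LEN + 1];
    struct ext_name *ext;   /* extra reference held by the snapshot, or NULL */
};

static struct fake_dentry *dentry_create(const char *name)
{
    size_t len = strlen(name);
    struct fake_dentry *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    if (len <= INLINE_NAME_LEN) {          /* short name: store it inline */
        memcpy(d->inline_name, name, len + 1);
        d->name = d->inline_name;
        return d;
    }
    d->ext = malloc(sizeof *d->ext + len + 1);
    if (!d->ext) { free(d); return NULL; }
    d->ext->refcount = 1;                  /* the owner's own reference */
    memcpy(d->ext->name, name, len + 1);
    d->name = d->ext->name;
    return d;
}

static void ext_name_put(struct ext_name *e) { if (e && --e->refcount == 0) free(e); }

/* The owner going away (after a rename, say) while a snapshot is still
 * outstanding is exactly the situation the kernel change has to survive. */
static void dentry_destroy(struct fake_dentry *d) { ext_name_put(d->ext); free(d); }

/* The caller must hold d while this runs; afterwards d may be dropped. */
static void take_name_snapshot(struct name_snapshot *s, const struct fake_dentry *d)
{
    if (d->ext) {
        d->ext->refcount++;        /* pin the immutable external buffer */
        s->ext = d->ext;
        s->name = d->ext->name;
    } else {
        memcpy(s->inline_name, d->inline_name, sizeof s->inline_name);
        s->ext = NULL;
        s->name = s->inline_name;  /* private copy owned by the snapshot */
    }
}

static void release_name_snapshot(struct name_snapshot *s)
{
    ext_name_put(s->ext); s->ext = NULL; s->name = NULL;  /* drops the last ref for a long name */
}

/* Outcome of one round: intact = name read back correctly after the owner
 * died; used_inline = snapshot copied inline (1) or pinned ext (0); refs =
 * ext refcount while owner and snapshot both held it, -1 for inline names. */
struct snapshot_report { int intact, used_inline, refs; };

/* Snapshot the name, tear the owner down, then read through the snapshot. */
struct snapshot_report snapshot_outlives_owner(const char *name)
{
    struct snapshot_report r = { 0, -1, -1 };
    struct fake_dentry *d = dentry_create(name);
    struct name_snapshot s;
    if (!d) return r;
    take_name_snapshot(&s, d);
    r.used_inline = (s.ext == NULL);
    r.refs = s.ext ? s.ext->refcount : -1;   /* owner + snapshot = 2 */
    dentry_destroy(d);                       /* owner gone; s.name stays valid */
    r.intact = strcmp(s.name, name) == 0;
    release_name_snapshot(&s);
    return r;
}

int main(void)
{
    const char *samples[] = { "short", "a-name-longer-than-the-inline-buffer" }; /* constructed */
    for (size_t i = 0; i < 2; i++) {
        struct snapshot_report r = snapshot_outlives_owner(samples[i]);
        printf("%-40s intact=%d inline=%d refcount=%d\n", samples[i], r.intact, r.used_inline, r.refs);
    }
    return 0;
}
```

The point to take from the model is that neither path touches the owning object after take_name_snapshot() returns: the inline copy is storage the snapshot owns, and the external buffer is never modified and is held by its own reference, so tearing the owner down cannot change or invalidate what the reader of s.name sees.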
Aug 11 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Aug 12 2017

Aug 14 2017
"needed in all kernel versions". It would be great if sheriffbot would not be as aggressive.
Aug 14 2017
Will only apply to 4.4 and 3.18. Changes in older kernels are substantial and would add more risk than the problem solved.
Aug 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06

commit 3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Aug 16 22:03:03 2017

UPSTREAM: dentry name snapshots

commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream.

take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().

Intended use:
    struct name_snapshot s;
    take_dentry_name_snapshot(&s, dentry);
    ... access s.name ...
    release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.

BUG= chromium:754205
TEST=Build and run

Change-Id: Ic11a9c94b484d10ae8d7b04ec00ec0dd3e45ef59
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a1dbc0979b4f in linux-stable)
Reviewed-on: https://chromium-review.googlesource.com/617419

[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/include/linux/dcache.h
[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/fs/notify/fsnotify.c
[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/fs/namei.c
[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/fs/dcache.c
[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/fs/debugfs/inode.c
[modify] https://crrev.com/3e5ac8a02327df46a5a8bc7ea6464905fe7d8f06/include/linux/fsnotify.h
Aug 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f64189f5892631ee7e731426b708445a3f68542f

commit f64189f5892631ee7e731426b708445a3f68542f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Aug 16 22:03:08 2017

UPSTREAM: dentry name snapshots

take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().

Intended use:
    struct name_snapshot s;
    take_dentry_name_snapshot(&s, dentry);
    ... access s.name ...
    release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.

BUG= chromium:754205
TEST=Build and run

Change-Id: Ic11a9c94b484d10ae8d7b04ec00ec0dd3e45ef59
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 49d31c2f389)
Reviewed-on: https://chromium-review.googlesource.com/610515
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
(cherry picked from commit 9cb7a61dceeb06c15a47ccdb57b9c5f66a588a1f)
Reviewed-on: https://chromium-review.googlesource.com/617418

[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/include/linux/dcache.h
[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/fs/notify/fsnotify.c
[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/fs/namei.c
[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/fs/dcache.c
[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/fs/debugfs/inode.c
[modify] https://crrev.com/f64189f5892631ee7e731426b708445a3f68542f/include/linux/fsnotify.h
Aug 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96

commit 3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu Aug 17 06:37:55 2017

UPSTREAM: dentry name snapshots

commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream.

take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().

Intended use:
    struct name_snapshot s;
    take_dentry_name_snapshot(&s, dentry);
    ... access s.name ...
    release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.

BUG= chromium:754205
TEST=Build and run

Change-Id: Ic11a9c94b484d10ae8d7b04ec00ec0dd3e45ef59
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a1dbc0979b4f in linux-stable)
Reviewed-on: https://chromium-review.googlesource.com/614480

[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/include/linux/dcache.h
[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/fs/notify/fsnotify.c
[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/fs/namei.c
[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/fs/dcache.c
[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/fs/debugfs/inode.c
[modify] https://crrev.com/3e4c5da25ac9d89f8701fc14a3aa9116e91d9c96/include/linux/fsnotify.h
Aug 18 2017

Nov 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 22 2018
Comment 1 by kenrb@chromium.org, Aug 10 2017
Status: Assigned (was: Untriaged)