Issue 762904

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



CVE-2017-14156 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Sep 7 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-14156
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-14156
  CVSS severity score: 2.1/10.0
  Description:

The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the Linux kernel through 4.12.10 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading locations associated with padding bytes.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 
Labels: Security_Severity-Low M-62 Security_Impact-None Pri-2
Owner: groeck@chromium.org
Status: ExternalDependency (was: Untriaged)
Fix not yet upstream. We are not affected, but should apply the patch once available upstream.

Issue 763338 has been merged into this issue.

Comment 3 by groeck@chromium.org, Sep 19 2017

Labels: -M-62 M-63
Status: Started (was: ExternalDependency)
Upstream 8e75f7a7a004 ("video: fbdev: aty: do not leak uninitialized padding in clk to userspace").

Comment 4 by groeck@chromium.org, Sep 19 2017

Will fix in chromeos-3.18 and later only; conflicts in earlier kernels add too much risk, and those kernels are full of information leaks anyway.

Project Member Comment 5 by bugdroid1@chromium.org, Sep 19 2017

Labels: merge-merged-chromeos-4.12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/22919b10b70d4271d0bdfaae040c18da0bd84c5c

commit 22919b10b70d4271d0bdfaae040c18da0bd84c5c
Author: Vladis Dronov <vdronov@redhat.com>
Date: Tue Sep 19 22:42:36 2017

UPSTREAM: video: fbdev: aty: do not leak uninitialized padding in clk to userspace

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this by ensuring all of
'clk' is initialized to zero.

BUG= chromium:762904 
TEST=Build and run

Change-Id: I414c8ad7057bfb560bfd15d5342e45e4ea0edb52
References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 8e75f7a7a004)
Reviewed-on: https://chromium-review.googlesource.com/673367
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/22919b10b70d4271d0bdfaae040c18da0bd84c5c/drivers/video/fbdev/aty/atyfb_base.c
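To make the mechanism in the advisory description and the commit message concrete, here is an added C model (not code from the kernel or from this bug's patch): a struct with the same field pattern as atyclk is filled field by field, which leaves the ABI padding byte after vclk_post_div untouched, while the fix's zero-the-whole-object approach clears it before the copy to userspace. The struct layout, the field values and the 0xAA "stale stack" marker are constructed assumptions, and copy_to_user is stood in for by memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's struct atyclk (assumption: seven u8 fields between
 * u32 fields), so the ABI inserts padding after vclk_post_div. */
struct atyclk_like {
    uint32_t ref_clk_per;
    uint8_t  pll_ref_div, mclk_fb_div, mclk_post_div, mclk_fb_mult,
             xclk_post_div, vclk_fb_div, vclk_post_div;
    uint32_t dsp_xclks_per_row;  /* padding byte(s) sit just before this */
};
/* The ioctl's stack slot as a union, so its raw bytes can be pre-filled with a
 * constructed marker standing in for stale data left by earlier calls. */
union clk_slot { struct atyclk_like clk; unsigned char raw[sizeof(struct atyclk_like)]; };
#define STALE 0xAA

/* Every named field is assigned, yet the padding is never written, so it still
 * holds old stack contents when the struct is copied out (the reported bug). */
static void fill_clk_vulnerable(struct atyclk_like *c) {
    c->ref_clk_per = 2700; c->pll_ref_div = 3;  c->mclk_fb_div = 0x49;
    c->mclk_post_div = 1;  c->mclk_fb_mult = 2; c->xclk_post_div = 1;
    c->vclk_fb_div = 0x68; c->vclk_post_div = 2; c->dsp_xclks_per_row = 64;
}
/* The fix's approach: zero the whole object before filling it. memset is used
 * because C does not require a "= {0}" initializer to clear padding bytes. */
static void fill_clk_fixed(struct atyclk_like *c) {
    memset(c, 0, sizeof(*c));
    fill_clk_vulnerable(c);
}

/* Padding bytes between vclk_post_div and dsp_xclks_per_row (1 on x86-64/arm64). */
size_t padding_after_vclk(void) {
    return offsetof(struct atyclk_like, dsp_xclks_per_row)
         - offsetof(struct atyclk_like, vclk_post_div) - 1;
}

/* One simulated ioctl: poison the slot, fill it, copy it out as copy_to_user
 * would, and count padding bytes in the user copy that still carry the marker. */
size_t stale_padding_bytes_leaked(int hardened) {
    union clk_slot slot;
    unsigned char user_copy[sizeof(struct atyclk_like)];
    size_t i, start = offsetof(struct atyclk_like, vclk_post_div) + 1, leaked = 0;
    memset(slot.raw, STALE, sizeof slot.raw);
    if (hardened) fill_clk_fixed(&slot.clk); else fill_clk_vulnerable(&slot.clk);
    memcpy(user_copy, slot.raw, sizeof user_copy);  /* stands in for copy_to_user */
    for (i = 0; i < padding_after_vclk(); i++)
        if (user_copy[start + i] == STALE) leaked++;
    return leaked;
}
```

The same pattern applies to any kernel object assembled on the stack and handed to copy_to_user: assigning every member is not enough, because the compiler never writes the padding.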

Project Member Comment 6 by bugdroid1@chromium.org, Sep 19 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/10b3b7d0ea2634762ef4dff4a3a7ceadf652f1b3

commit 10b3b7d0ea2634762ef4dff4a3a7ceadf652f1b3
Author: Vladis Dronov <vdronov@redhat.com>
Date: Tue Sep 19 22:42:38 2017

UPSTREAM: video: fbdev: aty: do not leak uninitialized padding in clk to userspace

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this by ensuring all of
'clk' is initialized to zero.

BUG= chromium:762904 
TEST=Build and run

Change-Id: I414c8ad7057bfb560bfd15d5342e45e4ea0edb52
References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 8e75f7a7a004)
Reviewed-on: https://chromium-review.googlesource.com/673348
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/10b3b7d0ea2634762ef4dff4a3a7ceadf652f1b3/drivers/video/fbdev/aty/atyfb_base.c

Project Member Comment 7 by bugdroid1@chromium.org, Sep 19 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/30e775d6aa74b8c95b6de13a11f2c109add09922

commit 30e775d6aa74b8c95b6de13a11f2c109add09922
Author: Vladis Dronov <vdronov@redhat.com>
Date: Tue Sep 19 22:42:41 2017

UPSTREAM: video: fbdev: aty: do not leak uninitialized padding in clk to userspace

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this by ensuring all of
'clk' is initialized to zero.

BUG= chromium:762904 
TEST=Build and run

Change-Id: I414c8ad7057bfb560bfd15d5342e45e4ea0edb52
References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 8e75f7a7a004)
Reviewed-on: https://chromium-review.googlesource.com/673347
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/30e775d6aa74b8c95b6de13a11f2c109add09922/drivers/video/fbdev/aty/atyfb_base.c

Comment 8 by groeck@chromium.org, Sep 19 2017

Status: Fixed (was: Started)

Project Member Comment 9 by sheriffbot@chromium.org, Sep 20 2017

Labels: Restrict-View-SecurityNotify

Project Member Comment 10 by sheriffbot@chromium.org, Dec 27 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot