CVE-2017-13715 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-13715
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-13715
CVSS severity score: 10/10.0

Description: The __skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel before 4.3 does not ensure that n_proto, ip_proto, and thoff are initialized, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a single crafted MPLS packet.

This bug was filed by http://go/vomit. Please contact us at vomit-team@google.com if you need any assistance.
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bdcc22077867d796099f61391c2a99f65bd908a7

commit bdcc22077867d796099f61391c2a99f65bd908a7
Author: Tom Herbert <tom@herbertland.com>
Date: Tue Sep 12 05:47:14 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/bdcc22077867d796099f61391c2a99f65bd908a7/net/core/flow_dissector.c
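The commit message above describes the shape of the fix rather than its diff: early returns on a parse failure are replaced by a jump to one exit label that always writes the protocol fields. The C program below is an added example, not the kernel's code or the backport itself. Its `struct key_control`, the two dissectors `dissect_early_return` and `dissect_goto_out`, the `writes_output` helper and the two sample frames are all constructed for illustration; the parser is a toy that recognises only an EtherType, an optional MPLS label entry and an IPv4 header. It poisons the output with sentinel values so that the path the advisory describes (output never initialised on a truncated MPLS packet) becomes observable, and then shows the same input through the exit-label form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's key_control with the three fields the
 * advisory names. Hypothetical layout and helper names, not the kernel's. */
struct key_control {
    uint16_t n_proto;  /* last network-layer protocol (EtherType) seen */
    uint8_t ip_proto;  /* transport protocol, 0 if none was parsed */
    int thoff;         /* offset of the transport header */
};

#define ETH_P_IPV4 0x0800
#define ETH_P_MPLS 0x8847

/* "Before" shape: a parse failure returns at once and never writes the output,
 * so the caller reads whatever the memory held before the call. */
static bool dissect_early_return(const uint8_t *d, size_t len, struct key_control *kc)
{
    uint16_t proto;
    uint8_t ip_proto = 0;
    size_t off = 2;
    if (len < 2)
        return false;                        /* kc left untouched */
    proto = (uint16_t)((d[0] << 8) | d[1]);  /* EtherType */
    if (proto == ETH_P_MPLS) {
        if (len < off + 4)                   /* truncated label entry */
            return false;                    /* kc left untouched */
        off += 4;
        proto = ETH_P_IPV4;                  /* example assumes IPv4 under MPLS */
    }
    if (proto == ETH_P_IPV4) {
        if (len < off + 20)                  /* truncated IPv4 header */
            return false;                    /* kc left untouched */
        ip_proto = d[off + 9];               /* IPv4 protocol byte */
        off += 20;
    }
    kc->n_proto = proto;
    kc->ip_proto = ip_proto;
    kc->thoff = (int)off;
    return true;
}

/* "After" shape, the pattern the backport describes: every failure jumps to one
 * exit label, which always writes whatever was parsed before the problem. */
static bool dissect_goto_out(const uint8_t *d, size_t len, struct key_control *kc)
{
    bool ret = false;
    uint16_t proto = 0;
    uint8_t ip_proto = 0;
    size_t off = 0;
    if (len < 2)
        goto out;
    proto = (uint16_t)((d[0] << 8) | d[1]);
    off = 2;
    if (proto == ETH_P_MPLS) {
        if (len < off + 4)
            goto out;
        off += 4;
        proto = ETH_P_IPV4;
    }
    if (proto == ETH_P_IPV4) {
        if (len < off + 20)
            goto out;
        ip_proto = d[off + 9];
        off += 20;
    }
    ret = true;
out:
    kc->n_proto = proto;
    kc->ip_proto = ip_proto;
    kc->thoff = (int)off;
    return ret;
}

/* Constructed samples: MPLS with only 2 of 4 label bytes, and a complete IPv4/TCP frame. */
static const uint8_t truncated_mpls[] = { 0x88, 0x47, 0x00, 0x01 };
static const uint8_t ipv4_tcp[] = { 0x08, 0x00, 0x45, 0, 0, 0, 0, 0, 0, 0, 0, 6,
                                    0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Poisons the output with sentinels, runs one dissector, and returns whether it
 * wrote the output on that path; *out receives the resulting struct. */
static bool writes_output(bool (*dissect)(const uint8_t *, size_t, struct key_control *),
                          const uint8_t *d, size_t len, struct key_control *out)
{
    struct key_control kc = { 0xFFFF, 0xFF, -1 };
    dissect(d, len, &kc);
    *out = kc;
    return !(kc.n_proto == 0xFFFF && kc.ip_proto == 0xFF && kc.thoff == -1);
}

int main(void)
{
    struct key_control kc;
    bool before = writes_output(dissect_early_return, truncated_mpls, sizeof truncated_mpls, &kc);
    bool after = writes_output(dissect_goto_out, truncated_mpls, sizeof truncated_mpls, &kc);
    printf("truncated MPLS: early-return wrote output: %d, goto-out wrote output: %d (n_proto=0x%04x)\n",
           before, after, kc.n_proto);
    writes_output(dissect_goto_out, ipv4_tcp, sizeof ipv4_tcp, &kc);
    printf("IPv4/TCP: ip_proto=%u thoff=%d\n", kc.ip_proto, kc.thoff);
    return 0;
}
```

Both dissectors return false for the truncated frame; the difference is what the caller may trust afterwards. The sentinel makes the gap visible here, whereas in real code the fields would hold whatever the previous stack user left, which is the "does not ensure ... are initialized" condition in the advisory. The exit-label form also keeps the partial information (the MPLS EtherType was seen, no transport header was reached), which is the point the commit message makes about key_tags.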
Sep 12 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.
This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 12 2017
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Sep 12 2017
Still need to apply (or at least try to apply) to older kernels.
Sep 12 2017
Approving merge to M61.
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1b4ebab9a00b58f642dc639ef63a447e6b9dfb5d

commit 1b4ebab9a00b58f642dc639ef63a447e6b9dfb5d
Author: Tom Herbert <tom@herbertland.com>
Date: Tue Sep 12 20:41:08 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit bdcc22077867d796099f61391c2a99f65bd908a7)
Reviewed-on: https://chromium-review.googlesource.com/664052

[modify] https://crrev.com/1b4ebab9a00b58f642dc639ef63a447e6b9dfb5d/net/core/flow_dissector.c
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6007f2f3d3a0ceff683375e976e2a7819b3ec6c9

commit 6007f2f3d3a0ceff683375e976e2a7819b3ec6c9
Author: Tom Herbert <tom@herbertland.com>
Date: Tue Sep 12 20:41:13 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit bdcc22077867d796099f61391c2a99f65bd908a7)
Reviewed-on: https://chromium-review.googlesource.com/664053

[modify] https://crrev.com/6007f2f3d3a0ceff683375e976e2a7819b3ec6c9/net/core/flow_dissector.c
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fd2668d8c0a0e2e730c80a11896c05711b1cafc5

commit fd2668d8c0a0e2e730c80a11896c05711b1cafc5
Author: Tom Herbert <tom@herbertland.com>
Date: Tue Sep 12 23:17:03 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/663200

[modify] https://crrev.com/fd2668d8c0a0e2e730c80a11896c05711b1cafc5/net/core/flow_dissector.c
Sep 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3a080eaf27b2094ae104f392b4cefbbe9382b8ee

commit 3a080eaf27b2094ae104f392b4cefbbe9382b8ee
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Sep 13 02:27:56 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/663525

[modify] https://crrev.com/3a080eaf27b2094ae104f392b4cefbbe9382b8ee/net/core/flow_dissector.c
Sep 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fb794f8ec39df4a399e5afb2253112918f423202

commit fb794f8ec39df4a399e5afb2253112918f423202
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Sep 13 02:28:01 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/663526

[modify] https://crrev.com/fb794f8ec39df4a399e5afb2253112918f423202/net/core/flow_dissector.c
Sep 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5129b81ef289ed38e19d715207a34233557696f3

commit 5129b81ef289ed38e19d715207a34233557696f3
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Sep 13 04:37:12 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/663198

[modify] https://crrev.com/5129b81ef289ed38e19d715207a34233557696f3/net/core/flow_dissector.c
Sep 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6885f4907f0b5eff894484308f8b27b8d369a962

commit 6885f4907f0b5eff894484308f8b27b8d369a962
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Sep 13 05:22:25 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/664054

[modify] https://crrev.com/6885f4907f0b5eff894484308f8b27b8d369a962/net/core/flow_dissector.c
Sep 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fa20187f0e2733cb504b92d0aecee22e2980741b

commit fa20187f0e2733cb504b92d0aecee22e2980741b
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Sep 13 05:22:29 2017

BACKPORT: flow_dissector: Jump to exit code in __skb_flow_dissect

Instead of returning immediately (on a parsing failure for instance) we jump to cleanup code. This always sets protocol values in key_control (even on a failure there is still valid information in the key_tags that was set before the problem was hit).

BUG=chromium:763645
TEST=Build and run

Change-Id: If00aa1704cc260f47d541c974c0fbf31e859d89c
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: Various code flow changes]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a6e544b0a88b)
Reviewed-on: https://chromium-review.googlesource.com/658997
Reviewed-by: Dylan Reid <dgreid@chromium.org>

Conflicts:
	net/core/flow_dissector.c

Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/663524

[modify] https://crrev.com/fa20187f0e2733cb504b92d0aecee22e2980741b/net/core/flow_dissector.c
Dec 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Sep 9 2017
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect"). Affects chromeos-3.18 and older kernels.