CrOS: Vulnerability reported in sys-kernel/chromeos-kernel-3_14
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: sys-kernel/chromeos-kernel-3_14
Package Version: [cpe:/o:linux:linux_kernel:3.14]
Advisory: CVE-2017-5897
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-5897
CVSS severity score: 7.5/10.0
Confidence: high
Description: The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.
Sep 11 2017
Issue 763706 has been merged into this issue.

Sep 11 2017
Issue 763705 has been merged into this issue.

Sep 11 2017
Issue 763702 has been merged into this issue.

Sep 11 2017
Issue 763703 has been merged into this issue.
Issue 763704 has been merged into this issue.

Sep 11 2017

Sep 11 2017
> Does ChromeOS's kernel enable GRE routing? Currently, it looks like CONFIG_IPV6_GRE is disabled on all of our kernels. v4.4 has the fix already. The Fixes: line points to a commit in v3.7 which introduced the bug. The backport from the 3.18 -stable tree seems to apply cleanly to v3.8, v3.10, v3.14, and v3.18 so I sent out (untested) CLs for review in case we want to pick this up anyway.
Sep 19 2017
Judging by #7, this doesn't affect Chrome OS, right? Do we gain anything by patching it anyway?
Sep 20 2017
#8: I usually do apply such security patches if they apply cleanly. This way I know that just in case someone _does_ enable the feature in the future, it is fixed. I don't apply such patches to stable releases, though. This probably doesn't matter that much for older kernels, but is quite important in 4.4 and later since we now have secondary users (Lakitu) and VM configurations which may change more often. If there is no plan to apply the patches, I would suggest to mark the patch WontFix.
Sep 20 2017
Thanks, #9! cernekee: Please either patch or WontFix as you see fit.
Sep 25 2017
If we don't patch we should update the kernel_ConfigVerify test to ensure this feature doesn't get accidentally enabled.
Sep 25 2017

Sep 26 2017

Sep 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/44aa50fbf23a3bbc9364e03b70df7e9e7b19307a

commit 44aa50fbf23a3bbc9364e03b70df7e9e7b19307a
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Sep 26 20:36:07 2017

UPSTREAM: ip6_gre: fix ip6gre_err() invalid reads

[ Upstream commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 ]

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code
more readable.

p[1] becomes greh->protocol.

grehlen is the GRE header length.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3bbaa8061856b883c9deb16d1942188ef2608850)

BUG= chromium:763707
TEST=none

Change-Id: I4d7c216b216c3ea3dd66c488daf7adfc08fedf9f
Reviewed-on: https://chromium-review.googlesource.com/660887
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/44aa50fbf23a3bbc9364e03b70df7e9e7b19307a/net/ipv6/ip6_gre.c
Sep 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/39e4a545c18a0dc3c66315314b39ad5ab8c8ea92

commit 39e4a545c18a0dc3c66315314b39ad5ab8c8ea92
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Sep 26 20:36:14 2017

UPSTREAM: ip6_gre: fix ip6gre_err() invalid reads

[ Upstream commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 ]

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code
more readable.

p[1] becomes greh->protocol.

grehlen is the GRE header length.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3bbaa8061856b883c9deb16d1942188ef2608850)

BUG= chromium:763707
TEST=none

Change-Id: I4d7c216b216c3ea3dd66c488daf7adfc08fedf9f
Reviewed-on: https://chromium-review.googlesource.com/660888
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/39e4a545c18a0dc3c66315314b39ad5ab8c8ea92/net/ipv6/ip6_gre.c
Sep 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1f59add29ead1a6bfe38963c30ed04daaa8612de

commit 1f59add29ead1a6bfe38963c30ed04daaa8612de
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Sep 26 20:36:12 2017

UPSTREAM: ip6_gre: fix ip6gre_err() invalid reads

[ Upstream commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 ]

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code
more readable.

p[1] becomes greh->protocol.

grehlen is the GRE header length.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3bbaa8061856b883c9deb16d1942188ef2608850)

BUG= chromium:763707
TEST=none

Change-Id: I4d7c216b216c3ea3dd66c488daf7adfc08fedf9f
Reviewed-on: https://chromium-review.googlesource.com/660886
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/1f59add29ead1a6bfe38963c30ed04daaa8612de/net/ipv6/ip6_gre.c
Sep 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e6720794c41ac8327dc4b78b62b34086b9ced277

commit e6720794c41ac8327dc4b78b62b34086b9ced277
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Sep 26 23:14:14 2017

UPSTREAM: ip6_gre: fix ip6gre_err() invalid reads

[ Upstream commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 ]

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression

*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this code
more readable.

p[1] becomes greh->protocol.

grehlen is the GRE header length.

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3bbaa8061856b883c9deb16d1942188ef2608850)

BUG= chromium:763707
TEST=none

Change-Id: I4d7c216b216c3ea3dd66c488daf7adfc08fedf9f
Reviewed-on: https://chromium-review.googlesource.com/661386
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e6720794c41ac8327dc4b78b62b34086b9ced277/net/ipv6/ip6_gre.c
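To make the offset arithmetic in the cherry-picked commit message above concrete, here is an added example; it is not the kernel's code and not part of this bug's CLs. It is a standalone C reconstruction of the two key-offset computations (the pre-fix `grehlen / 4 - 1` expression and the fixed `key_off = offset + grehlen`) run against a constructed IPv6 + GRE packet. The packet builder, the `parse_key`/`demo_*` helpers and their result codes are this example's own; the GRE flag bit values are those of the Linux UAPI header, written in host order.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GRE header flag bits in host order (the kernel keeps them as __be16;
 * these are the same bits after ntohs()). Values from linux/if_tunnel.h. */
#define GRE_CSUM    0x8000u
#define GRE_ROUTING 0x4000u
#define GRE_KEY     0x2000u
#define GRE_VERSION 0x0007u

#define IPV6_HDR_LEN 40   /* fixed IPv6 header; the "offset" ip6gre_err() receives */
#define GRE_BASE_LEN 4    /* flags (2) + protocol (2) */
#define DEMO_KEY 0xAABBCCDDu  /* constructed key value for the sample packet */

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Key offset as the pre-fix ip6gre_err() computed it. grehlen starts at
 * offset + 4, so it already contains the IPv6 header length, but the word
 * index (grehlen / 4 - 1) is then applied to p, which points past the IPv6
 * header. The IPv6 length is counted twice: the result is `offset` bytes
 * beyond the real key. */
static size_t buggy_key_offset(size_t offset, uint16_t flags)
{
    size_t grehlen = offset + GRE_BASE_LEN;
    if (flags & GRE_KEY) {
        grehlen += 4;
        if (flags & GRE_CSUM)
            grehlen += 4;
    }
    return offset + (grehlen / 4 - 1) * 4;
}

/* Key offset after the fix: grehlen counts only the GRE header, and
 * key_off = offset + grehlen is taken before the key's own 4 bytes are added. */
static size_t fixed_key_offset(size_t offset, uint16_t flags)
{
    size_t grehlen = GRE_BASE_LEN;
    if (flags & GRE_CSUM)
        grehlen += 4;
    return offset + grehlen;
}

/* Extract the tunnel key the way ip6gre_err() hands it to the tunnel lookup.
 * Returns 0 and sets *key; -1 for packets the kernel also ignores (routing or
 * version bits set); -2 when the computed key offset lies outside the packet,
 * which is the invalid read reported against the kernel, where pskb_may_pull()
 * had only guaranteed data up to the end of the GRE header. */
static int parse_key(const uint8_t *pkt, size_t len, size_t offset,
                     int use_fix, uint32_t *key)
{
    if (len < offset + GRE_BASE_LEN)
        return -1;
    uint16_t flags = get_be16(pkt + offset);
    if (flags & (GRE_VERSION | GRE_ROUTING))
        return -1;
    if (!(flags & GRE_KEY)) {
        *key = 0;
        return 0;
    }
    size_t koff = use_fix ? fixed_key_offset(offset, flags)
                          : buggy_key_offset(offset, flags);
    if (koff + 4 > len)
        return -2;
    *key = get_be32(pkt + koff);
    return 0;
}

/* Constructed sample packet: zeroed 40-byte IPv6 header (version nibble and
 * next header 47 = GRE set), then a GRE header with the given flags, an
 * all-zero checksum word if GRE_CSUM is set, and the key if GRE_KEY is set. */
static size_t build_packet(uint8_t *buf, uint16_t flags, uint32_t key)
{
    memset(buf, 0, IPV6_HDR_LEN);
    buf[0] = 0x60;                     /* IPv6 version */
    buf[6] = 47;                       /* next header: GRE */
    size_t n = IPV6_HDR_LEN;
    buf[n++] = (uint8_t)(flags >> 8);
    buf[n++] = (uint8_t)flags;
    buf[n++] = 0x86; buf[n++] = 0xDD;  /* GRE protocol: IPv6 */
    if (flags & GRE_CSUM) { memset(buf + n, 0, 4); n += 4; }
    if (flags & GRE_KEY) {
        buf[n++] = (uint8_t)(key >> 24); buf[n++] = (uint8_t)(key >> 16);
        buf[n++] = (uint8_t)(key >> 8);  buf[n++] = (uint8_t)key;
    }
    buf[4] = (uint8_t)((n - IPV6_HDR_LEN) >> 8);  /* IPv6 payload length */
    buf[5] = (uint8_t)(n - IPV6_HDR_LEN);
    return n;
}

/* Parse the constructed packet with either offset computation. */
static int demo_parse(uint16_t flags, int use_fix, uint32_t *key)
{
    uint8_t pkt[IPV6_HDR_LEN + 12];
    size_t len = build_packet(pkt, flags, DEMO_KEY);
    *key = 0;
    return parse_key(pkt, len, IPV6_HDR_LEN, use_fix, key);
}
static int demo_status(uint16_t flags, int use_fix)
{ uint32_t key; return demo_parse(flags, use_fix, &key); }
static uint32_t demo_key(uint16_t flags, int use_fix)
{ uint32_t key; demo_parse(flags, use_fix, &key); return key; }

int main(void)
{
    printf("key offset, pre-fix: %zu  fixed: %zu  (packet is %d bytes)\n",
           buggy_key_offset(IPV6_HDR_LEN, GRE_KEY),
           fixed_key_offset(IPV6_HDR_LEN, GRE_KEY), IPV6_HDR_LEN + 8);
    printf("pre-fix parse: rc=%d\n", demo_status(GRE_KEY, 0));
    printf("fixed parse:   rc=%d key=0x%08x\n",
           demo_status(GRE_KEY, 1), demo_key(GRE_KEY, 1));
    return 0;
}
```

With a plain 40-byte IPv6 header the pre-fix expression lands at byte 84 of a 48-byte packet, exactly `offset` bytes past the real key at byte 44 (with GRE_CSUM it is 88 versus 48, the same 40-byte gap). That is the "~40 bytes after the expected point" in the commit message; with IPv6 extension headers before the GRE header the gap grows with `offset`. In the kernel the read is past what `pskb_may_pull()` guaranteed, which is why it shows up as an out-of-bounds access rather than a wrong lookup.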
Sep 26 2017

Sep 27 2017

Jan 3 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Sep 11 2017
Components: OS>Kernel