CVE-2017-14340 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2017-14340
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-14340
CVSS severity score: 4.9/10.0
Description: The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Sep 27 2017
Upstream b31ff3cdf540 ("xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present"). Fixed in chromeos-4.12. Needed in older kernels.
Sep 27 2017
Systems with CONFIG_XFS_RT disabled are not affected by this CVE. CONFIG_XFS_RT is disabled in all ChromeOS configurations (virtual and real). No stable/beta impact.
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5d55886df9588acd292456be778cc3c3ea88c151

commit 5d55886df9588acd292456be778cc3c3ea88c151
Author: Richard Wareing <rwareing@fb.com>
Date: Tue Oct 03 03:25:40 2017

UPSTREAM: xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present

If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on a directory in a filesystem that does not have a realtime device and create a new file in that directory, it gets marked as a real time file. When data is written and a fsync is issued, the filesystem attempts to flush a non-existent rt device during the fsync process. This results in a crash dereferencing a null buftarg pointer in xfs_blkdev_issue_flush():

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: xfs_blkdev_issue_flush+0xd/0x20
.....
Call Trace:
xfs_file_fsync+0x188/0x1c0
vfs_fsync_range+0x3b/0xa0
do_fsync+0x3d/0x70
SyS_fsync+0x10/0x20
do_syscall_64+0x4d/0xb0
entry_SYSCALL64_slow_path+0x25/0x25

Setting RT inode flags does not require special privileges so any unprivileged user can cause this oops to occur.

To reproduce, confirm kernel is compiled with CONFIG_XFS_RT=y and run:

# mkfs.xfs -f /dev/pmem0
# mount /dev/pmem0 /mnt/test
# mkdir /mnt/test/foo
# xfs_io -c 'chattr +t' /mnt/test/foo
# xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar

Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.

Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.

BUG=chromium:769252
TEST=Build and run

Change-Id: Id4253009cccb621cd543c636f603f025892dcc70
Fixes: f538d4da8d52 ("[XFS] write barrier support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Richard Wareing <rwareing@fb.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit b31ff3cdf540)
Reviewed-on: https://chromium-review.googlesource.com/688014
Reviewed-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/5d55886df9588acd292456be778cc3c3ea88c151/fs/xfs/xfs_linux.h
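As an added illustration (not code from this tracker page or from the kernel tree), the check the commit message above describes, modelled in a few lines of C: a stripped-down mount/inode model whose field names follow the kernel's (m_rtdev_targp, di_flags, XFS_DIFLAG_REALTIME) but are constructed here, the unguarded flag test beside the guarded one, and a simulated fsync flush decision that reports whether it would hand a NULL buftarg to the flush. The macro names with _OLD/_NEW suffixes and fsync_would_oops() are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (constructed for this example) of the XFS structures
 * involved; field names follow the kernel's, but these are not its definitions. */
#define XFS_DIFLAG_REALTIME 0x1  /* inode data lives on the realtime device */

struct xfs_buftarg { const char *name; };
struct xfs_mount   { struct xfs_buftarg *m_rtdev_targp; }; /* NULL: no rt device */
struct xfs_inode   { struct xfs_mount *i_mount; uint16_t di_flags; };

/* Unguarded check: only the inode flag is consulted. A file created under a
 * directory with RHINHERIT set carries the flag even when the mount has no
 * realtime device. */
#define XFS_IS_REALTIME_INODE_OLD(ip) \
    (((ip)->di_flags & XFS_DIFLAG_REALTIME) != 0)

/* Guarded check, in the shape the commit message describes: the inode counts
 * as realtime only if the mount actually has a realtime buftarg. */
#define XFS_IS_REALTIME_INODE_NEW(ip) \
    (XFS_IS_REALTIME_INODE_OLD(ip) && (ip)->i_mount->m_rtdev_targp != NULL)

/* Model of the fsync flush decision: choose the buftarg whose device is flushed.
 * A NULL result is the missing rt device the real kernel dereferences in
 * xfs_blkdev_issue_flush(). */
static struct xfs_buftarg *flush_target(const struct xfs_inode *ip, bool patched,
                                        struct xfs_buftarg *datadev)
{
    bool rt = patched ? XFS_IS_REALTIME_INODE_NEW(ip) : XFS_IS_REALTIME_INODE_OLD(ip);
    return rt ? ip->i_mount->m_rtdev_targp : datadev;
}

/* True if fsync on an RT-flagged inode of a mount without an rt device would
 * hand a NULL buftarg to the flush under the chosen variant of the macro. */
bool fsync_would_oops(bool patched)
{
    struct xfs_buftarg datadev = { "datadev" };
    struct xfs_mount mp = { .m_rtdev_targp = NULL };     /* plain mkfs.xfs, no rt device */
    struct xfs_inode ip = { .i_mount = &mp, .di_flags = XFS_DIFLAG_REALTIME }; /* via RHINHERIT */
    return flush_target(&ip, patched, &datadev) == NULL;
}

int main(void)
{
    printf("unpatched: %s\n", fsync_would_oops(false) ? "NULL buftarg (oops)" : "ok");
    printf("patched:   %s\n", fsync_would_oops(true) ? "NULL buftarg (oops)" : "ok");
    return 0;
}
```

The same reasoning explains the triage note on this issue: with CONFIG_XFS_RT=n the realtime check is compiled out entirely, so neither variant of the macro is ever reached.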
Oct 4 2017
Fixed in chromeos-4.4. Conflicts observed when applying to older kernels; WontFix there.
Jan 10 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Sep 27 2017
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)