Thanks for the report. Has this been reported upstream?

groeck, could you please take a look to see if this affects ChromeOS?

It doesn't immediately affect ChromeOS since we don't ship anything above chromeos-4.4 at this time. Our latest development version is chromeos-4.12 which is not affected either. It _will_ affect chromeos-4.14 unless fixed.

However, unless I am really missing something, the bug is absolutely valid, critical, and does affect v4.13 and later kernels. I set severity and impact fields accordingly.

Kees, are you aware of this problem ? Do you know if it is already being worked on, and if there is a CVE ?

[ I assigned the bug to myself, primarily for tracking. Strictly speaking this would be a WontFix, since it doesn't apply to existing ChromeOS versions, but it is too critical to ignore. ]

This is the first I've seen the issue. Introduced upstream in commit 4c48abe91be03d191d0c20cc755877da2cb35622. Assigned as CVE-2017-5123.

Thanks for investigating.

Removing Security-Impact-None since users using Linux would be impacted too. 

Severity-High for sandbox escape, since Critical is reserved for full chain exploits.

I think ExternalDependency is the right status here since there's nothing actionable for us right now.

Thanks for the quick response. Has this been reported upstream or to someone who
 will fix it? Or is that something I need to do?

Fix should be straightforward and a two-liner. I'll be happy to do it unless someone else wants to pick it up. Kees - is it ok to submit a patch upstream ? If so, anything to watch out for ?

... and if I submit a patch, can/should I add the submitter of this bug as Reported-by: ?

Of course I'd like to be acknowledged in the "reported by" field if possible :)

I've reported this upstream (with credit to Chris), it should be publish on the 12th. (Technically a 4 line change, since it's needed in two places, but yes.) :)

#13: I assume that means that someone else (Al Viro ?) will submit a patch ?

I submitted the patch already, but tried to open discussion about just doing a revert. I think they're going to just go with the patch instead.

Great, thanks!

Fixed upstream with commit 96ca579a1ecc ("waitid(): Add missing access_ok() checks"). Fixed in v4.13.7 with commit sha 3da54587cf4c. Marking as WontFix (not applicable to any chromeos kernels, and fixed in all affected upstream kernels).

Doesn't this qualify for the Vulnerability Rewards Program?

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Congratulations chrissalls5@! The VRP panel decided to award $15,000 for this bug!  A member of our finance team will be in touch to arrange for payment.

Wow. Thank you very much!!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot