CVE-2017-1000111 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-1000111
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-1000111
CVSS severity score: 7.2/10.0

Description:
Linux kernel: heap out-of-bounds in AF_PACKET sockets.

This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update.

This issue may be exploitable; we did not investigate further.

As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Nov 2 2017
Already fixed in chromeos-4.4 M-63 (commit 63364a508d24). Required in older kernel releases.
Nov 2 2017
Requesting merge to 62 and 62 v4.4 as well, for lakitu. Thanks.
Nov 2 2017
Nov 2 2017
Note: M-62 and M-61 merge requests are only for chromeos-4.4.
Nov 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/712116d40a530fc68a25f7feec756202c223c325

commit 712116d40a530fc68a25f7feec756202c223c325
Author: Willem de Bruijn <willemb@google.com>
Date: Fri Nov 03 01:36:46 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/712116d40a530fc68a25f7feec756202c223c325/net/packet/af_packet.c
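The race described in the issue description and the fix pattern named in the commit message above, as an added example that is not part of this bug or of the kernel tree: a single-threaded user-space model (constructed struct, function names and sizes) in which an unlocked PACKET_RESERVE setter can invalidate packet_set_ring's frame-size check between check and commit, while a setter that takes the socket lock and refuses the update once a ring exists cannot.

```c
/* Added example, not from the tracker or the kernel tree: a single-threaded
 * user-space model of the tp_reserve / packet_set_ring race and of the fix
 * pattern (update tp_reserve only under the socket lock, -EBUSY once a ring
 * exists). The struct, the *_model names and the sizes are constructed. */
#include <errno.h>
#include <stdbool.h>

struct packet_sock_model {
    int locked;              /* stands in for lock_sock(sk) / release_sock(sk) */
    unsigned int tp_hdrlen;  /* header bytes every ring frame must hold */
    unsigned int tp_reserve; /* PACKET_RESERVE: extra headroom per frame */
    unsigned int frame_size; /* 0 means no ring is mapped */
};
void lock_sock_model(struct packet_sock_model *po)    { po->locked = 1; }
void release_sock_model(struct packet_sock_model *po) { po->locked = 0; }

/* What packet_set_ring's size check is meant to guarantee once a ring exists. */
bool ring_invariant_holds(const struct packet_sock_model *po)
{
    return po->frame_size == 0 || po->frame_size >= po->tp_hdrlen + po->tp_reserve;
}

/* Vulnerable shape: PACKET_RESERVE writes tp_reserve with no lock and no check
 * for an existing ring, so the write can land between packet_set_ring's size
 * check and its commit. Check and commit are split so the interleaving can be driven. */
int set_ring_check_unlocked(const struct packet_sock_model *po, unsigned int fs)
{
    return fs < po->tp_hdrlen + po->tp_reserve ? -EINVAL : 0;
}
void set_ring_commit_unlocked(struct packet_sock_model *po, unsigned int fs) { po->frame_size = fs; }
void set_reserve_unlocked(struct packet_sock_model *po, unsigned int val) { po->tp_reserve = val; }

/* Fixed shape (the pattern of upstream c27927e372f0): the update is taken under
 * the socket lock and refused once a ring exists. packet_set_ring's check and
 * commit already run under that lock, so tp_reserve cannot change between them. */
int set_reserve_locked(struct packet_sock_model *po, unsigned int val)
{
    lock_sock_model(po);
    int ret = po->frame_size != 0 ? -EBUSY : (po->tp_reserve = val, 0);
    release_sock_model(po);
    return ret;
}
int set_ring_locked(struct packet_sock_model *po, unsigned int fs)
{
    lock_sock_model(po);
    int ret = fs < po->tp_hdrlen + po->tp_reserve ? -EINVAL : (po->frame_size = fs, 0);
    release_sock_model(po);
    return ret;
}

/* Drives the losing interleaving against the unlocked shape: a 64-byte frame
 * passes the check, the reserve then grows to 1024, and the ring commits. */
bool race_breaks_invariant_unlocked(void)
{
    struct packet_sock_model po = { 0, 32, 0, 0 };
    if (set_ring_check_unlocked(&po, 64) != 0)
        return false;
    set_reserve_unlocked(&po, 1024);     /* the racing setsockopt lands here */
    set_ring_commit_unlocked(&po, 64);
    return !ring_invariant_holds(&po);   /* true: 64 < 32 + 1024 */
}
```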
Nov 3 2017
Nov 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/eb7f086c814368e30ee838b7a7893774be182ceb

commit eb7f086c814368e30ee838b7a7893774be182ceb
Author: Willem de Bruijn <willemb@google.com>
Date: Fri Nov 03 23:29:01 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753961

[modify] https://crrev.com/eb7f086c814368e30ee838b7a7893774be182ceb/net/packet/af_packet.c
Nov 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b69a720d550bbd6dea91209577746e79d6d89851

commit b69a720d550bbd6dea91209577746e79d6d89851
Author: Willem de Bruijn <willemb@google.com>
Date: Fri Nov 03 23:29:03 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753962

[modify] https://crrev.com/b69a720d550bbd6dea91209577746e79d6d89851/net/packet/af_packet.c
Nov 4 2017
M-63 merge request for chromeos-3.18 and older.
Nov 4 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Nov 4 2017
Nov 6 2017
Adding back the merge requests for 61 and 62 chromeos-4.4. Needed for lakitu.
Nov 6 2017
Too late for M61 in CrOS but approving M-62/M-63
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4575fcb28a0976c9a7276239b885e0460d24f4cb

commit 4575fcb28a0976c9a7276239b885e0460d24f4cb
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:49:27 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753961
(cherry picked from commit eb7f086c814368e30ee838b7a7893774be182ceb)
Reviewed-on: https://chromium-review.googlesource.com/755737

[modify] https://crrev.com/4575fcb28a0976c9a7276239b885e0460d24f4cb/net/packet/af_packet.c
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/799619bf9354d090dd61f5b597108c4d3acec7bd

commit 799619bf9354d090dd61f5b597108c4d3acec7bd
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:49:35 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/755734

[modify] https://crrev.com/799619bf9354d090dd61f5b597108c4d3acec7bd/net/packet/af_packet.c
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/305d9fa321e5aca4b5120a0614399841067426b2

commit 305d9fa321e5aca4b5120a0614399841067426b2
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:49:45 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753962
(cherry picked from commit b69a720d550bbd6dea91209577746e79d6d89851)
Reviewed-on: https://chromium-review.googlesource.com/755739

[modify] https://crrev.com/305d9fa321e5aca4b5120a0614399841067426b2/net/packet/af_packet.c
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/62bee4b1de1b8f0efba0d02f921520599e862c21

commit 62bee4b1de1b8f0efba0d02f921520599e862c21
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:49:52 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753962
(cherry picked from commit b69a720d550bbd6dea91209577746e79d6d89851)
Reviewed-on: https://chromium-review.googlesource.com/755738

[modify] https://crrev.com/62bee4b1de1b8f0efba0d02f921520599e862c21/net/packet/af_packet.c
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f59ef0b48a680962d592d83e2a770753f5b2f1ca

commit f59ef0b48a680962d592d83e2a770753f5b2f1ca
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:49:59 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/755735

[modify] https://crrev.com/f59ef0b48a680962d592d83e2a770753f5b2f1ca/net/packet/af_packet.c
Nov 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8624862c677a46e719a6b569074f6dd5457b0d9f

commit 8624862c677a46e719a6b569074f6dd5457b0d9f
Author: Willem de Bruijn <willemb@google.com>
Date: Mon Nov 06 20:50:03 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=Run syzkaller reproducer

Change-Id: I1006e6d4716f912aee319ebb0491330bcebd9c23
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/751810
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 712116d40a530fc68a25f7feec756202c223c325)
Reviewed-on: https://chromium-review.googlesource.com/753961
(cherry picked from commit eb7f086c814368e30ee838b7a7893774be182ceb)
Reviewed-on: https://chromium-review.googlesource.com/755736

[modify] https://crrev.com/8624862c677a46e719a6b569074f6dd5457b0d9f/net/packet/af_packet.c
Nov 6 2017
Nov 6 2017
Nov 6 2017
Considering this is a 7 point CVE, and 61 is a month away from deprecation (maybe even longer due to the holiday production freezes), we'd like the fix to be cherry-picked to 61 as well, for lakitu. We still have A LOT of users on it, and will have to continue supporting it. The merge request is for chromeos-4.4 only.
Nov 7 2017
Nov 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a677c8633c4359de285448f29ce15994cbad1a75

commit a677c8633c4359de285448f29ce15994cbad1a75
Author: Willem de Bruijn <willemb@google.com>
Date: Wed Nov 08 22:49:48 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=trybot

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 63364a508d24944abb0975bd823cb11367c56283)
Signed-off-by: Daniel Wang <wonderfly@google.com>
Change-Id: I1636d162aa698769aa0dc5cabf0a902677422f53
Reviewed-on: https://chromium-review.googlesource.com/759138
Tested-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Daniel Wang <wonderfly@google.com>

[modify] https://crrev.com/a677c8633c4359de285448f29ce15994cbad1a75/net/packet/af_packet.c
Nov 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/957c2ec5c7b906973b8bf5be3dd066524569b1ec

commit 957c2ec5c7b906973b8bf5be3dd066524569b1ec
Author: Willem de Bruijn <willemb@google.com>
Date: Wed Nov 08 22:49:53 2017

UPSTREAM: packet: fix tp_reserve race in packet_set_ring

[ Upstream commit c27927e372f0785f3303e8fad94b85945e2c97b7 ]

Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

BUG=chromium:780782
TEST=trybot

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 63364a508d24944abb0975bd823cb11367c56283)
Signed-off-by: Daniel Wang <wonderfly@google.com>
Change-Id: I427f6c69ac1a57859be921bd3914a62de29ed7f4
Reviewed-on: https://chromium-review.googlesource.com/759137
Tested-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Daniel Wang <wonderfly@google.com>

[modify] https://crrev.com/957c2ec5c7b906973b8bf5be3dd066524569b1ec/net/packet/af_packet.c
Nov 8 2017
Nov 9 2017
Nov 9 2017
Nov 13 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!
To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Feb 15 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 27 2018
Comment 1 by groeck@chromium.org, Nov 2 2017
Labels: Security_Severity-High Security_Impact-Stable M-63 Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)

Upstream c27927e372f07 ("packet: fix tp_reserve race in packet_set_ring").