
Issue 782594


Issue metadata

Status: Fixed
Closed: Dec 2017
OS: Chrome
Pri: 1
Type: Bug-Security




[syzkaller] Linux kernel: multiple vulnerabilities in the USB subsystem

Project Member Reported by mnissler@chromium.org, Nov 8 2017

Issue description

See

http://www.openwall.com/lists/oss-security/2017/11/06/8?source=techstories.org
https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md

There are quite a few memory bugs there that allow local attacks via malicious USB devices. Random example that we should be carrying but don't have in our trees:

https://github.com/torvalds/linux/commit/124751d5e63c823092060074bd0abaae61aaa9c4

I'm sure a closer investigation will turn up more.

Given there is no reason to believe there are remote vectors, I'll assign medium severity.

Guenter, I'll assign this to you for now given that you're the kernel security point of contact.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Nov 8 2017

Labels: -Pri-2 Pri-1
We'll get at least the random example with the merge of v4.4.96. One of the reasons for doing that merge early is the number of CVEs it fixes.

Cc: sonnyrao@chromium.org
Cc: wonderfly@google.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16525
    upstream commit 299d7572e ("USB: serial: console: fix use-after-free after failed setup")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526
    upstream commit 5a21af11c ("uwb: properly check kthread_run return value")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
    upstream commit 124751d5e ("ALSA: usb-audio: Kill stray URB at exiting")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528
    upstream commit fc27fe7e8 ("ALSA: seq: Cancel pending autoload work at unbinding device")
    not in chromeos-4.4 or linux-4.4.y, possibly because the affected file was moved.
    Need to explore.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
    upstream commit bfc81a8bc ("ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16530
    upstream commit 786de92b3 ("USB: uas: fix bug in handling of alternate settings")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
    upstream commit bd7a3fe770ebd ("USB: fix out-of-bounds in usb_set_configuration")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
    upstream commit 7c80f9e4a5 ("usb: usbtest: fix NULL pointer dereference")
    not tagged for -stable, not in 4.4.y. Need to check if it applies to chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
    upstream commit f043bfc98c ("HID: usbhid: fix out-of-bounds bug")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16534
    upstream commit 2e1c42391ff ("USB: core: harden cdc_parse_cdc_header")
    not in chromeos-4.4 or in 4.4.y; need to check if it applies.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535
    upstream commit 1c0edc3633b ("USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()")
    in chromeos-4.4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
    https://patchwork.kernel.org/patch/9963527/
    Queued in linux-next but not yet applied to upstream kernel.
    Need to check if it applies to us.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
    https://patchwork.kernel.org/patch/9994017/
    Queued for linux-next but not applied to upstream kernel.
    Need to check if it applies to us.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538
    https://patchwork.linuxtv.org/patch/44566/
    https://patchwork.linuxtv.org/patch/44567/
    Patch not upstream nor in linux-next. Need to check if it applies to us and follow up if needed.

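Several of the CVEs in the list above (the usb_set_configuration, usb_get_bos_descriptor, cdc_parse_cdc_header and usbhid fixes) are out-of-bounds accesses while parsing descriptors whose length fields a malicious device controls. The code below is an added example written for this page, not code from the kernel or from this thread: it walks a USB configuration descriptor blob the way those fixes require, checking every device-supplied bLength against the bytes actually remaining before reading past it. The struct, function and the three sample buffers are this example's own, constructed for illustration.

```c
/* Added example, not kernel code: a bounds-checked walk over a USB
 * configuration descriptor as a hostile device could present it.
 * Descriptor layout follows the USB 2.0 spec (bLength, bDescriptorType,
 * then type-specific fields); the sample buffers are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

#define USB_DT_CONFIG_SIZE    9
#define USB_DT_INTERFACE_SIZE 9
#define USB_DT_ENDPOINT_SIZE  7

struct walk_result {
    int interfaces;   /* well-formed interface descriptors seen */
    int endpoints;    /* well-formed endpoint descriptors seen */
    int skipped;      /* other types, or too short for their type */
    int truncated;    /* 1 if a bLength claimed more bytes than remained */
};

/* Walk the descriptors inside a configuration blob. Returns the byte
 * offset at which parsing stopped, or -1 if there is no valid config
 * header. Every bLength is checked against the bytes actually left
 * before any field behind it is read. */
int walk_config(const uint8_t *buf, size_t len, struct walk_result *r)
{
    memset(r, 0, sizeof(*r));
    if (len < USB_DT_CONFIG_SIZE || buf[1] != USB_DT_CONFIG ||
        buf[0] < USB_DT_CONFIG_SIZE || buf[0] > len)
        return -1;

    /* wTotalLength (little endian) is device-supplied: clamp it to what
     * was really transferred instead of trusting it. */
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total > len)
        total = len;

    size_t off = buf[0];
    while (off < total) {
        size_t remaining = total - off;
        if (remaining < 2) {            /* not even a header left */
            r->truncated = 1;
            break;
        }
        uint8_t blen = buf[off];
        uint8_t type = buf[off + 1];
        /* bLength < 2 would never advance (an infinite loop);
         * bLength > remaining is the out-of-bounds read. */
        if (blen < 2 || blen > remaining) {
            r->truncated = 1;
            break;
        }
        if (type == USB_DT_INTERFACE && blen >= USB_DT_INTERFACE_SIZE)
            r->interfaces++;
        else if (type == USB_DT_ENDPOINT && blen >= USB_DT_ENDPOINT_SIZE)
            r->endpoints++;
        else
            r->skipped++;               /* unknown or too short: skip, never read into it */
        off += blen;
    }
    return (int)off;
}

/* Constructed sample: one interface with two bulk endpoints, 32 bytes. */
static const uint8_t sample_good[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   /* config, wTotalLength = 32 */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,   /* interface, 2 endpoints */
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,               /* endpoint 0x81 */
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,               /* endpoint 0x02 */
};

/* Same blob, but the last descriptor claims 64 bytes when only 7 remain. */
static const uint8_t sample_overlong[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,
    0x40, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,
};

/* Same blob with a zero bLength, which an unchecked loop would spin on. */
static const uint8_t sample_zero_len[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x00, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,
};

int main(void)
{
    struct walk_result r;
    int end = walk_config(sample_overlong, sizeof sample_overlong, &r);
    printf("stopped at %d, interfaces=%d endpoints=%d truncated=%d\n",
           end, r.interfaces, r.endpoints, r.truncated);
    return 0;
}
```

The two checks that matter are the clamp of wTotalLength to the bytes actually received and the `blen > remaining` test before the descriptor body is touched; passing a shorter `len` than the blob advertises exercises the first, and the overlong and zero-length samples exercise the second.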

Cc: dtor@chromium.org diand...@chromium.org
Cc: adityakali@google.com
I believe syzkaller does these fuzz tests for lakitu as well and we get bugs if (and only if) they impact lakitu? Aditya?
syzkaller for lakitu uses lakitu's kernel config .. which has USB support disabled.
> syzkaller for lakitu uses lakitu's kernel config .. which has USB support disabled.

In other words, these ones don't impact Lakitu, and if they did, we'd have got bugs filed on buganizer, right?
> In other words, these ones don't impact Lakitu, and if they did, we'd have got bugs filed on buganizer, right?

Yes, I think so.
CVE-2017-16536: Driver only enabled in beaglebone configuration. Will pick up fix into chromeos-4.4 with stable release merge if/when applied. WontFix for older kernels.
CVE-2017-16532: Driver only enabled in beaglebone configuration. Same as above.
CVE-2017-16537: Driver only enabled in beaglebone configuration. Same as above.
CVE-2017-16538: Driver only enabled in beaglebone configuration. Same as above.

CVE-2017-16528: Split to separate bug:  chromium:783243 
CVE-2017-16534: In chromeos-4.4 with merge of v4.4.92. Not found initially because the affected function was moved from one file to another.

Project Member

Comment 12 by bugdroid1@chromium.org, Nov 10 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ee5900de84118b7532502ea1e115a6c240dd391d

commit ee5900de84118b7532502ea1e115a6c240dd391d
Author: Takashi Iwai <tiwai@suse.de>
Date: Fri Nov 10 03:16:29 2017

UPSTREAM: ALSA: seq: Cancel pending autoload work at unbinding device

ALSA sequencer core has a mechanism to load the enumerated devices
automatically, and it's performed in an off-load work.  This seems
causing some race when a sequencer is removed while the pending
autoload work is running.  As syzkaller spotted, it may lead to some
use-after-free:
  BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
  sound/core/rawmidi.c:1617
  Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567

  CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: events autoload_drivers
  Call Trace:
   __dump_stack lib/dump_stack.c:16 [inline]
   dump_stack+0x192/0x22c lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351 [inline]
   kasan_report+0x230/0x340 mm/kasan/report.c:409
   __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
   snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
   snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
   device_release+0x13f/0x210 drivers/base/core.c:814
   kobject_cleanup lib/kobject.c:648 [inline]
   kobject_release lib/kobject.c:677 [inline]
   kref_put include/linux/kref.h:70 [inline]
   kobject_put+0x145/0x240 lib/kobject.c:694
   put_device+0x25/0x30 drivers/base/core.c:1799
   klist_devices_put+0x36/0x40 drivers/base/bus.c:827
   klist_next+0x264/0x4a0 lib/klist.c:403
   next_device drivers/base/bus.c:270 [inline]
   bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
   autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
   process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
   worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
   kthread+0x324/0x3f0 kernel/kthread.c:231
   ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425

The fix is simply to assure canceling the autoload work at removing
the device.

BUG= chromium:782594 ,  chromium:783243 
TEST=Build and run

Change-Id: Ia1abce523b818e2d85345b3215560050c0d6fc12
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fc27fe7e8)
Reviewed-on: https://chromium-review.googlesource.com/760401
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/ee5900de84118b7532502ea1e115a6c240dd391d/sound/core/seq/seq_device.c
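The race in the commit message above reduces to an ordering rule: deferred work that holds a pointer to an object must be cancelled before that object is freed. The code below is an added, single-threaded model written for this page, not the kernel's workqueue or sound/core code; the queue, work_struct, seq_device and uaf_hits names are this example's own stand-ins, and "free" is simulated by clearing a flag so the post-free access can be counted instead of crashing.

```c
/* Added example, not kernel code: a single-threaded model of
 * "cancel pending work before freeing its owner". Names mirror the
 * kernel API for readability but are this example's own. */
#include <stddef.h>
#include <stdio.h>

struct work_struct;
typedef void (*work_fn)(struct work_struct *);

/* One deferred work item: function, back-pointer to its owner, queue link. */
struct work_struct {
    work_fn fn;
    void *owner;
    struct work_struct *next;
    int pending;
};

/* A minimal FIFO standing in for the system workqueue. */
struct workqueue { struct work_struct *head; struct work_struct *tail; };

static int schedule_work(struct workqueue *wq, struct work_struct *w)
{
    if (w->pending) return 0;               /* already queued */
    w->pending = 1; w->next = NULL;
    if (wq->tail) wq->tail->next = w; else wq->head = w;
    wq->tail = w;
    return 1;
}

/* Unlink w if it is still queued; returns 1 if it was pending.
 * (The kernel's cancel_work_sync() additionally waits for an instance
 * that is already running; a single-threaded model has no such window.) */
static int cancel_work(struct workqueue *wq, struct work_struct *w)
{
    struct work_struct **pp = &wq->head, *prev = NULL;
    while (*pp && *pp != w) { prev = *pp; pp = &(*pp)->next; }
    if (!*pp) return 0;
    *pp = w->next;
    if (wq->tail == w) wq->tail = prev;
    w->pending = 0; w->next = NULL;
    return 1;
}

/* Run everything queued, in order: this is the kworker. */
static void run_workqueue(struct workqueue *wq)
{
    struct work_struct *w;
    while ((w = wq->head) != NULL) {
        wq->head = w->next;
        if (!wq->head) wq->tail = NULL;
        w->pending = 0;
        w->fn(w);
    }
}

/* The object the work item points back to. `live` stands in for the
 * allocation: 0 means "freed", so any access after that is the
 * use-after-free KASAN reported. */
struct seq_device {
    int live;
    int loaded;
    struct work_struct autoload;
};

static int uaf_hits;   /* accesses to a device after its simulated free */

static void autoload_drivers(struct work_struct *w)
{
    struct seq_device *dev = w->owner;
    if (!dev->live) { uaf_hits++; return; }   /* the crash, counted instead */
    dev->loaded = 1;
}

static void seq_device_init(struct seq_device *dev)
{
    dev->live = 1; dev->loaded = 0;
    dev->autoload.fn = autoload_drivers;
    dev->autoload.owner = dev;
    dev->autoload.next = NULL;
    dev->autoload.pending = 0;
}

/* Pre-fix teardown: frees the object while its work is still queued. */
static void seq_device_release_buggy(struct workqueue *wq, struct seq_device *dev)
{
    (void)wq;
    dev->live = 0;
}

/* Fixed teardown: pull the work item off the queue before the free, so
 * the worker can never dereference the dead object. */
static void seq_device_release_fixed(struct workqueue *wq, struct seq_device *dev)
{
    cancel_work(wq, &dev->autoload);
    dev->live = 0;
}

/* Register, schedule autoload, unbind, then let the worker run.
 * Returns the number of post-free accesses observed. */
int run_scenario(int fixed)
{
    struct workqueue wq = { NULL, NULL };
    struct seq_device dev;
    uaf_hits = 0;
    seq_device_init(&dev);
    schedule_work(&wq, &dev.autoload);
    if (fixed) seq_device_release_fixed(&wq, &dev);
    else       seq_device_release_buggy(&wq, &dev);
    run_workqueue(&wq);
    return uaf_hits;
}

int main(void)
{
    printf("buggy: %d post-free access(es)\n", run_scenario(0));
    printf("fixed: %d post-free access(es)\n", run_scenario(1));
    return 0;
}
```

In the real kernel the same rule holds for timers, tasklets and delayed work, and the synchronous cancel is what closes the window the commit describes: a work item already executing on another CPU is waited for, not merely unlinked.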

Issue 786334 has been merged into this issue.
Issue 786338 has been merged into this issue.
Issue 786337 has been merged into this issue.
Issue 786335 has been merged into this issue.
Issue 786702 has been merged into this issue.
Issue 786704 has been merged into this issue.
Issue 786705 has been merged into this issue.
Issue 786706 has been merged into this issue.
Issue 786707 has been merged into this issue.
Project Member

Comment 22 by sheriffbot@chromium.org, Dec 3 2017

groeck: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 4 2017

Labels: Restrict-View-SecurityNotify
Labels: Release-0-M64
Project Member

Comment 26 by sheriffbot@chromium.org, Mar 12 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 27 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65
