CVE-2017-15649 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-15649
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-15649
CVSS severity score: 4.6/10.0
Description: net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Nov 10 2017
Applied to chromeos-4.4/M-63 with b/69149598.
Nov 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/62dfc4fa19f20850cace0ab85da2529c0d0c980a

commit 62dfc4fa19f20850cace0ab85da2529c0d0c980a
Author: Willem de Bruijn <willemb@google.com>
Date: Tue Nov 21 23:58:37 2017

UPSTREAM: packet: hold bind lock when rebinding to fanout hook

[ Upstream commit 008ba2a13f2d04c947adc536d19debb8fe66f110 ]

Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets.

fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout. Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others.

Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch.

Fixes: dc99f600698d ("packet: Add fanout support.")
Reported-by: nixioaming <nixiaoming@huawei.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5be6824b9704f926c26c844b373aacdc7e827ab6)
Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>

BUG=b:69149598, chromium:783729
CQ-DEPEND=CL:764580

Change-Id: I13f0d2a23ea39c3249fa58ef7d7301595a1dea95
Reviewed-on: https://chromium-review.googlesource.com/764500
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/62dfc4fa19f20850cace0ab85da2529c0d0c980a/net/packet/af_packet.c
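The interleaving the commit message describes, replayed as an added example that is not code from the Chromium OS kernel tree, the upstream patch, or anyone on this bug. It is a single-threaded C model: the structs and the set_ring_*/fanout_add_* functions are stand-ins for po->running, po->bind_lock, po->fanout, packet_set_ring() and fanout_add(), and the two racing threads are simulated by calling the halves of each operation in the order the race needs. The unpatched fanout_add tests po->running early and unlocked and rebinds much later; packet_set_ring's detach and reattach can land between those two steps, and the reattach then links the socket through the fanout a second time.

```c
/*
 * Added example, not code from the Chromium OS or upstream kernel tree: a
 * single-threaded model of the race closed by upstream commit 008ba2a13f2d.
 * All names are this model's stand-ins for po->running, po->bind_lock,
 * po->fanout, packet_set_ring() and fanout_add(); thread interleaving is
 * replayed by calling the halves of each operation in the racing order.
 */
#include <stdbool.h>
#define FANOUT_MAX 8

struct packet_sock;
struct fanout_group { struct packet_sock *members[FANOUT_MAX]; int num_members; };
struct packet_sock {
	bool running;                /* po->running: hook registered somewhere */
	struct fanout_group *fanout; /* po->fanout, NULL while on a plain ptype list */
};

/* How many times sk sits in the group; more than once is the bug. */
static int fanout_membership(const struct fanout_group *f, const struct packet_sock *sk)
{
	int n = 0;
	for (int i = 0; i < f->num_members; i++)
		n += (f->members[i] == sk);
	return n;
}

static void fanout_link(struct fanout_group *f, struct packet_sock *sk)
{
	if (f->num_members < FANOUT_MAX)
		f->members[f->num_members++] = sk;
}

static void fanout_unlink(struct fanout_group *f, struct packet_sock *sk)
{
	for (int i = 0; i < f->num_members; i++)
		if (f->members[i] == sk) { /* removes one occurrence only */
			f->members[i] = f->members[--f->num_members];
			return;
		}
}

/* packet_set_ring(): __unregister_prot_hook() under bind_lock, later
 * register_prot_hook() under bind_lock; the lock is dropped in between. */
static void set_ring_detach(struct packet_sock *sk)
{
	if (sk->running && sk->fanout)
		fanout_unlink(sk->fanout, sk); /* else: __dev_remove_pack() */
	sk->running = false;
}

static void set_ring_reattach(struct packet_sock *sk)
{
	if (!sk->running && sk->fanout)
		fanout_link(sk->fanout, sk);   /* else: dev_add_pack() */
	sk->running = true;
}

/* Unpatched fanout_add(): the po->running test happens early and unlocked,
 * the rebind much later; this is only the second half. */
static void fanout_add_unpatched_rebind(struct packet_sock *sk, struct fanout_group *f)
{
	sk->fanout = f;     /* __dev_remove_pack(); po->fanout = match; */
	fanout_link(f, sk); /* __fanout_link() */
}

/* Patched fanout_add(): test and rebind inside one bind_lock section. */
static bool fanout_add_patched(struct packet_sock *sk, struct fanout_group *f)
{
	if (!sk->running)
		return false; /* -EINVAL: socket is not bound right now */
	sk->fanout = f;
	fanout_link(f, sk);
	return true;
}

/* Thread A = fanout_add, thread B = packet_set_ring; returns the membership count. */
int race_unpatched(void)
{
	struct fanout_group f = {0};
	struct packet_sock sk = { .running = true };

	if (!sk.running)                      /* A: unlocked test, sees 1 */
		return -1;
	set_ring_detach(&sk);                 /* B: running -> 0 */
	fanout_add_unpatched_rebind(&sk, &f); /* A: joins the group */
	set_ring_reattach(&sk);               /* B: fanout set, links again */
	return fanout_membership(&f, &sk);    /* 2: the double add */
}

/* With the fix, B can only run entirely before or after A's critical section. */
int race_patched(bool b_first)
{
	struct fanout_group f = {0};
	struct packet_sock sk = { .running = true };

	if (b_first)
		set_ring_detach(&sk);                  /* B: running -> 0 */
	bool joined = fanout_add_patched(&sk, &f); /* A: refused if B detached first */
	if (!b_first)
		set_ring_detach(&sk);                  /* B: unlinks from the fanout */
	set_ring_reattach(&sk);                    /* B: relinks at most once */
	if (joined == b_first)
		return -1;                             /* model inconsistency */
	return fanout_membership(&f, &sk);         /* 1 when A first, 0 when B first */
}
```

race_unpatched() ends with the socket on the fanout member list twice; since a later unlink removes one occurrence, the second entry outlives the socket, which is the shape of the use-after-free the KASAN reports point at. With the lock held across the test and the rebind, race_patched(false) leaves exactly one entry and race_patched(true) refuses the fanout join outright because po->running is 0 at that moment. The real bug needs two threads hitting the same socket; this model only fixes the losing order so it can be checked deterministically.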
Nov 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/623b2e9f0fa2677dad61f7f33abef5d1e9a3a82b

commit 623b2e9f0fa2677dad61f7f33abef5d1e9a3a82b
Author: Willem de Bruijn <willemb@google.com>
Date: Tue Nov 21 23:58:38 2017

BACKPORT: packet: only test po->has_vnet_hdr once in packet_snd

[ Upstream commit da7c9561015e93d10fe6aab73e9288e0d09d65a6 ]

Packet socket option po->has_vnet_hdr can be updated concurrently with other operations if no ring is attached. Do not test the option twice in packet_snd, as the value may change in between calls.

A race on setsockopt disable may cause a packet > mtu to be sent without having GSO options set.

Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1299f7e17e9e442be49a9b6011f6fe5259960ebb)
Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>
[backport: context conflicts]
Signed-off-by: Guenter Roeck <groeck@chromium.org>

BUG=b:69149598, chromium:783729
TEST=None

Change-Id: Ib13f113c8721597707bde35a9587aec8173e5606
Reviewed-on: https://chromium-review.googlesource.com/764580
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/623b2e9f0fa2677dad61f7f33abef5d1e9a3a82b/net/packet/af_packet.c
Feb 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Nov 10 2017
Labels: Security_Severity-Medium Security_Impact-Stable M-63 Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit 008ba2a13f2d ("packet: hold bind lock when rebinding to fanout hook"). Already fixed in chromeos-4.4 with merge of v4.4.96. Needed in M-63 and older kernels.