Security: CVE-2017-16939 Linux Kernel XFRM Privilege Escalation
Issue description
Per https://blogs.securiteam.com/index.php/archives/3535. Potential local privilege escalation via netlink. Can be exploited from unprivileged users using a network namespace. POC code doesn't actually achieve privilege escalation AFAICT, so setting Medium severity for now. Fix is at https://github.com/torvalds/linux/commit/1137b5e2529a8f5ca8ee709288ecba3e68044df2 and present in 4.14 already. We should apply to all older kernel trees and try and get this into 63.
Nov 27 2017
Will apply to 3.14 and later. 3.10 and earlier result in conflicts, suggesting other changes in the same area of code. The risk of changing that code is not worth the gain.
Nov 27 2017
Further study reveals that the upstream patch relies on infrastructure changes which are not available in the v4.4 linux kernel series. Will wait for backport in upstream stable release to avoid risk and deviation from stable releases.
Nov 30 2017
Missing infra patch is fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump"). Will give this another shot.
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/84bd880d08d6131bb4b56bb5df7e53cbcde49730

commit 84bd880d08d6131bb4b56bb5df7e53cbcde49730
Author: Tom Herbert <tom@herbertland.com>
Date: Thu Nov 30 22:18:35 2017

UPSTREAM: netlink: add a start callback for starting a netlink dump

The start callback allows the caller to set up a context for the dump callbacks. Presumably, the context can then be destroyed in the done callback.

BUG= chromium:788304
TEST=Build and run

Change-Id: I00f5b818438c594b9d4cb94d5e369ff77b22a312
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fc9e50f5a5a4e)
Reviewed-on: https://chromium-review.googlesource.com/800990
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/84bd880d08d6131bb4b56bb5df7e53cbcde49730/include/linux/netlink.h
[modify] https://crrev.com/84bd880d08d6131bb4b56bb5df7e53cbcde49730/net/netlink/genetlink.c
[modify] https://crrev.com/84bd880d08d6131bb4b56bb5df7e53cbcde49730/net/netlink/af_netlink.c
[modify] https://crrev.com/84bd880d08d6131bb4b56bb5df7e53cbcde49730/include/net/genetlink.h
Dec 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e39c513a47eb5bbe779494b532d8f4bbeccf2282

commit e39c513a47eb5bbe779494b532d8f4bbeccf2282
Author: Tom Herbert <tom@herbertland.com>
Date: Fri Dec 01 04:30:24 2017

UPSTREAM: netlink: add a start callback for starting a netlink dump

The start callback allows the caller to set up a context for the dump callbacks. Presumably, the context can then be destroyed in the done callback.

BUG= chromium:788304
TEST=Build and run

Change-Id: I00f5b818438c594b9d4cb94d5e369ff77b22a312
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fc9e50f5a5a4e)
Reviewed-on: https://chromium-review.googlesource.com/801253

[modify] https://crrev.com/e39c513a47eb5bbe779494b532d8f4bbeccf2282/include/linux/netlink.h
[modify] https://crrev.com/e39c513a47eb5bbe779494b532d8f4bbeccf2282/net/netlink/genetlink.c
[modify] https://crrev.com/e39c513a47eb5bbe779494b532d8f4bbeccf2282/net/netlink/af_netlink.c
[modify] https://crrev.com/e39c513a47eb5bbe779494b532d8f4bbeccf2282/include/net/genetlink.h
Dec 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4cb4d23867a4d2b498692c7cda937ef5416c8cd8

commit 4cb4d23867a4d2b498692c7cda937ef5416c8cd8
Author: Tom Herbert <tom@herbertland.com>
Date: Fri Dec 01 04:30:25 2017

UPSTREAM: netlink: add a start callback for starting a netlink dump

The start callback allows the caller to set up a context for the dump callbacks. Presumably, the context can then be destroyed in the done callback.

BUG= chromium:788304
TEST=Build and run

Change-Id: I00f5b818438c594b9d4cb94d5e369ff77b22a312
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fc9e50f5a5a4e)
Reviewed-on: https://chromium-review.googlesource.com/801252

[modify] https://crrev.com/4cb4d23867a4d2b498692c7cda937ef5416c8cd8/include/linux/netlink.h
[modify] https://crrev.com/4cb4d23867a4d2b498692c7cda937ef5416c8cd8/net/netlink/genetlink.c
[modify] https://crrev.com/4cb4d23867a4d2b498692c7cda937ef5416c8cd8/net/netlink/af_netlink.c
[modify] https://crrev.com/4cb4d23867a4d2b498692c7cda937ef5416c8cd8/include/net/genetlink.h
Dec 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b566e07bdd3b1a5e808892e8287a044db4442020

commit b566e07bdd3b1a5e808892e8287a044db4442020
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu Nov 30 22:18:36 2017

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304
TEST=Build and run

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/790150
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/b566e07bdd3b1a5e808892e8287a044db4442020/net/xfrm/xfrm_user.c
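An added userspace model (not the kernel's code and not this CL's code) of the lifecycle the commit message describes: done() assumes dump() ran at least once, a receive-buffer-full abort skips dump() but not done(), and the cb->start hook makes the initialisation unconditional. Every name below is a hypothetical stand-in for the kernel's; the walk state models what the real code keeps in cb->args[].

```c
#include <stdlib.h>
/* Hypothetical stand-ins for the kernel's netlink_callback and the xfrm walk
 * state it keeps in cb->args[]; a userspace model, not the kernel's code. */
struct xfrm_dump_walk { int entries_seen; };
struct netlink_callback {
    int (*start)(struct netlink_callback *cb);
    int (*dump)(struct netlink_callback *cb);
    int (*done)(struct netlink_callback *cb);
    struct xfrm_dump_walk *walk;
};

/* Models xfrm_dump_policy: before the fix, walk state was set up lazily on
 * the first dump() call, so done() only works if dump() ran at least once. */
static int xfrm_dump_policy(struct netlink_callback *cb)
{
    if (!cb->walk && !(cb->walk = calloc(1, sizeof(*cb->walk))))
        return -1;
    cb->walk->entries_seen++;
    return 0;
}

/* Models xfrm_dump_policy_done: assumes the walk exists. The kernel follows
 * invalid pointers here and crashes; this model returns -1 instead. */
static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
    int seen = cb->walk ? cb->walk->entries_seen : -1;
    free(cb->walk);
    cb->walk = NULL;
    return seen;
}

/* Models the fix: cb->start initialises the walk before any dump() call. */
static int xfrm_dump_policy_start(struct netlink_callback *cb)
{
    return (cb->walk = calloc(1, sizeof(*cb->walk))) ? 0 : -1;
}

/* Models netlink_dump(): rcvbuf_full simulates the receive-buffer-full abort,
 * which skips dump() but still runs done(). Returns done()'s result. */
int run_dump(int use_start, int rcvbuf_full)
{
    struct netlink_callback cb = { use_start ? xfrm_dump_policy_start : NULL,
                                   xfrm_dump_policy, xfrm_dump_policy_done, NULL };
    if (cb.start && cb.start(&cb) < 0)
        return -1;
    if (!rcvbuf_full)
        cb.dump(&cb);
    return cb.done(&cb);
}
```

Without start(), an aborted dump reaches done() with no walk state (the modelled crash); with start() wired in, the same abort completes cleanly with zero entries seen.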
Dec 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c8f241dffbffa226404c56f74a80205f8f46a8da

commit c8f241dffbffa226404c56f74a80205f8f46a8da
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sat Dec 02 04:32:40 2017

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304
TEST=Build and run

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/789912
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/c8f241dffbffa226404c56f74a80205f8f46a8da/net/xfrm/xfrm_user.c
Dec 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d155a52ee15e8de51ab82e8046ba829b4a1698a6

commit d155a52ee15e8de51ab82e8046ba829b4a1698a6
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sat Dec 02 04:32:35 2017

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304
TEST=Build and run

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/789911
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/d155a52ee15e8de51ab82e8046ba829b4a1698a6/net/xfrm/xfrm_user.c
Dec 2 2017
This bug requires manual review: We are only 2 days from stable. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Dec 3 2017
Your change meets the bar and is auto-approved for M64. Please go ahead and merge the CL to branch 3282 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Dec 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4ffebefcbbdb8a2f19d85de2f8eba75437c05f15

commit 4ffebefcbbdb8a2f19d85de2f8eba75437c05f15
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Dec 04 01:20:16 2017

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304
TEST=Build and run

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/789911
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
(cherry picked from commit d155a52ee15e8de51ab82e8046ba829b4a1698a6)
Reviewed-on: https://chromium-review.googlesource.com/804608

[modify] https://crrev.com/4ffebefcbbdb8a2f19d85de2f8eba75437c05f15/net/xfrm/xfrm_user.c
Dec 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b6c8d754781df49d5f353e238cd24b2714e2b1df

commit b6c8d754781df49d5f353e238cd24b2714e2b1df
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Dec 04 01:20:40 2017

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304
TEST=Build and run

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/789912
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
(cherry picked from commit c8f241dffbffa226404c56f74a80205f8f46a8da)
Reviewed-on: https://chromium-review.googlesource.com/804609

[modify] https://crrev.com/b6c8d754781df49d5f353e238cd24b2714e2b1df/net/xfrm/xfrm_user.c
Dec 4 2017
M63 goes stable this week. If this isn't absolutely essential, I lean towards not merging.
Dec 4 2017
#16: Ok with me. Marking fixed. Copying lakitu for reference.
Dec 11 2017
Issue 793579 has been merged into this issue.
Jan 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1

commit be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1
Author: Tom Herbert <tom@herbertland.com>
Date: Wed Jan 03 19:02:11 2018

UPSTREAM: netlink: add a start callback for starting a netlink dump

The start callback allows the caller to set up a context for the dump callbacks. Presumably, the context can then be destroyed in the done callback.

BUG= chromium:788304 ,b:70422312
TEST=Build and run

Change-Id: I00f5b818438c594b9d4cb94d5e369ff77b22a312
Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit fc9e50f5a5a4e)
Reviewed-on: https://chromium-review.googlesource.com/800990
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 84bd880d08d6131bb4b56bb5df7e53cbcde49730)
Reviewed-on: https://chromium-review.googlesource.com/823087
Commit-Queue: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>

[modify] https://crrev.com/be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1/include/linux/netlink.h
[modify] https://crrev.com/be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1/net/netlink/genetlink.c
[modify] https://crrev.com/be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1/net/netlink/af_netlink.c
[modify] https://crrev.com/be4bae4fda60e3f1db240e0c6b5dd73dbbb060d1/include/net/genetlink.h
Jan 3 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/09b49365a3c4f884c48162ffe7c4c73839c2c611

commit 09b49365a3c4f884c48162ffe7c4c73839c2c611
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed Jan 03 19:02:26 2018

UPSTREAM: ipsec: Fix aborted xfrm policy dump crash

An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full.

This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation.

Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
BUG= chromium:788304 ,b:70422312
TEST=Build and run
CQ-DEPEND=CL:823087

Change-Id: Iad254b7b289804f75fba17a3c7c6d17480a11ab6
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2)
Reviewed-on: https://chromium-review.googlesource.com/790150
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit b566e07bdd3b1a5e808892e8287a044db4442020)
Reviewed-on: https://chromium-review.googlesource.com/820133
Trybot-Ready: Robert Kolchmeyer <rkolchmeyer@google.com>
Commit-Queue: Robert Kolchmeyer <rkolchmeyer@google.com>
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>

[modify] https://crrev.com/09b49365a3c4f884c48162ffe7c4c73839c2c611/net/xfrm/xfrm_user.c
Mar 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Nov 24 2017