
CVE-2017-16649 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Nov 29 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-16649
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-16649
  CVSS severity score: 7.2/10.0
  Description:

The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 

Comment 1 by groeck@chromium.org, Nov 29 2017

Cc: wonderfly@google.com
Labels: Security_Severity-High Security_Impact-Stable M-63 Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit 2cb80187ba06 ("net: cdc_ether: fix divide by 0 on bad descriptors"). Already fixed in chromeos-4.14. Required in older kernels.

Comment 2 by groeck@chromium.org, Nov 29 2017

Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c599af055a4958689c14e214488e5465e7c2a5e3

commit c599af055a4958689c14e214488e5465e7c2a5e3
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 02:05:07 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797230

[modify] https://crrev.com/c599af055a4958689c14e214488e5465e7c2a5e3/drivers/net/usb/cdc_ether.c
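
The guard described in the commit message above, modeled in user space as an added example (not the kernel's code and not the patch itself). It walks device-supplied CDC functional descriptors and never lets a zero wMaxSegmentSize reach a later division. The function names, the 1514-byte default and `QUEUE_BUDGET` are assumptions made for illustration, and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define CS_INTERFACE       0x24  /* class-specific interface descriptor type */
#define CDC_ETHERNET_TYPE  0x0f  /* Ethernet Networking functional descriptor */
#define CDC_ETHER_DESC_LEN 13
#define DEFAULT_HARD_MTU   1514u /* assumed default: 1500-byte MTU + 14-byte header */
#define QUEUE_BUDGET       (60u * 1518u) /* hypothetical buffer budget, in bytes */

/* Constructed samples: a CDC header descriptor followed by an Ethernet one. */
const uint8_t sane_desc[] = { 0x05, 0x24, 0x00, 0x10, 0x01, /* wMaxSegmentSize 1024 */
    0x0d, 0x24, 0x0f, 0x01, 0, 0, 0, 0, 0x00, 0x04, 0, 0, 0 };
const uint8_t bogus_desc[] = { 0x05, 0x24, 0x00, 0x10, 0x01, /* wMaxSegmentSize 0 */
    0x0d, 0x24, 0x0f, 0x01, 0, 0, 0, 0, 0x00, 0x00, 0, 0, 0 };

/* Returns 0 and a non-zero *hard_mtu, or -1 if the descriptor is malformed or absent. */
int cdc_ether_hard_mtu(const uint8_t *buf, size_t len, uint32_t *hard_mtu)
{
    *hard_mtu = DEFAULT_HARD_MTU;
    for (size_t off = 0, dlen; len - off >= 2; off += dlen) {
        dlen = buf[off];
        if (dlen < 2 || dlen > len - off)
            return -1;              /* zero-length or truncated descriptor */
        if (buf[off + 1] == CS_INTERFACE && dlen >= 3 &&
            buf[off + 2] == CDC_ETHERNET_TYPE) {
            if (dlen < CDC_ETHER_DESC_LEN)
                return -1;
            uint32_t mss = buf[off + 8] | ((uint32_t)buf[off + 9] << 8);
            if (mss != 0)           /* ignore a zero wMaxSegmentSize */
                *hard_mtu = mss;
            return 0;
        }
    }
    return -1;
}

/* Stand-in for the later division by hard_mtu; -1 means the input was rejected. */
long rx_queue_len(const uint8_t *buf, size_t len)
{
    uint32_t hard_mtu;
    return cdc_ether_hard_mtu(buf, len, &hard_mtu) ? -1 : (long)(QUEUE_BUDGET / hard_mtu);
}

int main(void)
{
    printf("sane %ld, bogus %ld\n", rx_queue_len(sane_desc, sizeof sane_desc),
           rx_queue_len(bogus_desc, sizeof bogus_desc));
    return 0;
}
```

The bounds checks on each descriptor length matter as much as the zero check: every byte here comes from the attached device.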


Comment 4 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/aebfc04b610b670623d23f0a2a1f9907938f40bd

commit aebfc04b610b670623d23f0a2a1f9907938f40bd
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 02:04:45 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797231

[modify] https://crrev.com/aebfc04b610b670623d23f0a2a1f9907938f40bd/drivers/net/usb/cdc_ether.c


Comment 5 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5a79f25f1796c37895d5e1719c1f97d861e8b8ad

commit 5a79f25f1796c37895d5e1719c1f97d861e8b8ad
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 02:05:03 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797210
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/5a79f25f1796c37895d5e1719c1f97d861e8b8ad/drivers/net/usb/cdc_ether.c


Comment 6 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cae050958189dc297cd82c3eb9662f0c71aeb53a

commit cae050958189dc297cd82c3eb9662f0c71aeb53a
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 02:04:36 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797232

[modify] https://crrev.com/cae050958189dc297cd82c3eb9662f0c71aeb53a/drivers/net/usb/cdc_ether.c


Comment 7 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e10015b729e9e211ccc0f19af0bbf7540df19e17

commit e10015b729e9e211ccc0f19af0bbf7540df19e17
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 02:04:52 2017

UPSTREAM: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2cb80187ba06)
Reviewed-on: https://chromium-review.googlesource.com/797112
Reviewed-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/e10015b729e9e211ccc0f19af0bbf7540df19e17/drivers/net/usb/cdc_ether.c

Comment 8 by groeck@chromium.org, Nov 30 2017

Labels: Merge-Request-63

Comment 9 by sheriffbot@chromium.org, Nov 30 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: We are only 4 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-63 Merge-Approved-63

Comment 11 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-release-R63-10032.B-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cfddeddb57b8a5bd0e795d9d29cd247959779ef0

commit cfddeddb57b8a5bd0e795d9d29cd247959779ef0
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 19:07:50 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797232
(cherry picked from commit cae050958189dc297cd82c3eb9662f0c71aeb53a)
Reviewed-on: https://chromium-review.googlesource.com/801099

[modify] https://crrev.com/cfddeddb57b8a5bd0e795d9d29cd247959779ef0/drivers/net/usb/cdc_ether.c


Comment 12 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-release-R63-10032.B-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d6f13de5c7c96047d912ae8ca4049e4efd89f1ff

commit d6f13de5c7c96047d912ae8ca4049e4efd89f1ff
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 19:10:48 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797231
(cherry picked from commit aebfc04b610b670623d23f0a2a1f9907938f40bd)
Reviewed-on: https://chromium-review.googlesource.com/801098

[modify] https://crrev.com/d6f13de5c7c96047d912ae8ca4049e4efd89f1ff/drivers/net/usb/cdc_ether.c


Comment 13 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-release-R63-10032.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4ffd482e1b474d9415e954cd2617447dbad4b7d9

commit 4ffd482e1b474d9415e954cd2617447dbad4b7d9
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 19:10:59 2017

UPSTREAM: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2cb80187ba06)
Reviewed-on: https://chromium-review.googlesource.com/797112
Reviewed-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit e10015b729e9e211ccc0f19af0bbf7540df19e17)
Reviewed-on: https://chromium-review.googlesource.com/801095

[modify] https://crrev.com/4ffd482e1b474d9415e954cd2617447dbad4b7d9/drivers/net/usb/cdc_ether.c


Comment 14 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-release-R63-10032.B-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b8b265975177c63b32fab4217140ce1f14602aaa

commit b8b265975177c63b32fab4217140ce1f14602aaa
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 19:14:45 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797210
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
(cherry picked from commit 5a79f25f1796c37895d5e1719c1f97d861e8b8ad)
Reviewed-on: https://chromium-review.googlesource.com/801096

[modify] https://crrev.com/b8b265975177c63b32fab4217140ce1f14602aaa/drivers/net/usb/cdc_ether.c


Comment 15 by bugdroid1@chromium.org, Nov 30 2017

Labels: merge-merged-release-R63-10032.B-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ca27d70b593f47071ba373d23a4d9639a995e6ad

commit ca27d70b593f47071ba373d23a4d9639a995e6ad
Author: Bjørn Mork <bjorn@mork.no>
Date: Thu Nov 30 19:14:58 2017

BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors

Setting dev->hard_mtu to 0 will cause a divide error in
usbnet_probe. Protect against devices with bogus CDC Ethernet
functional descriptors by ignoring a zero wMaxSegmentSize.

BUG= chromium:789494 
TEST=Build and run

Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from upstream commit 2cb80187ba06)
(cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a
 chromeos-4.4; fixed conflicts)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/797230
(cherry picked from commit c599af055a4958689c14e214488e5465e7c2a5e3)
Reviewed-on: https://chromium-review.googlesource.com/801097

[modify] https://crrev.com/ca27d70b593f47071ba373d23a4d9639a995e6ad/drivers/net/usb/cdc_ether.c

Labels: -Merge-Approved-63
Status: Fixed (was: Started)

Comment 17 by sheriffbot@chromium.org, Dec 1 2017

Labels: Restrict-View-SecurityNotify

Comment 18 by sheriffbot@chromium.org, Mar 9 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-63 M-65
