Issue metadata
Sign in to add a comment
|
CVE-2017-16649 CrOS: Vulnerability reported in Linux kernel |
||||||||||||||||||||||
Issue descriptionVOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. Advisory: CVE-2017-16649 Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-16649 CVSS severity score: 7.2/10.0 Description: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. This bug was filed by http://go/vomit Please contact us at vomit-team@google.com if you need any assistance.
,
Nov 29 2017
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c599af055a4958689c14e214488e5465e7c2a5e3 commit c599af055a4958689c14e214488e5465e7c2a5e3 Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 02:05:07 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797230 [modify] https://crrev.com/c599af055a4958689c14e214488e5465e7c2a5e3/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/aebfc04b610b670623d23f0a2a1f9907938f40bd commit aebfc04b610b670623d23f0a2a1f9907938f40bd Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 02:04:45 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797231 [modify] https://crrev.com/aebfc04b610b670623d23f0a2a1f9907938f40bd/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5a79f25f1796c37895d5e1719c1f97d861e8b8ad commit 5a79f25f1796c37895d5e1719c1f97d861e8b8ad Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 02:05:03 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797210 Reviewed-by: Kevin Cernekee <cernekee@chromium.org> [modify] https://crrev.com/5a79f25f1796c37895d5e1719c1f97d861e8b8ad/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cae050958189dc297cd82c3eb9662f0c71aeb53a commit cae050958189dc297cd82c3eb9662f0c71aeb53a Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 02:04:36 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797232 [modify] https://crrev.com/cae050958189dc297cd82c3eb9662f0c71aeb53a/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e10015b729e9e211ccc0f19af0bbf7540df19e17 commit e10015b729e9e211ccc0f19af0bbf7540df19e17 Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 02:04:52 2017 UPSTREAM: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 2cb80187ba06) Reviewed-on: https://chromium-review.googlesource.com/797112 Reviewed-by: Daniel Wang <wonderfly@google.com> Reviewed-by: Kevin Cernekee <cernekee@chromium.org> [modify] https://crrev.com/e10015b729e9e211ccc0f19af0bbf7540df19e17/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
,
Nov 30 2017
This bug requires manual review: We are only 4 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 30 2017
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cfddeddb57b8a5bd0e795d9d29cd247959779ef0 commit cfddeddb57b8a5bd0e795d9d29cd247959779ef0 Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 19:07:50 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797232 (cherry picked from commit cae050958189dc297cd82c3eb9662f0c71aeb53a) Reviewed-on: https://chromium-review.googlesource.com/801099 [modify] https://crrev.com/cfddeddb57b8a5bd0e795d9d29cd247959779ef0/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d6f13de5c7c96047d912ae8ca4049e4efd89f1ff commit d6f13de5c7c96047d912ae8ca4049e4efd89f1ff Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 19:10:48 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797231 (cherry picked from commit aebfc04b610b670623d23f0a2a1f9907938f40bd) Reviewed-on: https://chromium-review.googlesource.com/801098 [modify] https://crrev.com/d6f13de5c7c96047d912ae8ca4049e4efd89f1ff/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4ffd482e1b474d9415e954cd2617447dbad4b7d9 commit 4ffd482e1b474d9415e954cd2617447dbad4b7d9 Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 19:10:59 2017 UPSTREAM: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from commit 2cb80187ba06) Reviewed-on: https://chromium-review.googlesource.com/797112 Reviewed-by: Daniel Wang <wonderfly@google.com> Reviewed-by: Kevin Cernekee <cernekee@chromium.org> (cherry picked from commit e10015b729e9e211ccc0f19af0bbf7540df19e17) Reviewed-on: https://chromium-review.googlesource.com/801095 [modify] https://crrev.com/4ffd482e1b474d9415e954cd2617447dbad4b7d9/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b8b265975177c63b32fab4217140ce1f14602aaa commit b8b265975177c63b32fab4217140ce1f14602aaa Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 19:14:45 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797210 Reviewed-by: Kevin Cernekee <cernekee@chromium.org> (cherry picked from commit 5a79f25f1796c37895d5e1719c1f97d861e8b8ad) Reviewed-on: https://chromium-review.googlesource.com/801096 [modify] https://crrev.com/b8b265975177c63b32fab4217140ce1f14602aaa/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ca27d70b593f47071ba373d23a4d9639a995e6ad commit ca27d70b593f47071ba373d23a4d9639a995e6ad Author: Bjørn Mork <bjorn@mork.no> Date: Thu Nov 30 19:14:58 2017 BACKPORT: net: cdc_ether: fix divide by 0 on bad descriptors Setting dev->hard_mtu to 0 will cause a divide error in usbnet_probe. Protect against devices with bogus CDC Ethernet functional descriptors by ignoring a zero wMaxSegmentSize. BUG= chromium:789494 TEST=Build and run Change-Id: I0664ec88dff4d2a3ee1b134ce27000c35b4d617c Signed-off-by: Bjrn Mork <bjorn@mork.no> Acked-by: Oliver Neukum <oneukum@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Guenter Roeck <groeck@chromium.org> (cherry picked from upstream commit 2cb80187ba06) (cherry picked from commit 0839b4b24f92fd42e4de351dd36636713b8e750a chromeos-4.4; fixed conflicts) Signed-off-by: Guenter Roeck <groeck@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/797230 (cherry picked from commit c599af055a4958689c14e214488e5465e7c2a5e3) Reviewed-on: https://chromium-review.googlesource.com/801097 [modify] https://crrev.com/ca27d70b593f47071ba373d23a4d9639a995e6ad/drivers/net/usb/cdc_ether.c
,
Nov 30 2017
,
Dec 1 2017
,
Mar 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 27 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by groeck@chromium.org
, Nov 29 2017Labels: Security_Severity-High Security_Impact-Stable M-63 Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit 2cb80187ba06 ("net: cdc_ether: fix divide by 0 on bad descriptors"). Already fixed in chromeos-4.14. Required in older kernels.