
Issue 794126

Issue metadata

Status: Fixed
Closed: Dec 2017
OS: Chrome
Pri: 1
Type: Bug-Security




CVE-2017-12190 CrOS: Vulnerability reported in Linux kernel

Reported by vomit.go...@appspot.gserviceaccount.com (Project Member), Dec 12 2017

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-12190
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-12190
  CVSS severity score: 4.9/10.0
  Description:

The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
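A simplified user-space model of the refcount imbalance the advisory describes, added here as an illustration; it is not kernel code and not part of the bug report. The function names mirror the kernel's (bio_add_pc_page, bio_unmap_user), but the structs, the merge rule and the "fixed" path (dropping the extra reference whenever bi_vcnt did not grow after the add) are this example's own assumptions, since the page does not show the upstream diff.

```c
#include <stdbool.h>
#include <stddef.h>
/* Mock page with a plain refcount; a bio is a short array of vectors. */
struct page { int refcount; };
struct bio_vec { struct page *bv_page; size_t len, off; };
struct bio { struct bio_vec vecs[8]; int bi_vcnt; };

/* Like bio_add_pc_page: a contiguous same-page segment merges into the last vec. */
static void bio_add_pc_page(struct bio *bio, struct page *p, size_t len, size_t off)
{
    struct bio_vec *prev = bio->bi_vcnt ? &bio->vecs[bio->bi_vcnt - 1] : NULL;
    if (prev && prev->bv_page == p && prev->off + prev->len == off)
        prev->len += len;                       /* merged into existing vec */
    else
        bio->vecs[bio->bi_vcnt++] = (struct bio_vec){ p, len, off };
}

/* One reference is taken per user segment (as get_user_pages does).  The buggy
 * path keeps it even when the segment merged; the fixed path drops it again. */
static void bio_map_segments(struct bio *bio, struct page **pages,
                             const size_t *len, const size_t *off, int n, bool fixed)
{
    for (int i = 0; i < n; i++) {
        int prev_vcnt = bio->bi_vcnt;
        pages[i]->refcount++;                   /* get_page() */
        bio_add_pc_page(bio, pages[i], len[i], off[i]);
        if (fixed && bio->bi_vcnt == prev_vcnt)
            pages[i]->refcount--;               /* put_page() the extra ref */
    }
}

/* bio_unmap_user drops exactly one ref per vec, the only count it knows. */
static void bio_unmap_user(struct bio *bio)
{
    for (int i = 0; i < bio->bi_vcnt; i++)
        bio->vecs[i].bv_page->refcount--;
    bio->bi_vcnt = 0;
}

/* Constructed input: three consecutive 512-byte buffers in one page.
 * Returns the refs still held after map + unmap: 2 with the bug, 0 fixed. */
int leaked_refs_after_roundtrip(bool fixed)
{
    struct page pg = { 0 }, *pages[3] = { &pg, &pg, &pg };
    size_t len[3] = { 512, 512, 512 }, off[3] = { 0, 512, 1024 };
    struct bio bio = { 0 };
    bio_map_segments(&bio, pages, len, off, 3, fixed);
    bio_unmap_user(&bio);
    return pg.refcount;
}
```

Each leaked reference pins the page for the life of the system, which is why repeated I/O with such vectors ends in the out-of-memory condition the advisory mentions.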


Comment 1 by groeck@chromium.org, Dec 12 2017

Cc: wonderfly@chromium.org
Labels: M-64 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commits 2b04e8f6bbb1 ("more bio_map_user_iov() leak fixes") and 95d78c28b5a85 ("fix unbalanced page refcounting in bio_map_user_iov").
Both already fixed in chromeos-4.14. 95d78c28b5a85 is already fixed in chromeos-4.4, but not 2b04e8f6bbb1 (presumably due to a conflict).
Will fix 2b04e8f6bbb1 in chromeos-4.4. WontFix for older kernels (too many changes, too risky).

Comment 2 by groeck@chromium.org, Dec 13 2017

Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org, Dec 14 2017

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5ba68876b519328575412fc1d7a5a29855393782

commit 5ba68876b519328575412fc1d7a5a29855393782
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu Dec 14 06:33:25 2017

BACKPORT: more bio_map_user_iov() leak fixes

we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.

BUG= chromium:794126 
TEST=Build and run

Change-Id: Ie01803c9cce05570094ef4a06db2d242e22ba00a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2b04e8f6bbb1)
Reviewed-on: https://chromium-review.googlesource.com/825768
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/5ba68876b519328575412fc1d7a5a29855393782/block/bio.c

Comment 4 by groeck@chromium.org, Dec 14 2017

Labels: Merge-Request-64

Comment 5 by sheriffbot@chromium.org, Dec 14 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by groeck@chromium.org, Dec 20 2017

Cc: kbleicher@chromium.org
Labels: -Merge-Review-64 Merge-Approved-64
Approving merge to M64 Chrome OS.

Comment 8 by bugdroid1@chromium.org, Dec 20 2017

Labels: merge-merged-release-R64-10176.B-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c89b643449b353c50865fac80031ede9a24afc67

commit c89b643449b353c50865fac80031ede9a24afc67
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Dec 20 23:20:50 2017

BACKPORT: more bio_map_user_iov() leak fixes

we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.

BUG= chromium:794126 
TEST=Build and run

Change-Id: Ie01803c9cce05570094ef4a06db2d242e22ba00a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2b04e8f6bbb1)
Reviewed-on: https://chromium-review.googlesource.com/825777

[modify] https://crrev.com/c89b643449b353c50865fac80031ede9a24afc67/block/bio.c

Comment 9 by groeck@chromium.org, Dec 20 2017

Labels: -Merge-Approved-64
Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, Dec 21 2017

Labels: Restrict-View-SecurityNotify

Comment 11 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65

Comment 12 by sheriffbot@chromium.org, Mar 29 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
