CVE-2017-12190 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-12190
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-12190
CVSS severity score: 4.9/10.0

Description: The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Dec 13 2017

Dec 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5ba68876b519328575412fc1d7a5a29855393782

commit 5ba68876b519328575412fc1d7a5a29855393782
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu Dec 14 06:33:25 2017

BACKPORT: more bio_map_user_iov() leak fixes

we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio.

BUG= chromium:794126
TEST=Build and run

Change-Id: Ie01803c9cce05570094ef4a06db2d242e22ba00a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2b04e8f6bbb1)
Reviewed-on: https://chromium-review.googlesource.com/825768
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/5ba68876b519328575412fc1d7a5a29855393782/block/bio.c
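The two defects this issue tracks are both accounting errors: the issue description covers the merge case (one page reference taken per buffer, but only one reference dropped per merged bio_vec), and the backported commit above covers the failure exit (references already taken are abandoned when adding a later page fails). The following is an added toy model of that bookkeeping, written for this page; it is not kernel code and not the patch itself. Every `model_` name is hypothetical, the two scenarios are constructed, and `MODEL_MAX_VECS` is deliberately tiny so a "bio full" failure is easy to produce. `model_map_buggy` mirrors the pre-fix shape; `model_map_fixed` mirrors the shape of the fixes as the page describes them (drop the surplus reference when a buffer merges, and on failure release the current page plus everything already in the bio).

```c
#include <stdio.h>

/*
 * Toy model of the page-reference bookkeeping behind CVE-2017-12190.
 * All "model_" names are hypothetical stand-ins for bio_map_user_iov,
 * bio_add_pc_page and bio_unmap_user; they are not the kernel's code.
 */
#define MODEL_MAX_VECS 2   /* tiny so that a "bio full" failure is easy to trigger */

struct model_page { int refcount; };

/* one segment of a user I/O vector (a buffer), and one bio_vec entry */
struct model_seg  { struct model_page *page; unsigned offset, len; };
struct model_bvec { struct model_page *page; unsigned offset, len; };

struct model_bio {
    int vcnt;
    struct model_bvec vecs[MODEL_MAX_VECS];
};

static void model_get_page(struct model_page *p) { p->refcount++; }
static void model_put_page(struct model_page *p) { p->refcount--; }

/* Like bio_add_pc_page: if the buffer is contiguous with the last bvec on the
 * same page, merge it into that bvec; otherwise start a new one.
 * Returns the bytes added, or 0 when the bio is full. */
static unsigned model_add_pc_page(struct model_bio *bio, struct model_page *page,
                                  unsigned len, unsigned offset)
{
    if (bio->vcnt > 0) {
        struct model_bvec *prev = &bio->vecs[bio->vcnt - 1];
        if (prev->page == page && prev->offset + prev->len == offset) {
            prev->len += len;          /* merged: no new bvec, no new owner */
            return len;
        }
    }
    if (bio->vcnt == MODEL_MAX_VECS)
        return 0;
    bio->vecs[bio->vcnt].page = page;
    bio->vecs[bio->vcnt].offset = offset;
    bio->vecs[bio->vcnt].len = len;
    bio->vcnt++;
    return len;
}

/* Like bio_unmap_user: drops exactly one reference per bvec. */
static void model_unmap(struct model_bio *bio)
{
    for (int i = 0; i < bio->vcnt; i++)
        model_put_page(bio->vecs[i].page);
    bio->vcnt = 0;
}

/* Pre-fix shape: one get per buffer, but merged buffers share a bvec, and a
 * failed add simply returns, abandoning every reference taken so far. */
static int model_map_buggy(struct model_bio *bio, const struct model_seg *segs, int n)
{
    bio->vcnt = 0;
    for (int i = 0; i < n; i++) {
        model_get_page(segs[i].page);
        if (model_add_pc_page(bio, segs[i].page, segs[i].len, segs[i].offset) != segs[i].len)
            return -1;                 /* references taken so far are leaked */
    }
    return 0;
}

/* Post-fix shape: a buffer that merged into the previous bvec gives its extra
 * reference back immediately, and the failure exit releases the current page
 * plus everything already in the bio (the "analogue of bio_unmap_pages"). */
static int model_map_fixed(struct model_bio *bio, const struct model_seg *segs, int n)
{
    bio->vcnt = 0;
    for (int i = 0; i < n; i++) {
        int prev_vcnt = bio->vcnt;
        model_get_page(segs[i].page);
        if (model_add_pc_page(bio, segs[i].page, segs[i].len, segs[i].offset) != segs[i].len) {
            model_put_page(segs[i].page);
            model_unmap(bio);
            return -1;
        }
        if (bio->vcnt == prev_vcnt)    /* merged: the existing bvec already owns a reference */
            model_put_page(segs[i].page);
    }
    return 0;
}

typedef int (*model_map_fn)(struct model_bio *, const struct model_seg *, int);

/* Constructed scenario 1: three 512-byte buffers back to back in one page.
 * Returns the references still held after map + unmap (0 means no leak). */
static int model_leak_after_merge(model_map_fn map)
{
    struct model_page pg = { 0 };
    struct model_seg segs[3] = { { &pg, 0, 512 }, { &pg, 512, 512 }, { &pg, 1024, 512 } };
    struct model_bio bio;
    if (map(&bio, segs, 3) == 0)
        model_unmap(&bio);
    return pg.refcount;
}

/* Constructed scenario 2: three buffers on three different pages, so the third
 * add fails because the bio is full. Returns the total references still held. */
static int model_leak_after_failure(model_map_fn map)
{
    struct model_page pg[3] = { { 0 }, { 0 }, { 0 } };
    struct model_seg segs[3] = { { &pg[0], 0, 512 }, { &pg[1], 0, 512 }, { &pg[2], 0, 512 } };
    struct model_bio bio;
    if (map(&bio, segs, 3) == 0)
        model_unmap(&bio);
    return pg[0].refcount + pg[1].refcount + pg[2].refcount;
}

int main(void)
{
    printf("merge leak:   buggy=%d fixed=%d\n",
           model_leak_after_merge(model_map_buggy), model_leak_after_merge(model_map_fixed));
    printf("failure leak: buggy=%d fixed=%d\n",
           model_leak_after_failure(model_map_buggy), model_leak_after_failure(model_map_fixed));
    return 0;
}
```

The model makes the invariant explicit: the bio must end up owning exactly one reference per bvec, because that is all the unmap path will ever release. Any reference taken that does not end up owned by a bvec, whether because the buffer merged or because the mapping aborted, has to be returned on the spot, which is why the "before" accounting leaks two references per extra buffer in the merge case and every reference in the failure case.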
Dec 14 2017

Dec 14 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 20 2017

Dec 20 2017
Approving merge to M64 Chrome OS.
Dec 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c89b643449b353c50865fac80031ede9a24afc67

commit c89b643449b353c50865fac80031ede9a24afc67
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Wed Dec 20 23:20:50 2017

BACKPORT: more bio_map_user_iov() leak fixes

we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio.

BUG= chromium:794126
TEST=Build and run

Change-Id: Ie01803c9cce05570094ef4a06db2d242e22ba00a
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2b04e8f6bbb1)
Reviewed-on: https://chromium-review.googlesource.com/825777

[modify] https://crrev.com/c89b643449b353c50865fac80031ede9a24afc67/block/bio.c
Dec 20 2017

Dec 21 2017

Mar 27 2018

Mar 29 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Dec 12 2017

Labels: M-64 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commits 2b04e8f6bbb1 ("more bio_map_user_iov() leak fixes") and 95d78c28b5a85 ("fix unbalanced page refcounting in bio_map_user_iov"). Both already fixed in chromeos-4.14. 95d78c28b5a85 is already fixed in chromeos-4.4, but not 2b04e8f6bbb1 (presumably due to a conflict). Will fix 2b04e8f6bbb1 in chromeos-4.4. WontFix for older kernels (too many changes, too risky).