Issue metadata
CVE-2017-17712 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-17712
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-17712
CVSS severity score: 6.9/10.0

Description: The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel through 4.14.6 has a race condition in inet->hdrincl that leads to uninitialized stack pointer usage; this allows a local user to execute code and gain privileges.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jan 2 2018
Fix will be pulled into chromeos-4.14 with merge of v4.14.11, and into chromeos-4.4 with merge of v4.4.109. Will pull in through merge to avoid conflicts.
Jan 10 2018
Merge request is for chromeos-4.4 only.
Jan 10 2018
This bug requires manual review: We are only 12 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2cbee1af2bec3f32a3ea1d33822efc2e937c1fd1

commit 2cbee1af2bec3f32a3ea1d33822efc2e937c1fd1
Author: Mohamed Ghannam <simo.ghannam@gmail.com>
Date: Wed Jan 17 01:40:07 2018

BACKPORT: net: ipv4: fix for a race condition in raw_sendmsg

[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]

inet->hdrincl is racy, and could lead to uninitialized stack pointer usage, so its value should be read only once.

BUG=chromium:798133
TEST=Build and run

Change-Id: I961423eee8404786e2c84b8bb4b3354e259bf1af
Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts:
	net/ipv4/raw.c
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit be27b620a861)
Reviewed-on: https://chromium-review.googlesource.com/860563

[modify] https://crrev.com/2cbee1af2bec3f32a3ea1d33822efc2e937c1fd1/net/ipv4/raw.c
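To make the "read only once" point of the commit message concrete, here is an added example that is not part of the issue, the kernel, or the linked commit: a constructed user-space model in C of the double-read pattern that the advisory and the commit describe, showing the racy shape next to the fixed one. The names `model_sock`, `model_frag_vec`, `raw_sendmsg_racy`, `raw_sendmsg_fixed`, `run_scenario` and the writer hook are all invented for the model; the interleaving that matters (a concurrent clear of `hdrincl` between the two reads) is injected deterministically through the hook instead of being left to thread scheduling.

```c
/* Constructed model of the double-read race in raw_sendmsg() fixed by
 * upstream commit 8f659a03a0ba. Not kernel code: the socket, the hdrincl
 * flag and the concurrent writer are simulated so the harmful interleaving
 * can be reproduced on demand. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the part of struct inet_sock the bug concerns. */
struct model_sock {
    int hdrincl;  /* toggled by setsockopt(IP_HDRINCL) in the real kernel */
};

/* Stand-in for the on-stack fragment vector that the real function fills
 * in only on the non-hdrincl path and then hands to ip_append_data(). */
struct model_frag_vec {
    const void *msg;   /* would be the msghdr pointer in the kernel */
    bool initialised;  /* model-only bookkeeping */
};

/* Hook standing in for a concurrent setsockopt() caller on another CPU. */
typedef void (*writer_hook)(struct model_sock *);

enum send_outcome {
    OUTCOME_HDRINC_PATH,        /* header-included path, no frag vec needed */
    OUTCOME_APPEND_PATH_OK,     /* append path with an initialised frag vec */
    OUTCOME_UNINITIALISED_USE,  /* append path with an uninitialised frag vec */
};

/* Vulnerable shape: the flag is read twice. If the writer clears it between
 * the reads, the second branch consumes a frag vec that the first branch
 * never filled in (the advisory's "uninitialized stack pointer usage"). */
enum send_outcome raw_sendmsg_racy(struct model_sock *sk, const void *msg,
                                   writer_hook concurrent_writer)
{
    struct model_frag_vec rfv = { .msg = NULL, .initialised = false };

    if (!sk->hdrincl) {              /* first read */
        rfv.msg = msg;
        rfv.initialised = true;
    }
    if (concurrent_writer)
        concurrent_writer(sk);       /* simulated racing setsockopt() */
    if (sk->hdrincl)                 /* second read; may disagree with the first */
        return OUTCOME_HDRINC_PATH;
    return rfv.initialised ? OUTCOME_APPEND_PATH_OK : OUTCOME_UNINITIALISED_USE;
}

/* Fixed shape, following the upstream change: snapshot the flag once into a
 * local and base every later decision on that snapshot. */
enum send_outcome raw_sendmsg_fixed(struct model_sock *sk, const void *msg,
                                    writer_hook concurrent_writer)
{
    struct model_frag_vec rfv = { .msg = NULL, .initialised = false };
    int hdrincl = sk->hdrincl;       /* the single read */

    if (!hdrincl) {
        rfv.msg = msg;
        rfv.initialised = true;
    }
    if (concurrent_writer)
        concurrent_writer(sk);       /* writer still runs, but is never re-read */
    if (hdrincl)
        return OUTCOME_HDRINC_PATH;
    return rfv.initialised ? OUTCOME_APPEND_PATH_OK : OUTCOME_UNINITIALISED_USE;
}

/* Simulated concurrent setsockopt(IP_HDRINCL, 0). */
void clear_hdrincl(struct model_sock *sk) { sk->hdrincl = 0; }

/* Runs one scenario on a fresh constructed socket and returns the outcome. */
enum send_outcome run_scenario(int initial_hdrincl, bool use_fixed, bool with_writer)
{
    struct model_sock sk = { .hdrincl = initial_hdrincl };
    const char payload[] = "constructed datagram";
    writer_hook hook = with_writer ? clear_hdrincl : NULL;

    return use_fixed ? raw_sendmsg_fixed(&sk, payload, hook)
                     : raw_sendmsg_racy(&sk, payload, hook);
}

int main(void)
{
    /* Without a racing writer both shapes agree; with one, only the racy
     * shape reaches the append path holding an uninitialised frag vec. */
    printf("racy,  no writer: %d\n", run_scenario(1, false, false));
    printf("racy,  writer   : %d\n", run_scenario(1, false, true));
    printf("fixed, writer   : %d\n", run_scenario(1, true, true));
    return 0;
}
```

The model only tracks whether the vector was initialised; in the real function the consequence is a dereference of stack garbage, which is why the upstream fix is a single read rather than a lock around the two reads.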
Apr 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Dec 30 2017
Labels: M-64 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg"). Fixes c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt"). chromeos-4.4 and later are affected.