CVE-2017-18017 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2017-18017
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18017
CVSS severity score: 10/10.0
Description: The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jan 19 2018
Jan 19 2018
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/412ff9668fa6429cf83e8217f1d1b02da824722b

commit 412ff9668fa6429cf83e8217f1d1b02da824722b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Jan 19 22:04:56 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
(cherry picked from commit 0f465f72253fe2e10fb80deeea93f1e5698c62d7)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/876490

[modify] https://crrev.com/412ff9668fa6429cf83e8217f1d1b02da824722b/net/netfilter/xt_TCPMSS.c
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/00a8a0f4d241819d80ed936e8bb69bdbd392e59e

commit 00a8a0f4d241819d80ed936e8bb69bdbd392e59e
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Jan 19 22:04:57 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
(cherry picked from commit 7a07429b0a4705aa258e14c5d958da1ddb327cf2)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/876491

[modify] https://crrev.com/00a8a0f4d241819d80ed936e8bb69bdbd392e59e/net/netfilter/xt_TCPMSS.c
Jan 19 2018
chromeos-3.18 and older are all affected. chromeos-3.10 and chromeos-3.8 need an additional patch (upstream 71ffe9c77dd7) to fix other vulnerabilities in the same code.
Jan 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/359b9d663990c2e514c39c5a8148a31360bbdcdf

commit 359b9d663990c2e514c39c5a8148a31360bbdcdf
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jan 20 01:18:04 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/875883

[modify] https://crrev.com/359b9d663990c2e514c39c5a8148a31360bbdcdf/net/netfilter/xt_TCPMSS.c
Jan 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1b1028333cd43e743df98acccd9f66e496596015

commit 1b1028333cd43e743df98acccd9f66e496596015
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat Jan 20 01:17:55 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
Reviewed-on: https://chromium-review.googlesource.com/876488
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/1b1028333cd43e743df98acccd9f66e496596015/net/netfilter/xt_TCPMSS.c
Jan 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f972ea4455d7774a10952cbb8be7376f7be3176f

commit f972ea4455d7774a10952cbb8be7376f7be3176f
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jan 20 01:17:56 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/876489

[modify] https://crrev.com/f972ea4455d7774a10952cbb8be7376f7be3176f/net/netfilter/xt_TCPMSS.c
Jan 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c42b364028a3e2873a3f40591abc32523abc1937

commit c42b364028a3e2873a3f40591abc32523abc1937
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jan 20 01:18:14 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/876486
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/c42b364028a3e2873a3f40591abc32523abc1937/net/netfilter/xt_TCPMSS.c
Jan 20 2018
Jan 20 2018
This bug requires manual review: We are only 2 days from stable. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jan 20 2018
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.
If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jan 20 2018
Jan 21 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4497e67587aebf819ed3b9cf9f4a377f03089e12

commit 4497e67587aebf819ed3b9cf9f4a377f03089e12
Author: Eric Dumazet <edumazet@google.com>
Date: Sun Jan 21 02:47:14 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/877587

[modify] https://crrev.com/4497e67587aebf819ed3b9cf9f4a377f03089e12/net/netfilter/xt_TCPMSS.c
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2c60136e9476e6afc66d17932c5586c3d9fdd206

commit 2c60136e9476e6afc66d17932c5586c3d9fdd206
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun Jan 21 02:47:26 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
(cherry picked from commit 0f465f72253fe2e10fb80deeea93f1e5698c62d7)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/877585

[modify] https://crrev.com/2c60136e9476e6afc66d17932c5586c3d9fdd206/net/netfilter/xt_TCPMSS.c
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b94bbda41b64bc141c17d3309b39375f8642ea04

commit b94bbda41b64bc141c17d3309b39375f8642ea04
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun Jan 21 02:47:45 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
Reviewed-on: https://chromium-review.googlesource.com/877586

[modify] https://crrev.com/b94bbda41b64bc141c17d3309b39375f8642ea04/net/netfilter/xt_TCPMSS.c
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/32e8729786d00bbb957d501a9c0da93f64adde70

commit 32e8729786d00bbb957d501a9c0da93f64adde70
Author: Eric Dumazet <edumazet@google.com>
Date: Sun Jan 21 02:48:23 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/877588

[modify] https://crrev.com/32e8729786d00bbb957d501a9c0da93f64adde70/net/netfilter/xt_TCPMSS.c
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7a249c06adf91f61d3e188b07caffd895a1ac73f

commit 7a249c06adf91f61d3e188b07caffd895a1ac73f
Author: Eric Dumazet <edumazet@google.com>
Date: Sun Jan 21 03:41:58 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/877587
(cherry picked from commit 4497e67587aebf819ed3b9cf9f4a377f03089e12)
Reviewed-on: https://chromium-review.googlesource.com/877589

[modify] https://crrev.com/7a249c06adf91f61d3e188b07caffd895a1ac73f/net/netfilter/xt_TCPMSS.c
Jan 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5013230d712faaf8c070ee2ad02691999afbd08c

commit 5013230d712faaf8c070ee2ad02691999afbd08c
Author: Eric Dumazet <edumazet@google.com>
Date: Sun Jan 21 03:42:01 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/877587
(cherry picked from commit 4497e67587aebf819ed3b9cf9f4a377f03089e12)
Reviewed-on: https://chromium-review.googlesource.com/877590

[modify] https://crrev.com/5013230d712faaf8c070ee2ad02691999afbd08c/net/netfilter/xt_TCPMSS.c
Jan 22 2018
Jan 22 2018
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/15a3b7998c8416a69f1f404309ff8990e1ffc91a

commit 15a3b7998c8416a69f1f404309ff8990e1ffc91a
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jan 22 18:26:31 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/875884

[modify] https://crrev.com/15a3b7998c8416a69f1f404309ff8990e1ffc91a/net/netfilter/xt_TCPMSS.c
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6f56701bc696772d64bf71a96d3c73489dc2e49b

commit 6f56701bc696772d64bf71a96d3c73489dc2e49b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Jan 22 18:26:34 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
(cherry picked from commit 0f465f72253fe2e10fb80deeea93f1e5698c62d7)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/875887

[modify] https://crrev.com/6f56701bc696772d64bf71a96d3c73489dc2e49b/net/netfilter/xt_TCPMSS.c
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0beec1ab284056016e3e5f745cdcc6da39c45a8a

commit 0beec1ab284056016e3e5f745cdcc6da39c45a8a
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon Jan 22 18:26:36 2018

UPSTREAM: netfilter: xt_TCPMSS: fix handling of malformed TCP header and options

Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times.

This patch also fixes a possible off by one in case of malformed TCP options.

BUG= chromium:803812
TEST=Build and run

Change-Id: I956100476415c1c01908768c60c30c82d7fdf78c
Reported-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 71ffe9c77dd7a2b62207953091efa8dafec958dd)
Reviewed-on: https://chromium-review.googlesource.com/875886

[modify] https://crrev.com/0beec1ab284056016e3e5f745cdcc6da39c45a8a/net/netfilter/xt_TCPMSS.c
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0e3ba69b8ed9921bd982c10581f274dbc24a2c3e

commit 0e3ba69b8ed9921bd982c10581f274dbc24a2c3e
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jan 22 18:55:30 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/879162

[modify] https://crrev.com/0e3ba69b8ed9921bd982c10581f274dbc24a2c3e/net/netfilter/xt_TCPMSS.c
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2abd4986393d11e285b38580c389ae37e94d4941

commit 2abd4986393d11e285b38580c389ae37e94d4941
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jan 22 18:55:48 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/875885

[modify] https://crrev.com/2abd4986393d11e285b38580c389ae37e94d4941/net/netfilter/xt_TCPMSS.c
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/139680aff9aac40fed52b675fe0d7057efe7a2de

commit 139680aff9aac40fed52b675fe0d7057efe7a2de
Author: Eric Dumazet <edumazet@google.com>
Date: Mon Jan 22 18:56:00 2018

UPSTREAM: netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS.

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact.

BUG= chromium:803812
TEST=Build and run

Change-Id: I2a9ae6a021a3a4ceeb2421ad7b118b1b3ccea8db
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3)
Reviewed-on: https://chromium-review.googlesource.com/879163

[modify] https://crrev.com/139680aff9aac40fed52b675fe0d7057efe7a2de/net/netfilter/xt_TCPMSS.c
Jan 22 2018
Feb 8 2018
Mar 27 2018
May 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Jan 19 2018
Labels: M-64 Security_Severity-Critical Security_Impact-Stable Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream 2638fd0f92d4397884fd991d8f4925cb3 ("netfilter: xt_TCPMSS: add more sanity tests on tcph->doff"). Fixed in chromeos-4.4 since v4.4.76. chromeos-4.14 is not affected. Fixed in v3.18.y stable release, but not in chromeos-3.18. Functionality is enabled in chromeos-3.18. chromeos-3.18 and possibly earlier are affected.
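The two upstream patches tracked in this bug describe three checks on an incoming TCP header: the buffer must actually contain doff*4 bytes, doff*4 must be at least the 20-byte fixed header, and the option walk (and any later write of doff) must stay within those bounds. The following user-space model is an added example written for this page; it is not the kernel's xt_TCPMSS.c and does not use the skb API. The TCP header layout it relies on (doff in the high nibble of byte 12, options starting at byte 20, doff being a 4-bit field) is the real wire format; the function names, the packet builder and the constructed packets are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: user-space model of the doff sanity checks. */

#define TCP_MIN_HDRLEN 20          /* fixed part of a TCP header */
#define TCP_MAX_HDRLEN (15 * 4)    /* doff is 4 bits, so at most 60 bytes */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2
#define TCPOLEN_MSS 4

static size_t tcp_doff_bytes(const uint8_t *tcph)
{
    return (size_t)(tcph[12] >> 4) * 4;   /* tcph->doff * 4 */
}

/* Validate the header before touching any option byte. Returns the header
   length in bytes, or -1 when the buffer is shorter than the fixed header,
   doff claims fewer than 20 bytes, or the buffer is shorter than doff*4. */
int tcp_header_len_checked(const uint8_t *tcph, size_t len)
{
    size_t tcp_hdrlen;

    if (len < TCP_MIN_HDRLEN)
        return -1;
    tcp_hdrlen = tcp_doff_bytes(tcph);   /* computed once, reused below */
    if (tcp_hdrlen < TCP_MIN_HDRLEN || len < tcp_hdrlen)
        return -1;
    return (int)tcp_hdrlen;
}

/* Walk the option list looking for MSS. Returns the MSS value, 0 if absent,
   -1 if the header or an option is malformed. Every read of opt[i..i+3] is
   guarded by i + TCPOLEN_MSS <= tcp_hdrlen, so nothing past the header is
   ever read, which is the class of off-by-one the first patch describes. */
int tcp_find_mss(const uint8_t *tcph, size_t len)
{
    int hl = tcp_header_len_checked(tcph, len);
    size_t tcp_hdrlen, i;

    if (hl < 0)
        return -1;
    tcp_hdrlen = (size_t)hl;
    for (i = TCP_MIN_HDRLEN; i + TCPOLEN_MSS <= tcp_hdrlen; ) {
        size_t optlen;

        if (tcph[i] == TCPOPT_EOL)
            break;
        if (tcph[i] == TCPOPT_NOP) {
            i++;
            continue;
        }
        optlen = tcph[i + 1];
        /* optlen < 2 would never advance; an option past doff*4 overruns */
        if (optlen < 2 || i + optlen > tcp_hdrlen)
            return -1;
        if (tcph[i] == TCPOPT_MSS && optlen == TCPOLEN_MSS)
            return (tcph[i + 2] << 8) | tcph[i + 3];
        i += optlen;
    }
    return 0;
}

/* Before appending a 4-byte MSS option, make sure doff cannot wrap: it is a
   4-bit field, so a 60-byte header plus one more word would read back as
   doff 0. Returns 1 if appending is safe, 0 otherwise. */
int tcp_can_append_mss(const uint8_t *tcph, size_t len)
{
    int hl = tcp_header_len_checked(tcph, len);

    if (hl < 0)
        return 0;
    return (size_t)hl + TCPOLEN_MSS <= TCP_MAX_HDRLEN;
}

/* Constructed packet builder: zero a 60-byte buffer, set doff, copy the
   options to offset 20. Returns doff*4 so callers can pass a matching len. */
size_t build_tcp_header(uint8_t buf[TCP_MAX_HDRLEN], unsigned doff,
                        const uint8_t *opts, size_t optlen)
{
    memset(buf, 0, TCP_MAX_HDRLEN);
    buf[12] = (uint8_t)((doff & 0xf) << 4);
    if (opts && optlen)
        memcpy(buf + TCP_MIN_HDRLEN, opts, optlen);
    return (size_t)(doff & 0xf) * 4;
}

/* Constructed scenarios: each builds one packet and returns the verdict. */
int scenario(int id)
{
    static const uint8_t mss1460[] = { TCPOPT_MSS, TCPOLEN_MSS, 0x05, 0xb4 };
    static const uint8_t nop_mss[] = { TCPOPT_NOP, TCPOPT_NOP,
                                       TCPOPT_MSS, TCPOLEN_MSS, 0x05, 0xb4 };
    static const uint8_t zero_len[] = { TCPOPT_MSS, 0, 0, 0 };
    uint8_t pkt[TCP_MAX_HDRLEN];
    size_t hl;

    switch (id) {
    case 0: /* well-formed 24-byte header carrying MSS 1460 */
        hl = build_tcp_header(pkt, 6, mss1460, sizeof mss1460);
        return tcp_find_mss(pkt, hl);
    case 1: /* same header, but only 20 bytes of it present in the buffer */
        hl = build_tcp_header(pkt, 6, mss1460, sizeof mss1460);
        return tcp_find_mss(pkt, TCP_MIN_HDRLEN);
    case 2: /* doff claims an 8-byte header, shorter than the fixed part */
        build_tcp_header(pkt, 2, NULL, 0);
        return tcp_header_len_checked(pkt, TCP_MAX_HDRLEN);
    case 3: /* option with length 0: would spin forever if trusted */
        hl = build_tcp_header(pkt, 6, zero_len, sizeof zero_len);
        return tcp_find_mss(pkt, hl);
    case 4: /* 60-byte header: appending an MSS option would wrap doff */
        hl = build_tcp_header(pkt, 15, NULL, 0);
        return tcp_can_append_mss(pkt, hl);
    case 5: /* NOP padding before MSS in a 28-byte header */
        hl = build_tcp_header(pkt, 7, nop_mss, sizeof nop_mss);
        return tcp_find_mss(pkt, hl);
    default:
        return -2;
    }
}

int main(void)
{
    static const char *names[] = { "well-formed MSS", "truncated buffer",
        "doff too small", "zero option length", "doff would wrap",
        "NOP-padded MSS" };
    int i;

    for (i = 0; i < 6; i++)
        printf("%-20s -> %d\n", names[i], scenario(i));
    return 0;
}
```

The ordering matters: `tcp_header_len_checked` runs before any option byte is dereferenced, and the option loop bounds itself on the validated `tcp_hdrlen` rather than on the buffer length, so a packet whose doff is inconsistent with its actual size is rejected instead of being parsed. The doff-wrap check in `tcp_can_append_mss` is the separate condition the second patch adds: a header can be perfectly well formed and still have no room for another option word.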