
Issue 813013

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




CVE-2018-5703 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Feb 16 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2018-5703
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-5703
  CVSS severity score: 10/10.0
  Description:

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11 allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via vectors involving TLS.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.


Comment 1 by zsm@google.com, Feb 16 2018

Fix has not been submitted upstream yet. From the list, as "tls: Use correct sk->sk_prot for IPV6" (https://patchwork.ozlabs.org/patch/801530/).

Fix required for 4.14. Other kernels do not seem to have TLS support under net.

Comment 2 by groeck@chromium.org, Feb 16 2018

Cc: wonderfly@google.com
Labels: Security_Severity-Critical M-66 Security_Impact-Head Pri-1
Owner: groeck@chromium.org
Status: ExternalDependency (was: Untriaged)
Marking as Security_Impact-Head and Pri=1 since we don't have any shipping images on chromeos-4.14. The patchwork state is "Changes Requested". Instead of hurrying in a less than perfect fix, let's wait a bit to see if we can pull a final version.

Comment 3 by groeck@chromium.org, Feb 16 2018

Labels: -Pri-1 -Security_Impact-Head Security_Impact-None Pri-2
CONFIG_TLS is currently not enabled in our images, so we can wait for a proper upstream fix. Marking as Pri=2 and Security_Impact-None.
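A defender-side check for the condition comment 3 relies on, added here as an example and not part of this issue thread: it reads CONFIG_TLS from kernel config text (sample configs are constructed and embedded) and, for the running system, falls back to the standard /proc/config.gz, /boot/config-$(uname -r) and /proc/modules paths to report whether the in-kernel TLS ULP that CVE-2018-5703 requires is present at all.

```shell
#!/bin/sh
# Added example, not part of the bug tracker thread: is the in-kernel TLS ULP
# built at all? (comment 3: no CONFIG_TLS => CVE-2018-5703 is not reachable)

# Report how CONFIG_TLS is set in kernel config text read from stdin:
# "builtin" (=y), "module" (=m) or "disabled" (unset / "is not set").
tls_config_state() {
    # tail guards against duplicate lines in hand-edited config fragments
    case "$(grep -E '^CONFIG_TLS=' | tail -n 1)" in
        CONFIG_TLS=y) echo builtin ;;
        CONFIG_TLS=m) echo module ;;
        *)            echo disabled ;;
    esac
}

# Locate the config of the running kernel: /proc/config.gz when
# CONFIG_IKCONFIG_PROC is on, otherwise the distro's /boot copy.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Exit 0 when the in-kernel TLS ULP is present right now: either built
# in, or the tls module is loaded (visible in /proc/modules).
tls_ulp_present() {
    state=$(running_kernel_config | tls_config_state) || state=unknown
    [ "$state" = builtin ] && return 0
    grep -qE '^tls ' /proc/modules 2>/dev/null
}

# Constructed sample configs for demonstration.
CFG_DISABLED='CONFIG_NET=y
# CONFIG_TLS is not set
CONFIG_IPV6=y'
CFG_MODULE='CONFIG_NET=y
CONFIG_TLS=m'

printf 'sample 1: %s\n' "$(printf '%s\n' "$CFG_DISABLED" | tls_config_state)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$CFG_MODULE" | tls_config_state)"
if tls_ulp_present; then
    echo 'running kernel: TLS ULP present, CVE-2018-5703 exposure needs assessing'
else
    echo 'running kernel: TLS ULP not present (the reasoning in comment 3)'
fi
```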

Comment 4 by groeck@chromium.org, Feb 16 2018

The upstream code has changed significantly since https://patchwork.ozlabs.org/patch/801530/ was submitted. Yet, the most recent reference on the syzkaller mailing list suggests that the problem may persist.

Comment 5 by groeck@chromium.org, Feb 23 2018

Queried upstream if there are plans to add TCPv6 support to TLS, or at least to block attempts to use in-kernel TLS with TCPv6. Waiting for feedback to determine if it makes sense to keep the bug open.

Comment 6 by groeck@chromium.org, Feb 27 2018

Fix has been accepted upstream and is queued for -stable.

In linux-next: commit c113187d38ff ("tls: Use correct sk->sk_prot for IPV6")


Comment 8 by groeck@chromium.org, Apr 16 2018

Status: WontFix (was: ExternalDependency)
Fix has landed in mainline and in linux-4.15.y more than a month ago. There appears to be no plan to apply the fix to linux-4.14.y. Since it does not affect us, closing as WontFix.
