Issue 817311

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security
CVE-2014-8171 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Feb 28 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2014-8171
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2014-8171
  CVSS severity score: 4.9/10.0
  Description:

The memory resource controller (aka memcg) in the Linux kernel allows local users to cause a denial of service (deadlock) by spawning new processes within a memory-constrained cgroup.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by zsm@chromium.org, Feb 28 2018

Labels: Security_Severity-Medium Security_Impact-Beta M-65 Pri-2
Owner: zsm@chromium.org
Status: Started (was: Untriaged)
The fixes for this are as follows; details here: https://bugzilla.redhat.com/show_bug.cgi?id=1198109

- 759496ba ("arch: mm: pass userspace fault flag to generic fault handler")
- 3a13c4d7 ("x86: finish user fault error path with fatal signal")
- 519e5247 ("mm: memcg: enable memcg OOM killer only for user faults")
- fb2a6fc5 ("mm: memcg: rework and document OOM waiting and wakeup")
- 3812c8c8 ("mm: memcg: do not trap chargers with full callstack on OOM")
- 49426420 ("mm: memcg: handle non-error OOM situations more gracefully")
- 84235de3 ("fs: buffer: move allocation failure loop into the allocator")
- a0d8b00a ("mm: memcg: do not declare OOM from __GFP_NOFAIL allocations")
- 1f14c1ac ("mm: memcg: do not allow task about to OOM kill to bypass the limit")
- 3168ecbe ("mm: memcg: use proper memcg in limit bypass")

These patches are present on 4.14, 4.4, 3.18, 3.14.
These patches are not found on 3.10, 3.8.

Comment 2 by zsm@chromium.org, Feb 28 2018

One other patch is related but does not necessarily have to be applied:
- 0772dac1dc2 ("arch/parisc/mm/fault.c: fix uninitialized variable usage")
Comment 3 by sheriffbot@chromium.org, Feb 28 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org, Feb 28 2018

Labels: -Pri-2 Pri-1

Comment 5 by groeck@chromium.org, Feb 28 2018

Cc: wonderfly@google.com
Labels: -Pri-1 -Security_Impact-Beta -ReleaseBlock-Stable Security_Impact-Stable Pri-2
Per our CVE severity guidelines, this does not block stable releases. Also, there is nothing to revert, other than the decision to use the Linux kernel. Updating priority and impact per guidelines. Dropping ReleaseBlock. sheriffbot, please remain silent.

Labels: -Security_Severity-Medium Security_Severity-Low
Let's downgrade to severity low since this is just a DoS and hard to exploit on Chrome OS. That should calm down sheriffbot :)

Comment 7 by zsm@google.com, Feb 28 2018

Status: WontFix (was: Started)
The patches do not cleanly apply on the older kernels. Given the severity, it might be better to not apply these patches in favor of ease of maintenance over the longer term. Closing this bug as WontFix.
Cc: rkolchmeyer@google.com