CVE-2017-18174 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-18174
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18174
CVSS severity score: 7.5/10.0

Description:
In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Mar 14 2018
#1: Yes, I believe the assumption is that one already has local code execution.
The fix 251e22ab("pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration") is present on 4.14.
The patch is not present on 4.4.
The patch is not required for kernels from 3.8, 3.10, 3.14, 3.18 as the double-free causing code does not seem to be present.
Patches would need to be applied in the following order:
80e0f8d94("pinctrl: Add devm_ apis for pinctrl_{register, unregister}")
3024f920e("pinctrl: zynq: Use devm_pinctrl_register() for pinctrl registration")
251e22abd("pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration")
Mar 14 2018
We are not shipping zynq or amd products in 4.4, so it should not be necessary to apply this patch to stable releases.
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/efef4b62717eef9e21f18ad802030837f09006bf

commit efef4b62717eef9e21f18ad802030837f09006bf
Author: Laxman Dewangan <ldewangan@nvidia.com>
Date: Wed Mar 21 17:53:23 2018

UPSTREAM: pinctrl: Add devm_ apis for pinctrl_{register, unregister}

Add device managed APIs devm_pinctrl_register() and devm_pinctrl_unregister() for the APIs pinctrl_register() and pinctrl_unregister().

This helps in reducing code in error path and sometimes removal of .remove callback for driver unbind.

BUG= chromium:821334
TEST=None
CQ-DEPEND=CL:968517

Change-Id: I7997a7e7d137ca583bd49cf3abd1673acd021ab6
Signed-off-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 80e0f8d94d3090f0f7bf3faf3e6180e920ee0d22)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968516
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/efef4b62717eef9e21f18ad802030837f09006bf/include/linux/pinctrl/pinctrl.h
[modify] https://crrev.com/efef4b62717eef9e21f18ad802030837f09006bf/drivers/pinctrl/core.c
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a283de2b38da7c69811692ebb0de0d3fa5bcac92

commit a283de2b38da7c69811692ebb0de0d3fa5bcac92
Author: Laxman Dewangan <ldewangan@nvidia.com>
Date: Wed Mar 21 17:53:25 2018

UPSTREAM: pinctrl: zynq: Use devm_pinctrl_register() for pinctrl registration

Use devm_pinctrl_register() for pin control registration and remove the need of .remove callback.

BUG= chromium:821334
TEST=None
CQ-DEPEND=CL:968516

Change-Id: I6aa0fafda49ab7b36c360311cc1eee488b66bff9
Signed-off-by: Laxman Dewangan <ldewangan@nvidia.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Sören Brinkmann <soren.brinkmann@xilinx.com>
Cc: linux-gpio@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Acked-by: Sören Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 3024f920eb5f6e60453d035f26ec963c7126f517)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968517
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/a283de2b38da7c69811692ebb0de0d3fa5bcac92/drivers/pinctrl/pinctrl-zynq.c
[modify] https://crrev.com/a283de2b38da7c69811692ebb0de0d3fa5bcac92/drivers/pinctrl/core.c
Mar 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2ad7d2bc0314a5ab66634eb6a05f08856787e455

commit 2ad7d2bc0314a5ab66634eb6a05f08856787e455
Author: Laxman Dewangan <ldewangan@nvidia.com>
Date: Wed Mar 21 20:25:49 2018

UPSTREAM: pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration

Use devm_pinctrl_register() for pin control registration and clean error path.

BUG= chromium:821334
TEST=None

Change-Id: I55dcdd1e2f61160251ee7096b192522e06dcd723
Signed-off-by: Laxman Dewangan <ldewangan@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 251e22abde21833b3d29577e4d8c7aaccd650eee)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968518
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/2ad7d2bc0314a5ab66634eb6a05f08856787e455/drivers/pinctrl/pinctrl-amd.c
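A way to confirm on a kernel branch that the three fixes named in this thread are present and landed in the stated order, as an added example that is not part of the original issue. The helper names `backport_status` and `sample_log` and the log format are assumptions of this example; the hashes are the ones quoted on this page.

```shell
#!/bin/sh
# Upstream commits in the order given in the thread (hashes from this page).
REQUIRED="80e0f8d94d3090f0f7bf3faf3e6180e920ee0d22
3024f920eb5f6e60453d035f26ec963c7126f517
251e22abde21833b3d29577e4d8c7aaccd650eee"

# backport_status (hypothetical helper): reads an oldest-first log on stdin,
# produced with: git log --reverse --format='commit %H%n%B'
# A fix counts as present if the branch holds the upstream commit itself or a
# commit carrying its "(cherry picked from commit <sha>)" trailer.
# Returns 0 only if all three are present in the required order.
backport_status() {
    log=$(cat)
    prev=0
    rc=0
    for sha in $REQUIRED; do
        short=$(printf '%.12s' "$sha")
        line=$(printf '%s\n' "$log" |
            grep -n -E "^(commit $sha|\(cherry picked from commit $sha\))\$" |
            head -n 1 | cut -d: -f1)
        if [ -z "$line" ]; then
            echo "$short MISSING"; rc=1
        elif [ "$line" -lt "$prev" ]; then
            echo "$short OUT-OF-ORDER"; rc=1
        else
            echo "$short present"; prev=$line
        fi
    done
    return $rc
}

# Constructed sample: abbreviated log of a branch after the three
# cherry-picks recorded in this thread (subjects and trailers only).
sample_log() {
cat <<'EOF'
commit efef4b62717eef9e21f18ad802030837f09006bf
UPSTREAM: pinctrl: Add devm_ apis for pinctrl_{register, unregister}
(cherry picked from commit 80e0f8d94d3090f0f7bf3faf3e6180e920ee0d22)
commit a283de2b38da7c69811692ebb0de0d3fa5bcac92
UPSTREAM: pinctrl: zynq: Use devm_pinctrl_register() for pinctrl registration
(cherry picked from commit 3024f920eb5f6e60453d035f26ec963c7126f517)
commit 2ad7d2bc0314a5ab66634eb6a05f08856787e455
UPSTREAM: pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration
(cherry picked from commit 251e22abde21833b3d29577e4d8c7aaccd650eee)
EOF
}

sample_log | backport_status
```

On a real tree, pipe `git log --reverse --format='commit %H%n%B' -- drivers/pinctrl include/linux/pinctrl` into `backport_status` instead of the sample.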
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by allenwebb@chromium.org, Mar 13 2018
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)