CVE-2018-6927 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-6927
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-6927
CVSS severity score: 4.6/10.0

Description: The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Mar 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e3ccf1ab6cabb1702671cb6a21a2d4d5b4b7ea65

commit e3ccf1ab6cabb1702671cb6a21a2d4d5b4b7ea65
Author: Li Jinyue <lijinyue@huawei.com>
Date: Mon Mar 19 16:34:45 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968562
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e3ccf1ab6cabb1702671cb6a21a2d4d5b4b7ea65/kernel/futex.c
Mar 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6f77165380f7dec107091c369c11f093ba216c0c

commit 6f77165380f7dec107091c369c11f093ba216c0c
Author: Li Jinyue <lijinyue@huawei.com>
Date: Mon Mar 19 16:34:49 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968561
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/6f77165380f7dec107091c369c11f093ba216c0c/kernel/futex.c
Mar 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/085536756823e330dbfe5160550df190c4038e47

commit 085536756823e330dbfe5160550df190c4038e47
Author: Li Jinyue <lijinyue@huawei.com>
Date: Mon Mar 19 16:34:47 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968563
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/085536756823e330dbfe5160550df190c4038e47/kernel/futex.c
Mar 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/61ddab3adaf9f71957a7bda6d5a15c2564e802e4

commit 61ddab3adaf9f71957a7bda6d5a15c2564e802e4
Author: Li Jinyue <lijinyue@huawei.com>
Date: Mon Mar 19 19:04:02 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968524
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/61ddab3adaf9f71957a7bda6d5a15c2564e802e4/kernel/futex.c
Mar 20 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.

Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ad9e646196f7dc2093f3eb9d136f9eb709398333

commit ad9e646196f7dc2093f3eb9d136f9eb709398333
Author: Li Jinyue <lijinyue@huawei.com>
Date: Thu Mar 22 10:28:01 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968524
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 61ddab3adaf9f71957a7bda6d5a15c2564e802e4)
Reviewed-on: https://chromium-review.googlesource.com/970401

[modify] https://crrev.com/ad9e646196f7dc2093f3eb9d136f9eb709398333/kernel/futex.c
Mar 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f9b2dcdf6341a684f7cac9d91e994e761c1b9076

commit f9b2dcdf6341a684f7cac9d91e994e761c1b9076
Author: Li Jinyue <lijinyue@huawei.com>
Date: Thu Mar 22 10:28:04 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968562
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e3ccf1ab6cabb1702671cb6a21a2d4d5b4b7ea65)
Reviewed-on: https://chromium-review.googlesource.com/970404

[modify] https://crrev.com/f9b2dcdf6341a684f7cac9d91e994e761c1b9076/kernel/futex.c
Mar 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/860af2e878248ad3cf1b20d0dc1e02f8939347e1

commit 860af2e878248ad3cf1b20d0dc1e02f8939347e1
Author: Li Jinyue <lijinyue@huawei.com>
Date: Thu Mar 22 10:28:05 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968563
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 085536756823e330dbfe5160550df190c4038e47)
Reviewed-on: https://chromium-review.googlesource.com/970402

[modify] https://crrev.com/860af2e878248ad3cf1b20d0dc1e02f8939347e1/kernel/futex.c
Mar 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ae749463329607ad468ec34d2b1ff5bf1ed8a6bf

commit ae749463329607ad468ec34d2b1ff5bf1ed8a6bf
Author: Li Jinyue <lijinyue@huawei.com>
Date: Thu Mar 22 10:28:06 2018

UPSTREAM: futex: Prevent overflow by strengthen input validation

UBSAN reports signed integer overflow in kernel/futex.c:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

BUG= chromium:823048
TEST=Build and run

Change-Id: Ic73766f14b7b926bbdca719c9a7190c1600cbecb
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
(cherry picked from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/968561
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 6f77165380f7dec107091c369c11f093ba216c0c)
Reviewed-on: https://chromium-review.googlesource.com/970403

[modify] https://crrev.com/ae749463329607ad468ec34d2b1ff5bf1ed8a6bf/kernel/futex.c
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org
Mar 17 2018
Labels: Security_Severity-Medium M-66 Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit fbe0e839d1e22 ("futex: Prevent overflow by strengthen input validation"). Fixed in chromeos-4.14 with merge of v4.14.15. Fixed in chromeos-4.4 with merge of v4.4.113. Backport to older kernels needed.
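A userspace C model of the check the cherry-picked commit describes, written for this page as an added example (not the kernel's own futex.c): `validate_requeue_args` and `model_requeue` are hypothetical stand-ins that reproduce the negative-value gate and the loop comparison in which `0 - -2147483648` overflowed, and `requeue_compare_overflows` shows why the gate is sufficient.

```c
/* Added example, not kernel code. In the real futex() syscall path nr_wake
 * and nr_requeue are caller-controlled ints; futex_requeue compares
 * task_count - nr_wake against nr_requeue. With nr_wake == INT_MIN that
 * subtraction is the undefined 0 - INT_MIN UBSAN reported. The upstream
 * fix rejects negative values with -EINVAL before any arithmetic runs. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for the sanity check added by the fix. */
static int validate_requeue_args(int nr_wake, int nr_requeue)
{
    if (nr_wake < 0 || nr_requeue < 0)
        return -EINVAL;
    return 0;
}

/* True if task_count - nr_wake cannot be represented in int, i.e. the
 * exact arithmetic UBSAN flagged. With both operands >= 0 this never
 * fires, which is why the gate above removes the overflow entirely. */
static bool requeue_compare_overflows(int task_count, int nr_wake)
{
    int unused;
    return __builtin_sub_overflow(task_count, nr_wake, &unused);
}

/* Simplified model of the requeue loop: wake the first nr_wake waiters,
 * move the next nr_requeue to the second futex, return the number of
 * waiters handled (or -EINVAL). Validation runs first, as in the fix. */
static int model_requeue(int nr_wake, int nr_requeue, int waiters, int *requeued)
{
    int task_count = 0;
    int ret = validate_requeue_args(nr_wake, nr_requeue);
    *requeued = 0;
    if (ret)
        return ret;
    for (int i = 0; i < waiters; i++) {
        /* In the unfixed code this is the subtraction that overflowed. */
        if (task_count - nr_wake >= nr_requeue)
            break;
        if (++task_count <= nr_wake)
            continue;          /* this waiter is woken */
        (*requeued)++;         /* this waiter is requeued */
    }
    return task_count;
}
```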