CVE-2018-7480 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-7480
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-7480
CVSS severity score: 7.2/10.0
Description: The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Mar 19 2018
Enabled in Lakitu configurations, so needed there. Updating severity accordingly.
Mar 19 2018
Mar 19 2018
Handled with b:75416097 and CL:969084.
Mar 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3574f116f40f1c5a8d959c82231f8ddfbf2ca2a3

commit 3574f116f40f1c5a8d959c82231f8ddfbf2ca2a3
Author: Hou Tao <houtao1@huawei.com>
Date: Tue Mar 20 05:26:33 2018

UPSTREAM: blkcg: fix double free of new_blkg in blkcg_init_queue

commit 9b54d816e00425c3a517514e0d677bb3cec49258 upstream.

If blkg_create fails, new_blkg passed as an argument will be freed by blkg_create, so there is no need to free it again.

BUG=b:75416097, chromium:823125
TEST=lakitu-release tryjob.

Change-Id: Id85a2b2ab5fe145ac57dd75a069ddeb38832ff29
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pradeep Sawlani <sawlani@google.com>
Reviewed-on: https://chromium-review.googlesource.com/969162
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/3574f116f40f1c5a8d959c82231f8ddfbf2ca2a3/block/blk-cgroup.c
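As an added illustration (not code from the kernel, from the commit above, or from this bug report), the ownership rule the commit message states, modelled in C: a simplified blkg_create() that frees its new_blkg argument when it fails, the pre-fix caller that then frees it a second time, and the fixed caller that does not. The fixed-size pool allocator, the inject_create_failure flag and the counting blkg_free() are assumptions made for this model so the double free is observed rather than corrupting a real heap; the kernel's real structures, locking and radix-tree preload are left out.

```c
/* Constructed model of CVE-2018-7480 (not kernel code): blkg_create() frees its
 * new_blkg argument when it fails, so the caller must not free it again. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(intptr_t err) { return (void *)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline intptr_t PTR_ERR(const void *p) { return (intptr_t)p; }

struct blkcg_gq { int id; };
/* Fixed pool with a live flag per slot (assumption of this model): a freed slot
 * can still be inspected, so a second free is counted instead of corrupting a heap. */
#define POOL_SIZE 4
static struct blkcg_gq pool[POOL_SIZE];
static int pool_live[POOL_SIZE];
static int double_free_count;   /* bumped when blkg_free() sees an already-freed slot */

static struct blkcg_gq *blkg_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool_live[i]) { pool_live[i] = 1; pool[i].id = 0; return &pool[i]; }
    return NULL;
}

static void blkg_free(struct blkcg_gq *g)
{
    long i = g - pool;
    if (i < 0 || i >= POOL_SIZE) return;                 /* not from this pool */
    if (!pool_live[i]) { double_free_count++; return; }  /* a kmem cache would corrupt its freelist here */
    pool_live[i] = 0;
}

/* Fault injection (an assumption of this model): force the next create to fail. */
static int inject_create_failure;
/* Model of blkg_create(): on failure it frees new_blkg itself and returns an ERR_PTR. */
static struct blkcg_gq *blkg_create(struct blkcg_gq *new_blkg)
{
    if (inject_create_failure) {
        blkg_free(new_blkg);        /* callee consumes new_blkg on the error path */
        return ERR_PTR(-ENODEV);
    }
    new_blkg->id = 1;               /* stands in for linking the blkg into the queue */
    return new_blkg;
}

/* Pre-fix caller: frees new_blkg a second time after blkg_create() already did. */
static int blkcg_init_queue_buggy(void)
{
    struct blkcg_gq *new_blkg = blkg_alloc();
    if (!new_blkg) return -ENOMEM;
    struct blkcg_gq *blkg = blkg_create(new_blkg);
    if (IS_ERR(blkg)) {
        blkg_free(new_blkg);        /* double free: new_blkg was freed inside blkg_create() */
        return (int)PTR_ERR(blkg);
    }
    return 0;
}

/* Post-fix caller (upstream 9b54d816e004): new_blkg is not touched after a failed create. */
static int blkcg_init_queue_fixed(void)
{
    struct blkcg_gq *new_blkg = blkg_alloc();
    if (!new_blkg) return -ENOMEM;
    struct blkcg_gq *blkg = blkg_create(new_blkg);
    if (IS_ERR(blkg)) return (int)PTR_ERR(blkg);        /* ownership already passed on */
    return 0;
}

/* Run one caller with blkg_create() forced to fail; return the double frees observed. */
static int double_frees_on_failure(int (*init_queue)(void))
{
    memset(pool_live, 0, sizeof pool_live);
    double_free_count = 0;
    inject_create_failure = 1;
    (void)init_queue();
    inject_create_failure = 0;
    return double_free_count;
}

/* Pool slots still allocated, to confirm the fixed path neither double-frees nor leaks. */
static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool_live[i];
    return n;
}

int main(void)
{
    printf("pre-fix: %d double free(s)\n", double_frees_on_failure(blkcg_init_queue_buggy));
    printf("fixed:   %d double free(s), %d live object(s)\n",
           double_frees_on_failure(blkcg_init_queue_fixed), live_objects());
    return 0;
}
```

Compiled and run, the pre-fix caller reports one double free on the forced failure and the fixed caller reports none with nothing left allocated; the rule the model makes visible (a callee that consumes its argument on failure must not be followed by a caller-side free) is what the upstream patch enforces by dropping the caller's blkg_free.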
Mar 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8b31030680c31cc38770a92953d251687554915c

commit 8b31030680c31cc38770a92953d251687554915c
Author: Hou Tao <houtao1@huawei.com>
Date: Tue Mar 20 05:26:36 2018

UPSTREAM: blkcg: fix double free of new_blkg in blkcg_init_queue

commit 9b54d816e00425c3a517514e0d677bb3cec49258 upstream.

If blkg_create fails, new_blkg passed as an argument will be freed by blkg_create, so there is no need to free it again.

BUG=b:75416097, chromium:823125
TEST=lakitu-release tryjob.

Change-Id: Id85a2b2ab5fe145ac57dd75a069ddeb38832ff29
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pradeep Sawlani <sawlani@google.com>
Reviewed-on: https://chromium-review.googlesource.com/969161
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/8b31030680c31cc38770a92953d251687554915c/block/blk-cgroup.c
Mar 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f2a506858314ce9673a262cfdf5e350ab55f7746

commit f2a506858314ce9673a262cfdf5e350ab55f7746
Author: Hou Tao <houtao1@huawei.com>
Date: Tue Mar 20 09:22:08 2018

UPSTREAM: blkcg: fix double free of new_blkg in blkcg_init_queue

commit 9b54d816e00425c3a517514e0d677bb3cec49258 upstream.

If blkg_create fails, new_blkg passed as an argument will be freed by blkg_create, so there is no need to free it again.

BUG=b:75416097, chromium:823125
TEST=lakitu-release tryjob.

Change-Id: Id85a2b2ab5fe145ac57dd75a069ddeb38832ff29
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Pradeep Sawlani <sawlani@google.com>
Reviewed-on: https://chromium-review.googlesource.com/969084
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/f2a506858314ce9673a262cfdf5e350ab55f7746/block/blk-cgroup.c

Mar 21 2018

Mar 22 2018
Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Mar 18 2018
Labels: Security_Severity-High Security_Impact-None Pri-3
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)

Upstream commit 9b54d816e0042 ("blkcg: fix double free of new_blkg in blkcg_init_queue"). chromeos-4.14 is not affected. The fix is not in chromeos-4.4 and is needed there. However, CONFIG_BLK_CGROUP is not enabled in ChromeOS images, thus we should not be affected. Still need to check if Lakitu is affected. Marking as Sev3/No impact for now. Requested for the fix to be pulled into upstream stable releases. Will pull from there unless Lakitu needs it.