CVE-2018-7740 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-7740
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-7740
CVSS severity score: 4.9/10.0

Description: The resv_map_release function in mm/hugetlb.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (BUG) via a crafted application that makes mmap system calls and has a large pgoff argument to the remap_file_pages system call.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Mar 28 2018

Mar 28 2018
Note: While there are no shipping Chromebooks using chromeos-4.14, the configuration is also enabled in Lakitu, and the fix will thus be required in M-66.
Mar 28 2018

Mar 29 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/9294844fcb72f28f468c39452e2bc14b5839d92b

commit 9294844fcb72f28f468c39452e2bc14b5839d92b
Author: Mike Kravetz <mike.kravetz@oracle.com>
Date: Thu Mar 29 06:23:37 2018

UPSTREAM: hugetlbfs: check for pgoff value overflow

A vma with vm_pgoff large enough to overflow a loff_t type when converted to a byte offset can be passed via the remap_file_pages system call. The hugetlbfs mmap routine uses the byte offset to calculate reservations and file size.

A sequence such as:

  mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
  remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);

will result in the following when task exits/file closed,

  kernel BUG at mm/hugetlb.c:749!
  Call Trace:
    hugetlbfs_evict_inode+0x2f/0x40
    evict+0xcb/0x190
    __dentry_kill+0xcb/0x150
    __fput+0x164/0x1e0
    task_work_run+0x84/0xa0
    exit_to_usermode_loop+0x7d/0x80
    do_syscall_64+0x18b/0x190
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

The overflowed pgoff value causes hugetlbfs to try to set up a mapping with a negative range (end < start) that leaves invalid state which causes the BUG.

The previous overflow fix to this code was incomplete and did not take the remap_file_pages system call into account.

[mike.kravetz@oracle.com: v3]
  Link: http://lkml.kernel.org/r/20180309002726.7248-1-mike.kravetz@oracle.com
[akpm@linux-foundation.org: include mmdebug.h]
[akpm@linux-foundation.org: fix -ve left shift count on sh]
Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com
Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Nic Losby <blurbdust@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Yisheng Xie <xieyisheng1@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:826673
TEST=Build and boot

Change-Id: Ib8f91b097d1d08aff4295044c3d04c652a80a953
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7)
Reviewed-on: https://chromium-review.googlesource.com/984036
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/9294844fcb72f28f468c39452e2bc14b5839d92b/fs/hugetlbfs/inode.c
[modify] https://crrev.com/9294844fcb72f28f468c39452e2bc14b5839d92b/mm/hugetlb.c
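The commit message above describes a page offset that no longer fits a loff_t once shifted to bytes. The following user-space model, added here and not taken from the kernel or the commit, shows why the unchecked conversion misbehaves and what a mask-based rejection of over-wide pgoff values looks like. It assumes an x86-64-style environment (PAGE_SHIFT 12, 64-bit unsigned long); the PGOFF_LOFFT_MAX macro is modelled on the upstream fix's idea, not copied from it, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed environment (not kernel code): x86-64, 4 KiB base pages and a
 * 64-bit unsigned long, so vm_pgoff (page units) and loff_t are both 64 bits. */
#define PAGE_SHIFT    12
#define BITS_PER_LONG 64
typedef int64_t loff_t;

/* Any vm_pgoff bit at position BITS_PER_LONG-1-PAGE_SHIFT or above would land
 * in or beyond the sign bit of loff_t once shifted into a byte offset; this
 * masks those bits (51..63 here). Modelled on the upstream fix's check. */
#define PGOFF_LOFFT_MAX \
	(((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))

/* What the unfixed conversion yields: the high bits are silently lost. */
loff_t unchecked_byte_offset(unsigned long pgoff)
{
	return (loff_t)(pgoff << PAGE_SHIFT);
}

/* The check the fix adds: refuse a pgoff whose byte offset cannot fit. */
bool pgoff_overflows_loff_t(unsigned long pgoff)
{
	return (pgoff & PGOFF_LOFFT_MAX) != 0;
}

/* Model of hugetlbfs mmap offset validation: 0 if [start, start + vma_len)
 * is representable as non-negative loff_t values, -EINVAL otherwise. */
int check_hugetlb_mmap_offsets(unsigned long pgoff, unsigned long vma_len)
{
	loff_t start;
	if (pgoff_overflows_loff_t(pgoff))
		return -EINVAL;
	start = (loff_t)(pgoff << PAGE_SHIFT);
	if (vma_len > (unsigned long)(INT64_MAX - start)) /* end would overflow */
		return -EINVAL;
	return 0;
}

int main(void)
{
	unsigned long bad = 0x20000000000000UL; /* pgoff from the commit's reproducer */
	printf("unchecked byte offset %lld, check -> %d\n",
	       (long long)unchecked_byte_offset(bad),
	       check_hugetlb_mmap_offsets(bad, 0x600000UL));
	return 0;
}
```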
Mar 29 2018

Mar 29 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 29 2018

Mar 30 2018

Mar 30 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/425ead889365ca91a79ceac96f4270efa926c00b

commit 425ead889365ca91a79ceac96f4270efa926c00b
Author: Mike Kravetz <mike.kravetz@oracle.com>
Date: Fri Mar 30 17:52:57 2018

UPSTREAM: hugetlbfs: check for pgoff value overflow

A vma with vm_pgoff large enough to overflow a loff_t type when converted to a byte offset can be passed via the remap_file_pages system call. The hugetlbfs mmap routine uses the byte offset to calculate reservations and file size.

A sequence such as:

  mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
  remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);

will result in the following when task exits/file closed,

  kernel BUG at mm/hugetlb.c:749!
  Call Trace:
    hugetlbfs_evict_inode+0x2f/0x40
    evict+0xcb/0x190
    __dentry_kill+0xcb/0x150
    __fput+0x164/0x1e0
    task_work_run+0x84/0xa0
    exit_to_usermode_loop+0x7d/0x80
    do_syscall_64+0x18b/0x190
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

The overflowed pgoff value causes hugetlbfs to try to set up a mapping with a negative range (end < start) that leaves invalid state which causes the BUG.

The previous overflow fix to this code was incomplete and did not take the remap_file_pages system call into account.

[mike.kravetz@oracle.com: v3]
  Link: http://lkml.kernel.org/r/20180309002726.7248-1-mike.kravetz@oracle.com
[akpm@linux-foundation.org: include mmdebug.h]
[akpm@linux-foundation.org: fix -ve left shift count on sh]
Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com
Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Nic Losby <blurbdust@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Yisheng Xie <xieyisheng1@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:826673
TEST=Build and boot

Change-Id: Ib8f91b097d1d08aff4295044c3d04c652a80a953
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7)
Reviewed-on: https://chromium-review.googlesource.com/984036
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit 9294844fcb72f28f468c39452e2bc14b5839d92b)
Reviewed-on: https://chromium-review.googlesource.com/987933

[modify] https://crrev.com/425ead889365ca91a79ceac96f4270efa926c00b/fs/hugetlbfs/inode.c
[modify] https://crrev.com/425ead889365ca91a79ceac96f4270efa926c00b/mm/hugetlb.c
Mar 30 2018

Mar 31 2018

Apr 3 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Apr 6 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
May 1 2018
Anything left to be merged here?
May 1 2018

Jul 7
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Mar 28 2018
Labels: Security_Severity-Medium M-66 Security_Impact-Stable Pri-2
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Fixed with upstream commit 63489f8e82114 ("hugetlbfs: check for pgoff value overflow"). Queued for v4.14.31 but not yet in any stable release. Only chromeos-4.14 is affected. Configuration is enabled in ChromeOS. Marking P2/Security Severity medium per our policy.