CVE-2018-7995 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-7995
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-7995
CVSS severity score: 4.7/10.0
Description: ** DISPUTED ** Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory. NOTE: a third party has indicated that this report is not security relevant.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Apr 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f5441c910193eadc34c7e392e20176cc6e1ecdca

commit f5441c910193eadc34c7e392e20176cc6e1ecdca
Author: Seunghun Han <kkamagui@gmail.com>
Date: Wed Apr 11 02:12:57 2018

UPSTREAM: x86/MCE: Serialize sysfs changes

The check_interval file in /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable.

If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen.

Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables are void of reason so the proper thing to do is to serialize the access with a mutex.

Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message

BUG=chromium:829777
TEST=None

Change-Id: Ifd04d627eef01add14ac14f80558f2e150d7e2b1
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
(cherry picked from commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/998916
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/f5441c910193eadc34c7e392e20176cc6e1ecdca/arch/x86/kernel/cpu/mcheck/mce.c
Apr 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7cca2e9887e7d27dd71e495e65cf3f89d6113cfa

commit 7cca2e9887e7d27dd71e495e65cf3f89d6113cfa
Author: Seunghun Han <kkamagui@gmail.com>
Date: Wed Apr 11 02:13:06 2018

UPSTREAM: x86/MCE: Serialize sysfs changes

The check_interval file in /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable.

If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen.

Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables are void of reason so the proper thing to do is to serialize the access with a mutex.

Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message

BUG=chromium:829777
TEST=None

Change-Id: Ifd04d627eef01add14ac14f80558f2e150d7e2b1
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
(cherry picked from commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/998917
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/7cca2e9887e7d27dd71e495e65cf3f89d6113cfa/arch/x86/kernel/cpu/mcheck/mce.c
Apr 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/3894b874466a92d27469a8ffbebb45ed012dec8c

commit 3894b874466a92d27469a8ffbebb45ed012dec8c
Author: Seunghun Han <kkamagui@gmail.com>
Date: Wed Apr 11 02:13:16 2018

UPSTREAM: x86/MCE: Serialize sysfs changes

The check_interval file in /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable.

If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen.

Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables are void of reason so the proper thing to do is to serialize the access with a mutex.

Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message

BUG=chromium:829777
TEST=None

Change-Id: Ifd04d627eef01add14ac14f80558f2e150d7e2b1
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
(cherry picked from commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/998103
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/3894b874466a92d27469a8ffbebb45ed012dec8c/arch/x86/kernel/cpu/mcheck/mce.c
Apr 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/516700151e23d819b605be74ee703b45768c5f47

commit 516700151e23d819b605be74ee703b45768c5f47
Author: Seunghun Han <kkamagui@gmail.com>
Date: Wed Apr 11 02:13:22 2018

UPSTREAM: x86/MCE: Serialize sysfs changes

The check_interval file in /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable.

If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen.

Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables are void of reason so the proper thing to do is to serialize the access with a mutex.

Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message

BUG=chromium:829777
TEST=None

Change-Id: Ifd04d627eef01add14ac14f80558f2e150d7e2b1
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
(cherry picked from commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/998918
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/516700151e23d819b605be74ee703b45768c5f47/arch/x86/kernel/cpu/mcheck/mce.c
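The discipline the commit message describes, as an added example that is not the kernel's code and not part of the commits on this page: a user-space C model of the hardened store handler. It borrows the names check_interval, mce_timer, mce_restart() and store_int_with_restart() from the page, but their bodies here are simplified stand-ins for the real ones in arch/x86/kernel/cpu/mcheck/mce.c (the kernel parses with device_store_ulong() and serializes with its own mutex API; this model uses an unsigned strtoul() parse and a pthread mutex). The 300-second starting value, the writer thread count and the values the writers store are constructed for the demo. Three of the commit's points are mirrored: negative input is rejected by the unsigned parse, the minimum interval is clamped to 1 second, and the update and the timer restart run under one mutex so the armed timer always agrees with the interval it was armed from. Build with `cc -pthread`.

```c
/* Added example: user-space model of a serialized sysfs store handler.
 * Not the kernel's mce.c; names are borrowed from the commit message,
 * bodies are simplified stand-ins, values are constructed for the demo. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN_INTERVAL 1UL            /* "Limit min interval to 1 second" */

/* Modelled global poll timer; it must always agree with check_interval. */
struct poll_timer {
    int armed;
    unsigned long interval;
};

static unsigned long check_interval = 300;        /* assumed booted default */
static struct poll_timer mce_timer = { 1, 300 };  /* armed with that default */
static pthread_mutex_t mce_sysfs_mutex = PTHREAD_MUTEX_INITIALIZER;

/* kstrtoul-style parse standing in for device_store_ulong(): decimal digits,
 * optional trailing newline, nothing else. A leading '-' fails, which is
 * what "filter out negative intervals" amounts to with an unsigned parse. */
static int parse_ulong(const char *buf, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (buf[0] < '0' || buf[0] > '9')
        return -EINVAL;
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno == ERANGE)
        return -ERANGE;
    if (*end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;
    *out = v;
    return 0;
}

/* Model of mce_restart(): delete the timer, then re-initialise it from the
 * global. These stores are the window unserialized writers would race in:
 * another CPU's store of check_interval landing between the delete and the
 * re-init leaves the timer armed with a stale interval. Call with
 * mce_sysfs_mutex held. */
static void mce_restart(void)
{
    mce_timer.armed = 0;                  /* del_timer_sync() stand-in */
    mce_timer.interval = check_interval;  /* __mcheck_cpu_init_timer() stand-in */
    mce_timer.armed = 1;
}

/* Hardened store handler: validate, clamp, then update and restart under the
 * mutex. Returns the byte count consumed (sysfs convention) or -errno. */
long store_int_with_restart(const char *buf, size_t count)
{
    unsigned long val;
    int ret = parse_ulong(buf, &val);

    if (ret < 0)
        return ret;                       /* e.g. "-5\n" -> -EINVAL */
    if (val < MIN_INTERVAL)
        val = MIN_INTERVAL;               /* "0\n" is stored as 1 */

    pthread_mutex_lock(&mce_sysfs_mutex);
    if (val != check_interval) {
        check_interval = val;
        mce_restart();
    }
    pthread_mutex_unlock(&mce_sysfs_mutex);
    return (long)count;
}

unsigned long get_check_interval(void) { return check_interval; }

/* The invariant the mutex exists for: the armed timer uses the current value. */
int timer_is_consistent(void)
{
    return mce_timer.armed && mce_timer.interval == check_interval;
}

static void *writer(void *p)
{
    const char *value = p;
    for (int i = 0; i < 2000; i++)        /* constructed: 2000 writes per "CPU" */
        store_int_with_restart(value, strlen(value));
    return NULL;
}

/* Simulate `nthreads` CPUs (capped at 16) writing "5" and "10" concurrently;
 * returns 1 when every thread ran and the timer still matches check_interval. */
int run_concurrent_writers(int nthreads)
{
    pthread_t tids[16];
    static const char *values[] = { "5\n", "10\n" };

    if (nthreads > 16)
        nthreads = 16;
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&tids[i], NULL, writer, (void *)values[i % 2]) != 0)
            return 0;
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    return timer_is_consistent() && (check_interval == 5 || check_interval == 10);
}

int main(void)
{
    printf("write \"-5\" -> %ld (negative rejected)\n", store_int_with_restart("-5\n", 3));
    store_int_with_restart("0\n", 2);
    printf("write \"0\"  -> interval clamped to %lu\n", get_check_interval());
    printf("8 writers  -> consistent=%d\n", run_concurrent_writers(8));
    return 0;
}
```

The timer_is_consistent() check is what a root-only configuration write can still break when two CPUs race: the model only shows the serialization the fix imposes, not the kernel's actual crash path.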
Jul 18
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by zsm@google.com, Apr 6 2018
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
The patch is b3b7c479 ("x86/MCE: Serialize sysfs changes"). This patch is present in 4.14 and 4.4. This patch is not present on 3.18, 3.14, 3.10, 3.8.