CVE-2018-1068 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-1068
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1068
CVSS severity score: 7.2/10.0
Description: A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Apr 11 2018
Enabled in Lakitu and COS images, thus the fix will be needed in stable releases after all (4.4 and 4.14).
Apr 11 2018
This bug requires manual review: We are only 5 days from stable. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Apr 11 2018
Merge request is for chromeos-4.4 and chromeos-4.14. Patch is already available in ToT, and has been there for a while, for both releases.
Apr 11 2018
Thanks Guenter! We also intend to support M65 for a while, so I'm going to request a merge into M65 as well.
Apr 13 2018
Approved for M66
No more M65 releases planned
Apr 13 2018
ok, seems like lakitu will still support M65 - approved for their builds
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1f24759a8692fae02d1dfb1906eb1a88f9d1a008

commit 1f24759a8692fae02d1dfb1906eb1a88f9d1a008
Author: Florian Westphal <fw@strlen.de>
Date: Fri Apr 13 17:51:06 2018

UPSTREAM: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

BUG= chromium:831539
TEST=Build and boot

(cherry picked from commit eaa06bfba8eabd44ce952758046492eebc973bbe)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I89db5561918203a825ae92271142a4d7cd1716a9
Reviewed-on: https://chromium-review.googlesource.com/1007326
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/1f24759a8692fae02d1dfb1906eb1a88f9d1a008/net/bridge/netfilter/ebtables.c
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f6f6e0c235939bd12c519061eefbe40e268a38cc

commit f6f6e0c235939bd12c519061eefbe40e268a38cc
Author: Florian Westphal <fw@strlen.de>
Date: Fri Apr 13 17:51:08 2018

UPSTREAM: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

BUG= chromium:831539
TEST=Build and boot

(cherry picked from commit eaa06bfba8eabd44ce952758046492eebc973bbe)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I89db5561918203a825ae92271142a4d7cd1716a9
Reviewed-on: https://chromium-review.googlesource.com/1007522
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/f6f6e0c235939bd12c519061eefbe40e268a38cc/net/bridge/netfilter/ebtables.c
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d6ac256575edffe7864326d0a4274bf2e2cac2bd

commit d6ac256575edffe7864326d0a4274bf2e2cac2bd
Author: Florian Westphal <fw@strlen.de>
Date: Fri Apr 13 20:02:55 2018

UPSTREAM: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

BUG= chromium:831539
TEST=Build and boot

(cherry picked from commit eaa06bfba8eabd44ce952758046492eebc973bbe)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I89db5561918203a825ae92271142a4d7cd1716a9
Reviewed-on: https://chromium-review.googlesource.com/1007522
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

(cherry picked from commit f6f6e0c235939bd12c519061eefbe40e268a38cc)
Reviewed-on: https://chromium-review.googlesource.com/1012435
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Commit-Queue: Robert Kolchmeyer <rkolchmeyer@google.com>

[modify] https://crrev.com/d6ac256575edffe7864326d0a4274bf2e2cac2bd/net/bridge/netfilter/ebtables.c
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f6b908222e3c044c3ac920125d3db7c87225281e

commit f6b908222e3c044c3ac920125d3db7c87225281e
Author: Florian Westphal <fw@strlen.de>
Date: Fri Apr 13 20:02:57 2018

UPSTREAM: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets

commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.

We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

BUG= chromium:831539
TEST=Build and boot

(cherry picked from commit eaa06bfba8eabd44ce952758046492eebc973bbe)
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Change-Id: I89db5561918203a825ae92271142a4d7cd1716a9
Reviewed-on: https://chromium-review.googlesource.com/1007326
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

(cherry picked from commit 1f24759a8692fae02d1dfb1906eb1a88f9d1a008)
Reviewed-on: https://chromium-review.googlesource.com/1012436
Tested-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Commit-Queue: Robert Kolchmeyer <rkolchmeyer@google.com>

[modify] https://crrev.com/f6b908222e3c044c3ac920125d3db7c87225281e/net/bridge/netfilter/ebtables.c
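The four revisions above all carry the same upstream fix, whose message says the compat offsets must stay within the total size and ascend. As an added illustration (not the kernel's ebtables code; all function and macro names are hypothetical), this shows the shape of that check and why a section length derived from an unchecked offset table is dangerous:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not the kernel's ebtables code: the kind of check
 * the commit message describes for offsets copied from a 32-bit (compat)
 * userland structure. Function and macro names are hypothetical. */
#define OFFS_OK       0
#define OFFS_ERANGE  -1   /* an offset lies beyond total_size   */
#define OFFS_EORDER  -2   /* offsets are not in ascending order */

/* Reject any offset table that is out of range or not ascending. */
int check_compat_offsets(const uint32_t *offs, size_t n, uint32_t total)
{
    for (size_t i = 0; i < n; i++) {
        if (offs[i] > total)                  /* cannot point past the buffer */
            return OFFS_ERANGE;
        if (i > 0 && offs[i] < offs[i - 1])   /* must not go backwards */
            return OFFS_EORDER;
    }
    return OFFS_OK;
}

/* Length of section i as offs[i+1] - offs[i] (the last section ends at
 * total). If the offsets were trusted, this unsigned subtraction would
 * wrap to a huge value for a descending pair; here it is only computed
 * once the table has passed validation. Returns length or a negative error. */
long long compat_section_len(const uint32_t *offs, size_t n,
                             uint32_t total, size_t i)
{
    int rc = check_compat_offsets(offs, n, total);
    if (rc != OFFS_OK)
        return rc;
    if (i >= n)
        return OFFS_ERANGE;
    uint32_t end = (i + 1 < n) ? offs[i + 1] : total;
    return (long long)(end - offs[i]);
}

int main(void)
{
    const uint32_t good[4] = { 0, 40, 80, 120 };   /* constructed, well-formed */
    const uint32_t back[4] = { 0, 80, 40, 120 };   /* constructed, not ascending */
    const uint32_t far[4]  = { 0, 40, 80, 4096 };  /* constructed, past the end  */
    printf("good: %d\n", check_compat_offsets(good, 4, 160));   /* 0  */
    printf("back: %d\n", check_compat_offsets(back, 4, 160));   /* -2 */
    printf("far:  %d\n", check_compat_offsets(far, 4, 160));    /* -1 */
    printf("section 3 length: %lld\n", compat_section_len(good, 4, 160, 3)); /* 40 */
    return 0;
}
```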
Jul 21
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Apr 11 2018
Labels: Security_Severity-High Security_Impact-None Pri-1
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit b71812168571fa55e44 ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets"). In chromeos-4.4 with merge of v4.4.122. In chromeos-4.14 with merge of v4.14.27. CONFIG_BRIDGE_NF_EBTABLES is not enabled in ChromeOS images, thus the fix is not needed in stable releases. Still need to check Lakitu configurations.