VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2017-18241
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18241
CVSS severity score: 4.9/10.0
Description:
fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users to cause a denial of service (NULL pointer dereference and panic) by using a noflush_merge option that triggers a NULL value for a flush_cmd_control data structure.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by groeck@chromium.org
, Apr 23 2018Status: WontFix (was: Untriaged)
Upstream commit d4fdf8ba0e5808 ("f2fs: fix a panic caused by NULL flush_cmd_control"). chromeos-4.14 not affected per CVE comments. Fix is not in older releases. The affected code has been rewritten, so it is difficult to determine if 4.4 and older are affected. Either case, F2FS is not enabled in our images, so we don't need a fix in the first place, and generating one would be difficult to test. Marking WontFix.