
Issue 838867

Issue metadata

Status: Fixed
Closed: May 2018
OS: Chrome
Pri: 1
Type: Bug-Security




CVE-2017-18255 CrOS: Vulnerability reported in Linux kernel

Reported by vomit.go...@appspot.gserviceaccount.com, May 2 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2017-18255
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18255
  CVSS severity score: 4.6/10.0
  Description:

The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 
Cc: groeck@chromium.org wonderfly@chromium.org
Labels: M-67 Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream 1572e45a924f254d95 ("perf/core: Fix the perf_cpu_time_max_percent check").
chromeos-4.14 not affected per CVE. Not fixed in chromeos-4.4 or older kernels.


Cc: -wonderfly@chromium.org wonderfly@google.com

Comment 3 by zsm@chromium.org, May 2 2018

The patch applies cleanly to 4.4, 3.18 and 3.14. perf_cpu_time_max_percent_handler does not seem to exist on older kernels.
Cc: sawlani@google.com

Comment 5 by sheriffbot@chromium.org, May 3 2018

Labels: -Pri-2 Pri-1

Comment 6 by bugdroid1@chromium.org, May 10 2018

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/405c57dc243adb2c4959251c76933100fbf630e8

commit 405c57dc243adb2c4959251c76933100fbf630e8
Author: Tan Xiaojun <tanxiaojun@huawei.com>
Date: Thu May 10 22:09:53 2018

UPSTREAM: perf/core: Fix the perf_cpu_time_max_percent check

Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
value from user-space.

If not, we can set a big value and some vars will overflow like
"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
problems.

BUG= chromium:838867 
TEST=None

Change-Id: I46ef098db72c78d967b1d95ff43c59400cccde32
Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <acme@kernel.org>
Cc: <alexander.shishkin@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 1572e45a924f254d9570093abde46430c3172e3d)
Reviewed-on: https://chromium-review.googlesource.com/1039869
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/405c57dc243adb2c4959251c76933100fbf630e8/kernel/events/core.c
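The commit above swaps proc_dointvec for proc_dointvec_minmax so that the percent written through sysctl is range-checked before it reaches the sample-rate arithmetic. As an added example that is not the kernel's code or part of this tracker, the user-space C model below shows the difference: the unbounded handler stores any int, and a negative or oversized percent then wraps the 64-bit limit arithmetic, while the bounded handler rejects it with -EINVAL. The model_ functions, the 0..100 range and the 1 ms sample period are assumptions.

```c
/* Added example: a user-space model of the two sysctl handler styles named
 * in the commit message. Everything prefixed "model_" is hypothetical; the
 * arithmetic is a simplified stand-in for the kernel's, not a copy of it. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* proc_dointvec style: parse an int and accept any value that fits. */
static int model_dointvec(const char *buf, int *out)
{
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || v < INT_MIN || v > INT_MAX)
        return -EINVAL;
    *out = (int)v;
    return 0;
}

/* proc_dointvec_minmax style: additionally reject anything outside [min, max]. */
static int model_dointvec_minmax(const char *buf, int min, int max, int *out)
{
    int v, ret = model_dointvec(buf, &v);
    if (ret)
        return ret;
    if (v < min || v > max)
        return -EINVAL;
    *out = v;
    return 0;
}

/* Percent-of-period computed in unsigned 64-bit space. A negative int is
 * converted to a huge uint64_t, so the product wraps and the resulting
 * "allowed" budget is nonsense; an oversized percent is merely enormous. */
static uint64_t model_allowed_ns(uint64_t period_ns, int percent)
{
    uint64_t tmp = period_ns;
    tmp *= percent;
    tmp /= 100;
    return tmp ? tmp : 1;
}

int main(void)
{
    int pct = 0;
    int ret = model_dointvec("-1", &pct);          /* accepted: -1 */
    printf("unchecked: ret=%d pct=%d allowed_ns=%llu\n", ret, pct,
           (unsigned long long)model_allowed_ns(1000000, pct));
    ret = model_dointvec_minmax("-1", 0, 100, &pct); /* rejected */
    printf("bounded:   ret=%d (-EINVAL is %d)\n", ret, -EINVAL);
    return 0;
}
```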


Comment 7 by bugdroid1@chromium.org, May 10 2018

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2c5175a4b09e7fb13a9dea5eb6bb28a7bb9eaaaf

commit 2c5175a4b09e7fb13a9dea5eb6bb28a7bb9eaaaf
Author: Tan Xiaojun <tanxiaojun@huawei.com>
Date: Thu May 10 22:10:05 2018

UPSTREAM: perf/core: Fix the perf_cpu_time_max_percent check

Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
value from user-space.

If not, we can set a big value and some vars will overflow like
"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
problems.

BUG= chromium:838867 
TEST=None

Change-Id: I46ef098db72c78d967b1d95ff43c59400cccde32
Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <acme@kernel.org>
Cc: <alexander.shishkin@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 1572e45a924f254d9570093abde46430c3172e3d)
Reviewed-on: https://chromium-review.googlesource.com/1039868
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/2c5175a4b09e7fb13a9dea5eb6bb28a7bb9eaaaf/kernel/events/core.c


Comment 8 by bugdroid1@chromium.org, May 10 2018

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6567ad232ebc17033edfa18f3919fb0f439d578f

commit 6567ad232ebc17033edfa18f3919fb0f439d578f
Author: Tan Xiaojun <tanxiaojun@huawei.com>
Date: Thu May 10 22:09:42 2018

UPSTREAM: perf/core: Fix the perf_cpu_time_max_percent check

Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
value from user-space.

If not, we can set a big value and some vars will overflow like
"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
problems.

BUG= chromium:838867 
TEST=None

Change-Id: I46ef098db72c78d967b1d95ff43c59400cccde32
Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <acme@kernel.org>
Cc: <alexander.shishkin@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1487829879-56237-1-git-send-email-tanxiaojun@huawei.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 1572e45a924f254d9570093abde46430c3172e3d)
Reviewed-on: https://chromium-review.googlesource.com/1039866
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/6567ad232ebc17033edfa18f3919fb0f439d578f/kernel/events/core.c

Comment 9 by zsm@google.com, May 10 2018

Status: Fixed (was: Assigned)

Comment 10 by sheriffbot@chromium.org, May 11 2018

Labels: Restrict-View-SecurityNotify

Comment 11 by sheriffbot@chromium.org, Aug 17

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
