CVE-2018-1092 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-1092
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1092
CVSS severity score: 7.1/10.0
Description: The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
May 3 2018
As per the severity guidelines in https://chromium.googlesource.com/chromiumos/docs/+/master/security_severity_guidelines.md, DoS is treated at most as SS-Low.
#2: Your call, but I disagree. This can be triggered by a rogue USB stick. Note that the series is already tracked in crbug.com/835889 .
May 3 2018
Guenter points out that according to the kernel team's guidelines, these are SS-High. While we harmonize the guidelines, we can follow the kernel team's for kernel bugs.
May 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bf83884c035532941682c96b340b9cd060d2fab8

commit bf83884c035532941682c96b340b9cd060d2fab8
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sat May 05 03:38:03 2018

BACKPORT: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Backport Note: As EFSCORRUPTED does not exist in 3.8, use EIO

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042607
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/bf83884c035532941682c96b340b9cd060d2fab8/fs/ext4/inode.c
May 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e05dc621c4b78012fe60989ed3ef3dee83be84aa

commit e05dc621c4b78012fe60989ed3ef3dee83be84aa
Author: Theodore Ts'o <tytso@mit.edu>
Date: Tue May 08 20:17:19 2018

BACKPORT: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Backport Note: As EFSCORRUPTED does not exist in 3.10, use EIO instead.

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042606
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e05dc621c4b78012fe60989ed3ef3dee83be84aa/fs/ext4/inode.c
May 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/aac061fa49f9c701bdcb7e4f72de57e0fe881359

commit aac061fa49f9c701bdcb7e4f72de57e0fe881359
Author: Theodore Ts'o <tytso@mit.edu>
Date: Tue May 08 20:17:15 2018

UPSTREAM: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042492
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/aac061fa49f9c701bdcb7e4f72de57e0fe881359/fs/ext4/inode.c
May 9 2018
This bug requires manual review: We don't branch M68 until 2018-05-24.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
May 9 2018
#11: I think you mean Merge-Request-67 and possibly Merge-Request-66.
May 9 2018
#13, Thanks, yes, I've changed it to Merge-Request-67.
May 10 2018
#3 and #7 are confusing as to whether this is required for M67. Esp as it's a P2. Can I get some more context? Thanks
May 10 2018
#15: ChromeOS kernel security bug guidelines are available at https://docs.google.com/document/d/162La0RHeMUtO6QMdTG8WP5frAUgXSoYYFR45ztGXUN0/edit?usp=sharing
Lakitu security guidelines are available at https://docs.google.com/document/d/1OrTRYANjy7iGkzkDRYeYai3kgKb77jrfw0HUHGIABOs/edit?usp=sharing
Both sets of guidelines in conjunction with the assigned CVE severity suggest that the patches should be applied at least to M-67.
Note that the patches have already been applied to both M-66 and M-67 by the Lakitu team, using CL:1044272 and related CLs.
May 10 2018
I'll approve; thanks for the context. But the implication that it was already merged prior to the approval is concerning. Approving merge to M67 Chrome OS.
May 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/66d763ca3804ff83639d627c38114a0aed38b916

commit 66d763ca3804ff83639d627c38114a0aed38b916
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri May 11 02:40:43 2018

UPSTREAM: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042605
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/66d763ca3804ff83639d627c38114a0aed38b916/fs/ext4/inode.c
May 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fc28a59b1266875faeddc4ef117af826f036c233

commit fc28a59b1266875faeddc4ef117af826f036c233
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri May 11 15:43:41 2018

BACKPORT: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Backport Note: As EFSCORRUPTED does not exist in 3.10, use EIO instead.

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042606
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e05dc621c4b78012fe60989ed3ef3dee83be84aa)
Reviewed-on: https://chromium-review.googlesource.com/1055114

[modify] https://crrev.com/fc28a59b1266875faeddc4ef117af826f036c233/fs/ext4/inode.c
May 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/22bcc3bf905061e48b979df02194707e9bbc2144

commit 22bcc3bf905061e48b979df02194707e9bbc2144
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri May 11 15:43:51 2018

UPSTREAM: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042605
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 66d763ca3804ff83639d627c38114a0aed38b916)
Reviewed-on: https://chromium-review.googlesource.com/1055113

[modify] https://crrev.com/22bcc3bf905061e48b979df02194707e9bbc2144/fs/ext4/inode.c
May 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/312fa0ecad19f673f7380c1a9cf980abd1fe445a

commit 312fa0ecad19f673f7380c1a9cf980abd1fe445a
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri May 11 15:43:52 2018

BACKPORT: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

Backport Note: As EFSCORRUPTED does not exist in 3.8, use EIO

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042607
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit bf83884c035532941682c96b340b9cd060d2fab8)
Reviewed-on: https://chromium-review.googlesource.com/1055115

[modify] https://crrev.com/312fa0ecad19f673f7380c1a9cf980abd1fe445a/fs/ext4/inode.c
May 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/93b28f7b64611be608a3a2e281feb3377607790e

commit 93b28f7b64611be608a3a2e281feb3377607790e
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri May 11 15:43:54 2018

UPSTREAM: ext4: fail ext4_iget for root directory if unallocated

If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference.

This issue has been assigned CVE-2018-1092.

https://bugzilla.kernel.org/show_bug.cgi?id=199179
https://bugzilla.redhat.com/show_bug.cgi?id=1560777

BUG= chromium:839356
TEST=None

Change-Id: Iaa2cf501cc246b23c6ba84e3dd6ad46323d581f7
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042492
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit aac061fa49f9c701bdcb7e4f72de57e0fe881359)
Reviewed-on: https://chromium-review.googlesource.com/1055112

[modify] https://crrev.com/93b28f7b64611be608a3a2e281feb3377607790e/fs/ext4/inode.c
May 14 2018
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 18
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by zsm@chromium.org, May 3 2018
Labels: Security_Severity-High Security_Impact-Stable Pri-1
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream patch is 8e4b5eae5d ("ext4: fail ext4_iget for root directory if unallocated"). Patch is present in 4.14, 4.4. Patch is not present in 3.18, 3.14, 3.10, 3.8.