CVE-2018-1094 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-1094
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1094
CVSS severity score: 7.1/10.0

Description: The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.15.15 does not always initialize the crc32c checksum driver, which allows attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image.

This bug was filed by http://go/vomit. Please contact us at vomit-team@google.com if you need any assistance.
May 3 2018
Triage from chromium:835889:
CVE-2018-1094:
Upstream commits 18db4b4e6fc ("ext4: don't allow r/w mounts if metadata blocks overlap the superblock") and a45403b515 ("ext4: always initialize the crc32c checksum driver"). No CVE severity assigned. 1st patch queued for v4.4.129 and v4.14.36. Second patch queued for v4.14.36; v4.4 does not appear to be affected.
---------------------------------------------------------
The patches are not present in 3.18, 3.14, 3.10, 3.8.
Note: sb_rdonly is introduced in 94e92e7ac ("vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags").
May 3 2018
Guenter points out that according to the kernel team's guidelines, these are SS-High. While we harmonize the guidelines, we can follow the kernel team's for kernel bugs.
May 18 2018
zsm: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bb545a0d654d91ae15a827ec001e003db0f86322

commit bb545a0d654d91ae15a827ec001e003db0f86322
Author: Theodore Ts'o <tytso@mit.edu>
Date: Tue May 22 01:19:18 2018

UPSTREAM: ext4: always initialize the crc32c checksum driver

The extended attribute code now uses the crc32c checksum for hashing purposes, so we should just always initialize it. We also want to prevent NULL pointer dereferences if one of the metadata checksum features is enabled after the file system is originally mounted.

This issue has been assigned CVE-2018-1094.

https://bugzilla.kernel.org/show_bug.cgi?id=199183
https://bugzilla.redhat.com/show_bug.cgi?id=1560788

BUG=chromium:839358
TEST=None
CQ-DEPEND=CL:1042611

Change-Id: I585c1bbf628664d270ce9460fe54516f03fab5e1
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit a45403b51582a87872927a3e0fc0a389c26867f1)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042270

[modify] https://crrev.com/bb545a0d654d91ae15a827ec001e003db0f86322/fs/ext4/super.c
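Added example, not part of this bug or of the kernel patch: a small user-space C model of the defect the commit above fixes. It contrasts the pre-fix mount path, which sets up the checksum driver only when a feature that needs it is present at mount time, with the post-fix path that always sets it up, and then runs the scenario the commit message describes (feature becomes visible after mount, xattr value gets hashed). The struct, the FEAT_* bits, the function names and the software CRC-32C are assumptions of this example that stand in for ext4_sb_info, s_chksum_driver and the kernel's crc32c shash; the kernel's ext4_xattr_inode_hash() dereferences the driver unconditionally, whereas the model reports the missing driver so the failure path can be observed without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ext4 state behind CVE-2018-1094. sb_info,
 * csum_driver and the FEAT_* bits are assumptions of this example, not the
 * kernel's declarations. */
#define FEAT_METADATA_CSUM 0x1u
#define FEAT_EA_INODE      0x2u

typedef uint32_t (*chksum_fn)(uint32_t seed, const void *buf, size_t len);

struct sb_info {
    uint32_t features;      /* feature bits as read from the superblock */
    chksum_fn csum_driver;  /* NULL when no driver was set up at mount */
};

/* Software CRC-32C (Castagnoli, reflected polynomial 0x82F63B78) with the
 * standard init/final inversion; stands in for the kernel's crc32c shash. */
static uint32_t crc32c(uint32_t seed, const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    uint32_t crc = ~seed;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Pre-fix mount path: the driver is set up only when a feature that needs
 * it is present at mount time, mirroring the conditional the patch removed. */
static void fill_super_lazy(struct sb_info *sbi, uint32_t features) {
    sbi->features = features;
    sbi->csum_driver = NULL;
    if (features & (FEAT_METADATA_CSUM | FEAT_EA_INODE))
        sbi->csum_driver = crc32c;
}

/* Post-fix mount path: the driver is always set up, as the patch does. */
static void fill_super_fixed(struct sb_info *sbi, uint32_t features) {
    sbi->features = features;
    sbi->csum_driver = crc32c;
}

/* Model of ext4_xattr_inode_hash(): hash an xattr value with the driver.
 * The kernel dereferences the driver unconditionally; this model reports a
 * missing driver through *ok so the failure path can be observed instead. */
static uint32_t xattr_inode_hash(const struct sb_info *sbi, const void *val,
                                 size_t len, int *ok) {
    if (sbi->csum_driver == NULL) {
        *ok = 0;   /* in the kernel this is the NULL pointer dereference */
        return 0;
    }
    *ok = 1;
    return sbi->csum_driver(0, val, len);
}

/* Scenario from the commit message: mount with neither feature, the feature
 * word changes after mount, then an xattr value is hashed. Returns 1 if the
 * hash was computed and 0 if the driver was missing. */
static int run_scenario(void (*fill)(struct sb_info *, uint32_t), uint32_t *hash_out) {
    struct sb_info sbi;
    const char val[] = "123456789";   /* constructed xattr value */
    int ok;
    fill(&sbi, 0);                     /* mounted without csum or ea_inode */
    sbi.features |= FEAT_EA_INODE;     /* feature becomes visible later */
    *hash_out = xattr_inode_hash(&sbi, val, sizeof val - 1, &ok);
    return ok;
}

int main(void) {
    uint32_t h = 0;
    printf("lazy init  : %s\n", run_scenario(fill_super_lazy, &h)
           ? "hashed" : "NULL driver (would crash in the kernel)");
    printf("always init: %s, crc32c=0x%08x\n",
           run_scenario(fill_super_fixed, &h) ? "hashed" : "NULL driver", h);
    return 0;
}
```

The point of the model is the ordering problem: the hashing code trusts that mount time already decided whether a driver is needed, so any later change to the feature bits leaves a consumer with no driver. Allocating the driver unconditionally removes that dependency rather than trying to track every place the feature word can change.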
May 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/58b334a1165896664896a536d96acea84afa68a7

commit 58b334a1165896664896a536d96acea84afa68a7
Author: David Howells <dhowells@redhat.com>
Date: Tue May 22 01:19:16 2018

UPSTREAM: vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags

Add an sb_rdonly() function to query the MS_RDONLY flag on sb->s_flags preparatory to providing an SB_RDONLY flag.

BUG=chromium:839358
TEST=None

Change-Id: I573949ebbfbe1cd41a1bd1d3521e4a25f80fcec9
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 94e92e7ac90d06e1e839e112d3ae80b2457dbdd7)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042611

[modify] https://crrev.com/58b334a1165896664896a536d96acea84afa68a7/include/linux/fs.h
May 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c94cba83c74a0aedbc764a83e6b24515e2b5dbc5

commit c94cba83c74a0aedbc764a83e6b24515e2b5dbc5
Author: Theodore Ts'o <tytso@mit.edu>
Date: Tue May 22 01:19:19 2018

UPSTREAM: ext4: don't allow r/w mounts if metadata blocks overlap the superblock

If some metadata block, such as an allocation bitmap, overlaps the superblock, it's very likely that if the file system is mounted read/write, the results will not be pretty. So disallow r/w mounts for file systems corrupted in this particular way.

BUG=chromium:839358
TEST=None
CQ-DEPEND=CL:1042270

Change-Id: I1399dfe1346121e950cc2f1b1bbd2989efd267d6
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
(cherry picked from commit 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042613

[modify] https://crrev.com/c94cba83c74a0aedbc764a83e6b24515e2b5dbc5/fs/ext4/super.c
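Added example, not part of this bug or of the kernel patch: a user-space C model of the group-descriptor check that the commit above tightens, showing why it depends on the sb_rdonly() helper from the previous CL. Every overlap between a group's metadata blocks and the superblock block is reported, but only a read/write mount is refused, so a read-only mount of a damaged image stays possible for inspection. The struct fields, function names and single-group geometry are assumptions of this example and not ext4_check_descriptors()'s declarations; the real function also verifies that the bitmaps and inode table lie inside the group's block range, which the model omits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the descriptor check the patch tightens. Fields,
 * function names and the one-group geometry are assumptions of this
 * example, not the kernel's ext4_check_descriptors() declarations. */
struct group_desc {
    uint64_t block_bitmap;     /* block number of the block bitmap */
    uint64_t inode_bitmap;     /* block number of the inode bitmap */
    uint64_t inode_table;      /* first block of the inode table */
    uint64_t inode_table_len;  /* blocks occupied by the inode table */
};

struct mount_ctx {
    uint64_t sb_block;  /* block that holds the primary superblock */
    bool rdonly;        /* what sb_rdonly(sb) would report for this mount */
    int overlaps_seen;  /* how many overlap reports were logged */
};

static bool in_range(uint64_t start, uint64_t len, uint64_t blk) {
    return blk >= start && blk - start < len;
}

static void report(struct mount_ctx *ctx, const char *what, unsigned group) {
    fprintf(stderr, "ext4_check_descriptors: %s for group %u overlaps superblock\n",
            what, group);
    ctx->overlaps_seen++;
}

/* Returns true if the mount may proceed. Every overlap is logged; only a
 * read/write mount is refused, which is the behaviour the patch adds. */
static bool check_descriptor(struct mount_ctx *ctx, unsigned group,
                             const struct group_desc *gd) {
    int before = ctx->overlaps_seen;
    if (gd->block_bitmap == ctx->sb_block)
        report(ctx, "Block bitmap", group);
    if (gd->inode_bitmap == ctx->sb_block)
        report(ctx, "Inode bitmap", group);
    if (in_range(gd->inode_table, gd->inode_table_len, ctx->sb_block))
        report(ctx, "Inode table", group);
    bool corrupt = ctx->overlaps_seen != before;
    return !corrupt || ctx->rdonly;
}

/* Convenience wrapper: would a single-group image with this descriptor be
 * allowed to mount in the given mode? */
static bool can_mount(const struct group_desc *gd, uint64_t sb_block, bool rdonly) {
    struct mount_ctx ctx = { sb_block, rdonly, 0 };
    return check_descriptor(&ctx, 0, gd);
}

int main(void) {
    /* Constructed descriptors: a sane one and one whose block bitmap sits in
     * block 0, which holds the superblock on a 4k-block file system. */
    const struct group_desc sane = { 2, 3, 4, 64 };
    const struct group_desc bad  = { 0, 3, 4, 64 };
    printf("sane, r/w: %s\n", can_mount(&sane, 0, false) ? "mount" : "refuse");
    printf("bad,  r/w: %s\n", can_mount(&bad, 0, false) ? "mount" : "refuse");
    printf("bad,  r/o: %s\n", can_mount(&bad, 0, true) ? "mount" : "refuse");
    return 0;
}
```

The design choice worth noting is that the severity of the response follows the mount mode rather than the corruption alone: a read-only mount cannot write the bitmap over the superblock, so it is allowed through with a logged error, while a read/write mount is stopped before any metadata update can clobber the superblock.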
May 23 2018
These patches seem to cause stability issues on 3.18 and 3.14 when testing with the CQ. I'll look further into what is causing these CQ failures.
May 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/171db3ea038cff34f447be034befd5991294aa73

commit 171db3ea038cff34f447be034befd5991294aa73
Author: David Howells <dhowells@redhat.com>
Date: Thu May 24 07:23:10 2018

UPSTREAM: vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags

Add an sb_rdonly() function to query the MS_RDONLY flag on sb->s_flags preparatory to providing an SB_RDONLY flag.

BUG=chromium:839358
TEST=None

Change-Id: I573949ebbfbe1cd41a1bd1d3521e4a25f80fcec9
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 94e92e7ac90d06e1e839e112d3ae80b2457dbdd7)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1042608
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/171db3ea038cff34f447be034befd5991294aa73/include/linux/fs.h
May 30 2018
#13: The patches continue to cause stability issues on 3.18 and 3.14 across multiple trybot/CQ attempts, and have been abandoned as a result. The patches have been merged into 4.14, closing this bug.
Sep 6
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jorgelo@chromium.org, May 3 2018
Status: Available (was: Untriaged)