Fix would simply be to remove this line: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/chromeos-4.4/drivers/virtio/virtio_wl.c#930

zachr@ - please take a look.
jorgelo@ - is this shipping yet? could you set sec-impact accordingly?

No version of this driver is shipped on a chromebook. Only the 4.14 version is shipped in termina guest kernels.

Also jorgelo@ is OOO this week. mnissler@, could you fill in?

Since this doesn't affect the host kernel (I've double-checked kernel config just in case), this certainly isn't severity high. However, it might be useful in an exploit chain that escalates from guest to host via guest kernel compromise, so I think severity medium looks right for this. Setting Impact-Beta as crosvm/termina isn't launched to stable yet. Zach, please correct me if I'm wrong here.

Might make sense to consider fuzzing this interface using syzkaller?

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Does the patch I proposed in comment #2 sound correct? And if yes, would it be helpful to send a CL for it?

That sounds correct. I'll push the suggested change.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a1996093581e48ece5a5222b3f02a6d47a566e57

commit a1996093581e48ece5a5222b3f02a6d47a566e57
Author: Zach Reizner <zachr@google.com>
Date: Thu May 17 10:24:30 2018

CHROMIUM: virtwl: fix double free in error path for virtwl_ioctl_recv

BUG= chromium:840161 
TEST=None

Change-Id: I18981885db705862d34e91b695f7323a1d52e3dd
Signed-off-by: Zach Reizner <zachr@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1056146
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Alex Gaynor <alex.gaynor@gmail.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>

[modify] https://crrev.com/a1996093581e48ece5a5222b3f02a6d47a566e57/drivers/virtio/virtio_wl.c

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Nice one alex.gaynor@, the Chrome VRP panel decided to award $1,000 for this report, and $500 for suppling the fix. A member of our finance team will be in touch to arrange payment. Also, how would you like to be credited in our release notes?

Please credit me as: Alex Gaynor, Fish in a Barrel. Thanks!

I imagine the member of the finance team will also be the correct person to work with on donating the payment?

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot