Issue metadata
Sign in to add a comment
|
CVE-2018-10322 CrOS: Vulnerability reported in Linux kernel |
||||||||||||||||||||||
Issue descriptionVOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. Advisory: CVE-2018-10322 Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10322 CVSS severity score: 4.9/10.0 Description: The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image. This bug was filed by http://go/vomit Please contact us at vomit-team@google.com if you need any assistance.
,
Jun 12 2018
,
Jun 12 2018
Turns out xfs changes since v4.14 are too substantial to apply just a single patch to v4.14.y, much less to v4.4.y. It would be necessary to apply a sequence of patches to older kernels to fix the problem there. Let's leave this up to the maintainer. If we ever enable XFS in our images, we'll have to apply many if not all post-4.14 patches to reduce the risk associated with using XFS. Marking as WontFix.
,
Jun 12 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by groeck@chromium.org
, Jun 12 2018Owner: groeck@chromium.org
Status: ExternalDependency (was: Untriaged)
CONFIG_XFS_FS is not enabled in any Chrome OS or VM configurations. Fixed with upstream commit b42db0860e13 ("xfs: enhance dinode verifier") which is not tagged for stable and thus not available in any stable releases. Will request backport and pull from stable releases into chromeos-4.14 and chromeos-4.4. No immediate action required.