Issue 852759

Issue metadata

Status: Fixed
Closed: Jun 2018
OS: Chrome
Pri: 1
Type: Bug-Security

CVE-2018-10940 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jun 14 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2018-10940
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10940
  CVSS severity score: 4.9/10.0
  Description:

The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by zsm@chromium.org, Jun 14 2018

Cc: groeck@chromium.org
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit is 9de4ee405 ("cdrom: information leak in cdrom_ioctl_media_changed()").
Present in 4.14 and 4.4. Patch is not present in older kernels but applies cleanly.

Comment 2 by groeck@chromium.org, Jun 14 2018

Cc: wonderfly@google.com

Comment 3 by groeck@chromium.org, Jun 14 2018

Labels: M-68

Comment 4 by sheriffbot@chromium.org (Project Member), Jun 14 2018

Labels: -Pri-2 Pri-1
Cc: edjee@google.com

Comment 6 by bugdroid1@chromium.org (Project Member), Jun 16 2018

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4aca1aa91312731a267633306de26766d676d982

commit 4aca1aa91312731a267633306de26766d676d982
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Jun 16 05:16:42 2018

UPSTREAM: cdrom: information leak in cdrom_ioctl_media_changed()

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

BUG= chromium:852759 
TEST=None

Change-Id: Iced2191b6ef1f561948407867e296a842d5fbbb6
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1100999
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/4aca1aa91312731a267633306de26766d676d982/drivers/cdrom/cdrom.c


Comment 7 by bugdroid1@chromium.org (Project Member), Jun 16 2018

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/eab5e2bbdaa79060aa34001138b24e3966e30e20

commit eab5e2bbdaa79060aa34001138b24e3966e30e20
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Jun 16 05:17:04 2018

UPSTREAM: cdrom: information leak in cdrom_ioctl_media_changed()

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

BUG= chromium:852759 
TEST=None

Change-Id: Iced2191b6ef1f561948407867e296a842d5fbbb6
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1100961
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/eab5e2bbdaa79060aa34001138b24e3966e30e20/drivers/cdrom/cdrom.c


Comment 8 by bugdroid1@chromium.org (Project Member), Jun 16 2018

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b36a50b4126f1723b8b5b2682ad1cf301293fc35

commit b36a50b4126f1723b8b5b2682ad1cf301293fc35
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Jun 16 05:16:47 2018

UPSTREAM: cdrom: information leak in cdrom_ioctl_media_changed()

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

BUG= chromium:852759 
TEST=None

Change-Id: Iced2191b6ef1f561948407867e296a842d5fbbb6
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1100997
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/b36a50b4126f1723b8b5b2682ad1cf301293fc35/drivers/cdrom/cdrom.c


Comment 9 by bugdroid1@chromium.org (Project Member), Jun 16 2018

Labels: merge-merged-chromeos-3.10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f053cd9637697c2e6741b522a76288aa9f2cceb4

commit f053cd9637697c2e6741b522a76288aa9f2cceb4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat Jun 16 05:16:59 2018

UPSTREAM: cdrom: information leak in cdrom_ioctl_media_changed()

This cast is wrong.  "cdi->capacity" is an int and "arg" is an unsigned
long.  The way the check is written now, if one of the high 32 bits is
set then we could read outside the info->slots[] array.

This bug is pretty old and it predates git.

BUG= chromium:852759 
TEST=None

Change-Id: Iced2191b6ef1f561948407867e296a842d5fbbb6
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1100998
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/f053cd9637697c2e6741b522a76288aa9f2cceb4/drivers/cdrom/cdrom.c
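As an added illustration of the bounds check the cherry-picked commit message above describes (a constructed model written for this page, not the kernel's or the ChromeOS tree's code): the pre-fix form truncates the unsigned long slot index to int before comparing it with the int capacity, so an index whose low 32 bits read as a negative int passes the check, while the fixed form compares at the width of the index. All function and variable names are assumptions, and the slot array is constructed sample data.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed model of the check described in the commit message; not the
 * kernel's code. capacity is the changer's slot count (an int, like
 * cdi->capacity); arg is the caller-supplied slot index (an unsigned long). */

/* Before the fix: arg is truncated to int before the compare, so an index
 * whose low 32 bits read as a negative int passes the check. */
static bool slot_index_ok_buggy(int capacity, unsigned long arg)
{
    return !((int)arg >= capacity);
}

/* After the fix: compare at the width of arg; capacity is promoted to
 * unsigned long, so every arg >= capacity is rejected. */
static bool slot_index_ok_fixed(int capacity, unsigned long arg)
{
    return !(arg >= (unsigned long)capacity);
}

/* Constructed changer state: per-slot "media changed" flags. */
static const int sample_slots[4] = {0, 1, 0, 1};
static const int sample_capacity = 4;

/* Slot lookup behind the fixed check: the slot's flag, or -1 (standing in
 * for -EINVAL) when the index is out of range. */
static int media_changed_model(const int *slots, int capacity, unsigned long arg)
{
    return slot_index_ok_fixed(capacity, arg) ? slots[arg] : -1;
}

/* How many probe indices the buggy check accepts but the fixed one rejects.
 * The probes behave the same whether unsigned long is 32 or 64 bits wide. */
static int count_buggy_only_accepts(int capacity)
{
    const unsigned long probes[3] = {
        ULONG_MAX - 2,              /* low 32 bits 0xFFFFFFFD -> (int) -3 */
        (unsigned long)INT_MAX + 2, /* 0x80000001 -> negative int         */
        (unsigned long)capacity,    /* one past the end: both reject      */
    };
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (slot_index_ok_buggy(capacity, probes[i]) &&
            !slot_index_ok_fixed(capacity, probes[i]))
            n++;
    return n;
}
```

The two probes that only the buggy check accepts would have indexed slots[] far past its end; the fixed comparison rejects them along with the ordinary one-past-the-end case.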

Comment 10 by zsm@google.com, Jun 18 2018

Status: Fixed (was: Assigned)

Comment 11 by sheriffbot@chromium.org (Project Member), Jun 19 2018

Labels: Restrict-View-SecurityNotify

Comment 12 by sheriffbot@chromium.org (Project Member), Sep 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot