CVE-2018-11412 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-11412
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-11412
CVSS severity score: 4.3/10.0

Description: In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jun 27 2018
Jun 29 2018
Merge request is for the merge of upstream commit 117166efb1ee8f13 into chromeos-4.14.
Jun 29 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 29 2018
Jun 29 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/52a84cab3bb49e459a20306dd35707a880d7a1bc

commit 52a84cab3bb49e459a20306dd35707a880d7a1bc
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri Jun 29 18:44:41 2018

UPSTREAM: ext4: do not allow external inodes for inline data

commit 117166efb1ee8f13c38f9e96b258f16d4923f888 upstream.

The inline data feature was implemented before we added support for external inodes for xattrs. It makes no sense to support that combination, but the problem is that there are a number of extended attribute checks that are skipped if e_value_inum is non-zero.

Unfortunately, the inline data code is completely e_value_inum unaware, and attempts to interpret the xattr fields as if it were an inline xattr --- at which point, Hilarity Ensues.

This addresses CVE-2018-11412.

https://bugzilla.kernel.org/show_bug.cgi?id=199803

BUG= chromium:857017
TEST=Run image through ext4 file system tests

Change-Id: I65d201d0ba3a03ce5ff98bfe45d394c857f82cac
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-on: https://chromium-review.googlesource.com/1120875
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/52a84cab3bb49e459a20306dd35707a880d7a1bc/fs/ext4/inline.c
Jun 29 2018
Jun 30 2018
Jul 3
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 3
Oct 6
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Jun 27 2018
Labels: M-68 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: groeck@chromium.org
Status: Started (was: Untriaged)
Fixed with upstream commit 117166efb1ee8f13 ("ext4: do not allow external inodes for inline data"). Per CVE, only chromeos-4.14 is affected. Fix is queued for inclusion into chromeos-4.14 with the merge of v4.14.52. Will cherry-pick into beta release after the merge is complete.
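
The guard described in the commit message above, sketched as a user-space C model. This is an added example, not the kernel's or the Chromium OS project's code: the struct is a simplified stand-in, and the names xattr_entry_model, entry_check, unguarded_path_accepts, read_inline_data_checked and EFSCORRUPTED_MODEL are hypothetical, as is the extra destination-size bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFSCORRUPTED_MODEL 117 /* stand-in error code for this model */

/* Simplified stand-in for an on-disk xattr entry (not the kernel struct). */
struct xattr_entry_model {
    uint16_t e_value_offs; /* offset of the value inside the xattr region */
    uint32_t e_value_inum; /* non-zero: value lives in a dedicated inode */
    uint32_t e_value_size; /* value length as read from disk (untrusted) */
};

/* Generic entry check: bounds are verified only for in-region values,
 * modelling the "checks that are skipped if e_value_inum is non-zero". */
static int entry_check(const struct xattr_entry_model *e, size_t region_len)
{
    if (e->e_value_inum != 0)
        return 0; /* offs/size are not validated on this path */
    if (e->e_value_offs > region_len ||
        e->e_value_size > region_len - e->e_value_offs)
        return -EFSCORRUPTED_MODEL;
    return 0;
}

/* Pre-fix view: does the generic check alone let this entry through? */
int unguarded_path_accepts(const struct xattr_entry_model *e, size_t region_len)
{
    return entry_check(e, region_len) == 0;
}

/* Inline-data reader with the guard: an entry that points at an external
 * inode is rejected before its size field is ever used as a copy length. */
int read_inline_data_checked(const struct xattr_entry_model *e,
        const uint8_t *region, size_t region_len, uint8_t *dst, size_t dst_len)
{
    if (entry_check(e, region_len) != 0 || e->e_value_inum != 0)
        return -EFSCORRUPTED_MODEL;
    if (e->e_value_size > dst_len) /* extra bound added in this model */
        return -EFSCORRUPTED_MODEL;
    memcpy(dst, region + e->e_value_offs, e->e_value_size);
    return (int)e->e_value_size;
}

int main(void)
{
    struct xattr_entry_model ext = { 4, 12, 0xFFFF }; /* constructed entry */
    printf("generic check accepts: %d\n", unguarded_path_accepts(&ext, 32));
    return 0;
}
```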