
Issue 857439


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




CVE-2018-1000199 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jun 28 2018

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2018-1000199
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1000199
  CVSS severity score: 4.9/10.0
  Description:

The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appears to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

 

Comment 1 by zsm@google.com, Jun 28 2018

Cc: groeck@chromium.org wonderfly@chromium.org
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream fix is f67b15037a("perf/hwbp: Simplify the perf-hwbp code, fix documentation")
Patch is present in 4.14, 4.4. Not present in older kernels.

Comment 2 by groeck@chromium.org, Jun 28 2018

Labels: M-68
Description suggests that it may only be needed in chromeos-3.18.

Project Member

Comment 3 by bugdroid1@chromium.org, Jun 29 2018

Labels: merge-merged-chromeos-3.18
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0a7c2593e03e1b25a8be82f6fdb67b9fab57e7b5

commit 0a7c2593e03e1b25a8be82f6fdb67b9fab57e7b5
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Jun 29 08:08:58 2018

UPSTREAM: perf/hwbp: Simplify the perf-hwbp code, fix documentation

Annoyingly, modify_user_hw_breakpoint() unnecessarily complicates the
modification of a breakpoint - simplify it and remove the pointless
local variables.

Also update the stale Docbook while at it.

BUG= chromium:857439 
TEST=None

Change-Id: Id27557d33ba1450e53b101c199951aa703a4ca72
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1118608
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/0a7c2593e03e1b25a8be82f6fdb67b9fab57e7b5/kernel/events/hw_breakpoint.c

Project Member

Comment 4 by sheriffbot@chromium.org, Jun 29 2018

Labels: -Pri-2 Pri-1
Status: Fixed (was: Assigned)
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 2

Labels: Restrict-View-SecurityNotify
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 8

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
