CVE-2018-1120 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-1120
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1120
CVSS severity score: 3.5/10.0

Description: A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
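The advisory states that any program which read()s /proc/<pid>/cmdline or /proc/<pid>/environ can be stalled by the process it is inspecting. Monitoring or inventory tooling that walks /proc on a kernel without the fix can at least avoid hanging as a whole by performing each read in a child process that is killed on a deadline. The code below is an added example written for this page, not code from the tracker issue, from procps or from the kernel patch; it assumes a small Python child reader and that SIGKILL reaches a child stuck in such a read (the kernel-side fix remains the actual remedy, this only bounds the damage to the reader).

```python
"""Read /proc/<pid>/cmdline defensively so one hostile process cannot stall the reader."""
import os
import subprocess
import sys
import tempfile
from typing import List, Optional

# Child-side reader (assumption: a Python interpreter is available as sys.executable).
# It only opens the file, reads it whole and writes the raw bytes to stdout.
_CHILD_READER = (
    "import sys\n"
    "sys.stdout.buffer.write(open(sys.argv[1], 'rb').read())\n"
)


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv strings."""
    # The kernel terminates every argument with NUL, so the last split element is empty.
    parts = raw.split(b"\x00")
    if parts and parts[-1] == b"":
        parts.pop()
    return [p.decode("utf-8", errors="replace") for p in parts]


def read_proc_file_with_timeout(path: str, timeout: float) -> Optional[bytes]:
    """Read `path` in a child process and give up after `timeout` seconds.

    The parent cannot interrupt its own read() once it is blocked inside the
    kernel, but it can kill a child that is stuck: subprocess.run() sends
    SIGKILL to the child when the timeout expires and then reaps it.
    """
    try:
        result = subprocess.run(
            [sys.executable, "-c", _CHILD_READER, path],
            capture_output=True,
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired:
        return None  # reader stalled: report "unavailable" instead of hanging
    if result.returncode != 0:
        return None  # e.g. target exited (ENOENT) or permission denied
    return result.stdout


def process_argv(pid: int, timeout: float = 1.0) -> Optional[List[str]]:
    """Return argv for `pid`, or None when its cmdline could not be read in time."""
    raw = read_proc_file_with_timeout(f"/proc/{pid}/cmdline", timeout)
    return None if raw is None else parse_cmdline(raw)


def demo() -> List[str]:
    """Exercise the reader and parser on a constructed cmdline image in a temp file."""
    sample = b"ps\x00aux\x00--sort=-%mem\x00"  # constructed sample, not captured data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        raw = read_proc_file_with_timeout(path, timeout=5.0)
    finally:
        os.unlink(path)
    return parse_cmdline(raw) if raw is not None else []


if __name__ == "__main__":
    print(demo())
    if sys.platform.startswith("linux"):
        print(process_argv(os.getpid()))
```

The per-read child costs a fork per process inspected, which is acceptable for a periodic collector but not for a tight ps-style loop; the point is that a stalled read surfaces as a None result for one pid rather than a wedged tool.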
Aug 13

Test CL at: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1172728
coral-pre-cq: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291079352741744
bob-pre-cq: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291075903123456
kevin-pre-cq: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291072447946880
coral-paladin-tryjob: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291068859708336
bob-paladin-tryjob: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291065329944752
kevin-paladin-tryjob: https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8938291061856907776
Aug 15
DoS is not a security event per our severity guidelines, but a synchronization primitive might be useful (that's a long shot though). Hence setting low severity. I expect this to be also OK for lakitu, speak up if you disagree. Recommendation: Apply the patch where it applies cleanly and ship via regular release cycle.
Aug 15
As the patch is in 4.14 and the impact is set to low, I'll go ahead and close this bug without any further action. Please feel free to reassign if further action is required on this bug.
Aug 15
#5: sgtm.
Nov 22

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Aug 12
Labels: M-70 Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit 7f7ccc2ccc2e ("proc: do not access cmdline nor environ from file-backed areas"). Fixed in chromeos-4.14 with merge of v4.14.42. Not fixed in older releases. A comment in the commit log suggests that the fix may be needed in older kernels, and if so that it would require manual backport. A quick check reveals that this is the case at least for chromeos-4.4. Best action is probably to backport the patch to chromeos-4.4, check it as much as possible, request for it to be included in upstream stable releases, and then pull it from there. The risk associated with backports to even older kernels is probably not worth it.