New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 877035 link

Starred by 1 user
Status: WontFix
Owner:
zsm@chromium.org
Closed: Jan 4
Cc:
wonderfly@chromium.org
groeck@chromium.org
chromeos-kernel-security-bug-access@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug-Security



Sign in to add a comment

CVE-2016-10723 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Aug 23 
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2016-10723
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2016-10723
  CVSS severity score: 4.9/10.0
  Description:

** DISPUTED ** An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurrent page fault events) when the global OOM killer is invoked. NOTE: the software maintainer has not accepted certain proposed patches, in part because of a viewpoint that "the underlying problem is non-trivial to handle."



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

Comment 1 by zsm@chromium.org, Aug 24

Cc: groeck@chromium.org wonderfly@chromium.org
Labels: Security_Severity-Low Pri-3
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
It is unclear if this issue affects our kernels. The patches being proposed upstream also seem to under discussion. Will wait on the upstream discussion/patches.

Comment 2 by groeck@chromium.org, Aug 24

Labels: Security_Impact-Unknown
Status: ExternalDependency (was: Assigned)
Since we are waiting for upstream, ExternalDependency seems to be an appropriate state.
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 25

Labels: -Security_Impact-Unknown
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 25

Labels: -Pri-3 Pri-2

Comment 5 by zsm@chromium.org, Jan 4

Labels: -Pri-2 Security_Impact-None Pri-3
Status: WontFix (was: ExternalDependency)
Based on the discussion at the following links, there does not seem to be an agreement on what the desired behavior is. Will mark this bug as WontFix.

https://patchwork.kernel.org/patch/10395909/
https://lore.kernel.org/patchwork/patch/809760/
https://www.spinics.net/lists/linux-mm/msg117896.html

Sign in to add a comment