VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-12714
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-12714
CVSS severity score: 10/10.0
Description:
An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial of service (slab out-of-bounds write) or possibly have unspecified other impact via crafted perf_event_open and mmap system calls.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by zsm@chromium.org
, Aug 23Labels: Security_Severity-Critical Security_Impact-None Pri-3
Owner: zsm@chromium.org
Status: WontFix (was: Untriaged)
Upstream commit is 81f9c4e41 as the merge commit. The individual commit can be found in git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace as 70303420b5 ("tracing: Check for no filter when processing event filters") from trace-v4.18-rc1 CONFIG_FTRACE and CONFIG_TRACING seem to be set in our kernels, but the cause of this bug(lack of validation inside predicate_parse) is not, as predicate_parse has not been introduced yet into our kernels. Also, Fixes tag corresponds to 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster") which is not present in our kernels. Marking as WontFix.