Issue metadata
Sign in to add a comment
|
CVE-2018-13406 CrOS: Vulnerability reported in Linux kernel |
||||||||||||||||||||||
Issue descriptionVOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. Advisory: CVE-2018-13406 Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-13406 CVSS severity score: 7.2/10.0 Description: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. This bug was filed by http://go/vomit Please contact us at vomit-team@google.com if you need any assistance.
,
Aug 29
,
Aug 31
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b7ef347def87dc655235bbcef6f01e7a03db05c7 commit b7ef347def87dc655235bbcef6f01e7a03db05c7 Author: Kees Cook <keescook@chromium.org> Date: Fri Aug 31 12:23:24 2018 UPSTREAM: video: uvesafb: Fix integer overflow in allocation cmap->len can get close to INT_MAX/2, allowing for an integer overflow in allocation. This uses kmalloc_array() instead to catch the condition. BUG= chromium:878353 TEST=None Change-Id: I6ccc2aba7365c45c6f3f0816b74042f874c1b187 Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com> Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> (cherry picked from commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713) Signed-off-by: Zubin Mithra <zsm@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1194382 [modify] https://crrev.com/b7ef347def87dc655235bbcef6f01e7a03db05c7/drivers/video/fbdev/uvesafb.c
,
Aug 31
,
Aug 31
,
Aug 31
This bug requires manual review: We are only 3 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 4
,
Sep 5
,
Sep 14
,
Sep 14
This bug requires manual review: M70 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18
geohsu@: can this patch be merged into stable?
,
Sep 25
Stable reviewers, could you approve for merge into stable?
,
Sep 25
#12: I think you mean stable release PMs, not reviewers
,
Sep 25
Thanks, yes, I meant stable release PMs.
,
Oct 1
Ping for stable release PMs. Kindly update the bug.
,
Oct 4
I pinged Geo on chat.
,
Oct 4
,
Oct 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5667a3e8072f3e7c5a45cea952839d1f5edd4fe7 commit 5667a3e8072f3e7c5a45cea952839d1f5edd4fe7 Author: Kees Cook <keescook@chromium.org> Date: Thu Oct 04 19:20:51 2018 UPSTREAM: video: uvesafb: Fix integer overflow in allocation cmap->len can get close to INT_MAX/2, allowing for an integer overflow in allocation. This uses kmalloc_array() instead to catch the condition. BUG= chromium:878353 TEST=None Change-Id: I6ccc2aba7365c45c6f3f0816b74042f874c1b187 Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com> Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> (cherry picked from commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713) Signed-off-by: Zubin Mithra <zsm@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1194382 (cherry picked from commit b7ef347def87dc655235bbcef6f01e7a03db05c7) Reviewed-on: https://chromium-review.googlesource.com/c/1262238 [modify] https://crrev.com/5667a3e8072f3e7c5a45cea952839d1f5edd4fe7/drivers/video/fbdev/uvesafb.c
,
Oct 4
,
Oct 4
,
Oct 5
,
Jan 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by zsm@google.com
, Aug 28Labels: Security_Severity-High Security_Impact-Stable Pri-1
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit is 9f645bcc56("video: uvesafb: Fix integer overflow in allocation"). The commit is present in v4.14, and v4.4. v3.18 is affected and the patch cleanly applies. Older kernels are not affected.