CVE-2018-10877 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-10877
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10877
CVSS severity score: 6.8/10.0
Description: Linux kernel ext4 filesystem is vulnerable to an out-of-bounds access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

Sep 26

Patch is at https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1240897

caroline-pre-cq https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934301830682591904
caroline-paladin-tryjob https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934301827685732928
cave-pre-cq https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934301825118258752
cave-paladin-tryjob https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934301822584226800

Sep 27

Success on retrying the tryjobs:

caroline-pre-cq https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934215747768192496
caroline-paladin-tryjob https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934215744366913680
cave-pre-cq https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934215741394875712
cave-paladin-tryjob https://cros-goldeneye.corp.google.com/chromeos/healthmonitoring/buildDetails?buildbucketId=8934215738761416320

Sending patch to CQ.

Sep 28

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bef272b4b8d9868640f21a405db5cf6497c0d98

commit 5bef272b4b8d9868640f21a405db5cf6497c0d98
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri Sep 28 02:44:56 2018

UPSTREAM: ext4: verify the depth of extent tree in ext4_find_extent()

If there is a corrupted file system where the claimed depth of the extent tree is -1, this can cause a massive buffer overrun leading to sadness.

This addresses CVE-2018-10877.

https://bugzilla.kernel.org/show_bug.cgi?id=199417

BUG= chromium:888315
TEST=None

Change-Id: I72edb13ef81e5106e2d43a59347ec3bf068f0c1a
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1240897

[modify] https://crrev.com/5bef272b4b8d9868640f21a405db5cf6497c0d98/fs/ext4/extents.c
[modify] https://crrev.com/5bef272b4b8d9868640f21a405db5cf6497c0d98/fs/ext4/ext4_extents.h

Oct 1

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c60517f56ee18ad3f74484282630afc6cd570667

commit c60517f56ee18ad3f74484282630afc6cd570667
Author: Theodore Ts'o <tytso@mit.edu>
Date: Mon Oct 01 18:31:13 2018

UPSTREAM: ext4: verify the depth of extent tree in ext4_find_extent()

If there is a corrupted file system where the claimed depth of the extent tree is -1, this can cause a massive buffer overrun leading to sadness.

This addresses CVE-2018-10877.

https://bugzilla.kernel.org/show_bug.cgi?id=199417

BUG= chromium:888315
TEST=None

Change-Id: I72edb13ef81e5106e2d43a59347ec3bf068f0c1a
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit bc890a60247171294acc0bd67d211fa4b88d40ba)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1240897
(cherry picked from commit 5bef272b4b8d9868640f21a405db5cf6497c0d98)
Reviewed-on: https://chromium-review.googlesource.com/1251746

[modify] https://crrev.com/c60517f56ee18ad3f74484282630afc6cd570667/fs/ext4/extents.c
[modify] https://crrev.com/c60517f56ee18ad3f74484282630afc6cd570667/fs/ext4/ext4_extents.h
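
Added example, not part of the issue thread or of the kernel patch: a user-space C check of the kind the commit message describes, rejecting an extent header whose claimed depth is out of range before anything is sized from it. The function name, return codes, the bound of 5 and the sample headers are assumptions made for this example; the header layout and magic follow the ext4 on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_MAGIC     0xF30Au /* eh_magic value in the ext4 on-disk format */
#define EXT_MAX_DEPTH 5       /* assumed upper bound used by this example */

enum { EXT_OK = 0, EXT_SHORT = -1, EXT_BAD_MAGIC = -2,
       EXT_BAD_COUNT = -3, EXT_BAD_DEPTH = -4 };

/* Read a little-endian 16-bit field without alignment assumptions. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Validate the 12-byte extent header: eh_magic, eh_entries, eh_max,
 * eh_depth (16 bits each) and eh_generation (32 bits), all little-endian.
 * On success *depth_out holds a depth that is safe to size a path array with.
 */
int check_extent_header(const uint8_t *buf, size_t len, int *depth_out)
{
    if (len < 12)
        return EXT_SHORT;
    if (le16(buf) != EXT_MAGIC)
        return EXT_BAD_MAGIC;
    if (le16(buf + 2) > le16(buf + 4)) /* eh_entries exceeds eh_max */
        return EXT_BAD_COUNT;

    /* 0xFFFF is the value a signed 16-bit reader sees as depth -1. */
    uint16_t raw_depth = le16(buf + 6);
    if (raw_depth > EXT_MAX_DEPTH)
        return EXT_BAD_DEPTH;

    *depth_out = raw_depth;
    return EXT_OK;
}

/* Constructed sample headers, not taken from a real image. */
const uint8_t hdr_ok[12]   = {0x0A, 0xF3, 1, 0, 4, 0, 0, 0, 0, 0, 0, 0};
const uint8_t hdr_neg[12]  = {0x0A, 0xF3, 1, 0, 4, 0, 0xFF, 0xFF, 0, 0, 0, 0};
const uint8_t hdr_deep[12] = {0x0A, 0xF3, 1, 0, 4, 0, 6, 0, 0, 0, 0, 0};

int main(void)
{
    int d = -1;
    printf("ok=%d neg=%d deep=%d\n", check_extent_header(hdr_ok, 12, &d),
           check_extent_header(hdr_neg, 12, &d), check_extent_header(hdr_deep, 12, &d));
    return 0;
}
```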

Jan 8

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by zsm@chromium.org, Sep 24

Labels: Security_Severity-High Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)

Upstream commit is bc890a602 ("ext4: verify the depth of extent tree in ext4_find_extent()"). This commit is present in v4.14, v4.4. Older kernels do not have this commit. The patch applies cleanly to v3.18; will test the patch.