CVE-2018-10882 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-10882
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10882
CVSS severity score: 4.9/10.0
Description: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Sep 26
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/05ff0f3425fb58126b8c7d838e6e1b55378ada71

commit 05ff0f3425fb58126b8c7d838e6e1b55378ada71
Author: Theodore Ts'o <tytso@mit.edu>
Date: Wed Sep 26 03:40:57 2018

UPSTREAM: ext4: add more inode number paranoia checks

If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted.

Also, if the superblock's first inode number field is too small, refuse to mount the file system.

This addresses CVE-2018-10882.

https://bugzilla.kernel.org/show_bug.cgi?id=200069

BUG= chromium:888320
TEST=None

Change-Id: I9f16a66a93f9ebf8928f8ecada439de9a11c460e
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit c37e9e013469521d9adb932d17a1795c139b36db)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1241353
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/05ff0f3425fb58126b8c7d838e6e1b55378ada71/fs/ext4/inode.c
[modify] https://crrev.com/05ff0f3425fb58126b8c7d838e6e1b55378ada71/fs/ext4/ext4.h
[modify] https://crrev.com/05ff0f3425fb58126b8c7d838e6e1b55378ada71/fs/ext4/super.c
Sep 28
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/69a5923f6838c388237d716bc6135c42a58525d3

commit 69a5923f6838c388237d716bc6135c42a58525d3
Author: Theodore Ts'o <tytso@mit.edu>
Date: Fri Sep 28 02:44:44 2018

UPSTREAM: ext4: add more inode number paranoia checks

If there is a directory entry pointing to a system inode (such as a journal inode), complain and declare the file system to be corrupted.

Also, if the superblock's first inode number field is too small, refuse to mount the file system.

This addresses CVE-2018-10882.

https://bugzilla.kernel.org/show_bug.cgi?id=200069

BUG= chromium:888320
TEST=None

Change-Id: I9f16a66a93f9ebf8928f8ecada439de9a11c460e
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit c37e9e013469521d9adb932d17a1795c139b36db)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1246408
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>

[modify] https://crrev.com/69a5923f6838c388237d716bc6135c42a58525d3/fs/ext4/inode.c
[modify] https://crrev.com/69a5923f6838c388237d716bc6135c42a58525d3/fs/ext4/ext4.h
[modify] https://crrev.com/69a5923f6838c388237d716bc6135c42a58525d3/fs/ext4/super.c
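The two checks the commit message describes, modelled in user-space C as an added example (this is not the kernel's code or the patch itself). The function and struct names are hypothetical; the field offsets follow the ext4 on-disk superblock layout, and the constants 2, 8 and 11 are the kernel's EXT4_ROOT_INO, EXT4_JOURNAL_INO and EXT4_GOOD_OLD_FIRST_INO.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SB_OFFSET 1024u          /* primary superblock offset in the image */
#define SB_MAGIC 0xEF53u         /* s_magic, le16 at 0x38 */
#define ROOT_INO 2u              /* EXT4_ROOT_INO */
#define JOURNAL_INO 8u           /* EXT4_JOURNAL_INO, a reserved system inode */
#define GOOD_OLD_FIRST_INO 11u   /* smallest legal first non-reserved inode */
enum sb_verdict { SB_OK, SB_SHORT, SB_BAD_MAGIC, SB_BAD_FIRST_INO };
struct sb_info { uint32_t inodes_count, first_ino; };  /* hypothetical holder */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Mount-time check: refuse a superblock whose first-inode field is too small. */
enum sb_verdict check_superblock(const uint8_t *img, size_t len, struct sb_info *out) {
    if (len < SB_OFFSET + 0x58) return SB_SHORT;
    const uint8_t *sb = img + SB_OFFSET;
    if ((uint32_t)(sb[0x38] | sb[0x39] << 8) != SB_MAGIC) return SB_BAD_MAGIC;
    out->inodes_count = le32(sb + 0x00);                 /* s_inodes_count */
    /* Revision 0 has a fixed first inode; later revisions store s_first_ino at 0x54. */
    out->first_ino = le32(sb + 0x4C) == 0 ? GOOD_OLD_FIRST_INO : le32(sb + 0x54);
    return out->first_ino < GOOD_OLD_FIRST_INO ? SB_BAD_FIRST_INO : SB_OK;
}

/* Directory-entry check: accept only the root or a non-reserved, in-range inode. */
int dirent_inum_ok(uint32_t ino, const struct sb_info *sb) {
    return ino == ROOT_INO || (ino >= sb->first_ino && ino <= sb->inodes_count);
}

/* Constructed sample: a zeroed 2 KiB image carrying only the fields read above. */
void make_sample(uint8_t *img, uint32_t rev, uint32_t first_ino, uint32_t inodes) {
    memset(img, 0, 2048);
    img[SB_OFFSET + 0x38] = 0x53; img[SB_OFFSET + 0x39] = 0xEF;
    put32(img + SB_OFFSET + 0x00, inodes);
    put32(img + SB_OFFSET + 0x4C, rev);
    put32(img + SB_OFFSET + 0x54, first_ino);
}

int main(void) {
    uint8_t img[2048]; struct sb_info sb;
    make_sample(img, 1, 11, 128);                        /* constructed values */
    int v = check_superblock(img, sizeof img, &sb);
    printf("verdict=%d journal dirent ok=%d\n", v, dirent_inum_ok(JOURNAL_INO, &sb));
    return 0;
}
```

The directory-entry check relies on `first_ino`, so it is only meaningful after the superblock check has returned `SB_OK`.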
Jan 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by zsm@chromium.org, Sep 24
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commit is c37e9e013 ("ext4: add more inode number paranoia checks"). This commit is present in v4.14, v4.4. The commit is not present in 3.18.y, but applies cleanly to v3.18. Will test this patch out.