CVE-2018-10883 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-10883
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-10883
CVSS severity score: 4.9/10.0
Description: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Oct 5
Testing the initial patch here: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1265180
Oct 8
I'm having trouble reproducing the crash with the PoC from the bugzilla link. Confirming with tytso@ on whether a backport is required.
Oct 8
tytso@
"""
The first commit is enough to prevent the PoC from triggering, but the true underlying bug is fixed by the second commit. It might be possible to trigger some *other* crash if the second commit is not backported. I think the reason why it's not in 4.4 is that the backport wasn't something that could be done automatically.

From a higher level perspective, something that might make sense for older ChromeOS kernels is to disable support for inline_data, since inline_data is not enabled by default today and it's primarily used in speciality use cases today. So it's not something Chrome OS *needs*, and inline_data has a bunch of bugs, and not all of them may be easily back-portable to 4.4, 3.18, et al.
"""
zsm@
"""
Thanks a lot, this is very helpful.
Is there a way to trivially disable inline_data in a kernel build? I took a look at the Kconfig but could not find any relevant CONFIG values. I don't see such a CONFIG value upstream either. Would it make sense to introduce one?
"""
tytso@
"""
There isn't a CONFIG value, but it's a one-line patch which you could just apply for the CrOS 4.4 kernels:
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 75cf6195b2d9..1063580f97d8 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1800,7 +1800,6 @@ EXT4_FEATURE_INCOMPAT_FUNCS(ioencoding, IOENCODING)
EXT4_FEATURE_INCOMPAT_FLEX_BG| \
EXT4_FEATURE_INCOMPAT_EA_INODE| \
EXT4_FEATURE_INCOMPAT_MMP | \
- EXT4_FEATURE_INCOMPAT_INLINE_DATA | \
EXT4_FEATURE_INCOMPAT_ENCRYPT | \
EXT4_FEATURE_INCOMPAT_IOENCODING | \
EXT4_FEATURE_INCOMPAT_CSUM_SEED | \
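Review bot: The removal of EXT4_FEATURE_INCOMPAT_INLINE_DATA from the EXT4_FEATURE_INCOMPAT_SUPP mask carries no comment at the removal site saying that the bit is left out on purpose, so a later sync of fs/ext4/ext4.h from upstream, where the bit is still listed, can silently reinstate it; a one-line comment next to the remaining `EXT4_FEATURE_INCOMPAT_MMP | \` entry naming this issue (chromium:892598) would guard against that. The effect of the hunk is that any image with the inline_data incompat bit set is now refused at mount time rather than handled by the inline_data code paths, which remain compiled in; since the follow-up commits record TEST=None, a quick mount of an image created with mkfs.ext4 -O inline_data, expected to fail, would confirm the mask change actually reaches the mount-time feature check.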
Basically, just remove that bit (EXT4_FEATURE_INCOMPAT_INLINE_DATA) from EXT4_FEATURE_INCOMPAT_SUPP.
We could add a 4.4 and 4.9 CONFIG to disable inline_data, but it's mainly because there have been a very large number of these sorts of bugs discovered relating to inline_data, and we don't have anyone tracking to make sure all of the inline_data fixes are getting backported to the 4.4.x and 4.9.x stable kernels, at least on the upstream side. It's not really something we are eager to enable upstream since we don't want to make the CONFIG parameters that much more complex.
"""
Oct 10
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1d5df63f14b586828a01173c04e0927e468b3d13

commit 1d5df63f14b586828a01173c04e0927e468b3d13
Author: Zubin Mithra <zsm@chromium.org>
Date: Wed Oct 10 04:14:08 2018

CHROMIUM: ext4: Disable inline data in inode

There are a high number of bugs being reported upstream related to inline_data. As not all of these patches are being backported to 4.9 and older kernels, it is useful to simply disable inline_data support in the kernel builds.

BUG=chromium:892598
TEST=None

Change-Id: I2e65c4387bf104f90779100192423b9d73e7bdb3
Reviewed-on: https://chromium-review.googlesource.com/1269699
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Theodore Tso <tytso@google.com>

[modify] https://crrev.com/1d5df63f14b586828a01173c04e0927e468b3d13/fs/ext4/ext4.h
Oct 10
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ce046b8d9b0b3286b0921064cd5a8a7ebf42a7b0

commit ce046b8d9b0b3286b0921064cd5a8a7ebf42a7b0
Author: Zubin Mithra <zsm@chromium.org>
Date: Wed Oct 10 04:14:15 2018

CHROMIUM: ext4: Disable inline data in inode

There are a high number of bugs being reported upstream related to inline_data. As not all of these patches are being backported to 4.9 and older kernels, it is useful to simply disable inline_data support in the kernel builds.

BUG=chromium:892598
TEST=None

Change-Id: I2e65c4387bf104f90779100192423b9d73e7bdb3
Reviewed-on: https://chromium-review.googlesource.com/1269697
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Theodore Tso <tytso@google.com>

[modify] https://crrev.com/ce046b8d9b0b3286b0921064cd5a8a7ebf42a7b0/fs/ext4/ext4.h
Oct 10
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d6b0ebac21f31b2bf3a1a7cf5cce070d36c691f5

commit d6b0ebac21f31b2bf3a1a7cf5cce070d36c691f5
Author: Zubin Mithra <zsm@chromium.org>
Date: Wed Oct 10 12:19:53 2018

CHROMIUM: ext4: Disable inline data in inode

There are a high number of bugs being reported upstream related to inline_data. As not all of these patches are being backported to 4.9 and older kernels, it is useful to simply disable inline_data support in the kernel builds.

BUG=chromium:892598
TEST=None

Change-Id: I2e65c4387bf104f90779100192423b9d73e7bdb3
Reviewed-on: https://chromium-review.googlesource.com/1269698
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Theodore Tso <tytso@google.com>

[modify] https://crrev.com/d6b0ebac21f31b2bf3a1a7cf5cce070d36c691f5/fs/ext4/ext4.h
Oct 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/94bffd44240ea6be82c9ae58adb87ddfc653dd37

commit 94bffd44240ea6be82c9ae58adb87ddfc653dd37
Author: Zubin Mithra <zsm@chromium.org>
Date: Thu Oct 11 00:07:55 2018

CHROMIUM: ext4: Disable inline data in inode

There are a high number of bugs being reported upstream related to inline_data. As not all of these patches are being backported to 4.9 and older kernels, it is useful to simply disable inline_data support in the kernel builds.

BUG=chromium:892598
TEST=None

Change-Id: I2e65c4387bf104f90779100192423b9d73e7bdb3
Reviewed-on: https://chromium-review.googlesource.com/1273352
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Theodore Tso <tytso@google.com>

[modify] https://crrev.com/94bffd44240ea6be82c9ae58adb87ddfc653dd37/fs/ext4/ext4.h
Oct 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/93062e2d90e3d6eb820d9b8292104aef63841667

commit 93062e2d90e3d6eb820d9b8292104aef63841667
Author: Zubin Mithra <zsm@chromium.org>
Date: Thu Oct 11 00:08:02 2018

CHROMIUM: ext4: Disable inline data in inode

There are a high number of bugs being reported upstream related to inline_data. As not all of these patches are being backported to 4.9 and older kernels, it is useful to simply disable inline_data support in the kernel builds.

BUG=chromium:892598
TEST=None

Change-Id: I2e65c4387bf104f90779100192423b9d73e7bdb3
Reviewed-on: https://chromium-review.googlesource.com/1273351
Commit-Ready: Zubin Mithra <zsm@chromium.org>
Tested-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Zubin Mithra <zsm@chromium.org>
Reviewed-by: Theodore Tso <tytso@google.com>

[modify] https://crrev.com/93062e2d90e3d6eb820d9b8292104aef63841667/fs/ext4/ext4.h
Oct 11
Patches disabling inline_data have been submitted; marking as Fixed.
Jan 17
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by zsm@google.com
Oct 5
Labels: Security_Severity-Medium Security_Impact-Stable Pri-2
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Upstream commits are:
- e09463f2 ("jbd2: don't mark block as modified if the handle is out of credits")
- 8bc1379b ("ext4: avoid running out of journal credits when appending to an inline file")
These commits are present in v4.14. v4.4 has e09463f2 but not 8bc1379b; a conflict occurs on applying the latter.