
Issue 906343

Issue metadata

Status: WontFix
Owner:
Closed: Nov 19
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security

CVE-2018-5391 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Nov 17

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-5391
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-5391
  CVSS severity score: 7.8/10.0
  Description:

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.

Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Cc: groeck@chromium.org wonderfly@google.com
The following patches from the branch ip-Use-rb-trees-for-IP-frag-queue (on net-next) have been merged into mainline to fix the issue:
- 7969e5c40dfd ("ip: discard IPv4 datagrams with overlapping segments.")
- 385114dec8a4 ("net: modify skb_rbtree_purge to return the truesize of all purged skbs.")
- fa0f527358bd ("ip: use rb trees for IP frag queue.")

related commits:
- 70837ffe3085 ("ipv4: frags: precedence bug in ip_expire()")
- 5d407b071dc3 ("ip: frags: fix crash in ip_do_fragment()")

These commits are present in chromeos-4.19, v4.14. v4.4 and older kernels do not seem to have these commits; 4.4.y does not seem to have these commits; they do not seem to be queued in queue-4.4.
Cc: rkolchmeyer@google.com
Please also see crbug.com/869941 and b/111650510. Not sure how significant the additional patches are on top of those already applied (i.e. if the severity score really applies to the current state of the various branches).

Ah I see, thanks, I hadn't seen those bugs. I'll take another look.
Labels: Security_Severity-Low Security_Impact-Stable Pri-2
Status: WontFix (was: Assigned)
#5: Thanks, I guess that the CLs in crbug:869941 should be enough. I'll go ahead and mark this as WontFix. If the patches do land in 4.4.y we can pull them in through stable merge.
#7: sgtm. Looking into the patches, I am not sure if the added protection is worth the risk for chromeos-4.4, so I am inclined to let this go.
