Issue 912890

Issue metadata

Status: WontFix
Owner:
Closed: Dec 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security
CVE-2018-18559 CrOS: Vulnerability reported in Linux kernel

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Dec 7

Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel. 

Advisory: CVE-2018-18559
  Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-18559
  CVSS severity score: 6.8/10.0
  Description:

In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.



This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Owner: zsm@chromium.org
Status: Assigned (was: Untriaged)
Cc: groeck@chromium.org wonderfly@google.com
Labels: Security_Severity-High Security_Impact-Stable Pri-1
15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()") is present in chromeos-4.19, v4.14, v4.4 and v3.18.
It does not seem like a fix for the UAF has been merged into the upstream kernel yet.
Cc: mikewu@google.com
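One way to make the check stated in the comment above (whether 15fe076edea7 is reachable from each kernel branch of interest) repeatable, as an added example that is not part of the bug thread or the ChromeOS kernel project: a POSIX shell helper around `git merge-base --is-ancestor`. The commit hash is the one quoted in the thread; the repository path, script name and ref names in the usage comment are assumptions about a local checkout, and the helper deliberately distinguishes "absent" from "could not resolve" so an unfetched or mistyped hash is never mistaken for a missing fix.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the ChromeOS kernel
# project. Checks whether a fix commit is an ancestor of each kernel ref,
# the way the thread checks that 15fe076edea7 is in chromeos-4.19, v4.14,
# v4.4 and v3.18. Assumes a local git clone with those refs already fetched.

# fix_present REPO COMMIT REF
#   prints "present" and returns 0 when COMMIT is reachable from REF,
#   prints "absent"  and returns 1 when it is not,
#   prints "unknown" and returns 2 when COMMIT or REF does not resolve,
#   so a mistyped or unfetched hash is never reported as "absent".
fix_present() {
    repo=$1 commit=$2 ref=$3
    # --verify with ^{commit} accepts abbreviated hashes and rejects names
    # that resolve to something other than a commit.
    if ! git -C "$repo" rev-parse --verify --quiet "${commit}^{commit}" >/dev/null ||
       ! git -C "$repo" rev-parse --verify --quiet "${ref}^{commit}" >/dev/null; then
        echo "unknown"
        return 2
    fi
    # --is-ancestor exits 0 when COMMIT is in REF's history, 1 when not.
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        echo "present"
        return 0
    fi
    echo "absent"
    return 1
}

# check_branches REPO COMMIT REF...
#   one line per ref; returns 1 if any ref lacks the commit (or could not be
#   resolved), 0 if every ref carries it.
check_branches() {
    repo=$1 commit=$2
    shift 2
    missing=0
    for r in "$@"; do
        status=$(fix_present "$repo" "$commit" "$r") || true
        printf '%-16s %s\n' "$r" "$status"
        [ "$status" = present ] || missing=1
    done
    return $missing
}

# Usage (script name, path and ref names are assumptions about your checkout):
#   sh check_fix.sh ~/chromiumos/src/third_party/kernel/v4.19 \
#       15fe076edea787807a7cdc168df832544b58eba6 chromeos-4.19 v4.14 v4.4 v3.18
if [ $# -ge 3 ]; then
    check_branches "$@"
fi
```

Run it against each branch the triage lists; a non-zero exit from `check_branches` is the signal to keep the bug open rather than close it as WontFix.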
Comment 4 by sheriffbot@chromium.org (Project Member), Dec 8

Labels: Target-71 M-71
Some related tracking bugs are:
- android vomit report: b/120649409
- b/120649410
- b/120650292
Cc: kerrnel@chromium.org mnissler@chromium.org
zsm@ do we have an ETA for when the UAF will be merged into the upstream kernel yet?
No. There is conflicting information related to this bug. It is unclear if this issue is known (and fixed, with 15fe076edea7) or if 15fe076edea7 is the incomplete fix.
If there are no updates on the linked bugs by the end of tomorrow I'll ping edumazet@ and ask what he thinks.
Labels: -Security_Impact-Stable Security_Impact-None
Status: WontFix (was: Assigned)
Looking at the post linked from the vomit link, the trigger for the UAF seems to rely on the ability for a second thread to call packet_notifier(). The patch 15fe076edea7 seems to explicitly try to prevent this from happening.
Closing this bug as WontFix as there are no patches that need to be applied.

If there is information suggesting otherwise please let me know and I'll reopen the bug.