CVE-2018-18559 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2018-18559
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-18559
CVSS severity score: 6.8/10.0
Description: In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Dec 7
15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()") is present in chromeos-4.19, v4.14, v4.4 and v3.18.
It does not seem like a fix for the UAF has been merged into the upstream kernel yet.
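An added example of the branch check behind the comment above; it is not code from the bug thread or from the ChromeOS kernel project. It assumes a local git clone with the upstream and vendor/stable branches fetched, and takes the commit hash and branch names as parameters. What it adds is the caveat a practitioner needs for exactly this kind of triage: trees such as chromeos-4.19, v4.14, v4.4 and v3.18 carry a fix as a cherry-pick with its own hash, so an ancestry test on the upstream hash alone reports "missing" there, and the "commit <sha> upstream" line that the stable process adds to the backport (or, failing that, the upstream subject line) has to be searched instead.

```shell
# Added example (not from the bug thread or the ChromeOS kernel tree): report
# whether an upstream fix commit has reached each branch we ship, the check
# behind "15fe076edea7 ... is present in chromeos-4.19, v4.14, v4.4 and v3.18".
# Assumes a local git clone with the relevant branches fetched; the commit and
# branch names are parameters, nothing here is hard-coded.
#
# A plain ancestry test is not enough: stable and vendor trees carry fixes as
# cherry-picks with new hashes, so the upstream hash is never an ancestor there.
# Backports are found by the "commit <upstream sha> upstream" line that the
# stable process adds to the message, falling back to the upstream subject.

# fix_in_branch REPO COMMIT BRANCH
# prints one of: present | backported | backported-by-subject | missing | unknown-ref
fix_in_branch() {
    repo=$1; commit=$2; branch=$3
    git -C "$repo" rev-parse --verify --quiet "$branch^{commit}" >/dev/null \
        || { echo unknown-ref; return 2; }
    # exact upstream commit reachable from the branch (mainline-derived trees)
    if git -C "$repo" merge-base --is-ancestor "$commit" "$branch" 2>/dev/null; then
        echo present; return 0
    fi
    # cherry-pick carrying the upstream hash in its message (stable convention)
    if [ -n "$(git -C "$repo" log --format=%H --fixed-strings --grep="$commit" "$branch")" ]; then
        echo backported; return 0
    fi
    # last resort: same subject line; reported separately because it can also
    # match a revert or an unrelated commit with the same words
    subject=$(git -C "$repo" log -1 --format=%s "$commit" 2>/dev/null) || subject=
    if [ -n "$subject" ] \
       && [ -n "$(git -C "$repo" log --format=%H --fixed-strings --grep="$subject" "$branch")" ]; then
        echo backported-by-subject; return 0
    fi
    echo missing; return 1
}

# check_branches REPO COMMIT BRANCH...  -> one "<branch> <status>" line per branch
check_branches() {
    repo=$1; commit=$2; shift 2
    for b in "$@"; do
        printf '%s %s\n' "$b" "$(fix_in_branch "$repo" "$commit" "$b")"
    done
}

# Usage against a kernel clone that tracks the stable branches, e.g.:
#   check_branches ~/src/linux 15fe076edea7 chromeos-4.19 linux-4.14.y linux-4.4.y
```

A "backported-by-subject" result is deliberately kept distinct from "backported": confirm it by hand before marking a branch as fixed, since a revert or a different commit with the same subject would match too.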
Dec 7

Dec 8

Dec 10
Some related tracking bugs are:
- android vomit report: b/120649409
- b/120649410
- b/120650292
Dec 11
zsm@ do we have an ETA for when the UAF will be merged into the upstream kernel yet?
Dec 11
No. There is conflicting information related to this bug. It is unclear if this issue is known (and fixed, with 15fe076edea7) or if 15fe076edea7 is the incomplete fix. If there are no updates on the linked bugs by the end of tomorrow I'll ping edumazet@ and ask what he thinks.
Dec 13
Looking at the post linked from the vomit link, the trigger for the UAF seems to rely on the ability for a second thread to call packet_notifier(). The patch 15fe076edea7 seems to explicitly try to prevent this from happening. Closing this bug as WontFix as there are no patches that need to be applied. If there is information suggesting otherwise please let me know and I'll reopen the bug.
Comment 1 by zsm@chromium.org, Dec 7: Status: Assigned (was: Untriaged)