Date: Thu, 4 Oct 2018 05:14:42 -0400 (EDT) From: Vladis Dronov <vdronov@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2018-14656: Linux kernel: arbitrary kernel memory dump into the dmesg log Heololo, A missing address check in the callers of the show_opcodes() in the Linux kernel allows an attacker to dump the kernel memory at an arbitrary kernel address into the dmesg log. This affects the upstream Linux kernel as it was introduced by ba54d856a9d8 and 7cccf0725cf7, both since v4.18-rc1 and fixed by 342db04ae712 since v4.19-rc2. The CVE-2018-14656 was assigned to this flaw, I would suggest to use it in public communications regarding this flaw. References: https://bugzilla.redhat.com/show_bug.cgi?id=1629940 https://bugs.chromium.org/p/project-zero/issues/detail?id=1650 https://firstname.lastname@example.org/T/ An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=342db04ae71273322f0011384a9ed414df8bdae4 Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.