Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 30 Oct 2018 16:24:54 +0100
From: Andrey Konovalov <>
Cc: Kostya Serebryany <>, Dmitry Vyukov <>, 
	Alexander Potapenko <>, Kees Cook <>
Subject: Re: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the
 timer subsystem

On Thu, Aug 2, 2018 at 8:57 PM Andrey Konovalov <> wrote:
> Hi!
> Syzkaller/syzbot found a global-out-of-bounds bug in the timer
> subsystem of the Linux kernel [1], that is exploitable and can be used
> to gain an arbitrary-read primitive. This allows to access kernel
> memory and leak keys, credentials or other sensitive information that
> is stored there (so the bug has a similar impact to Meltdown). I'll
> share a PoC exploit in a week.
> The bug was introduced in commit 57b8015e ("posix-timers: Show
> sigevent info in proc file") [2] in 3.10 and fixed by commit cef31d9a
> ("posix-timer: Properly check sigevent->sigev_notify") [3] in
> 4.15-rc4. The bug only affects kernels that have CONFIG_POSIX_TIMERS
> and CONFIG_CHECKPOINT_RESTORE enabled, which is done by a lot of
> modern distros.
> This bug has been fixed in Ubuntu 16.04 [7], but still affects at
> least CentOS 7 at this moment (at least 3.10.0-862.9.1.el7.x86_64 that
> I've checked). I haven't checked the other distros.


> Then I decided to take a look at the CentOS kernel. I was quite
> surprised to find out that this bug hasn't been fixed there at all. I
> was under the impression that most Linux distros either follow stable
> kernel branches or monitor upstream commits for security related fixes
> themselves. It seems that this is not the case. Perhaps this fix was
> missed because CentOS 7 kernel is based on the 3.10 kernel version,
> and the 3.10 stable kernel release stopped being supported in November
> 2017.

This bug has finally been fixed in the Red Hat kernels [1] (so it's
probably fixed in CentOS as well, do they use the same kernel?), which
took another 3 months since my announcement on oss-security and 11
months since the initial syzbot bug report.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.