Date: Wed, 12 Dec 2018 01:27:13 +0100
From: Jann Horn <jannh@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)

NOTE: I have requested a CVE identifier, and I'm sending this message, to make tracking of the fix easier; however, to avoid missing security fixes without CVE identifiers, you should *NOT* be cherry-picking a specific patch in response to a notification about a kernel security bug.

In Linux kernel versions since 4.11, userfaultfd can be used to write arbitrary data into holes in sparse tmpfs files to which an attacker has read-only access. This is CVE-2018-18397.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700