Date: Wed, 12 Dec 2018 01:27:13 +0100
From: Jann Horn <jannh@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: userfaultfd bypasses tmpfs file permissions
 (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)

NOTE: I have requested a CVE identifier, and I'm sending this message,
to make tracking of the fix easier; however, to avoid missing security
fixes without CVE identifiers, you should *NOT* be cherry-picking a
specific patch in response to a notification about a kernel security
bug.

In Linux kernel versions since 4.11, userfaultfd can be used to write
arbitrary data into holes in sparse tmpfs files to which an attacker
has read-only access.

This is CVE-2018-18397.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700
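
An exposure check for hosts that cannot be updated to a fixed kernel right away, as an added example that is not part of the original message or of the kernel fix: it lists regular files on tmpfs mounts that contain holes and that group or other can read but not write, the file class the advisory describes. The function names, the mode-bit heuristic (ACLs and directory permissions are ignored) and the use of /proc/mounts are assumptions of this sketch.

```python
"""Added example: list sparse tmpfs files that non-owners can read but not write."""
import os
import stat

def tmpfs_mounts(mounts_text):
    """Return mount points of type tmpfs from /proc/mounts-style text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "tmpfs":
            # /proc/mounts escapes spaces in paths as \040
            points.append(fields[1].replace("\\040", " "))
    return points

def has_hole(size, blocks):
    """True if fewer 512-byte blocks are allocated than the file size needs."""
    return size > 0 and blocks * 512 < size

def read_only_for_others(mode):
    """True if group or other can read the file without being able to write it."""
    group = bool(mode & stat.S_IRGRP) and not mode & stat.S_IWGRP
    other = bool(mode & stat.S_IROTH) and not mode & stat.S_IWOTH
    return group or other

def is_exposed(size, blocks, mode):
    """Regular file, with at least one hole, readable but not writable by non-owners."""
    return stat.S_ISREG(mode) and has_hole(size, blocks) and read_only_for_others(mode)

def scan(root):
    """Yield paths under root (same filesystem only) that match is_exposed()."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into other filesystems mounted below this tmpfs.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or cannot be examined
            if is_exposed(st.st_size, st.st_blocks, st.st_mode):
                yield path

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for mount in tmpfs_mounts(fh.read()):
            for hit in scan(mount):
                print(hit)
```

Run it as root so that every directory on the tmpfs mounts can be traversed; an empty result means no file matched the heuristic, not that the kernel is fixed.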
