[SRU][T][PATCH 0/1] CVE-2017-18344 - Incorrect POSIX timer validation
tyhicks at canonical.com
Fri Aug 3 21:25:31 UTC 2018
The timer_create syscall implementation in kernel/time/posix-timers.c in
the Linux kernel before 4.14.8 doesn't properly validate the
sigevent->sigev_notify field, which leads to out-of-bounds access in the
show_timer function (called when /proc/$PID/timers is read). This allows
userspace applications to read arbitrary kernel memory (on a kernel built
with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
This is backported from upstream and tested with a PoC that I wrote. Xenial has
already picked up this fix via linux-stable. Bionic released with this fix.
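As an added illustration (my own code, not part of this e-mail, the Ubuntu patch or the kernel tree), the following userspace C model puts the pre-fix sigev_notify validation beside the whitelist the upstream fix introduced, and shows why an unrecognised value matters: show_timer() indexes a three-entry string table with (sigev_notify & ~SIGEV_THREAD_ID), so any value the check lets through that is outside 0..2 is an out-of-bounds read when /proc/$PID/timers is read. The function names good_sigevent_old, good_sigevent_new, show_timer_index_in_bounds, old_accepts and new_accepts are mine; both checks are simplified models of the kernel logic (the thread-id task lookup is omitted), and the sample sigevent values are constructed for the demonstration.

```c
/*
 * Userspace model of sigevent->sigev_notify validation before and after the
 * CVE-2017-18344 fix. Added illustration only: nothing here touches the real
 * kernel, and the task lookup done for SIGEV_THREAD_ID is left out.
 */
#define _GNU_SOURCE          /* SIGEV_THREAD_ID and SIGRTMAX from <signal.h> */
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The table show_timer() indexes with (notify & ~SIGEV_THREAD_ID):
 * SIGEV_SIGNAL == 0, SIGEV_NONE == 1, SIGEV_THREAD == 2, so only 0..2 are valid. */
static const char *const nstr[] = {
	[SIGEV_SIGNAL] = "signal",
	[SIGEV_NONE]   = "none",
	[SIGEV_THREAD] = "thread",
};
#define NSTR_LEN (sizeof(nstr) / sizeof(nstr[0]))

static bool signo_ok(const struct sigevent *ev)
{
	return ev->sigev_signo > 0 && ev->sigev_signo <= SIGRTMAX;
}

/* Pre-fix check (simplified model): inspects the SIGEV_THREAD_ID bit and the
 * signal number, but never rejects an unrecognised sigev_notify value. */
bool good_sigevent_old(const struct sigevent *ev)
{
	if ((ev->sigev_notify & SIGEV_THREAD_ID) && !signo_ok(ev))
		return false;   /* kernel also validates sigev_notify_thread_id here */
	if ((ev->sigev_notify & ~SIGEV_THREAD_ID) != 0 && !signo_ok(ev))
		return false;
	return true;
}

/* Post-fix check (model of the upstream whitelist): exact values only. */
bool good_sigevent_new(const struct sigevent *ev)
{
	switch (ev->sigev_notify) {
	case SIGEV_SIGNAL | SIGEV_THREAD_ID:
		/* kernel looks up and checks sigev_notify_thread_id here (omitted) */
		/* fall through */
	case SIGEV_SIGNAL:
	case SIGEV_THREAD:
		return signo_ok(ev);
	case SIGEV_NONE:
		return true;
	default:
		return false;   /* anything else is -EINVAL */
	}
}

/* Index show_timer() would compute; true only when it lies inside nstr[]. */
bool show_timer_index_in_bounds(int notify)
{
	size_t idx = (size_t)(notify & ~SIGEV_THREAD_ID);
	return idx < NSTR_LEN;
}

static struct sigevent make_ev(int notify, int signo)
{
	struct sigevent ev;
	memset(&ev, 0, sizeof(ev));     /* constructed sample, not from a real timer */
	ev.sigev_notify = notify;
	ev.sigev_signo = signo;
	return ev;
}

bool old_accepts(int notify, int signo)
{
	struct sigevent ev = make_ev(notify, signo);
	return good_sigevent_old(&ev);
}

bool new_accepts(int notify, int signo)
{
	struct sigevent ev = make_ev(notify, signo);
	return good_sigevent_new(&ev);
}

int main(void)
{
	/* 8 has no SIGEV_THREAD_ID bit and a valid signo: old check passes it,
	 * show_timer() would then read nstr[8], five entries past the table. */
	int samples[] = { SIGEV_SIGNAL, SIGEV_NONE, SIGEV_THREAD,
			  SIGEV_THREAD | SIGEV_THREAD_ID, 8, 0x7fffffff };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int n = samples[i];
		printf("notify=%-10d old=%d new=%d show_timer index in bounds=%d\n",
		       n, old_accepts(n, SIGUSR1), new_accepts(n, SIGUSR1),
		       show_timer_index_in_bounds(n));
	}
	return 0;
}
```

The point to take from the run is that the old check and the table lookup disagree about what "valid" means: the check is a mask-and-signal test, the lookup needs an exact small index. The whitelist closes that gap at timer_create() time, which is why the fix lands in good_sigevent() rather than in show_timer().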