[PATCH 0/5][SRU][B/C] CVE-2018-18397 - tmpfs permissions bypass
Tyler Hicks
tyhicks at canonical.com
Fri Jan 25 02:01:21 UTC 2019
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18397.html

The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles
access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing
local users to write data into holes in a tmpfs file (if the user has
read-only access to that file, and that file contains holes), related to
fs/userfaultfd.c and mm/userfaultfd.c.

All but one of these patches are clean cherry picks to Cosmic and Bionic. The
one that required manual backporting was due to minor context changes due to
upstream commit 2cf855837b89d92996cf264713f3bed2bf9b0b4f missing in those
kernels.

I've successfully regression tested these changes by running the
tools/testing/selftests/vm/run_vmtests kernel selftests, which exercise
userfaultfd.

Tyler