CVE-2018-1091

Description

In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.

CVSS Metrics

• v3.0•MEDIUM•Score: 5.5CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 4.9AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 0.08%• Percentile: 24%

Techniques & Countermeasures

• CWE-119•Improper Restriction of Operations within the Bounds of a Memory Buffer

  The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

• CWE-391•Unchecked Error Condition

  [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

Affected Systems

• linux•linux_kernel

  ≤ 4.13.4

References (8)

• https://bugzilla.redhat.com/show_bug.cgi?id=1558149
• https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
• https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2
• https://access.redhat.com/security/cve/cve-2018-1091
• https://access.redhat.com/errata/RHSA-2018:1318
• http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70
• https://github.com/torvalds/linux/commit/c1fa0768a8713b135848f78fd43ffc208d8ded70
• http://openwall.com/lists/oss-security/2018/03/27/4