UBUNTU-CVE-2018-12896

Description

An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.

CVSS Metrics

• v3.0•MEDIUM•Score: 5.5CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Systems

• ubuntu•linux

  < 3.13.0-164.214 | < 4.4.0-141.167 | < 4.15.0-43.46

• ubuntu•linux-aws

  < 4.4.0-1037.40 | < 4.4.0-1074.84 | < 4.15.0-1031.33

• ubuntu•linux-azure

  < 4.15.0-1036.38~14.04.2 | < 4.15.0-1036.38~16.04.1 | < 4.15.0-1036.38

• ubuntu•linux-azure-6.11

  all

• ubuntu•linux-azure-fde

  all

• ubuntu•linux-azure-fde-5.15

  all

• ubuntu•linux-fips

  < 4.4.0-1008.10

• ubuntu•linux-gcp

  < 4.15.0-1026.27~16.04.1 | < 4.15.0-1026.27

• ubuntu•linux-gcp-6.11

  all

• ubuntu•linux-gke

  all

• ubuntu•linux-hwe

  < 4.15.0-43.46~16.04.1

• ubuntu•linux-hwe-6.11

  all

• ubuntu•linux-intel-iot-realtime

  all

• ubuntu•linux-kvm

  < 4.4.0-1039.45 | < 4.15.0-1028.28

• ubuntu•linux-lowlatency-hwe-6.11

  all

• ubuntu•linux-lts-xenial

  < 4.4.0-141.167~14.04.1

• ubuntu•linux-oem

  < 4.15.0-1030.35

• ubuntu•linux-raspi-realtime

  all

• ubuntu•linux-raspi2

  < 4.4.0-1102.110 | < 4.15.0-1030.32 | all

• ubuntu•linux-realtime

  all

• ubuntu•linux-riscv

  all | all

• ubuntu•linux-snapdragon

  < 4.4.0-1106.111

References (12)

• https://ubuntu.com/security/CVE-2018-12896
• https://bugzilla.kernel.org/show_bug.cgi?id=200189
• https://github.com/lcytxw/bug_repro/tree/master/bug_200189
• https://github.com/torvalds/linux/commit/78c9c4dfbf8c04883941445a195276bb4bb92c76
• https://ubuntu.com/security/notices/USN-3847-1
• https://ubuntu.com/security/notices/USN-3847-2
• https://ubuntu.com/security/notices/USN-3847-3
• https://ubuntu.com/security/notices/USN-3848-1
• https://ubuntu.com/security/notices/USN-3848-2
• https://ubuntu.com/security/notices/USN-3849-1
• https://ubuntu.com/security/notices/USN-3849-2
• https://www.cve.org/CVERecord?id=CVE-2018-12896