
List:       oss-security
Subject:    [oss-security] Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135,
From:       Jann Horn <jannh () google ! com>
Date:       2018-10-29 15:11:34
Message-ID: CAG48ez2OYD-9P-YSozYs08Xx0TdmWjwYB0GEm=ztLnEfL8dmow () mail ! gmail ! com

NOTE: I have requested a CVE identifier, and I'm sending this message
to make tracking of the fix easier; however, to avoid missing security
fixes without CVE identifiers, you should *NOT* be cherry-picking a
specific patch in response to a notification about a kernel security
bug.

Since Linux kernel version 3.2, the mremap() syscall performs TLB
flushes after dropping pagetable locks. If a syscall such as
ftruncate() removes entries from the pagetables of a task that is in
the middle of mremap(), a stale TLB entry can remain for a short time
that permits access to a physical page after it has been released back
to the page allocator and reused.

This is CVE-2018-18281.

This is fixed in the following kernel versions:
4.9.135
4.14.78
4.18.16
4.19

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
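A version-check helper for the fixed kernel versions listed in the post above, added here as an example for this archive page (it is not part of Jann Horn's message). It assumes only the version numbers stated in the post; the status vocabulary ("fixed", "vulnerable", "not_affected", "unknown") is this example's own.

```python
import platform
import re

# Fixed versions named in the advisory: first fixed patch level per stable
# branch, and the mainline release from which the fix is always present.
FIXED_STABLE = {(4, 9): 135, (4, 14): 78, (4, 18): 16}
FIXED_MAINLINE = (4, 19)
INTRODUCED = (3, 2)  # the advisory says the late flush dates from 3.2


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '4.9.134-1-amd64' into a
    (major, minor, patch) tuple; a missing patch level becomes 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def cve_2018_18281_status(release):
    """Classify an upstream kernel version as 'fixed', 'vulnerable',
    'not_affected' or 'unknown', using only versions from the advisory.
    Distribution kernels backport fixes without bumping the upstream
    version, so 'vulnerable' here means 'check your distro advisory'."""
    major, minor, patch = parse_kernel_version(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not_affected"
    if branch == FIXED_MAINLINE and "-rc" in release:
        # Release candidates of 4.19 may predate the fix commit.
        return "unknown"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[branch] else "vulnerable"
    # Affected era, but a branch the advisory does not list (e.g. 4.4.y or
    # 4.17.y): it may be unfixed or carry an unlisted backport.
    return "unknown"


if __name__ == "__main__":
    if platform.system() != "Linux":
        raise SystemExit("not a Linux kernel; nothing to check")
    rel = platform.release()
    print(f"{rel}: {cve_2018_18281_status(rel)}")
```

Numeric comparison matters here: a string compare would rank 4.9.99 above 4.9.135 and report a vulnerable kernel as fixed.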
