A flaw was found in the upstream version of the kernel's implementation of the waitid system call. This flaw was the removal of validation of the target location where the kernel would copy the results. Previously it would implement a check to restrict the results to be copied to a valid userspace address; a new patch had inadvertently allowed copying to kernel addresses. An attacker could use this flaw to corrupt memory, panic the machine or possibly allow for arbitrary memory writes.
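To make the missing check concrete, here is an added, self-contained C model of the access_ok() pattern the description refers to; it is not code from the bug report or from the kernel. It uses a constructed 4 KiB toy address space (the lower half standing in for user space, the upper half for kernel space), a hypothetical boundary MODEL_TASK_SIZE, and a simplified siginfo struct, and places the vulnerable "store wherever the caller points" pattern beside the fixed "validate the destination range, refuse with -EFAULT" pattern so the difference in outcome on a kernel-space target is visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy address space: a 4 KiB array where the lower half stands in
 * for user space and the upper half for kernel space. MODEL_TASK_SIZE is a
 * hypothetical boundary, not any real architecture's TASK_SIZE. */
#define MODEL_MEM_SIZE   4096u
#define MODEL_TASK_SIZE  2048u
static uint8_t model_mem[MODEL_MEM_SIZE];

/* A "kernel" value living above the boundary; a stray write would clobber it. */
#define MODEL_KERNEL_CANARY_ADDR  3000u
#define MODEL_KERNEL_CANARY_VALUE 0xA5

/* Simplified model of the fields waitid() reports through siginfo. */
struct model_siginfo {
    int si_signo;
    int si_code;
    int si_pid;
    int si_status;
};

static void model_reset(void)
{
    memset(model_mem, 0, sizeof model_mem);
    model_mem[MODEL_KERNEL_CANARY_ADDR] = MODEL_KERNEL_CANARY_VALUE;
}

static bool model_kernel_canary_intact(void)
{
    return model_mem[MODEL_KERNEL_CANARY_ADDR] == MODEL_KERNEL_CANARY_VALUE;
}

/* Model of access_ok(): [addr, addr + size) must not wrap around and must lie
 * entirely below the user/kernel boundary. */
static bool model_access_ok(uint64_t addr, size_t size)
{
    uint64_t end = addr + size;
    if (end < addr)
        return false;              /* wrapped past the top of the address space */
    return end <= MODEL_TASK_SIZE; /* entirely within user space */
}

/* Raw store into the toy address space with no user/kernel check, standing in
 * for unsafe_put_user(): it trusts that the caller already validated addr. */
static void model_raw_store(uint64_t addr, const void *src, size_t n)
{
    if (addr + n <= MODEL_MEM_SIZE)     /* keep the toy itself memory-safe */
        memcpy(&model_mem[addr], src, n);
}

/* Vulnerable pattern: results go wherever infop points, kernel addresses included. */
static int model_waitid_unchecked(uint64_t infop, const struct model_siginfo *res)
{
    model_raw_store(infop, res, sizeof *res);
    return 0;
}

/* Fixed pattern: validate the destination range first and refuse with -EFAULT. */
static int model_waitid_checked(uint64_t infop, const struct model_siginfo *res)
{
    if (!model_access_ok(infop, sizeof *res))
        return -EFAULT;
    model_raw_store(infop, res, sizeof *res);
    return 0;
}

int main(void)
{
    struct model_siginfo res = { 17, 1, 4242, 0 };  /* constructed SIGCHLD/CLD_EXITED */
    uint64_t kaddr = MODEL_KERNEL_CANARY_ADDR;      /* a kernel-space destination */

    model_reset();
    int rc = model_waitid_unchecked(kaddr, &res);
    printf("unchecked: rc=%d canary intact=%d\n", rc, model_kernel_canary_intact());

    model_reset();
    rc = model_waitid_checked(kaddr, &res);
    printf("checked:   rc=%d canary intact=%d\n", rc, model_kernel_canary_intact());
    return 0;
}
```

The wrap-around test in model_access_ok() is the part most often forgotten when such a check is rewritten: a large address plus a size can wrap to a small "end" that passes a naive upper-bound comparison, so the end is compared against the start before it is compared against the boundary.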
Acknowledgments: Name: Chris Salls
Created attachment 1336563: Proposed patch
Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=96ca579a1ecc943b75beba58bebb0356f6cc4b51
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1501762]
References: http://seclists.org/oss-sec/2017/q4/78
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux as they did not include the upstream commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c48abe91be03d191d0c20cc755877da2cb35622 that introduced this issue.
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.