1549621 – (CVE-2017-18202) CVE-2017-18202 kernel: Infoleak/use-after-free in __oom_reap_task_mm function in mm/oom_kill.c

Bug 1549621 (CVE-2017-18202) - CVE-2017-18202 kernel: Infoleak/use-after-free in __oom_reap_task_mm function in mm/oom_kill.c

Summary: CVE-2017-18202 kernel: Infoleak/use-after-free in __oom_reap_task_mm function...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-18202
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1549622 1554355 1554356
Blocks:	1549624
TreeView+	depends on / blocked

Reported:	2018-02-27 14:02 UTC by Pedro Sampaio
Modified:	2021-06-10 14:54 UTC (History)
CC List:	44 users (show)
Fixed In Version:	Linux 4.14.4
Doc Type:	If docs needed, set a value
Doc Text:	The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel, before 4.14.4, mishandles gather operations. This allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:41:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2772	0	None	None	None	2018-09-25 17:54:54 UTC

Description Pedro Sampaio 2018-02-27 14:02:22 UTC

The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel before 4.14.4 mishandles gather operations, which allows attackers to cause a denial of service (TLB entry leak or use-after-free) or possibly have unspecified other impact by triggering a copy_to_user call within a certain time window.

References:

https://marc.info/?t=151004877700005&r=1&w=2

An upsteam patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=687cb0884a714ff484d038e9190edc874edcf146

Comment 1 Pedro Sampaio 2018-02-27 14:02:51 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1549622]

Comment 2 Justin M. Forbes 2018-02-27 15:27:13 UTC

This was fixed for fedora with the 4.14.4 stable updates.

Comment 7 errata-xmlrpc 2018-09-25 17:54:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2772 https://access.redhat.com/errata/RHSA-2018:2772

Note You need to log in before you can comment on or make changes to this bug.

airlied
ajax
aquini
bhu
blc
bskeggs
dhoward
ewk
fhrbata
hdegoede
hkrzesin
hwkernel-mgr
iboverma
ichavero
itamar
jarodwilson
jforbes
jglisse
jkacur
john.j5live
jonathan
josef
jross
jwboyer
kernel-maint
kernel-mgr
labbott
lgoncalv
linville
matt
mchehab
mcressma
mjg59
mlangsdo
nmurray
plougher
pmatouse
rt-maint
rvrbovsk
skozina
steved
vdronov
williams
yozone