The move_pages system call in mm/migrate.c in the Linux kernel before 4.12.9 doesn't check the effective uid of the target process, enabling a local attacker to learn the memory layout of a setuid executable despite ASLR. Upstream patch: https://github.com/torvalds/linux/commit/197e7e521384a23b9e585178f3f11c9fa08274b9
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1488330]
This was fixed in 4.12.9 stable which is currently available across all supported Fedora releases.
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5,6,7 and MRG-2. Red Hat Enterprise Linux 5 and 6 are in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. The official life cycle policy can be reviewed here: https://access.redhat.com/support/policy/updates/errata/ This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal. Future Linux kernel updates for Red Hat Enterprise Linux 7 may address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062