1597759 – (CVE-2018-12896) CVE-2018-12896 kernel: Integer overflow in kernel/time/posix-timers.c

Bug 1597759 (CVE-2018-12896) - CVE-2018-12896 kernel: Integer overflow in kernel/time/posix-timers.c

Summary: CVE-2018-12896 kernel: Integer overflow in kernel/time/posix-timers.c

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-12896
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1597760 1597762 1638044
Blocks:	1597761
TreeView+	depends on / blocked

Reported:	2018-07-03 14:53 UTC by Laura Pardo
Modified:	2021-02-17 00:01 UTC (History)
CC List:	45 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An issue was discovered in the Linux kernel where an integer overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random.
Clone Of:
Environment:
Last Closed:	2018-08-01 13:22:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-07-03 14:53:41 UTC

An issue was discovered in the Linux kernel. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random.

References:

https://bugzilla.kernel.org/show_bug.cgi?id=200189 	

https://github.com/lcytxw/bug_repro/tree/master/bug_200189 	

https://marc.info/?t=153003602900042&r=1&w=2

https://marc.info/?t=153003602700045&r=1&w=2

A suggested upstream patch:

https://github.com/torvalds/linux/commit/78c9c4dfbf8c04883941445a195276bb4bb92c76

Comment 1 Laura Pardo 2018-07-03 14:55:10 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1597760]

Comment 6 Vladis Dronov 2018-08-01 13:22:08 UTC

Note:

This bug is present in certain Red Hat products, but the security impact is absent. Therefore, we do not consider this bug to be a security flaw.

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
airlied
aquini
bhu
bskeggs
dbaker
dhoward
esammons
ewk
fhrbata
hdegoede
hkrzesin
hwkernel-mgr
iboverma
ichavero
itamar
jarodwilson
jforbes
jglisse
jkacur
john.j5live
jokerman
jonathan
josef
jross
jwboyer
kernel-maint
kernel-mgr
labbott
lgoncalv
linville
lwang
matt
mchehab
mcressma
mjg59
nmurray
plougher
rvrbovsk
skozina
steved
sthangav
trankin
vdronov
williams