This issue has been assigned CVE-2018-12932. In most cases, an application does not have any reason to trigger this issue, and an attacker would have to be in possession of the system's kernel memory in order to take advantage of it. This vulnerability is considered low risk, because it requires the attacker to have a system privilege in order to be exploited.
At the time of this writing, there are no known public exploits for this issue. If a public exploit for this issue becomes available, it would be added to the article.
Vulnerable code example
This vulnerability is triggered when a user application (the exploit code) attempts to read from the system's kernel memory. The vulnerability exists in the way that the input buffer is initialized using a copy of the first 64 bytes of data from an adjacent buffer. If a user program does not allocate enough storage for its input buffer, this condition will be met and the program will see data from another process.
The following code has been tested on Ubuntu 16.04 LTS with Linux kernel 4.13-rc1-01062-g5e5b5c7a (Ubuntu 18.04 LTS with Linux kernel 4.18-rc3-0495f8d6).
int app_main(void *arg) { int res; struct app_data *app = arg; char buf[64]; res = sys_write(1, buf, sizeof(buf)); // Allocate space for input buffer memset(buf, 0x42, sizeof(buf)); res = sys_read(1, buf + 64, sizeof(buf)); }
Exploitation of issue p wning process
A potential vulnerability that allows a local privilege escalation has been discovered in the Linux kernel. This vulnerability is due to a race condition in the implementation of the set_mempolicy function in mm/mempolicy.c when handling permissions for memory mappings.
The vulnerability is considered low risk because it requires a local privilege escalation and an attacker must be in possession of the system's kernel memory. At the time of this writing, there are no known public exploits for this issue. If a public exploit for this issue becomes available, it would be added to the article.
Overview
An information disclosure vulnerability has been discovered in VMware Workstation. A malicious process with access to the kernel memory of a system can trigger the issue if it calls nt!KiFastSystemCall (nt!KiFastSystemCall+0x10).
For systems running ESX, ESXi, or any other virtual machine that uses the VMX86 processor type, this vulnerability is not applicable. For all other systems, an attacker would have to be in possession of the underlying system's kernel memory in order to take advantage of this vulnerability.
This vulnerability is considered low risk because it requires an attacker to have a system privilege in order to be exploited and existing mitigations are sufficient for most users.
Vulnerability Details
On Unix systems, the race condition vulnerability exists in the implementation of the posix_fadvise() system call. The vulnerability affects only a limited number of file system operations that can cause data corruption when an application does not handle the F_FREESWAP or F_FASYNC flags associated with these operations correctly.
The vulnerability is caused by a race condition where two different processes both access and change a single file at the same time, which may lead to data corruption. A malicious application can exploit this issue by opening two files at once and then either changing one of them or reading from one of them, depending on what operation it performs first.
Vulnerability Discovery and Research:
5 Steps to Take
1. Identify the specific application that may be affected by this vulnerability
2. Figure out what process is running when the vulnerability is triggered
3. Determine if any of the events are related to memory allocation and use
4. Test your findings with a tool or script designed for this purpose
5. Report your findings to the appropriate maintainers
Timeline
Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/28/2022 20:32:00 UTC