CVE-2018-1000200
kernel: NULL pointer dereference on OOM kill of large mlocked process
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).
Las versiones 4.14, 4.15 y 4.16 del kernel de Linux tienen una desreferencia de puntero NULL que puede resultar en agotamiento de memoria (OOM), cerrando grandes procesos bloqueados. El problema surge del hilo final de un proceso finalizado por un OOM que llama a exit_mmap(), el cual llama a munlock_vma_pages_all() para mlocked vmas. Esto puede ocurrir en sincronÃa con el rango unmap_page_range() del oom reaper ya que el bit VM_LOCKED del vma se borra antes del munlocking (para determinar si otros vmas comparten la memoria y son bloqueados).
A flaw was found in the Linux kernel where an out of memory (oom) killing of a process that has large spans of mlocked memory can result in deferencing a NULL pointer, leading to denial of service.
It was discovered that, when attempting to handle an out-of-memory situation, a null pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service. Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-04-17 CVE Reserved
- 2018-06-05 CVE Published
- 2024-08-05 CVE Updated
- 2025-05-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/oss-sec/2018/q2/67 | Mailing List |
|
| http://www.securityfocus.com/bid/104397 | Third Party Advisory | |
| https://access.redhat.com/security/cve/cve-2018-1000200 | Third Party Advisory | |
| https://marc.info/?l=linux-kernel&m=152400522806945 | Mailing List | |
| https://marc.info/?l=linux-kernel&m=152460926619256 | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=27ae357fa82be5ab73b2ef8d39dcb8ca2563483a | 2018-10-31 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2948 | 2018-10-31 | |
| https://usn.ubuntu.com/3752-1 | 2018-10-31 | |
| https://usn.ubuntu.com/3752-2 | 2018-10-31 | |
| https://usn.ubuntu.com/3752-3 | 2018-10-31 | |
| https://access.redhat.com/security/cve/CVE-2018-1000200 | 2018-10-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1568744 | 2018-10-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.14 Search vendor "Linux" for product "Linux Kernel" and version "4.14" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.15 Search vendor "Linux" for product "Linux Kernel" and version "4.15" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.16 Search vendor "Linux" for product "Linux Kernel" and version "4.16" | - |
Affected
| ||||||