CVE-2018-1091

kernel: guest kernel crash during core dump on POWER9 host

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.

En la función flush_tmregs_to_thread en arch/powerpc/kernel/ptrace.c en el kernel de Linux, en versiones anteriores a la 4.13.5, se puede desencadenar un cierre inesperado del kernel invitado desde un espacio de usuario sin privilegios durante un volcado de memoria en un host POWER. Esto se debe a la falta de verificación de la funcionalidad del procesador y un uso erróneo de las instrucciones de la memoria transaccional (TM) en la ruta de volcado de memoria, lo que da lugar a una denegación de servicio (DoS).

A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-12-04 CVE Reserved
2018-03-27 CVE Published
2023-03-21 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-391: Unchecked Error Condition

CAPEC

References (9)

URL	Tag	Source
http://openwall.com/lists/oss-security/2018/03/27/4	Mailing List
https://access.redhat.com/security/cve/cve-2018-1091	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70	2018-05-10
https://github.com/torvalds/linux/commit/c1fa0768a8713b135848f78fd43ffc208d8ded70	2018-05-10
https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2	2018-05-10
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5	2018-05-10

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:1318	2018-05-10
https://bugzilla.redhat.com/show_bug.cgi?id=1558149	2018-05-08
https://access.redhat.com/security/cve/CVE-2018-1091	2018-05-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				<= 4.13.4 Search vendor "Linux" for product "Linux Kernel" and version " <= 4.13.4"		-		Affected