CVE-2018-12232

kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor

Severity Score

5.9
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.

In net/socket.c in the Linux kernel through version 4.17.1, there is a race condition between fchownat and close in cases where they target the same socket file descriptor. This is related to the sock_close and sockfs_setattr functions. fchownat does not increment the file descriptor's reference count, which allows close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and an unexpected system shutdown.

A NULL pointer dereference issue was found in the Linux kernel. If the close() and fchownat() system calls share a socket file descriptor as an argument, then the two calls can race and trigger a NULL pointer dereference leading to a system crash and a denial of service.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: None
Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-06-12 CVE Reserved
  • 2018-06-12 CVE Published
  • 2024-05-22 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor: Linux
Product: Linux Kernel
Version: <= 4.17.1
Other: -
Status: Affected