VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2017-18344
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-18344
CVSS severity score: 2.1/10.0
Description:
The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Comment 1 by zsm@chromium.org
, Oct 3Labels: Security_Severity-Low Security_Impact-None Pri-3
Owner: zsm@chromium.org
Status: WontFix (was: Untriaged)
Upstream commit is cef31d9af9("posix-timer: Properly check sigevent->sigev_notify"). This commit is present in v4.14, v4.4, v3.18. Older kernels do not have this commit. CONFIG_CHECKPOINT_RESTORE is not set in any of the older kernels, so marking this as WontFix.