A cache invalidation bug in Linux memory management (Project Zero)
Jann Horn describes
CVE-2018-17182, a locally exploitable memory-management bug in the
kernel, in great detail. "Fundamentally, this bug can be triggered
by any process that can run for a sufficiently long time to overflow the
reference counter (about an hour if MAP_FIXED is usable) and has the
ability to use mmap()/munmap() (to manage memory mappings) and clone() (to
create a thread). These syscalls do not require any privileges, and they
are often permitted even in seccomp-sandboxed contexts, such as the Chrome
renderer sandbox (mmap, munmap, clone), the sandbox of the main gVisor host
component, and Docker's seccomp policy."