ASA-2018-00014 – Linux kernel: TLB flush happens too late on mremap()


Allele Security Alert

ASA-2018-00014

Identifier(s)

ASA-2018-00014, CVE-2018-18281

Title

TLB flush happens too late on mremap()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.19

Linux kernel versions before 4.9.135
Linux kernel versions before 4.14.78
Linux kernel versions before 4.18.16
Linux kernel versions before 4.4.163
Linux kernel versions before 3.18.125
Linux kernel versions before 3.16.62

Fixed version(s)

Linux kernel version 4.19

Linux kernel version 4.9.135
Linux kernel version 4.14.78
Linux kernel version 4.18.16
Linux kernel version 4.4.163
Linux kernel version 3.18.125
Linux kernel version 3.16.62

Proof of concept

Yes

Description

Since Linux kernel version 3.2, the mremap() syscall has performed its TLB flushes after dropping the pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time, permitting access to a physical page after it has been released back to the page allocator and reused.
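The fix landed in mainline 4.19 and was backported to the stable branches listed above, so the first thing a defender needs is to tell whether a given kernel is at or past the relevant fix level. The following check is an added example, not part of this alert; the version table is copied from the "Fixed version(s)" section, while the handling of uname-style release strings is an assumption made here.

```python
"""Classify a Linux kernel release string against the fix levels in ASA-2018-00014.

Added example (not part of the advisory): the table below is taken from the
advisory's "Fixed version(s)"; parsing of `uname -r` style strings is assumed.
"""
import re

# Stable branches that received the backport, keyed by (major, minor) -> first fixed patch level.
FIXED_IN_BRANCH = {
    (4, 18): 16,
    (4, 14): 78,
    (4, 9): 135,
    (4, 4): 163,
    (3, 18): 125,
    (3, 16): 62,
}
# First mainline release containing the fix.
FIXED_MAINLINE = (4, 19)


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` style string such as '4.14.77-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    # A bare 'X.Y' (e.g. '4.19') has no patch component; treat it as patch level 0.
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_fixed(release: str) -> bool:
    """Return True if the kernel version carries the CVE-2018-18281 mremap() TLB fix."""
    major, minor, patch = parse_kernel_version(release)
    # Anything at or beyond mainline 4.19 includes the fix.
    if (major, minor) >= FIXED_MAINLINE:
        return True
    # Listed stable branches are fixed only from the backported patch level onward.
    fixed_patch = FIXED_IN_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return patch >= fixed_patch
    # Per the advisory, every other kernel before 4.19 is affected.
    return False


if __name__ == "__main__":
    for rel in ("4.18.15", "4.18.16", "4.14.77-generic", "4.17.19", "5.4.0"):
        print(rel, "fixed" if is_fixed(rel) else "AFFECTED")
```

This compares upstream version numbers only; distribution kernels (see the Red Hat, Ubuntu, Debian and SUSE trackers in the references) often carry the fix under an unchanged base version, so consult the vendor tracker before acting on the result.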

Technical details

Unknown

Credits

Jann Horn (Google Project Zero)

Reference(s)

Linux: mremap() TLB flush too late with concurrent ftruncate()
https://bugs.chromium.org/p/project-zero/issues/detail?id=1695

Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)
https://seclists.org/oss-sec/2018/q4/108

mremap: properly flush TLB before releasing the page
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821

mremap: properly flush TLB before releasing the page
https://github.com/torvalds/linux/commit/eb66ae030829605d61fbef1909ce310e29f78821

Analysis of the TLB cache delayed-flush vulnerability – PDS
http://jiayy.me/2019/02/15/CVE-2018-18281/

android_vuln_poc-exp/EXP-CVE-2018-18281 at master · jiayy/android_vuln_poc-exp
https://github.com/jiayy/android_vuln_poc-exp/tree/master/EXP-CVE-2018-18281

Linux kernel 4.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19

Linux kernel 4.18.16
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16

Linux kernel 4.14.78
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78

Linux kernel 4.9.135
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135

Linux kernel 4.4.163
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.163

Linux kernel 3.18.125
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.125

Linux kernel 3.16.62
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.62

CVE-2018-18281 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-18281

CVE-2018-18281 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18281.html

CVE-2018-18281
https://security-tracker.debian.org/tracker/CVE-2018-18281

CVE-2018-18281 | SUSE
https://www.suse.com/security/cve/CVE-2018-18281

CVE-2018-18281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281

CVE-2018-18281
https://nvd.nist.gov/vuln/detail/CVE-2018-18281

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.