Two denial of service vulnerabilities were detected in the Linux kernel

This week brought fixes for several Linux kernel problems, but new ones were also discovered: Wanpeng Li recently found two denial of service (DoS) vulnerabilities in the Linux kernel.

Both allow a local attacker to trigger a NULL pointer dereference and thereby cause a DoS condition.

The first, assigned CVE-2018-19406 in Common Vulnerabilities and Exposures, lies in the kernel's kvm_pv_send_ipi function, which is defined in the file arch/x86/kvm/lapic.c.

CVE-2018-19406 is present in Linux kernel 4.19.2 and allows an attacker to reach a DoS condition on unpatched systems through crafted system calls. The cause of the problem is that the Advanced Programmable Interrupt Controller (APIC) has not been initialized properly when it is used.

Wanpeng Li wrote:

“The reason is that the apic map has not been initialized yet, the testcase triggers the pv_send_ipi interface by vmcall, resulting in kvm->arch.apic_map not being referenced. This patch fixes it by checking if the apic map is NULL or not and immediately if so.”

The second vulnerability discovered by Wanpeng Li is limited to situations where an attacker can physically access the device.

This issue is tracked as CVE-2018-19407 in the National Vulnerability Database and lies in the vcpu_scan_ioapic function in arch/x86/kvm/x86.c in Linux kernel 4.19.2; it allows local users to cause a denial of service (NULL pointer dereference and BUG) through crafted system calls that reach a state in which the ioapic has not been initialized.

Yet another vulnerability that affects the Linux kernel: CVE-2018-18955

Also this week, a vulnerability (CVE-2018-18955) was detected in the code that translates uid/gid values from a user namespace to the main identifier set. It allows an unprivileged user who holds administrator privileges (CAP_SYS_ADMIN) inside an isolated container to bypass security restrictions and access resources outside the current identifier namespace.

For example, when a file system is shared between the container and the host, the contents of the host's /etc/shadow file can be read by accessing its inode directly.

The vulnerability is present in distributions that use kernel 4.15 and newer, for example Ubuntu 18.04 and Ubuntu 18.10, Arch Linux and Fedora (kernel 4.19.2, which includes the fix, is already available in Arch and Fedora).

RHEL and SUSE are not affected: on Debian and Red Hat Enterprise Linux, user namespace support is not enabled by default, whereas it is enabled on Ubuntu and Fedora.

The vulnerability stems from a bug introduced into the kernel 4.15 code in October of last year.

The problem has been fixed in versions 4.18.19, 4.19.2 and 4.20-rc2.

The vulnerability is in the map_write() function defined in the kernel file /user_namespace.c, and it is caused by incorrect handling of nested user namespaces that use more than 5 UID or GID ranges.

Under these conditions, translating uid/gid values from the namespace to the kernel (the forward map) works correctly, but the translation is not performed during the reverse conversion (the reverse map, from the kernel to the namespace).

This produces a situation in which user ID 0 (root) is correctly mapped to ID 0 in the kernel during the forward conversion, but the reverse conversion, which is used by the inode_owner_or_capable() and privileged_wrt_inode_uidgid() checks, does not reflect the real mapping.

As a result, when an inode is accessed the kernel treats the user as having the required privilege, even though ID 0 belongs not to the main set of user IDs but to a separate namespace.
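As an added audit check (not code from the article or from the kernel), the following Python combines the two conditions the article gives for CVE-2018-18955: an unfixed kernel version and a namespace id map with more than 5 ranges. It assumes the version boundaries stated above (affected from 4.15, fixed in 4.18.19, 4.19.2 and 4.20-rc2), the kernel's uid_map/gid_map line format of "inside outside length", and that 4.15 to 4.17 count as unfixed because the article lists no fixed release for them; the function names are our own.

```python
import re

# Boundaries as stated in the article: the bug arrived with 4.15 and was fixed in
# 4.18.19, 4.19.2 and 4.20-rc2. Treating 4.15-4.17 as affected is an assumption here.
FIRST_AFFECTED = (4, 15)
FIXED_PATCH = {(4, 18): 19, (4, 19): 2}
FIXED_RC_420 = 2

def parse_kernel_release(release):
    """'uname -r' string like '4.19.1-arch1-1-ARCH' or '4.20.0-rc1' -> (major, minor, patch, rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)

def kernel_affected(release):
    """True if the version falls inside the range the article describes as unfixed."""
    major, minor, patch, rc = parse_kernel_release(release)
    series = (major, minor)
    if series < FIRST_AFFECTED:
        return False
    if series in FIXED_PATCH:
        return patch < FIXED_PATCH[series]
    if series == (4, 20):  # 4.20-rc1 is unfixed; 4.20-rc2 and the final 4.20 are fixed
        return rc is not None and rc < FIXED_RC_420
    if series > (4, 20):
        return False
    return True  # 4.15, 4.16, 4.17: the article lists no fixed release (assumption)

def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map: one 'inside outside length' range per line."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(f) for f in line.split())
            ranges.append((inside, outside, length))
    return ranges

def audit(release, id_map_text, range_limit=5):
    """Combine the two conditions from the article: an unfixed kernel and more than 5 ranges."""
    ranges = parse_id_map(id_map_text)
    vulnerable_kernel = kernel_affected(release)
    return {"kernel_affected": vulnerable_kernel, "ranges": len(ranges),
            "at_risk": vulnerable_kernel and len(ranges) > range_limit}

# Constructed sample input: a namespace with six uid ranges, read on an unpatched 4.19.1.
SAMPLE_UID_MAP = ("0 100000 1000\n1000 1000 1\n1001 200000 500\n"
                  "2000 300000 1\n3000 400000 1\n4000 500000 1\n")
SAMPLE_RESULT = audit("4.19.1-arch1-1-ARCH", SAMPLE_UID_MAP)
```

In practice the two inputs come from `uname -r` and from reading `/proc/<pid>/uid_map` and `gid_map` of the container's processes; a kernel at or past the fixed releases makes the range count irrelevant.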
