Check Point researchers recently reviewed the Linux kernel, looking specifically at drivers that implement their own mmap() handlers instead of relying on the kernel's generic code.
How Was CVE-2018-8781 Discovered?
Re-implementing kernel functionality inside a driver is likely to lead to mistakes, the researchers explained, because fewer people review that code and fix its security issues as part of the development process.
In the course of this review they found and disclosed a number of issues, among them an eight-year-old vulnerability in a driver that can still be used to escalate privileges on the latest kernel version at the time (4.16-rc3).
This particular bug is identified as CVE-2018-8781, and it affects the internal mmap() function defined in the fb_helper file operations of the DisplayLink udl driver:
The video/drm module in the kernel defines a default mmap() wrapper that calls the real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.
This is a classic example of an integer overflow, Check Point clarified (https://research.checkpoint.com/mmap-vulnerabilities-linux-kernel/). What is an integer overflow? An integer overflow takes place when an arithmetic operation produces a value outside the range that can be represented with the given number of bits. For unsigned integers the result simply wraps around modulo 2^N, so the sum of a very large operand and a small one can come out as a small number, which is exactly what a naive bounds check of the form “offset + size > limit” fails to anticipate.
Since offset is unsigned, the programmer skipped check #1 and went directly to check #2. However, the calculation “offset + size” could wrap around to a low value, allowing us to bypass the check while still using an illegal “offset” value.
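As an added illustration (not code from the Check Point write-up or from the udl driver), the following C model reproduces the pattern the quote describes: a bounds check written as “offset + size > limit” on unsigned values, beside a form that cannot wrap. PAGE_SHIFT, SMEM_LEN, the struct and every function name are assumptions chosen for the model, and the “framebuffer” is just a constant length; what is faithful is the arithmetic, because the kernel computes offset from the caller-controlled page offset exactly as shown and compares it with unsigned long.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an mmap() bounds check; not the udl driver's code.
 * Constants and names are assumptions made for this illustration. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define SMEM_LEN   (16UL * PAGE_SIZE)   /* pretend 64 KiB of device memory */

/* The fields an mmap() handler reads from the caller's vm_area_struct. */
struct fake_vma {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;   /* offset argument of mmap(), in pages */
};

static struct fake_vma make_vma(unsigned long pgoff, unsigned long npages)
{
    struct fake_vma v;
    v.vm_start = 0x10000000UL;                  /* arbitrary user address */
    v.vm_end   = v.vm_start + npages * PAGE_SIZE;
    v.vm_pgoff = pgoff;
    return v;
}

/* Vulnerable form: the only guard is "offset + size > limit". Both operands
 * are unsigned long, so a huge offset plus a small size wraps to a small
 * number, the comparison is false, and the illegal offset is accepted. */
bool vulnerable_check(const struct fake_vma *vma)
{
    unsigned long size   = vma->vm_end - vma->vm_start;
    unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;

    if (offset + size > SMEM_LEN)
        return false;                           /* kernel would return -EINVAL */
    return true;
}

/* Hardened form: bound the page offset before shifting it (the shift can
 * lose bits too), then compare size against the space left after offset.
 * No addition is performed on attacker-controlled values, so nothing wraps. */
bool hardened_check(const struct fake_vma *vma)
{
    unsigned long size = vma->vm_end - vma->vm_start;
    unsigned long offset;

    if (vma->vm_pgoff > (SMEM_LEN >> PAGE_SHIFT))
        return false;
    offset = vma->vm_pgoff << PAGE_SHIFT;
    if (size > SMEM_LEN - offset)
        return false;
    return true;
}

/* Page offset an attacker passes so that offset + npages*PAGE_SIZE wraps
 * to exactly 0 in unsigned long arithmetic. */
unsigned long wrapping_pgoff(unsigned long npages)
{
    return (0UL - npages * PAGE_SIZE) >> PAGE_SHIFT;
}

/* Convenience wrappers so each scenario is a single call. */
bool vulnerable_accepts(unsigned long pgoff, unsigned long npages)
{
    struct fake_vma v = make_vma(pgoff, npages);
    return vulnerable_check(&v);
}

bool hardened_accepts(unsigned long pgoff, unsigned long npages)
{
    struct fake_vma v = make_vma(pgoff, npages);
    return hardened_check(&v);
}

int main(void)
{
    struct { const char *name; unsigned long pgoff, npages; } cases[] = {
        { "last page, in range",   15, 1 },
        { "one page past the end", 16, 1 },
        { "wrapping offset",       wrapping_pgoff(1), 1 },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s pgoff=%#lx  vulnerable:%s  hardened:%s\n",
               cases[i].name, cases[i].pgoff,
               vulnerable_accepts(cases[i].pgoff, cases[i].npages) ? "accept" : "reject",
               hardened_accepts(cases[i].pgoff, cases[i].npages) ? "accept" : "reject");
    return 0;
}
```

The third case is the one the quote is about: the offset is far beyond the device memory, yet the vulnerable check accepts it because offset + size wraps to 0. The hardened check rejects it without ever adding the two values, and also rejects a page offset large enough to overflow the shift, a second wrap the original comparison would not catch either.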
How was CVE-2018-8781 verified?
To do so, the researchers used an Ubuntu 64-bit virtual machine, and uploaded a simulated vulnerable (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/cve-2018-8781-8-year-old-linux-kernel-bug/