NVD Vulnerability Detail

CVE-2018-18281

Summary	Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
Publication Date	Oct. 31, 2018, 3:29 a.m.
Registration Date	March 1, 2021, 7:09 p.m.
Last Update	Nov. 21, 2024, 12:55 p.m.

CVSS3.0 : HIGH
スコア	7.8
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	低
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : MEDIUM
Score	4.6
Vector	AV:L/AC:L/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel::::::::	4.9.136			4.14.78
cpe:2.3:o:linux:linux_kernel::::::::	3.2			4.9.135
cpe:2.3:o:linux:linux_kernel::::::::	4.18.17			4.19
cpe:2.3:o:linux:linux_kernel::::::::	4.14.79			4.18.16

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html	Patch Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html	Patch Third Party Advisory VDB Entry
3	http://www.openwall.com/lists/oss-security/2018/10/29/5	Mailing List Patch Third Party Advisory
4	http://www.openwall.com/lists/oss-security/2018/10/29/5	Mailing List Patch Third Party Advisory
5	http://www.securityfocus.com/bid/105761	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/105761	Third Party Advisory VDB Entry
7	http://www.securityfocus.com/bid/106503	Third Party Advisory VDB Entry
8	http://www.securityfocus.com/bid/106503	Third Party Advisory VDB Entry
9	https://access.redhat.com/errata/RHSA-2019:0831
10	https://access.redhat.com/errata/RHSA-2019:0831
11	https://access.redhat.com/errata/RHSA-2019:2029
12	https://access.redhat.com/errata/RHSA-2019:2029
13	https://access.redhat.com/errata/RHSA-2019:2043
14	https://access.redhat.com/errata/RHSA-2019:2043
15	https://access.redhat.com/errata/RHSA-2020:0036
16	https://access.redhat.com/errata/RHSA-2020:0036
17	https://access.redhat.com/errata/RHSA-2020:0100
18	https://access.redhat.com/errata/RHSA-2020:0100
19	https://access.redhat.com/errata/RHSA-2020:0103
20	https://access.redhat.com/errata/RHSA-2020:0103
21	https://access.redhat.com/errata/RHSA-2020:0179
22	https://access.redhat.com/errata/RHSA-2020:0179
23	https://bugs.chromium.org/p/project-zero/issues/detail?id=1695	Exploit Patch Third Party Advisory
24	https://bugs.chromium.org/p/project-zero/issues/detail?id=1695	Exploit Patch Third Party Advisory
25	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78	Patch Vendor Advisory
26	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78	Patch Vendor Advisory
27	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16	Patch Vendor Advisory
28	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16	Patch Vendor Advisory
29	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135	Patch Vendor Advisory
30	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135	Patch Vendor Advisory
31	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821	Patch Vendor Advisory
32	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821	Patch Vendor Advisory
33	https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html	Mailing List Third Party Advisory
34	https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html	Mailing List Third Party Advisory
35	https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html	Mailing List Third Party Advisory
36	https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html	Mailing List Third Party Advisory
37	https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html	Mailing List Third Party Advisory
38	https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html	Mailing List Third Party Advisory
39	https://usn.ubuntu.com/3832-1/	Third Party Advisory
40	https://usn.ubuntu.com/3832-1/	Third Party Advisory
41	https://usn.ubuntu.com/3835-1/	Third Party Advisory
42	https://usn.ubuntu.com/3835-1/	Third Party Advisory
43	https://usn.ubuntu.com/3871-1/	Third Party Advisory
44	https://usn.ubuntu.com/3871-1/	Third Party Advisory
45	https://usn.ubuntu.com/3871-3/	Third Party Advisory
46	https://usn.ubuntu.com/3871-3/	Third Party Advisory
47	https://usn.ubuntu.com/3871-4/	Third Party Advisory
48	https://usn.ubuntu.com/3871-4/	Third Party Advisory
49	https://usn.ubuntu.com/3871-5/	Third Party Advisory
50	https://usn.ubuntu.com/3871-5/	Third Party Advisory
51	https://usn.ubuntu.com/3880-1/	Third Party Advisory
52	https://usn.ubuntu.com/3880-1/	Third Party Advisory
53	https://usn.ubuntu.com/3880-2/	Third Party Advisory
54	https://usn.ubuntu.com/3880-2/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-459	不完全なクリーンアップ	https://cwe.mitre.org/data/definitions/459.html

JVN Vulnerability Information

Linux Kernel における入力確認に関する脆弱性

Title	Linux Kernel における入力確認に関する脆弱性
Summary	Linux Kernel には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 18, 2018, midnight
Registration Date	March 11, 2019, 5:20 p.m.
Last Update	March 11, 2019, 5:20 p.m.

Affected System

Canonical

Ubuntu

Linux

Linux Kernel 3.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-18281	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281
2	CVE-2018-18281	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281
National Vulnerability Database (NVD)
3	CVE-2018-18281	https://nvd.nist.gov/vuln/detail/CVE-2018-18281
4	CVE-2018-18281	https://nvd.nist.gov/vuln/detail/CVE-2018-18281

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Chromium
1	Issue 1695	https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
2	Issue 1695	https://bugs.chromium.org/p/project-zero/issues/detail?id=1695
kernel.org
3	ARC: build: Don't set CROSS_COMPILE in arch's Makefile	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
4	ARC: build: Don't set CROSS_COMPILE in arch's Makefile	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16
5	HV: properly delay KVP packets when negotiation is in progress	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
6	HV: properly delay KVP packets when negotiation is in progress	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135
7	IB/hfi1: Fix destroy_qp hang after a link down	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
8	IB/hfi1: Fix destroy_qp hang after a link down	https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78
Linux Kernel
9	Linux Kernel Archives	http://www.kernel.org
10	Linux Kernel Archives	http://www.kernel.org
Linux kernel source tree
11	mremap: properly flush TLB before releasing the page	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
12	mremap: properly flush TLB before releasing the page	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821
Ubuntu Security Notice
13	USN-3832-1	https://usn.ubuntu.com/3832-1/
14	USN-3832-1	https://usn.ubuntu.com/3832-1/
15	USN-3835-1	https://usn.ubuntu.com/3835-1/
16	USN-3835-1	https://usn.ubuntu.com/3835-1/
17	USN-3871-1	https://usn.ubuntu.com/3871-1/
18	USN-3871-1	https://usn.ubuntu.com/3871-1/
19	USN-3871-3	https://usn.ubuntu.com/3871-3/
20	USN-3871-3	https://usn.ubuntu.com/3871-3/
21	USN-3871-4	https://usn.ubuntu.com/3871-4/
22	USN-3871-4	https://usn.ubuntu.com/3871-4/
23	USN-3871-5	https://usn.ubuntu.com/3871-5/
24	USN-3871-5	https://usn.ubuntu.com/3871-5/
25	USN-3880-1	https://usn.ubuntu.com/3880-1/
26	USN-3880-1	https://usn.ubuntu.com/3880-1/
27	USN-3880-2	https://usn.ubuntu.com/3880-2/
28	USN-3880-2	https://usn.ubuntu.com/3880-2/

その他

No	Name	URL
関連文書
1	Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)	https://www.openwall.com/lists/oss-security/2018/10/29/5
2	Linux kernel: TLB flush happens too late on mremap (CVE-2018-18281; fixed in 4.9.135, 4.14.78, 4.18.16, 4.19)	https://www.openwall.com/lists/oss-security/2018/10/29/5
3	Linux mremap() TLB Flush Too Late	https://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html
4	Linux mremap() TLB Flush Too Late	https://packetstormsecurity.com/files/150001/Linux-mremap-TLB-Flush-Too-Late.html

Change Log

No	Changed Details	Date of change
1	[2019年03月11日] 掲載	March 11, 2019, 5:20 p.m.