A security flaw in a driver leading to local privilege escalation in the current Linux Kernel was introduced eight years ago. The vulnerability gives a local user with access to the vulnerable driver the ability to read from and write to sensitive kernel memory. Tracked as CVE-2018-8781, the flaw could be exploited to escalate local privileges.
The vulnerability affects the internal mmap() function defined in the fb_helper file operations of DisplayLink's "udl" driver and was found using a simple search. Since drivers usually implement their own version of the file operations functions, they are prone to implementation errors, and the discovery of this flaw is evidence of that. In fact, several common flaws affect drivers in which the mmap() handler is used, such as missing input validation and Integer-Overflows.
A typical driver, the researchers explain, holds an internal buffer representing the shared memory region with the peripheral device, and should only let the user access memory ranges inside this buffer. The prototype of the mmap() function includes numerous fields that an attacker can control, so developers must perform a series of checks while avoiding possible Integer-Overflows in those checks.
There are three checks that should be performed: Region start: 0 <= offset < buffer's end; Region end: buffer's start <= offset + length <= buffer's end; and Region start <= Region End. "In actual fact, the last check can be spared since the Linux kernel will sanitize the supplied length, making it practically impossible to pass the first two checks while still passing the third check," Check Point says.
The researchers found the vulnerability while taking a closer look at remap_pfn_range(), a function of high importance since it maps physical memory pages to user space. "The video/drm module in the kernel defines a default mmap() wrapper that calls the real mmap() handler defined by the specific driver," the security researchers note.
The flaw is a classic example of an Integer-Overflow: the offset is never checked on its own, so the first check is effectively skipped, and the computed "offset + size" can still pass the second check while using an illegal "offset" value. Since only about 48 bits of address space are usable on 64-bit machines, using a huge "offset" to bypass the check requires making sure that "info->fix.smem_start + offset" wraps around to a valid mappable physical address, Check Point also notes.
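To make the bypass concrete, here is an added, constructed model of the two range-validation patterns discussed above (not code from the udl driver or from the Check Point write-up): a check written as "offset + size > len", which wraps around on unsigned arithmetic, beside the overflow-free form that applies the region-start and region-end checks in order. The buffer length, page size and sample offsets are assumed values chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed parameters for the model; the kernel uses unsigned long for
 * both the page offset (vm_pgoff << PAGE_SHIFT) and the mapping size. */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_BUF_LEN   (16UL * MODEL_PAGE_SIZE)   /* 64 KiB shared buffer */

/* Weak pattern: only the region end is checked, and "offset + size" is
 * computed in unsigned arithmetic, so a huge offset can wrap to a small
 * value and be accepted. Returns true when the range is accepted. */
static bool range_check_weak(unsigned long offset, unsigned long size,
                             unsigned long buf_len)
{
    return offset + size <= buf_len;   /* wraps for offset near ULONG_MAX */
}

/* Hardened pattern: region start first (0 <= offset < end), then the
 * region end written as "size > len - offset", which cannot overflow
 * because offset < len has already been established. */
static bool range_check_hardened(unsigned long offset, unsigned long size,
                                 unsigned long buf_len)
{
    if (offset >= buf_len)
        return false;                  /* region start outside the buffer */
    if (size > buf_len - offset)
        return false;                  /* region end outside the buffer */
    return true;
}

/* Offset that makes "offset + size" wrap to exactly 0 for a one-page size. */
static unsigned long wrapping_offset(void)
{
    return (unsigned long)0 - MODEL_PAGE_SIZE;
}

int main(void)
{
    unsigned long bad = wrapping_offset();
    printf("legit page 1:   weak=%d hardened=%d\n",
           range_check_weak(MODEL_PAGE_SIZE, MODEL_PAGE_SIZE, MODEL_BUF_LEN),
           range_check_hardened(MODEL_PAGE_SIZE, MODEL_PAGE_SIZE, MODEL_BUF_LEN));
    printf("wrapping offset: weak=%d hardened=%d\n",
           range_check_weak(bad, MODEL_PAGE_SIZE, MODEL_BUF_LEN),
           range_check_hardened(bad, MODEL_PAGE_SIZE, MODEL_BUF_LEN));
    return 0;
}
```

The weak check accepts the wrapping offset because the sum becomes 0, while the hardened check rejects it at the region-start test before any addition is performed.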
The flaw was confirmed on an Ubuntu 64-bit virtual machine into which a simulated vulnerable driver was loaded. The driver's mmap() handler contained the implementation to be checked in each test. Two consecutive calls to mmap() on the vulnerable driver were made by user-mode code: a sanity check and a vulnerability check. Setting the buffer's address to the page-aligned physical address of the kernel's /dev/urandom implementation results in the output showing the correct physical page and the previous physical page, respectively.
Further tests showed that the user can read from and write to the mapped pages. An attacker could therefore eventually achieve code execution in kernel space, the researchers explain.
“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search,” Check Point concludes.
The flaw was reported to the Linux Kernel on March 18 and a fix was proposed the same day. After the fix was verified, the official Linux patch for CVE-2018-8781 was released on March 21 and merged into the Linux Kernel the same day.