Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18281.json"
[
{
"id": "CVE-2018-18281-0309df8a",
"target": {
"file": "mm/mremap.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"threshold": 0.9,
"line_hashes": [
"92697889820763839730374790618990393854",
"105440202265162792661803974256983549807",
"330762911630613558606938239464853811560",
"240453084622830753157204312602981941199",
"114111111884190930587488895617982994511",
"227096721780268140074097234763412953969",
"160408239133736557365147528583323126847",
"191476069401900501364024755319768493841",
"146893735436428800983312940882824895790",
"239587684910741856918959097211510197193",
"215696267756170158248695027053864545350",
"246752419274339185070930414478812971978",
"290692725904320176037724842795037990153",
"216336373897806601023553103058942060753",
"214909951378105727220210880296168623317",
"191210588808874800849414479882121512263",
"286281483478750181364654615956734170915",
"257194708265769100035720015625309198816",
"38518645009586911069290995433995091517",
"121229790912824901825961164361078752857",
"221706908127077832839053728145858000080",
"300765660170816094440034297318970781892",
"249402839329718547020808715059888189312",
"336186269512982240789161730960975458360",
"168574537830506056579506406076243207767",
"162385835815416724922434367592504137607",
"317742195197600053510106612633454242438",
"5225032278525371998980006834790897994",
"77917117284502933813454741427948282939",
"210820791937438296759610203846013761004",
"151844715030381997216029693584906101514",
"22384827390285062933208137244688130771",
"96433475243311956001117548626492825125",
"243004264750861414698878415067797630313",
"272029714189524221852225264427260721885"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2018-18281-6ce39555",
"target": {
"function": "move_huge_pmd",
"file": "mm/huge_memory.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"function_hash": "308427329507209796886974008625637000106",
"length": 1082.0
},
"signature_type": "Function"
},
{
"id": "CVE-2018-18281-947a0873",
"target": {
"function": "move_page_tables",
"file": "mm/mremap.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"function_hash": "69244523805035784381161506978611102319",
"length": 1383.0
},
"signature_type": "Function"
},
{
"id": "CVE-2018-18281-a1166281",
"target": {
"file": "mm/huge_memory.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"threshold": 0.9,
"line_hashes": [
"211827960032877907373889867675998001092",
"102580090038024182888984676015955558479",
"86616071003178531058249676660031696339",
"224696180084193885597496494712906457567",
"180215221833409355950418375119573498448",
"160845538724478109667652823705188939045",
"131697499447673859155263321798804179475",
"188101907048859608883629354197095347313",
"217991472116689216515365901996946105028",
"4785445832382867915027566631194625512",
"159509630358998859403302152947909297142",
"120994650916595091677519921713665546802",
"33037410457124118157038640374139287288",
"105487671328989618154227675836645946621",
"236142527205153903254716790534107224404",
"104245626346097184097821545089092772426",
"298430277176394943164804859823178975795"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2018-18281-b02ee72c",
"target": {
"function": "move_ptes",
"file": "mm/mremap.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"function_hash": "337191495463000318785490423459463399412",
"length": 1148.0
},
"signature_type": "Function"
},
{
"id": "CVE-2018-18281-cac99dbf",
"target": {
"file": "include/linux/huge_mm.h"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@eb66ae030829605d61fbef1909ce310e29f78821",
"digest": {
"threshold": 0.9,
"line_hashes": [
"317630906680280894105705812353324819021",
"100255012787525455777675353191142935077",
"331266913040750049742698081558118214147",
"149743492649637961553254714989769509735"
]
},
"signature_type": "Line"
}
]