The userfaultfd implementation in the Linux kernel before 4.19.7 mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.
{ "vanir_signatures": [ { "id": "CVE-2018-18397-0f994766", "digest": { "length": 2178.0, "function_hash": "88822189313798355102722030246757077988" }, "target": { "function": "userfaultfd_unregister", "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2018-18397-10186e0a", "digest": { "line_hashes": [ "162763651857891705297717051795681962885", "252886811934717339831078341487762939236", "309805251415622960061177283775140301717", "38847988686236636808908195942635881069", "239854422739929484586997821715980872123", "192962523585601004029321267872298412274", "252806154454766244371327930100815898920", "117357893420595824141081426765656061905", "182710314962732340766345304664397005824", "110967525714789064919255637665598158688", "87904863880200892183498761749370351284", "188989513460040381571584380794163000761" ], "threshold": 0.9 }, "target": { "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2018-18397-11370444", "digest": { "line_hashes": [ "334349027950764353071431832243752082976", "239525020285109700583892111967342200383", "221755018383466999176800762684677061539", "153318425643414298483846319986554345928", "330318047361916487695601363781744480881", "221755018383466999176800762684677061539" ], "threshold": 0.9 }, "target": { "file": "mm/userfaultfd.c" }, "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2018-18397-2181a355", "digest": { "line_hashes": [ "162763651857891705297717051795681962885", "252886811934717339831078341487762939236", "309805251415622960061177283775140301717", "38847988686236636808908195942635881069", "239854422739929484586997821715980872123", "192962523585601004029321267872298412274", "252806154454766244371327930100815898920", "117357893420595824141081426765656061905", "182710314962732340766345304664397005824", "110967525714789064919255637665598158688", "87904863880200892183498761749370351284", "188989513460040381571584380794163000761" ], "threshold": 0.9 }, "target": { "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2018-18397-426346e4", "digest": { "line_hashes": [ "334349027950764353071431832243752082976", "239525020285109700583892111967342200383", "221755018383466999176800762684677061539", "153318425643414298483846319986554345928", "330318047361916487695601363781744480881", "221755018383466999176800762684677061539" ], "threshold": 0.9 }, "target": { "file": "mm/userfaultfd.c" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Line" }, { "id": "CVE-2018-18397-623cf3a0", "digest": { "length": 3037.0, "function_hash": "226235449708140356725540298025928833845" }, "target": { "function": "userfaultfd_register", "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2018-18397-6a7dd8de", "digest": { "length": 3037.0, "function_hash": "226235449708140356725540298025928833845" }, "target": { "function": "userfaultfd_register", "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Function" }, { "id": "CVE-2018-18397-8dcd4d7f", "digest": { "length": 2178.0, "function_hash": "88822189313798355102722030246757077988" }, "target": { "function": "userfaultfd_unregister", "file": "fs/userfaultfd.c" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@29ec90660d68bbdd69507c1c8b4e33aa299278b1", "deprecated": false, "signature_type": "Function" } ] }