Check Point researchers recently decided to review the Linux kernel, and more specifically the drivers that roll their own mmap() handlers instead of relying on the shared implementation.
CVE-2018-8781 Official Description:
The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.
How Was CVE-2018-8781 Discovered?
Re-implementing kernel functions inside a driver is likely to lead to mistakes, the researchers explained, because fewer reviewers and QA staff look at that code and fix security issues as part of their process.
In the course of this review they unearthed and disclosed a number of issues, among them a bug that is in fact an eight-year-old vulnerability in a driver. The bug can be used for escalating privileges on kernel versions 3.4 up to and including 4.15.
This particular bug is identified as CVE-2018-8781, and it affects the internal mmap() function defined in the fb_helper file operations of the udl driver of DisplayLink:
The video/drm module in the kernel defines a default mmap() wrapper that calls the real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.
This is a classic example of an integer overflow, Check Point clarified. What is an integer overflow? An integer overflow takes place when an arithmetic operation tries to produce a numeric value that is outside the range that can be represented with a given number of bits; for unsigned integers in C the result silently wraps around modulo 2^N rather than raising an error.
Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation “offset + size” could wrap around to a low value, allowing us to bypass the check while still using an illegal “offset” value.
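To make the wrap-around concrete, here is an added example (not code from the page or from the kernel) that reproduces the shape of the check in a stand-alone C program. In an mmap() handler the offset comes from the user-supplied mmap offset (vma->vm_pgoff shifted by PAGE_SHIFT) and the size from the requested mapping length, so both are attacker-controlled unsigned long values. The struct name fb_fix, the buffer size, and the two check functions are assumptions chosen for the example; the "vulnerable" function mirrors the single-sum check the quoted passage calls check #2, and the "fixed" function shows one overflow-safe form that compares each operand against the limit before combining them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <limits.h>

#define PAGE_SIZE 4096UL

/* Constructed stand-in for the framebuffer descriptor: smem_len is the
 * number of bytes the driver is actually allowed to map for the user. */
struct fb_fix {
    unsigned long smem_len;
};

/* Vulnerable form: a single range check on the sum. offset and size are
 * both unsigned long, so for a huge offset the addition wraps to a small
 * value, the comparison passes, and the handler goes on to map pages
 * starting at smem_start + offset, far outside the buffer. */
bool range_check_vulnerable(const struct fb_fix *fix,
                            unsigned long offset, unsigned long size)
{
    if (offset + size > fix->smem_len)
        return false;            /* the real handler returns -EINVAL here */
    return true;
}

/* Hardened form: never add the two user-controlled values. First make sure
 * size alone fits, then compare offset against the remaining room, which
 * cannot underflow because size <= smem_len was just established. */
bool range_check_fixed(const struct fb_fix *fix,
                       unsigned long offset, unsigned long size)
{
    if (size > fix->smem_len)
        return false;
    if (offset > fix->smem_len - size)
        return false;
    return true;
}

/* Build the offset an attacker would pass: page-aligned and close to
 * ULONG_MAX so that offset + size wraps to a value below smem_len. */
unsigned long wrapping_offset(unsigned long size)
{
    /* ULONG_MAX - PAGE_SIZE + 1 == -PAGE_SIZE in unsigned arithmetic */
    (void)size;
    return ULONG_MAX - PAGE_SIZE + 1;
}

int main(void)
{
    struct fb_fix fb = { .smem_len = 1024 * 1024 };   /* 1 MiB buffer */
    unsigned long size = 2 * PAGE_SIZE;
    unsigned long bad = wrapping_offset(size);

    printf("offset=0x%lx size=0x%lx offset+size=0x%lx smem_len=0x%lx\n",
           bad, size, bad + size, fb.smem_len);
    printf("vulnerable check accepts: %s\n",
           range_check_vulnerable(&fb, bad, size) ? "yes" : "no");
    printf("fixed check accepts:      %s\n",
           range_check_fixed(&fb, bad, size) ? "yes" : "no");
    return 0;
}
```

A legitimate mapping (offset and size both inside the buffer) passes both checks, so the hardened form does not break normal use; only the wrapped offset is rejected. The same pattern, bound each operand before combining them, applies to any unsigned length arithmetic in a handler that takes sizes from user space.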
How Was CVE-2018-8781 Verified?
To do so, the researchers used an Ubuntu 64-bit virtual machine and loaded a simulated vulnerable driver into it. In every test the driver’s mmap() handler contained the implementation they wanted to check. Further analysis revealed that a user can read from and write to the mapped pages, allowing an attacker to trigger code execution in kernel space.
More details about CVE-2018-8781 and how to address it are available.