CVE-2018-8781: 8-Year-Old Linux Kernel Bug Discovered

Check Point researchers recently decided to review the Linux kernel, and more specifically they looked into drivers trying to roll their own usage of the mmap() function.

CVE-2018-8781 Official Description:

The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space.

How Was CVE-2018-8781 Discovered?

Re-implementing kernel functions inside a driver is likely to lead to mistakes, the researchers explained, because fewer QA staff in organizations review that code and fix security issues as part of their process.

Related Story: Top 15 Linux Security Questions You Didn’t Know You Had

In the course of this review, they unearthed and disclosed a number of issues, among them a specific bug that turned out to be an eight-year-old vulnerability in a driver. The bug can be used to escalate privileges on kernel versions 3.4 and up to and including 4.15.

This particular bug is identified as CVE-2018-8781, and it affects the internal mmap() function defined in the fb_helper file operations of the udl driver of DisplayLink:

The video/drm module in the kernel defines a default mmap() wrapper that calls the real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.

This is a classic example of an integer overflow, Check Point clarified. What is an integer overflow? An integer overflow takes place when an arithmetic operation tries to produce a numeric value that lies outside the range representable with a given number of bits, so the result silently wraps around.

Since offset is unsigned the programmer skipped check #1 and went directly to check #2. However, the calculation “offset + size” could wrap-around to a low value, allowing us to bypass the check while still using an illegal “offset” value.
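The wrap-around described above can be reproduced in a few lines of user-space C. The following is an added illustration, not code from the kernel or from Check Point's write-up: it models a framebuffer of `fb_len` bytes and a request to map `size` bytes starting at `offset`, with the unsafe single check on the sum beside a form that rejects wrap-around first. The function names, the variable names and the sample values are assumptions chosen for the example; the actual udl driver works in page units and its real check is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of a bounds check in an mmap() handler (constructed example).
 * fb_len : length of the mappable buffer in bytes
 * offset : requested start offset into the buffer (unsigned)
 * size   : requested mapping length in bytes (unsigned)
 */

/* Vulnerable pattern: the programmer relies on a single check of
 * "offset + size". Because both operands are unsigned, a huge offset
 * makes the sum wrap around to a small value and the check passes. */
bool check_vulnerable(uint64_t offset, uint64_t size, uint64_t fb_len)
{
    return offset + size <= fb_len;   /* the addition may wrap */
}

/* Hardened pattern: validate offset on its own first, then compare size
 * against the remaining room. The subtraction cannot underflow because
 * the first check guarantees offset <= fb_len, so no arithmetic can wrap. */
bool check_fixed(uint64_t offset, uint64_t size, uint64_t fb_len)
{
    if (offset > fb_len)            /* check #1: offset itself in range */
        return false;
    if (size > fb_len - offset)     /* check #2: size fits without overflow */
        return false;
    return true;
}

/* Constructed sample request: a 1 MiB buffer, an 8 KiB mapping, and an
 * offset chosen so that offset + size wraps to 0x1000. */
#define SAMPLE_FB_LEN  ((uint64_t)0x100000)
#define SAMPLE_SIZE    ((uint64_t)0x2000)
#define SAMPLE_OFFSET  ((uint64_t)0xFFFFFFFFFFFFF000ULL)

int main(void)
{
    uint64_t wrapped = SAMPLE_OFFSET + SAMPLE_SIZE;

    printf("offset + size wraps to 0x%llx\n", (unsigned long long)wrapped);
    printf("vulnerable check accepts request: %s\n",
           check_vulnerable(SAMPLE_OFFSET, SAMPLE_SIZE, SAMPLE_FB_LEN) ? "yes" : "no");
    printf("fixed check accepts request:      %s\n",
           check_fixed(SAMPLE_OFFSET, SAMPLE_SIZE, SAMPLE_FB_LEN) ? "yes" : "no");

    /* A legitimate in-range request is accepted by both forms. */
    printf("fixed check accepts in-range request: %s\n",
           check_fixed(0x1000, 0x2000, SAMPLE_FB_LEN) ? "yes" : "no");
    return 0;
}
```

The point of `check_fixed` is ordering: once `offset` has been bounded by `fb_len`, the expression `fb_len - offset` is a true remaining-room value and the comparison against `size` involves no addition that could wrap. Any check of the form `a + b <= limit` on unsigned operands deserves the same scrutiny during code review.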

How was CVE-2018-8781 verified?

To do so, the researchers used an Ubuntu 64-bit virtual machine and loaded a simulated vulnerable driver. On every test, the driver’s mmap() handler contained the implementation they were aiming to check. Further analysis revealed that the user can read and write from/to the mapped pages, allowing an attacker to trigger code execution in kernel space.

Related Story: 14 Flaws Found in Linux Kernel USB Subsystem (CVE-2017-16525)

More details about CVE-2018-8781 and how to address it are available.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!