CVE-2018-8781: 8-Year-Old Linux Kernel Bug Discovered

jeremy · 05-02-2018, 11:05 AM

Quote:

How Was CVE-2018-8781 Discovered?

The idea of re-implementing kernel functions is likely to lead to mistakes due to the fact that less QA staff in organizations review their code and fix security issues as part of their process, the researchers explained.
Related Story: Top 15 Linux Security Questions You Didn’t Know You Had

Reviewing this, they unearthed and disclosed a number of issues and a specific bug that is in fact an eight-year-old vulnerability in a driver. The bug can be used for escalating privileges in the latest kernel version (4.16-rc3).

This particular bug is identified as CVE-2018-8781, and it affects the internal mmap() function defined in the fb_helper file operations of the udl driver of DisplayLink:

The video/drm module in the kernel defines a default mmap() wrapper that calls that real mmap() handler defined by the specific driver. In our case the vulnerability is in the internal mmap() defined in the fb_helper file operations of the “udl” driver of “DisplayLink”.

This is a classic example for an Integer-Overflow,Check Point clarified. https://research.checkpoint.com/mmap...-linux-kernel/ What is an integer overflow? An integer overflow takes place when an arithmetic operation tries to create a numeric value which is outside of the range that can be represented with a given number of bits.

https://sensorstechforum.com/cve-201...ux-kernel-bug/ for more...

--jeremy

MIJ-VI · 05-03-2018, 11:00 AM

Updated info:

2 May 2018
DisplayLink DRM Driver Had A Local Privilege Escalation Vulnerability - Phoronix
https://www.phoronix.com/scan.php?pa...-CVE-2018-8781

X-LFS-2010 · 09-06-2018, 07:15 PM

tons of hardware bugs are submitted, repealed, resubmitted "many times over" (same bug) in today's lk.

video cards don't promote security (ie, a hard drive controller promotes security). so it's not really a firm issue anyway.

unix: "everything is a file"

(well, video cards and sound excluded)

(actually on Solaris unix you could copy .au files to your soundcard - but no security bits were honored of course. Microsoft copied the format and called it …. .wav)

mltvsk1 · 11-09-2018, 02:12 PM

Ohh Finally !!