In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1558149 | issue tracking third party advisory |
| https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5 | patch vendor advisory |
| https://marc.info/?l=linuxppc-embedded&m=150535531910494&w=2 | third party advisory patch |
| https://access.redhat.com/security/cve/cve-2018-1091 | third party advisory |
| https://access.redhat.com/errata/RHSA-2018:1318 | vendor advisory |
| http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c1fa0768a8713b135848f78fd43ffc208d8ded70 | patch vendor advisory |
| https://github.com/torvalds/linux/commit/c1fa0768a8713b135848f78fd43ffc208d8ded70 | third party advisory patch |
| http://openwall.com/lists/oss-security/2018/03/27/4 | third party advisory mailing list |