oss-sec mailing list archives

CVE-2018-1068: Linux kernel: netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets


From: Vladis Dronov <vdronov () redhat com>
Date: Fri, 16 Mar 2018 05:30:50 -0400 (EDT)

hello,

(we believe this flaw is semi-public. there are posts in public mailing
lists and a commit in the upstream Linux tree, but we are not aware of this bug
being considered as a security flaw and not aware of any exploits in the wild.
so we would like to explicitly post to oss-sec@)

a CVE id of CVE-2018-1068 was assigned to this flaw and we would like to ask to
use it in the related public communications.

so:

A flaw was found in the Linux kernel implementation of the 32-bit syscall interface
for bridging, allowing a privileged user to arbitrarily write to a limited range
of kernel memory. This flaw can be exploited not only by a system's privileged
user (a real "root" user), but also by an attacker who is a privileged user
(a "root" user) in a user+network namespace.

References:

https://marc.info/?l=linux-netdev&m=152023808817590&w=2

https://marc.info/?l=linux-netdev&m=152025888924151&w=2

https://bugzilla.redhat.com/show_bug.cgi?id=1552048

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b71812168571fa55e44cdd0254471331b9c4c4c6

https://github.com/torvalds/linux/commit/b71812168571fa55e44cdd0254471331b9c4c4c6

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
