CVE-2018-16884

A flaw was found in the Linux kernels NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Potential Mitigations

References

• http://www.securityfocus.com/bid/106253
• https://access.redhat.com/errata/RHSA-2019:1873
• https://access.redhat.com/errata/RHSA-2019:1891
• https://access.redhat.com/errata/RHSA-2019:2696
• https://access.redhat.com/errata/RHSA-2019:2730
• https://access.redhat.com/errata/RHSA-2019:3309
• https://access.redhat.com/errata/RHSA-2019:3517
• https://access.redhat.com/errata/RHSA-2020:0204
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16884
• https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
• https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
• https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
• https://patchwork.kernel.org/cover/10733767/
• https://patchwork.kernel.org/patch/10733769/
• https://support.f5.com/csp/article/K21430012
• https://usn.ubuntu.com/3932-1/
• https://usn.ubuntu.com/3932-2/
• https://usn.ubuntu.com/3980-1/
• https://usn.ubuntu.com/3980-2/
• https://usn.ubuntu.com/3981-1/
• https://usn.ubuntu.com/3981-2/
• https://www.oracle.com/security-alerts/cpuApr2021.html
• http://www.securityfocus.com/bid/106253
• https://access.redhat.com/errata/RHSA-2019:1873
• https://access.redhat.com/errata/RHSA-2019:1891
• https://access.redhat.com/errata/RHSA-2019:2696
• https://access.redhat.com/errata/RHSA-2019:2730
• https://access.redhat.com/errata/RHSA-2019:3309
• https://access.redhat.com/errata/RHSA-2019:3517
• https://access.redhat.com/errata/RHSA-2020:0204
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16884
• https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
• https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
• https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
• https://patchwork.kernel.org/cover/10733767/
• https://patchwork.kernel.org/patch/10733769/
• https://support.f5.com/csp/article/K21430012
• https://usn.ubuntu.com/3932-1/
• https://usn.ubuntu.com/3932-2/
• https://usn.ubuntu.com/3980-1/
• https://usn.ubuntu.com/3980-2/
• https://usn.ubuntu.com/3981-1/
• https://usn.ubuntu.com/3981-2/
• https://www.oracle.com/security-alerts/cpuApr2021.html