The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
{ "vanir_signatures": [ { "id": "CVE-2017-18344-37ce9602", "signature_type": "Function", "digest": { "function_hash": "91978049241427869349359769787530876705", "length": 722.0 }, "target": { "file": "kernel/time/posix-timers.c", "function": "common_timer_get" }, "source": "https://github.com/torvalds/linux/commit/cef31d9af908243421258f1df35a4a644604efbe", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2017-18344-60feac13", "signature_type": "Function", "digest": { "function_hash": "115908372110247328066651298022795767701", "length": 778.0 }, "target": { "file": "kernel/time/posix-timers.c", "function": "common_timer_set" }, "source": "https://github.com/torvalds/linux/commit/cef31d9af908243421258f1df35a4a644604efbe", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2017-18344-8abebf45", "signature_type": "Line", "digest": { "line_hashes": [ "146197936919818065248076150557485196780", "128334216374169068790596793946404006176", "339925895396929344413987964858568551389", "184452859644798576549248792683773494326", "47655441244207130206451221386185673445", "139416599320693002291691262152522043607", "125379787334682308768506735496233247504", "78543303975873552307974033646329052819", "250857661375613309051009668468809650358", "224527544721182226544730456812780003850", "246857783785049624063665842306045379136", "222729680264692881102965914793949564760", "174582477823483378953130510082731793511", "168614959044836456389374558948264401721", "196126059948684577953005774779089949061", "109456044838412606375161596405635895491", "150987946082902909180055097630472616905", "18150880662664686175948959079144583362", "49531577852050146125049299696959805439", "111821535592461620094399762496492622009" ], "threshold": 0.9 }, "target": { "file": "kernel/time/posix-timers.c" }, "source": "https://github.com/torvalds/linux/commit/cef31d9af908243421258f1df35a4a644604efbe", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2017-18344-d6701266", 
"signature_type": "Function", "digest": { "function_hash": "326937765684080479665931808154825368488", "length": 496.0 }, "target": { "file": "kernel/time/posix-timers.c", "function": "good_sigevent" }, "source": "https://github.com/torvalds/linux/commit/cef31d9af908243421258f1df35a4a644604efbe", "signature_version": "v1", "deprecated": false } ] }