A cache invalidation bug in Linux memory management (Project Zero)
Jann Horn describes CVE-2018-17182, a locally exploitable memory-management bug in the kernel, in great detail. "Fundamentally, this bug can be triggered by any process that can run for a sufficiently long time to overflow the reference counter (about an hour if MAP_FIXED is usable) and has the ability to use mmap()/munmap() (to manage memory mappings) and clone() (to create a thread). These syscalls do not require any privileges, and they are often permitted even in seccomp-sandboxed contexts, such as the Chrome renderer sandbox (mmap, munmap, clone), the sandbox of the main gVisor host component, and Docker's seccomp policy."