Description:

As of commit 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()") in v4.13, waitid() stopped performing access_ok() checks on the infop argument, which allows arbitrary writes to kernel memory. Chris Salls discovered a missing access check in the waitid() system call implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
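The check the advisory describes, modelled in user-space C as an added example (not kernel code and not part of the advisory): model_access_ok() stands in for access_ok(), model_unsafe_put() for unsafe_put_user(), and the address-space limits are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the address space: offsets below USER_LIMIT are
 * "user" memory, offsets at or above it are "kernel" memory. The values
 * are invented for this demonstration and are not the kernel's. */
#define MODEL_MEM_SIZE 512
#define USER_LIMIT     256
static unsigned char model_mem[MODEL_MEM_SIZE];

/* Models access_ok(): the whole range [addr, addr + size) must lie below
 * USER_LIMIT, and addr + size must not wrap around, since a wrapped range
 * would pass a naive "addr < limit" test. */
static bool model_access_ok(uintptr_t addr, size_t size)
{
    uintptr_t end;
    if (__builtin_add_overflow(addr, size, &end))
        return false;
    return end <= USER_LIMIT;
}

/* Models unsafe_put_user(): copies without any checking of its own.
 * The modulo only keeps this user-space model memory-safe. */
static void model_unsafe_put(uintptr_t dst, const void *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        model_mem[(dst + i) % MODEL_MEM_SIZE] = ((const unsigned char *)src)[i];
}

/* Pattern the advisory describes for v4.13: the copyout trusts infop. */
int copyout_unchecked(uintptr_t infop, const void *info, size_t n)
{
    model_unsafe_put(infop, info, n);
    return 0;
}

/* Hardened pattern: validate the destination range first and fail with
 * -EFAULT (-14) before any unsafe write is attempted. */
int copyout_checked(uintptr_t infop, const void *info, size_t n)
{
    if (!model_access_ok(infop, n))
        return -14;
    model_unsafe_put(infop, info, n);
    return 0;
}

/* Inspection helper: byte of the model memory at a given offset. */
unsigned char model_peek(uintptr_t off)
{
    return model_mem[off % MODEL_MEM_SIZE];
}
```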