From $URL: "Chris Salls discovered that when the waitid() syscall in Linux kernel v4.13 was refactored, it accidentally stopped checking that the incoming argument was pointing to userspace. This allowed local attackers to write directly to kernel memory, which could lead to privilege escalation." Also contains links to patches; this is expected to be included in 4.13.7 once it ships, but that has only just entered stable testing. The patch, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=96ca579a1ecc943b75beba58bebb0356f6cc4b51 , is pretty simple and applies cleanly to gentoo-sources-4.13.6, although my test compile & reboot have not yet completed.
4.13.7 has been released, including the fix for this: https://marc.info/?l=linux-kernel&m=150798988715443&w=2
(In reply to Hank Leininger from comment #1)
> 4.13.7 has been released, including the fix for this:
> https://marc.info/?l=linux-kernel&m=150798988715443&w=2

Thank you for the report, Hank. Kernel is handled by the security-kernel project, I'm assigning them in the report.
Affected: All kernels carrying "waitid(): switch copyout of siginfo to unsafe_put_user()" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c48abe91be0).
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efb84bf857ad03452a567a59c3360f2fa986bc89
All done.
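
A simplified userspace model of the missing check described in this report, added here as an illustration; it is not kernel code and not the patch itself. The toy memory array, `USER_LIMIT` and the `model_*` / `copyout_*` names are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Toy address space (constructed): offsets below USER_LIMIT stand for
 * userspace, offsets at or above it stand for kernel memory. */
#define MEM_SIZE   256u
#define USER_LIMIT 128u
static unsigned char mem[MEM_SIZE];

struct model_siginfo { int32_t si_signo, si_errno, si_code; };

/* Stand-in for unsafe_put_user(): stores without asking which half of the
 * address space the destination is in. */
static void model_unsafe_put(uint32_t addr, const void *src, uint32_t len)
{
    if (len > MEM_SIZE || addr > MEM_SIZE - len)
        return;                      /* outside the toy memory entirely */
    memcpy(&mem[addr], src, len);
}

/* Stand-in for access_ok(): the whole range [addr, addr + len) must lie in
 * the user half. Written so that addr + len is never computed and so
 * cannot wrap around. */
static int model_access_ok(uint32_t addr, uint32_t len)
{
    return len <= USER_LIMIT && addr <= USER_LIMIT - len;
}

/* Copy-out with no check: the caller-supplied pointer is trusted. */
int copyout_unchecked(uint32_t infop, const struct model_siginfo *si)
{
    model_unsafe_put(infop, si, sizeof(*si));
    return 0;
}

/* Copy-out with the range check in front of the unchecked store. */
int copyout_checked(uint32_t infop, const struct model_siginfo *si)
{
    if (!model_access_ok(infop, sizeof(*si)))
        return -EFAULT;
    model_unsafe_put(infop, si, sizeof(*si));
    return 0;
}

/* Inspection helper: 1 if any byte of the "kernel" half is non-zero. */
int kernel_half_modified(void)
{
    for (uint32_t i = USER_LIMIT; i < MEM_SIZE; i++)
        if (mem[i]) return 1;
    return 0;
}
```

The checked variant also rejects a destination that starts in the user half but ends past `USER_LIMIT`, and one near the top of the address range where a naive `addr + len` comparison would wrap.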