A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. References: https://bugs.chromium.org/p/project-zero/issues/detail?id=807 https://seclists.org/oss-sec/2019/q2/9 An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=79c9ce57eb2d5f1497546a3946b4ae21b6fdc438
Notes: Red Hat Enterprise Linux 6 does not have PERF_TYPE_BREAKPOINT implemented, so the attack surface is much more limited, and so severity of this security flaw is considered low for it.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3901
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851