Bug 1661435 (CVE-2018-11987)

Summary: CVE-2018-11987 kernel: Double-free in ion_system_heap.c
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, anemec, bhu, blc, carnil, dhoward, hkrzesin, hwkernel-mgr, kernel-mgr, mlangsdo, nmurray, nsl, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2019-01-09 14:00:31 UTC
Bug Blocks: 1661436

Description Andrej Nemec 2018-12-21 09:06:03 UTC
A vulnerability was found in the Linux kernel: if there is an unlikely memory alloc failure for the secure pool in boot, it can result in wrong pointer access causing kernel panic.

References:

https://www.codeaurora.org/security-bulletin/2018/12/03/december-2018-code-aurora-security-bulletin#_CVE-2018-11987

Upstream patch:

https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=5e9ffcfa152ecb2832990c42fcd8a0f2e63c2c04

Comment 1 Nicholas Luedtke 2018-12-21 12:29:06 UTC
Based on the references, this looks to be in android drivers. Can you confirm the upstream kernel is affected?

Comment 2 Andrej Nemec 2018-12-21 13:12:17 UTC
(In reply to Nicholas Luedtke from comment #1)
> Based on the references, this looks to be in android drivers. Can you
> confirm the upstream kernel is affected?

Hi Nicholas, we are currently analyzing the issue to see if there's any chance it could affect our kernels. We'll update the bug with the results afterwards.

Comment 3 Salvatore Bonaccorso 2019-01-03 15:19:58 UTC
Andrej, do you know if there was any conclusion on the affected status for the mainline kernel?

Comment 4 Andrej Nemec 2019-01-07 08:57:44 UTC
(In reply to Salvatore Bonaccorso from comment #3)
> Andrej, do you know if there was any conclusion on the affected status for
> the mainline kernel?

Hi Salvatore, unfortunately we weren't able to dig into this further because of Christmas. There will be an update to this bug as soon as analysis is done.