Bug 1678685 (CVE-2019-8912)

Summary: CVE-2019-8912 kernel: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, acaringi, bhu, blc, brdeoliv, dahjelle.redhat.com, dbaker, dhoward, dvlasenk, esammons, fhrbata, hannsj_uhl, hkrzesin, hwkernel-mgr, iboverma, jaredl, jkacur, jokerman, jross, jstancek, kernel-mgr, klaas, lgoncalv, matt, mcressma, mlangsdo, nmurray, pasik, plougher, rt-maint, rvrbovsk, sparks, sthangav, trankin, troels, vdronov, whaidinger, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
In the Linux kernel, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free (UAF) in sockfs_setattr. A local attacker can use this flaw to escalate privileges and take control of the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-01-21 20:09:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1678686, 1679432, 1679433, 1679434, 1679435, 1679436, 1679437, 1679438, 1679439, 1679440, 1679441, 1679442, 1679444, 1679445, 1679446, 1679447, 1679448, 1679449, 1679450, 1679451, 1679452, 1679524
Bug Blocks: 1678692

Description msiddiqu 2019-02-19 11:42:07 UTC
In the Linux kernel, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free (UAF) in sockfs_setattr.

A local attacker can use this flaw to escalate privileges and take control of the system. Other vendors have considered this a 'network' accessible attack; this claim is unsubstantiated at this time.

Note: The attack vector that allowed the use-after-free mentioned in the original report is not introduced in the Red Hat Enterprise Linux 7, 6 and 5 versions of the kernel.

References:

http://patchwork.ozlabs.org/patch/1042902/

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9060cb719e61b685ec0102574e10337fa5f445ea
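As an added illustration (constructed here, not code from this bug or from the kernel), the following userspace model shows the bug class the description names: a release routine drops its reference to `sk` but leaves the owning structure's pointer in place, so a later path that only checks `sock->sk` for non-NULL still dereferences freed memory. `release_fixed` has the shape of the linked upstream patch, which clears `sock->sk` after `sock_put()`; the struct layouts, the `freed` flag standing in for a real allocator, and `setattr_model` are simplified stand-ins.

```c
#include <stdio.h>
/* Constructed userspace model; not kernel code. */
struct sock { int refcnt; int freed; unsigned uid; }; /* freed: fake-allocator flag */
struct socket { struct sock *sk; }; /* the back-reference the bug leaves dangling */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = 1;   /* real kernel: memory returns to the allocator */
}
/* Vulnerable shape: drops the reference but keeps the stale pointer. */
static void release_vulnerable(struct socket *sock)
{
    if (sock->sk)
        sock_put(sock->sk);
}
/* Fixed shape, as in the upstream patch: clear the back-reference as well. */
static void release_fixed(struct socket *sock)
{
    if (sock->sk) {
        sock_put(sock->sk);
        sock->sk = NULL;
    }
}
/* Model of a later path that writes through sock->sk when it looks valid.
 * Returns 1 if it would touch freed memory, 0 if it bailed out safely. */
static int setattr_model(struct socket *sock, unsigned new_uid)
{
    if (!sock->sk)
        return 0;          /* kernel returns -ENOENT here: safe */
    if (sock->sk->freed)
        return 1;          /* use-after-free */
    sock->sk->uid = new_uid;
    return 0;
}
/* Release with the given function, then run setattr_model; return its verdict. */
static int scenario(void (*release)(struct socket *))
{
    struct sock sk = { 1, 0, 0 };
    struct socket sock = { &sk };
    release(&sock);
    return setattr_model(&sock, 1000);
}

int main(void)
{
    printf("vulnerable: uaf=%d, fixed: uaf=%d\n",
           scenario(release_vulnerable), scenario(release_fixed));
    return 0;
}
```

The model prints `vulnerable: uaf=1, fixed: uaf=0`; the defensive takeaway is that a NULL check on a back-reference only protects callers when every release path clears it.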

Comment 1 msiddiqu 2019-02-19 11:42:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1678686]

Comment 11 errata-xmlrpc 2020-01-21 15:49:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174

Comment 12 Product Security DevOps Team 2020-01-21 20:09:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-8912