Bug 1686136 (CVE-2019-9213)

Summary: CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, aquini, bhu, blc, brdeoliv, dhoward, dvlasenk, esammons, fhrbata, hkrzesin, iboverma, jbastian, jjarvis, jkacur, jross, jstancek, kernel-mgr, lgoncalv, matt, mcressma, mlangsdo, nmurray, osoukup, plougher, rt-maint, rvrbovsk, security-response-team, vdronov, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 4.20.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:50:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1686137, 1686219, 1687667, 1687668, 1687669, 1692205, 1708829, 1708830, 1708831, 1708832, 1715342
Bug Blocks: 1686141

Description msiddiqu 2019-03-06 19:50:54 UTC
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1792

https://seclists.org/oss-sec/2019/q1/166

Comment 1 msiddiqu 2019-03-06 19:51:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1686137]

Comment 6 Wade Mealing 2019-03-12 03:49:15 UTC
Bit of a public update since people have been asking:

The reproducer (and the theory) fails on both Red Hat Enterprise Linux 6 and 7.  The commit which introduced this flaw is 32e4e6d5cbb0c0e427391635991fe65e17797af8 and it needs to be present to be exploited correctly.

At this time this commit does not exist in Red Hat Enterprise Linux 6 and 7.

This commit, however, IS present in the kernel-alt (ARM kernel) for rhel-7, based on 4.10.  However, for the exploit to work correctly, selinux must be disabled.  Other security mitigation technology will assist in mitigating this flaw from being useful (such as PXN (SMEP-like) and PAN (SMAP-like)), but these are not considered an "absolute" defense; attackers may be able to work around these protection mechanisms.

Comment 8 Wade Mealing 2019-03-12 06:04:50 UTC
Mitigation:

Enabling selinux prevents the public exploit from working correctly.

Comment 14 errata-xmlrpc 2019-04-23 14:30:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831

Comment 16 errata-xmlrpc 2019-06-17 18:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479

Comment 17 errata-xmlrpc 2019-06-17 19:56:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480