Bug 1694812 (CVE-2019-3896)

Summary: CVE-2019-3896 kernel: Double free in lib/idr.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, pmatouse, rt-maint, rvrbovsk, security-response-team, steved, vdronov, williams, wmealing, yozone
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
Last Closed: 2019-07-12 13:06:55 UTC
Bug Depends On: 1698139, 1698140, 1698141, 1698142, 1715283    
Bug Blocks: 1694813    

Description Pedro Sampaio 2019-04-01 18:29:08 UTC
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).

References:

https://marc.info/?t=127366612300001&r=1&w=2

https://marc.info/?l=linux-kernel&m=127422151819010&w=2

https://lore.kernel.org/patchwork/patch/205534/

https://marc.info/?t=136035740900005&r=1&w=2

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dcb22b346be

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=326cf0f0f308

Comment 2 Vladis Dronov 2019-04-09 15:45:36 UTC
Acknowledgments:

Name: Eiichi Tsukata

Comment 11 errata-xmlrpc 2019-06-17 18:24:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1488 https://access.redhat.com/errata/RHSA-2019:1488

Comment 12 errata-xmlrpc 2019-06-17 19:27:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:1489 https://access.redhat.com/errata/RHSA-2019:1489

Comment 13 errata-xmlrpc 2019-06-17 19:28:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:1490 https://access.redhat.com/errata/RHSA-2019:1490

Comment 14 Product Security DevOps Team 2019-07-12 13:06:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3896