Bug 1695074 (CVE-2019-10125)

Summary: CVE-2019-10125 kernel: use-after-free in aio_poll() in fs/aio.c
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A use-after-free flaw was found in the Linux kernel's aio_poll() function in fs/aio.c. Because of a logic error in how the poll request's file reference is handled, the file can be released by the wakeup path while aio_poll() is still using it. A local user who can submit AIO poll requests could use this to corrupt kernel memory and possibly execute arbitrary code in the kernel, resulting in privilege escalation.
Last Closed: 2019-07-31 13:57:54 UTC
Bug Depends On: 1695075, 1711111, 1711112, 1711113, 1711114
Bug Blocks: 1695077

Description msiddiqu 2019-04-02 12:43:27 UTC
A use-after-free flaw was discovered in aio_poll() in fs/aio.c in the Linux kernel. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

The use-after-free could possibly be used to create memory corruption or possibly privilege escalation by a determined attacker.

References: 
https://patchwork.kernel.org/patch/10828359/
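
As an added example (not from the bug report, the patch, or the kernel tree), the following constructed C program performs the sequence the description refers to: it submits an IOCB_CMD_POLL request on the read end of a pipe while a second process closes the pipe's last write end, so the POLLHUP wakeup arrives right around the return of vfs_poll() inside aio_poll(). On a kernel that carries the upstream fix (commit 84c4e1f89fefe70554da0ab33be72c9be7994379, in 5.0.5 stable per comment 2) the request simply completes with one event; the program is a demonstration of the code path, not a reliable reproducer of the race on an unfixed kernel, and it makes no attempt to exploit anything. The function name, the return-code convention and the wrapper names are the example's own; glibc does not wrap the io_*() system calls, so they are called through syscall().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/aio_abi.h>

#ifndef IOCB_CMD_POLL
/* Value of IOCB_CMD_POLL in the kernel's aio_abi.h enum; only needed if
 * the installed headers predate AIO poll (kernel 4.18). */
#define IOCB_CMD_POLL 5
#endif

/* Thin wrappers around the raw system calls (no libaio dependency). */
static long sys_io_setup(unsigned nr, aio_context_t *ctx)
{
    return syscall(SYS_io_setup, nr, ctx);
}
static long sys_io_submit(aio_context_t ctx, long n, struct iocb **cbs)
{
    return syscall(SYS_io_submit, ctx, n, cbs);
}
static long sys_io_getevents(aio_context_t ctx, long min, long max,
                             struct io_event *ev, struct timespec *ts)
{
    return syscall(SYS_io_getevents, ctx, min, max, ev, ts);
}
static long sys_io_destroy(aio_context_t ctx)
{
    return syscall(SYS_io_destroy, ctx);
}

/*
 * Submit a POLL iocb on the read end of a pipe while a child process closes
 * the only remaining write end, then reap the completion.
 *
 * Returns 0 if one completion event was delivered, 1 if AIO poll is not
 * available here (no AIO syscalls, seccomp, aio-max-nr, or a kernel without
 * IOCB_CMD_POLL), -1 on any other failure.  Example code; not a test for
 * whether the running kernel is fixed.
 */
int exercise_aio_poll_pipe_close(void)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;

    aio_context_t ctx = 0;
    if (sys_io_setup(1, &ctx) != 0) {
        int e = errno;
        close(pfd[0]);
        close(pfd[1]);
        return (e == ENOSYS || e == EPERM || e == EAGAIN) ? 1 : -1;
    }

    pid_t child = fork();
    if (child < 0) {
        close(pfd[0]);
        close(pfd[1]);
        sys_io_destroy(ctx);
        return -1;
    }
    if (child == 0) {
        /* The "expected event": closing the last writer hangs up the
         * read end, waking any poll waiter on it. */
        close(pfd[1]);
        _exit(0);
    }
    /* Parent drops its own write end so only the child's close produces HUP. */
    close(pfd[1]);

    struct iocb cb;
    memset(&cb, 0, sizeof cb);          /* reserved fields must be zero */
    cb.aio_lio_opcode = IOCB_CMD_POLL;
    cb.aio_fildes = pfd[0];
    cb.aio_buf = POLLIN;                /* requested events; the kernel adds ERR|HUP */
    struct iocb *list[1] = { &cb };

    int rc;
    if (sys_io_submit(ctx, 1, list) != 1) {
        rc = (errno == EINVAL) ? 1 : -1;  /* EINVAL: kernel predates IOCB_CMD_POLL */
    } else {
        struct io_event ev;
        struct timespec ts = { 2, 0 };    /* HUP is guaranteed once the child exits */
        rc = (sys_io_getevents(ctx, 1, 1, &ev, &ts) == 1) ? 0 : -1;
    }

    waitpid(child, NULL, 0);
    close(pfd[0]);
    sys_io_destroy(ctx);
    return rc;
}

int main(void)
{
    int rc = exercise_aio_poll_pipe_close();
    printf("AIO poll on pipe with concurrent close: %s\n",
           rc == 0 ? "completed" : rc == 1 ? "AIO poll unavailable, skipped" : "failed");
    return rc == -1;
}
```

Build with a plain `cc -Wall` on Linux; no extra libraries are needed. Whether a given machine is affected is not settled by this program or by `uname -r` alone, since distribution kernels backport fixes without changing the upstream version string; the authoritative check is whether the kernel contains the commit named in comment 2.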

Comment 1 msiddiqu 2019-04-02 12:43:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1695075]

Comment 2 Justin M. Forbes 2019-04-03 13:24:12 UTC
The linked patch is actually not sufficient, the patch that went upstream is commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
This was fixed for Fedora with the 5.0.5 stable release.

Comment 4 msiddiqu 2019-04-03 13:39:09 UTC
In reply to comment #2:
> The linked patch is actually not sufficient, the patch that went upstream is
> commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
> This was fixed for Fedora with the 5.0.5 stable release.

Thanks for the patch info, I've updated it.