Bug 1696604 (CVE-2018-20449)

Summary: CVE-2018-20449 kernel: reading "callback=" lines in a debugfs file in drivers/dma/qcom/hidma_dbg.c results in information disclosure
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The hidma_chan_stats() function in the drivers/dma/qcom/hidma_dbg.c file in the Linux kernel allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file. By default, the debugfs filesystem access is restricted so only a privileged user can access it.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-12 11:31:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1696605    
Bug Blocks: 1696607    

Description Marian Rehak 2019-04-05 08:41:48 UTC 
The hidma_chan_stats() function in the drivers/dma/qcom/hidma_dbg.c file in the Linux kernel allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file. By default debugfs filesystem access is restricted, so only a privileged user can access it.

References:

https://www.mail-archive.com/debian-security-tracker@lists.debian.org/msg03808.html 

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad67b74d2469d9b82aaa572d76474c95bc484d57

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91efafb1dd8f471177a3dddb4841d75d3df1cc46
Comment 1 Marian Rehak 2019-04-05 08:42:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1696605]
Comment 3 Justin M. Forbes 2019-04-11 19:57:06 UTC 
This was mitigated in 4.15 and newer kernels with commit ad67b74d2469d9b82aaa572d76474c95bc484d57 "printk: hash addresses printed with %p"
Comment 6 Vladis Dronov 2019-04-12 11:31:34 UTC 
Note:

RHEL-8 has the %p cloaking patchset integrated, so %p is cloaked if printed. RHEL-ALT is vulnerable to this flaw, but by default debugfs filesystem access is restricted, so only a privileged user (a real "root") can access it. Henceforth, we do not believe this issue is a security flaw. Earlier RHEL versions do not build and ship the code in question.