Bug 1700007 (CVE-2019-11191)

Summary: CVE-2019-11191 kernel: race condition in load_aout_binary() allows local users to bypass ASLR on setuid a.out programs
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bhu, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, nmurray, plougher, rt-maint, rvrbovsk, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The Linux kernel allows local users to bypass ASLR protections for setuid a.out programs when CONFIG_IA32_AOUT is enabled and ia32_aout module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-17 18:25:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1700008    
Bug Blocks: 1700011    

Description msiddiqu 2019-04-15 15:01:53 UTC 
The Linux kernel allows local users to bypass ASLR protection for setuid a.out programs when CONFIG_IA32_AOUT is enabled and [ia32_aout] module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection.

References: 

https://www.openwall.com/lists/oss-security/2019/04/03/4

https://www.openwall.com/lists/oss-security/2019/04/03/4/1
Comment 1 msiddiqu 2019-04-15 15:02:08 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1700008]
Comment 2 Justin M. Forbes 2019-04-15 20:42:49 UTC 
Fedora is not impacted by this issue: # CONFIG_IA32_AOUT is not set
Comment 5 Vladis Dronov 2019-04-17 18:25:24 UTC 
Note:

This bug is a sibling of the CVE-2019-11190 flaw (bz1699856), but in a.out format code, not in the ELF format code. While the flaw is indeed present in the upstream Linux kernel code, there is no patch for this, as the upstream current plan is to deprecate a.out format.

Red Hat Enterprise Linux kernel does not build and ship the a.out format code, so no Red Hat products are vulnerable to this flaw.