Bug 1703063 (CVE-2019-11487)
| Summary: | CVE-2019-11487 kernel: Count overflow in FUSE request leading to use-after-free issues. | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | acaringi, airlied, apmukher, asavkov, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, mszeredi, nmurray, plougher, rhandlin, rt-maint, rvrbovsk, steved, williams, wmealing |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the Linux kernel's implementation of the FUSE filesystem, where it allows a page reference counter overflow. If a page reference counter overflows into a negative value, it can be placed back into the "free" list for reuse by other applications. This flaw allows a local attacker who can manipulate memory page reference counters to cause memory corruption and possible privilege escalation by triggering a use-after-free condition.
The current attack requires the system to have approximately 140 GB of RAM for this attack to be performed. It may be possible that the attack can occur with fewer memory requirements.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-09-12 12:45:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1703064, 1705003, 1705004, 1705005, 1705006, 1705007, 1705008, 1705009, 1705020, 1738864, 1738865, 1753268, 1836419, 1836421, 1836422, 1836423, 1836424 | ||
| Bug Blocks: | 1703065 | ||
|
Description
Marian Rehak
2019-04-25 12:20:55 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1703064] Commits to backport (in commit order): f958d7b528b1 mm: make page ref count overflow check tighter and more explicit 88b1a17dfc3e mm: add 'try_get_page()' helper function 8fde12ca79af mm: prevent get_user_pages() from overflowing page refcount 15fab63e1e57 fs: prevent page refcount overflow in pipe_buf_get This was fixed for Fedora with the 5.1 kernel rebases. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11487 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839 Mitigation: Preventing loading of the 'fuse' kernel module will prevent attackers from using this exploit against the system; howeve the functionality of being able to access the filesystems that would be allowed by fuse would no longer be allowed . See “How do I blacklist a kernel module to prevent it from loading automatically?" ( https://access.redhat.com/solutions/41278) for instructions on how to disable the 'fuse' kernel module from autoloading. This mitigation may not be suitable if access to the functionality provided by fuse is required. This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230 This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2020:3266 https://access.redhat.com/errata/RHSA-2020:3266 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:4182 https://access.redhat.com/errata/RHSA-2020:4182 |