Bug 1708518 (CVE-2019-11815)

Summary: CVE-2019-11815 kernel: race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to use-after-free
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, carlos.canau, chris.snell, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, klaas, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pasteur, plougher, rt-maint, rvrbovsk, steved, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of RDS over TCP. A system that has the rds_tcp kernel module loaded (either through autoload via a local process calling listen(), or through manual loading) could possibly be subject to a use after free (UAF) when an attacker is able to manipulate socket state while a network namespace is being torn down. This can lead to possible memory corruption and privilege escalation.
Last Closed: 2019-05-15 05:23:25 UTC
Bug Depends On: 1710152
Bug Blocks: 1708519

Description Marian Rehak 2019-05-10 07:13:08 UTC
A flaw was found in the Linux kernel's implementation of RDS over TCP.  A system that has the rds_tcp kernel module loaded (either through autoload via a local process calling listen(), or through manual loading) could possibly be subject to a Use After Free (UAF) when an attacker is able to manipulate socket state while a network namespace is being torn down.  This can lead to possible memory corruption and privilege escalation.

Upstream Repository:

https://github.com/torvalds/linux/commit/cb66ddd156203daefb8d71158036b27b0e2caf63

Comment 1 Wade Mealing 2019-05-15 02:07:29 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1710152]

Comment 2 Wade Mealing 2019-05-15 02:25:34 UTC
Statement:

The affected code is not built in the following kernels:

- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux MRG-2
- Red Hat Enterprise Linux for ARM (kernel-alt).
- Red Hat Enterprise Linux 8

These kernels are not affected.


The affected code was introduced by commit bdf5bd7f21323493dbe5f2c723dc33f2fbb0241a.

This affected commit is not present in the following kernels:

- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6

Comment 3 Wade Mealing 2019-05-15 02:33:31 UTC
There is misinformation about this exploit currently circulating.  While this is a network protocol being affected, the protocol is not available by default.  A local process (or user) can trigger the protocol to be used, which causes the module to be loaded automatically; the system would then have the vulnerable code loaded and the attack vector opened.  To reiterate, it is unlikely that most Linux systems will be using this protocol and therefore be affected.

Most systems do _NOT_ have this protocol used by services.   This is an infrequently used module and if you wish to blacklist it, you can follow the steps outlined in https://access.redhat.com/solutions/41278 to blacklist the "rds_tcp" module for the relevant version of Red Hat Enterprise Linux.
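
The blacklisting step referred to above, as an added example that is not part of this bug report, of the Red Hat knowledge-base article, or of any Red Hat tooling: a small POSIX shell script that reports whether rds_tcp is currently loaded and writes a modprobe.d fragment that keeps it from loading. The file name rds_tcp-blacklist.conf, the audit/apply sub-commands and the MODPROBE_DIR override are this example's own choices; the `blacklist` and `install ... /bin/true` directives are the standard modprobe.d mechanisms for disabling a module; the /proc/modules sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug report or the Red Hat KB article):
# audit and disable the rds_tcp kernel module via modprobe.d.
# Assumptions: a modprobe.d-style config directory; file name,
# sub-command names and MODPROBE_DIR override are this example's choices.

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
CONF_NAME="rds_tcp-blacklist.conf"

# Constructed sample in /proc/modules format (not captured from a real host),
# showing what a host with RDS-over-TCP active would list.
SAMPLE_MODULES='rds_tcp 28672 0 - Live 0x0000000000000000
rds 65536 1 rds_tcp, Live 0x0000000000000000'

# Return 0 if rds_tcp appears in /proc/modules- or lsmod-style text on stdin.
# Both formats start each line with the module name followed by whitespace.
module_listed() {
    grep -q '^rds_tcp[[:space:]]'
}

# The modprobe.d fragment. "blacklist" only stops alias-based autoloading
# (the path a local process triggers); the "install ... /bin/true" line also
# defeats an explicit "modprobe rds_tcp" and dependency-driven loading.
blacklist_fragment() {
    printf '%s\n' \
        '# Disable RDS over TCP (CVE-2019-11815 mitigation)' \
        'blacklist rds_tcp' \
        'install rds_tcp /bin/true'
}

# Write the fragment into DIR (default: MODPROBE_DIR). Writing to the real
# /etc/modprobe.d needs root; a scratch directory works for testing.
write_blacklist() {
    dir="${1:-$MODPROBE_DIR}"
    mkdir -p "$dir"
    blacklist_fragment > "$dir/$CONF_NAME"
}

# Return 0 if any *.conf fragment in DIR already carries the install override.
blacklist_present() {
    dir="${1:-$MODPROBE_DIR}"
    grep -qs '^install[[:space:]][[:space:]]*rds_tcp[[:space:]][[:space:]]*/bin/true' "$dir"/*.conf
}

# Read-only report of the live state; safe to run unprivileged.
audit() {
    if [ -r /proc/modules ] && module_listed < /proc/modules; then
        echo "rds_tcp is loaded; unload with 'rmmod rds_tcp' once no RDS sockets remain"
    else
        echo "rds_tcp is not loaded"
    fi
    if blacklist_present; then
        echo "modprobe.d override for rds_tcp is present in $MODPROBE_DIR"
    else
        echo "no modprobe.d override for rds_tcp (run '$0 apply' as root)"
    fi
}

case "${1:-}" in
    apply) write_blacklist ;;
    audit) audit ;;
esac
```

Run `sh rds_tcp_guard.sh audit` to see the current state and `sh rds_tcp_guard.sh apply` as root to install the fragment; `modprobe -n -v rds_tcp` afterwards should show the `install /bin/true` override rather than an insmod line. A fragment written while the module is already loaded does not unload it, which is why the audit reports the two conditions separately.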

Comment 5 Justin M. Forbes 2019-05-15 12:53:07 UTC
This was fixed for Fedora with the 5.0.8 stable kernel updates.