Bug 1709164 (CVE-2019-11810)

Summary: CVE-2019-11810 kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, prior to version 5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c, where a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds(). An attacker can crash the system if they were able to load the megaraid_sas kernel module and groom memory beforehand, leading to a denial of service (DoS), related to a use-after-free.
Story Points: ---
Last Closed: 2019-07-30 13:18:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1668409, 1709165, 1709819, 1712858, 1712860, 1712861, 1712862, 1712863, 1712864, 1712865, 1712866, 1712867, 1712868, 1772268, 1772269
Bug Blocks: 1709168

Description Marian Rehak 2019-05-13 06:35:55 UTC
In the Linux kernel before 5.0.7, a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c, leading to Denial of Service, related to a use-after-free.

Upstream Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcf3b67d16a4c8ffae0aa79de5853435e683945c
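A simplified model of the error-path pattern behind this flaw, added here as an example (it is not the driver's code, and the names are assumptions that only loosely follow the driver's): a cleanup routine frees and clears the command table, but the allocating function still reports success, so its caller continues and dereferences the now-NULL pointer. The fixed variant differs only in returning an error after the cleanup, which is the shape of the upstream fix; the failure hook is constructed for the demonstration.

```c
#include <errno.h>
#include <stdlib.h>
#define MAX_CMDS 4
struct instance {
	int *cmd_list;        /* command table; NULL once freed */
	int fail_frame_pool;  /* constructed test hook: force the pool step to fail */
};

/* Stand-in for megasas_free_cmds(): release the table and clear the pointer. */
static void free_cmds(struct instance *inst)
{
	free(inst->cmd_list);
	inst->cmd_list = NULL;
}

/* Stand-in for megasas_create_frame_pool(): non-zero on failure. */
static int create_frame_pool(struct instance *inst)
{
	return inst->fail_frame_pool ? -ENOMEM : 0;
}

/* Vulnerable shape: cleanup runs, but the function still reports success. */
static int alloc_cmds_vulnerable(struct instance *inst)
{
	if (!(inst->cmd_list = calloc(MAX_CMDS, sizeof(int)))) return -ENOMEM;
	if (create_frame_pool(inst))
		free_cmds(inst);     /* cmd_list is NULL from here on ... */
	return 0;                /* ... yet the caller is told all is well */
}

/* Fixed shape: propagate the failure so the caller never uses cmd_list. */
static int alloc_cmds_fixed(struct instance *inst)
{
	if (!(inst->cmd_list = calloc(MAX_CMDS, sizeof(int)))) return -ENOMEM;
	if (create_frame_pool(inst)) {
		free_cmds(inst);
		return -ENOMEM;      /* the error return the vulnerable version lacks */
	}
	return 0;
}

/* Caller model: on reported success the init path touches cmd_list[0].
 * Returns 1 if that touch would be a NULL dereference, 0 otherwise. */
static int init_would_deref_null(struct instance *inst, int (*alloc_cmds)(struct instance *))
{
	if (alloc_cmds(inst) != 0) return 0;   /* error seen, init stops here */
	if (!inst->cmd_list) return 1;         /* the real driver crashes here */
	inst->cmd_list[0] = 0;
	free_cmds(inst);
	return 0;
}
```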

Comment 1 Justin M. Forbes 2019-05-13 12:53:02 UTC
This was fixed for Fedora with the 5.0.7 stable updates.

Comment 2 Marian Rehak 2019-05-14 11:18:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709819]

Comment 4 Wade Mealing 2019-05-22 07:26:28 UTC
It appears as though this flaw occurs during hardware initialization. This would be when the module is unloaded/loaded or loaded the first time when the system is booted. The upstream patch refers to this being a use-after-free (which could at some stage be abused to some kind of memory corruption or possible further unknown effects).

The timing window for server-grade hardware to attack this is actually quite minimal and it's unlikely that network services are available during the time when this code would be run (usually during boot).

It might be possible that this module is loaded post boot (when a privileged user unloads and reloads the module). The small window of opportunity to exploit this flaw significantly increases its complexity for a local attacker to successfully exploit.

Comment 12 errata-xmlrpc 2019-07-30 09:42:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959

Comment 13 errata-xmlrpc 2019-07-30 11:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971

Comment 14 Product Security DevOps Team 2019-07-30 13:18:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11810

Comment 15 errata-xmlrpc 2019-08-06 12:04:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 16 errata-xmlrpc 2019-08-06 12:07:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 20 errata-xmlrpc 2019-09-11 15:29:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2736 https://access.redhat.com/errata/RHSA-2019:2736

Comment 21 errata-xmlrpc 2019-09-20 10:53:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2837 https://access.redhat.com/errata/RHSA-2019:2837

Comment 25 errata-xmlrpc 2019-10-29 12:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

Comment 28 errata-xmlrpc 2020-01-07 12:26:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036