Bug 1711194 (CVE-2019-10142)

Summary: CVE-2019-10142 kernel: integer overflow in ioctl handling of fsl hypervisor
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, wmealing
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel's Freescale hypervisor manager implementation. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security effects.
Last Closed: 2019-06-10 10:55:37 UTC
Bug Depends On: 1711195    
Bug Blocks: 1711196    

Description Marian Rehak 2019-05-17 07:52:36 UTC
A flaw was found in the Linux kernel's Freescale hypervisor manager implementation. A parameter passed to an ioctl was incorrectly validated and used in size calculations for page size calculation.

The "param.count" value is a u64 from the user. The code later assumes that param.count is at least one, leading to a ZERO_SIZE_PTR dereference in case it is not. Also, the addition can have an integer overflow, which leads to allocating a smaller "pages" array than required.


Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c
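
The two failure modes described above, shown as an added user-space C model; this is not code from the kernel or from the upstream patch. The round-up formula, the 4 KiB page size, and the names `pages_unchecked` and `pages_checked` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                          /* assumption: 4 KiB pages */
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* Hypothetical model of the page-count calculation: round the byte range
 * [vaddr, vaddr + count) up to whole pages. count is fully caller-controlled. */
uint64_t pages_unchecked(uint64_t count, uint64_t vaddr)
{
    uint64_t off = vaddr & (PAGE_SIZE - 1);    /* offset into the first page */
    return (count + off + PAGE_SIZE - 1) >> PAGE_SHIFT;  /* wraps mod 2^64 */
}

/* Same calculation with both conditions rejected before the addition.
 * Returns 0 and stores the page count in *out, or -1 for invalid input. */
int pages_checked(uint64_t count, uint64_t vaddr, uint64_t *out)
{
    uint64_t off = vaddr & (PAGE_SIZE - 1);

    if (count == 0)                            /* would yield a 0-element array */
        return -1;
    if (count > UINT64_MAX - off - (PAGE_SIZE - 1))  /* sum would overflow */
        return -1;
    *out = (count + off + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return 0;
}

int main(void)
{
    uint64_t n = 0;

    /* count == 0: zero pages, so the array allocation has size zero. */
    printf("count=0          -> %llu pages\n",
           (unsigned long long)pages_unchecked(0, 0));
    /* count near 2^64: the sum wraps and only one page slot is sized. */
    printf("count=UINT64_MAX -> %llu pages\n",
           (unsigned long long)pages_unchecked(UINT64_MAX, 0xfff));
    /* The checked variant refuses both inputs and accepts a normal one. */
    printf("checked(0)=%d checked(max)=%d checked(4096)=%d\n",
           pages_checked(0, 0, &n),
           pages_checked(UINT64_MAX, 0xfff, &n),
           pages_checked(4096, 0x10, &n));
    return 0;
}
```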

Comment 1 Marian Rehak 2019-05-17 07:52:50 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1711195]

Comment 5 Fedora Update System 2019-05-25 03:35:24 UTC
kernel-5.0.17-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Marian Rehak 2019-07-30 11:11:59 UTC
Acknowledgments:

Name: Murray McAllister