Bug 1715491 (CVE-2019-12379)
| Summary: | CVE-2019-12379 kernel: memory leak in con_insert_unipair in drivers/tty/vt/consolemap.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, vdronov, williams, wmealing |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was discovered in the Linux kernel's con_insert_unipair function in drivers/tty/vt/consolemap.c. An attacker, with local physical access to the system and local virtual terminal level access, is able to leak memory in certain cases of ENOMEM outcomes of kmalloc.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-01 11:56:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1715703, 1715704, 1715705, 1715706, 1715707, 1715708, 1715709 | ||
| Bug Blocks: | 1715560 | ||
|
Description
msiddiqu
2019-05-30 13:32:25 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1715706] the suggested patch is incorrect and was reverted in the upstream: https://lore.kernel.org/lkml/b99d0da6-a1d6-1c04-66ff-b2937d21d346@nvidia.com/ https://lore.kernel.org/lkml/201905242302.139A912@keescook/ https://lore.kernel.org/lkml/20190604180039.gai2phwdxn7ias6n@decadent.org.uk/ [ https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=15b3cd8ef46ad1b100e0d3c7e38774f330726820 ] > However, if it looks up an *existing* middle layer and then fails to > allocate a bottom layer, it now frees both p1 and p2 but does *not* > free any other bottom layers under p1. So it *introduces* a memory > leak. > > The error path also cleared the wrong index in p->uni_pgdir[], > introducing a use-after-free. Wade, Mohammad, could you please adjust the linked trackers accordingly? > The error path also cleared the wrong index in p->uni_pgdir[],
> introducing a use-after-free.
vdronov: how do you want them adjusted, we didnt ship the upstream patch yet afaics.. so the product should remain in the state that we originally diagnosed the condition in.
If you want another CVE for the fix , that'd be a different flaw (since it introduced the UAF) , but we didnt ship that code from what I can see..
(In reply to Wade Mealing from comment #9) Hi, Wade! Nice to meet you again! > vdronov: how do you want them adjusted i guess, just close trackers and this flaw with not-a-bug (per my understanding of the original code without the fix, there is really no memory leak, just a pre-allocation which may never be used) Righto, will do. Closed up all trackers. |