Bug 1731964 (CVE-2019-1010022)

Summary: CVE-2019-1010022 glibc: stack guard protection bypass
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, huzaifas, law, mfabian, mnewsome, pfrankli, rth, siddhesh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[Disputed] GNU Libc is impacted by a mitigation bypass issue in its nptl component, which could allow an attacker to bypass stack guard protections. The stack canary (designed to prevent stack-based buffer overflows) can be overwritten if an attacker already have exploited any stack buffer overflow vulnerability. The vulnerability arises when creating new threads with pthread_create(), where the tcbhead_t structure containing the stack_guard is placed on the thread stack, making it susceptible to overwriting. Although this weakens the stack canary protection, it is categorized as a post-attack mitigation rather than a direct security flaw. Upstream maintainers have indicated that this is being treated as a non-security issue with no immediate threat.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-23 04:03:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1546607, 1731965    
Bug Blocks: 1731971    

Description msiddiqu 2019-07-22 12:43:35 UTC 
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
 
References:  

https://sourceware.org/bugzilla/show_bug.cgi?id=22850
Comment 1 msiddiqu 2019-07-22 12:43:50 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1731965]
Comment 2 Huzaifa S. Sidhpurwala 2019-07-24 05:43:34 UTC 
As per upstream (https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c1), this is a known flaw in the way stack canaries are implemented in by glibc. Proposed solutions include moving the TCB structure away from the stack and/or generating a new canary for each new thread, both of these changes are intrusive since they have an impact on the core structures and algorithms.

Red Hat packages may be updated, once patches land upstream.

This flaw has been marked as having Moderate impact because stack canaries are essentially a post-attack mitigation. Therefore this is not really a security flaw in glibc.