Bug 1762321 (CVE-2019-16921)

Summary: CVE-2019-16921 kernel: information disclosure in hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, steved, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in the Linux kernel. The Infiniband driver does not initialize the resp data structure which allows an attacker to obtain sensitive information from kernel stack memory. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-17 08:09:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1762322    
Bug Blocks: 1762323    

Description Dhananjay Arunesh 2019-10-16 14:18:14 UTC
A vulnerability was found in the Linux kernel, hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data structure, which might allow attackers to obtain sensitive information from kernel stack memory.

Reference:
https://github.com/openSUSE/kernel/commit/72be029e947510dd6cbbbaf51879622af26e4200
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df7e40425813c50cd252e6f5e348a81ef1acae56
https://github.com/torvalds/linux/commit/df7e40425813c50cd252e6f5e348a81ef1acae56

Comment 1 Dhananjay Arunesh 2019-10-16 14:18:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1762322]

Comment 2 Justin M. Forbes 2019-10-16 16:15:25 UTC
This was fixed upstream in the 4.17 kernel, and has not impacted any of the currently supported versions of Fedora.

Comment 5 Wade Mealing 2020-01-17 05:27:04 UTC
Red Hat Enterprise Linux 8 and 9 ship support for aarm64, which this specific bit of hardware requires.

$ git grep --heading  -A 10 "static struct ib_ucontext \*$affected_function" -- '*.[ch]' 

      drivers/infiniband/hw/hns/hns_roce_main.c
      static struct ib_ucontext *hns_roce_alloc_ucontext(struct ib_device *ib_dev,
							 struct ib_udata *udata)
      {
	      int ret = 0;
	      struct hns_roce_ucontext *context;
	      struct hns_roce_ib_alloc_ucontext_resp resp = {};
	      struct hns_roce_dev *hr_dev = to_hr_dev(ib_dev);

	      if (!hr_dev->active)
		      return ERR_PTR(-EAGAIN);

kernel-alt for el7 arm64 has same patch already applied and not affected.

Comment 6 Product Security DevOps Team 2020-01-17 08:09:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16921