Bug 1771826 (CVE-2019-18683)

Summary: CVE-2019-18683 kernel: race condition in vivid_stop_generating_vid_cap(),vivid_stop_generating_vid_out(), sdr_cap_stop_streaming()
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. Multiple race conditions were found in the vivid driver leading to privilege escalation and in at least one case a use-after-free condition. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-06 11:00:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1771828    
Bug Blocks: 1771829    

Description Dhananjay Arunesh 2019-11-13 05:18:15 UTC 
An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(),vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

Reference:
https://seclists.org/oss-sec/2019/q4/43
https://www.openwall.com/lists/oss-security/2019/11/02/1
https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/
Comment 1 Dhananjay Arunesh 2019-11-13 05:18:44 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1771828]
Comment 2 Justin M. Forbes 2019-11-14 17:20:07 UTC 
The vivid drivers are not enabled for Fedora as they depend on CONFIG_V4L_TEST_DRIVERS.
Comment 3 Eric Christensen 2020-05-06 14:23:49 UTC 
External References:

https://seclists.org/oss-sec/2019/q4/43
https://www.openwall.com/lists/oss-security/2019/11/02/1
https://lore.kernel.org/lkml/20191103221719.27118-1-alex.popov@linux.com/