Bug 1774946 (CVE-2019-19072)
| Summary: | CVE-2019-19072 kernel: A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c allows for a DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, eshatokhin, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jmarchan, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rt-maint, rvrbovsk, steved, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the way the predicate_parse function in the tracing subsystem of the Linux kernel handled resource cleanup on error. This flaw allows an attacker with the ability to produce the error to crash the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:23:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1774947, 1829952, 1829953 | ||
| Bug Blocks: | 1774948 | ||
|
Description
Marian Rehak
2019-11-21 10:23:25 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1774947] Only root can manipulate ftrace filters, right? Is there a way for an unprivileged user to trigger this memory leak? Statement: This issue is rated as having Low impact because of the preconditions needed to trigger the error/resource cleanup code path (high privileges). In reply to comment #2: > Only root can manipulate ftrace filters, right? > > Is there a way for an unprivileged user to trigger this memory leak? I'm not aware of one. Maybe perf with non paranoid setting. But that would still need privileged user to adjust the defaults. Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. (In reply to Marian Rehak from comment #0) > A memory leak in the predicate_parse() function in > kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows > attackers to cause a DoS (memory consumption). > > Upstream Reference: > > https://github.com/torvalds/linux/commit/ > 96c5c6e6a5b6db592acae039fed54b5c8844cd35 Is this an actual issue or an hypothetical one? It seems to me that the error path that leads to the memory leak is unreachable. It's supposed to happen when the depth of the nested parentheses in the filter is deeper than expected, but the depth has just been calculated in calc_stack(). The parser code is quite complicated though, and I might have missed something. On the other hand, I did hit another memory leak while trying to trigger the issue. It's fixed upstream by commit eea9be33cd19 ("tracing: Fix memory leak in create_filter()"). This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19072 |