Bug 1781679 (CVE-2019-19447)

Summary: CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rt-maint, rvrbovsk, steved, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's ext4_unlink function. An attacker could corrupt memory or escalate privileges when deleting a file from a recently unmounted specially crafted ext4 filesystem, including local, USB, and iSCSI.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-12 16:32:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1801046, 1801047, 1801048, 1801049, 1781680, 1801050    
Bug Blocks: 1781681    

Description Marian Rehak 2019-12-10 11:37:25 UTC
A user with permissions to mount and unmount a crafted ext4 file system, via any transport mechanism (local, USB, ISCSI) can lead to a use-after-free when attempting to delete a directory after the disk has been umounted.

This can lead to possible memory corruption and privilege escalation.

External Reference:

https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447
https://bugzilla.kernel.org/show_bug.cgi?id=205433

Comment 1 Marian Rehak 2019-12-10 11:37:47 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1781680]

Comment 8 Eric Christensen 2020-02-13 16:36:10 UTC
Mitigation:

Ext4 filesytems are built into the kernel so it is not possible to prevent the kernel module from loading.  However, this flaw can be prevented by disallowing mounting of untrusted filesystems.

As mounting is a privileged operation, (except for device hotplug) removing the ability for mounting and unmounting will prevent this flaw from being exploited.

Comment 9 errata-xmlrpc 2020-05-12 15:12:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104

Comment 10 Product Security DevOps Team 2020-05-12 16:32:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19447

Comment 11 Justin M. Forbes 2020-05-13 22:16:45 UTC
This was fixed for Fedora in the 5.4.4 stable kernel update.