|Summary:||CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c|
|Product:||[Other] Security Response||Reporter:||Marian Rehak <mrehak>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rt-maint, rvrbovsk, steved, williams, wmealing|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
A flaw was found in the Linux kernel's ext4_unlink function. An attacker could corrupt memory or escalate privileges when deleting a file from a recently unmounted specially crafted ext4 filesystem, including local, USB, and iSCSI.
|Last Closed:||2020-05-12 16:32:05 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1801046, 1801047, 1801048, 1801049, 1781680, 1801050|
Description Marian Rehak 2019-12-10 11:37:25 UTC
A user with permissions to mount and unmount a crafted ext4 file system, via any transport mechanism (local, USB, ISCSI) can lead to a use-after-free when attempting to delete a directory after the disk has been umounted. This can lead to possible memory corruption and privilege escalation. External Reference: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447 https://bugzilla.kernel.org/show_bug.cgi?id=205433
Comment 1 Marian Rehak 2019-12-10 11:37:47 UTC
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1781680]
Comment 8 Eric Christensen 2020-02-13 16:36:10 UTC
Mitigation: Ext4 filesytems are built into the kernel so it is not possible to prevent the kernel module from loading. However, this flaw can be prevented by disallowing mounting of untrusted filesystems. As mounting is a privileged operation, (except for device hotplug) removing the ability for mounting and unmounting will prevent this flaw from being exploited.
Comment 9 errata-xmlrpc 2020-05-12 15:12:28 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104
Comment 10 Product Security DevOps Team 2020-05-12 16:32:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19447
Comment 11 Justin M. Forbes 2020-05-13 22:16:45 UTC
This was fixed for Fedora in the 5.4.4 stable kernel update.