Bug 1786160 (CVE-2019-19767)

Summary: CVE-2019-19767 kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bdettelb, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, fsorenso, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jschorr, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A use-after-free flaw was found in the Linux kernel’s ext4 file system functionality when the user mounts an ext4 partition with an additional debug parameter that defines an extra inode size. If this parameter has a non-zero value, this flaw allows a local user to crash the system when inode expansion happens.
Last Closed: 2020-07-07 19:27:55 UTC
Bug Depends On: 1786161, 1817634, 1817635, 1817636, 1817637, 1817638    
Bug Blocks: 1786162    

Description Guilherme de Almeida Suckevicz 2019-12-23 17:19:49 UTC
The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c.

References:
https://bugzilla.kernel.org/show_bug.cgi?id=205609
https://bugzilla.kernel.org/show_bug.cgi?id=205707

Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a

Comment 1 Guilherme de Almeida Suckevicz 2019-12-23 17:20:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1786161]

Comment 2 Justin M. Forbes 2020-03-20 15:13:55 UTC
This was fixed for Fedora with the 5.3.15 stable kernel updates.

Comment 4 Alex 2020-03-26 17:12:53 UTC
Mitigation:

The mitigation is not to use the debug_want_extra_isize parameter when mounting an ext4 FS.
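
As an added example (not part of the bug report or of any Red Hat tooling), the following shell function audits an fstab-format file for ext4 entries that set debug_want_extra_isize, the option the mitigation above says to avoid. The function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ext4 entries in an fstab-format file that set
# debug_want_extra_isize, the mount option named in the mitigation.

# find_extra_isize_mounts FILE  (hypothetical helper name)
# Prints "<device> <mountpoint> <value>" for each ext4 entry whose
# options field (column 4) contains debug_want_extra_isize[=<value>].
find_extra_isize_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $3 == "ext4" {
            n = split($4, opts, ",")         # options are comma-separated
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^debug_want_extra_isize(=|$)/) {
                    val = opts[i]
                    sub(/^debug_want_extra_isize=?/, "", val)
                    if (val == "") val = "(no value)"
                    print $1, $2, val
                }
            }
        }
    ' "$1"
}

# Constructed sample input (not taken from the bug report).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab
/dev/sda1  /          ext4  defaults                            0 1
/dev/sdb1  /data      ext4  noatime,debug_want_extra_isize=128  0 2
/dev/sdc1  /scratch   ext4  debug_want_extra_isize=0,nodev      0 2
/dev/sdd1  /backup    xfs   defaults                            0 2
EOF
}

# When run with a readable file as the first argument, audit that file.
if [ "$#" -ge 1 ] && [ -r "$1" ]; then
    find_extra_isize_mounts "$1"
fi
```

Run it against /etc/fstab; any line reported with a non-zero value matches the condition the Doc Text describes, and removing the option from that entry applies the mitigation.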

Comment 6 errata-xmlrpc 2020-07-07 13:18:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854

Comment 7 Product Security DevOps Team 2020-07-07 19:27:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19767

Comment 8 errata-xmlrpc 2020-09-29 18:59:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 9 errata-xmlrpc 2020-09-29 20:53:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 25 errata-xmlrpc 2020-11-04 00:50:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 26 errata-xmlrpc 2020-11-04 02:22:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609