Bug 1790044 (CVE-2019-19927)

Summary: CVE-2019-19927 kernel: Out-of-bounds read in ttm_put_pages in gpu/drm/ttm/ttm_page_alloc.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mcressma, mjg59, mlangsdo, nmurray, qzhao, rkeshri, rt-maint, rvrbovsk, steved, williams
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c in the Linux kernel’s graphics module. Incrementing the page pointer for huge pages was not in sync with the reference counter, and this could lead to an out-of-bounds access or a denial of service. This flaw allows a local attacker with special user privileges (or root) to cause memory exploitation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-15 11:29:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1790045, 1833103, 1833104    
Bug Blocks: 1790046    

Description Pedro Sampaio 2020-01-11 14:33:39 UTC
An out-of-bounds (OOB) memory access flaw was found in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c in the Linux kernel graphics module. Here incrementing the page pointer for huge pages was not in sync with the reference counter, and this could lead to an out-of-bound memory problem or a DoS. A local attacker with special user privilege (or root) can plot an exploit in the memory to harm.

References:

https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19927

Upstream patch:

https://github.com/torvalds/linux/commit/453393369dc9806d2455151e329c599684762428
https://github.com/torvalds/linux/commit/a66477b0efe511d98dde3e4aaeb189790e6f0a39
https://github.com/torvalds/linux/commit/ac1e516d5a4c56bf0cb4a3dfc0672f689131cfd4

Comment 1 Pedro Sampaio 2020-01-11 14:34:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1790045]

Comment 2 Justin M. Forbes 2020-01-13 12:53:55 UTC
This was fixed for Fedora with the 5.1 kernel rebases.

Comment 8 Rohit Keshri 2020-05-07 20:14:59 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.