Bug 1902788 (CVE-2019-20934)
| Summary: | CVE-2019-20934 kernel: use-after-free in show_numa_stats function | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acaringi, adscvr, airlied, aquini, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, eshatokhin, fhrbata, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, walters, williams, wmealing |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Linux kernel's implementation of displaying NUMA statistics, where displaying the scheduler statistics could trigger a use-after-free in show_numa_stats() and display the kernel memory to userspace. The highest threat from this vulnerability is to system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-21 03:54:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1902790, 1908221, 1908222, 1908223, 1915635, 1915636, 1997751, 1997752 | | |
| Bug Blocks: | 1902789 | | |
Description
Guilherme de Almeida Suckevicz
2020-11-30 17:12:52 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1902790]

This was fixed for Fedora with the 5.2.6 stable kernel updates.

https://access.redhat.com/security/cve/CVE-2019-20934 states that RHEL 7 is not affected by the issue, while RHEL 8 is affected. It should probably be the reverse:

* RHEL 8 has the fixes for the issue already.
* RHEL 7 is probably still affected.

------------------------------------------------------------

Details:

RHEL 7, kernel 3.10.0-1160.11.1.el7, do_execve_common:

```c
	/* execve succeeded */
	current->fs->in_exec = 0;
	current->in_execve = 0;
	membarrier_execve(current);
	acct_update_integrals(current);
	task_numa_free(current);
	free_bprm(bprm);
	putname(filename);
```

"task_numa_free(current)" was added there by the mainline commit 82727018b0d3 "sched/numa: Call task_numa_free() from do_execve()". The issue was introduced by this commit, if I understand it correctly.

The fixes from the mainline kernel are:

* 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers"
* cb361d8cdef6 "sched/fair: Use RCU accessors consistently for ->numa_group"

Neither is present in 3.10.0-1160.11.1.el7, so, I guess, this kernel from RHEL 7 is still affected.

------------------------------------------------------------

RHEL 8, kernel 4.18.0-240.8.1.el8_3, the code of interest is in __do_execve_file() now:

```c
	/* execve succeeded */
	current->fs->in_exec = 0;
	current->in_execve = 0;
	rseq_execve(current);
	acct_update_integrals(current);
	task_numa_free(current, false);	// <<< 'false' was added by mainline commit 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers"
	free_bprm(bprm);
	kfree(pathbuf);
```

Besides, kernel/sched/fair.c does use deref_task_numa_group() added by commit cb361d8cdef6.

So, it seems, both fixes mentioned above are present in 4.18.0-240.8.1.el8_3 and RHEL 8 is not actually affected.

Am I missing something?
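The fix that the comment above identifies in the RHEL 8 kernel, `task_numa_free(current, false)` from mainline commit 16d51a590a8ce, is easiest to understand as a change in who owns `p->numa_faults`. The following user-space model is an added example, not code from the bug report or from the kernel tree. It reproduces the logic of the fixed `task_numa_free()` alongside a reader modelled on `show_numa_stats()`; the struct layouts, the toy `NR_NODE_IDS` of 2, the plain `int` refcount and the absence of the kernel's spinlock and RCU accessors are all simplifications assumed here. The point it shows is why the execve path must zero the array instead of freeing it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_NUMA_HINT_FAULT_STATS 4      /* as in the kernel */
#define NR_NODE_IDS 2                   /* assumed toy topology */
#define NR_STATS (NR_NUMA_HINT_FAULT_STATS * NR_NODE_IDS)

/* Simplified stand-ins for the kernel structs (no lock, no RCU). */
struct numa_group {
	int refcount;                   /* kernel: refcount_t */
	int nr_tasks;
	unsigned long total_faults;
	unsigned long faults[NR_STATS];
};

struct task_struct {
	unsigned long *numa_faults;     /* NULL until NUMA balancing allocates it */
	unsigned long total_numa_faults;
	struct numa_group *numa_group;  /* kernel: RCU-protected pointer */
};

struct numa_group *numa_group_new(void)
{
	struct numa_group *grp = calloc(1, sizeof(*grp));
	if (grp)
		grp->refcount = 1;      /* reference held by the caller */
	return grp;
}

void put_numa_group(struct numa_group *grp)
{
	if (--grp->refcount == 0)
		free(grp);
}

/* Create a task that has recorded 'faults' and joined 'grp'. */
struct task_struct *numa_task_new(struct numa_group *grp,
				  const unsigned long faults[NR_STATS])
{
	struct task_struct *p = calloc(1, sizeof(*p));
	int i;

	if (!p || !(p->numa_faults = calloc(NR_STATS, sizeof(unsigned long)))) {
		free(p);
		return NULL;
	}
	for (i = 0; i < NR_STATS; i++) {
		p->numa_faults[i] = faults[i];
		p->total_numa_faults += faults[i];
		grp->faults[i] += faults[i];
	}
	grp->total_faults += p->total_numa_faults;
	grp->nr_tasks++;
	grp->refcount++;                /* the task now holds a reference */
	p->numa_group = grp;
	return p;
}

/* Fixed task_numa_free(): 'final' is true only on task teardown, false on execve. */
void task_numa_free(struct task_struct *p, bool final)
{
	struct numa_group *grp = p->numa_group;
	unsigned long *numa_faults = p->numa_faults;
	int i;

	if (!numa_faults)
		return;

	if (grp) {
		/* kernel: done under spin_lock_irqsave(&grp->lock, flags) */
		for (i = 0; i < NR_STATS; i++)
			grp->faults[i] -= p->numa_faults[i];
		grp->total_faults -= p->total_numa_faults;
		grp->nr_tasks--;
		p->numa_group = NULL;   /* kernel: RCU_INIT_POINTER(..., NULL) */
		put_numa_group(grp);
	}

	if (final) {
		/* Task is gone: no concurrent reader can still see the array. */
		p->numa_faults = NULL;
		free(numa_faults);
	} else {
		/*
		 * execve: a concurrent /proc reader may still hold the pointer,
		 * so keep the allocation and only reset the statistics.  The
		 * pre-fix code freed the array here instead.
		 */
		p->total_numa_faults = 0;
		for (i = 0; i < NR_STATS; i++)
			numa_faults[i] = 0;
	}
}

/* Reader modelled on show_numa_stats(): total faults, or -1 if no state. */
long show_numa_stats(const struct task_struct *p)
{
	long total = 0;
	int i;

	if (!p->numa_faults)
		return -1;
	for (i = 0; i < NR_STATS; i++)
		total += (long)p->numa_faults[i];
	return total;
}

int main(void)
{
	const unsigned long faults[NR_STATS] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	struct numa_group *grp = numa_group_new();
	struct task_struct *p = numa_task_new(grp, faults);

	printf("before execve: %ld\n", show_numa_stats(p));
	task_numa_free(p, false);       /* execve: array kept and zeroed */
	printf("after execve:  %ld\n", show_numa_stats(p));
	task_numa_free(p, true);        /* task exit: array freed */
	printf("after exit:    %ld\n", show_numa_stats(p));
	free(p);
	put_numa_group(grp);
	return 0;
}
```

Build with `cc -Wall` and run it; the three printed totals go 36, 0, -1. The invariant the fix establishes is that the `numa_faults` allocation lives exactly as long as the `task_struct`, so a `/proc/PID/sched` reader that has already passed its NULL check can never have the array freed out from under it; execve only resets the counts and drops the task's `numa_group` membership. The second mainline commit named above, cb361d8cdef6, addresses the `numa_group` pointer the same way by reading it only through RCU accessors, which this model leaves out.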
I'm looking at my investigation notes, and it appears I had confused two NUMA issues that I had been working on. For some reason my affected state here was duplicated into another issue. The only thing I can think of is that I had a previous bz number in my clipboard. Sorry for any confusion, I will restart the investigation from scratch.

EL8 marked notaffected, trackers closed.
EL7 marked affected, trackers opened; kernel-alt also affected, trackers opened.
Not valid for el5 and 6.

Mitigation:

As the NUMA features are built-in and enabled by default, the NUMA functionality can be disabled at boot time by providing the kernel parameter numa=off. The method of providing this parameter depends on the operating system version; see KCS article https://access.redhat.com/solutions/23216. Disabling this feature may have significant performance impacts, and the administrator should consider whether the performance penalty is a problem. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20934

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987