Bug 1902788 (CVE-2019-20934)

Summary: CVE-2019-20934 kernel: use-after-free in show_numa_stats function
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, aquini, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, eshatokhin, fhrbata, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, walters, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s implementation of displaying NUMA statistics, where displaying the scheduler statistics could trigger a use-after-free in show_numa_stats() and display the kernel memory to userspace. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-21 03:54:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1902790, 1908221, 1908222, 1908223, 1915635, 1915636, 1997751, 1997752    
Bug Blocks: 1902789    

Description Guilherme de Almeida Suckevicz 2020-11-30 17:12:52 UTC
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed.

It is possible that an attacker could use this flaw to leak kernel internal information to userspace for use in an additional attack.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2020-11-30 17:13:50 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1902790]

Comment 2 Justin M. Forbes 2020-12-01 13:42:39 UTC
This was fixed for Fedora with the 5.2.6 stable kernel updates.

Comment 8 Evgenii Shatokhin 2021-01-12 21:06:22 UTC
https://access.redhat.com/security/cve/CVE-2019-20934 states that RHEL 7 is not affected by the issue, while RHEL 8 is affected.

It should probably be the reverse:

* RHEL 8 has the fixes for the issue already.
* RHEL 7 is probably still affected.


RHEL 7, kernel 3.10.0-1160.11.1.el7, do_execve_common:
        /* execve succeeded */
        current->fs->in_exec = 0;
        current->in_execve = 0;

"task_numa_free(current)" was added there by the mainline commit 82727018b0d3 "sched/numa: Call task_numa_free() from do_execve()". The issue was introduced by this commit, if I understand it correctly.

The fixes from the mainline kernel are:
* 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers"
* cb361d8cdef6 "sched/fair: Use RCU accessors consistently for ->numa_group"

Neither is present in 3.10.0-1160.11.1.el7, so, I guess, this kernel from RHEL 7 is still affected.

RHEL 8, kernel 4.18.0-240.8.1.el8_3, the code of interest is in __do_execve_file() now:
        /* execve succeeded */
        current->fs->in_exec = 0;
        current->in_execve = 0;
        task_numa_free(current, false); // <<< 'false' was added by mainline commit 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers"

Besides, kernel/sched/fair.c does use deref_task_numa_group() added by commit cb361d8cdef6.

So, it seems, both fixes mentioned above are present in 4.18.0-240.8.1.el8_3 and RHEL 8 is not actually affected.

Am I missing something?

Comment 9 Wade Mealing 2021-01-13 03:43:37 UTC
I'm looking at my investigation notes, and it appears I had confused two NUMA issues that I had been working on.  For some reason my affected state here was duplicated into another issue.  The only thing I can think of is that I had a previous bz number in my clipboard.

Sorry for any confusion, I will restart the investigation from scratch.

Comment 11 Wade Mealing 2021-01-13 06:33:28 UTC
EL8 marked notaffected, trackers closed
EL7 marked affected, trackers opened,
kernel-alt also affected, trackers opened.

Not valid for el5 and 6.

Comment 16 RaTasha Tillery-Smith 2021-02-12 13:48:31 UTC

As the NUMA features are built-in and enabled by default, the NUMA functionality can be disabled at boot time by providing the kernel parameter, numa=off.

The method of providing this parameter depends on the operating system version, see KCS article https://access.redhat.com/solutions/23216.

Disabling this feature may have significant performance impacts and the administrator should consider if the performance penalty is a problem.

If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.

Comment 19 errata-xmlrpc 2021-07-21 01:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725

Comment 20 errata-xmlrpc 2021-07-21 01:08:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726

Comment 21 Product Security DevOps Team 2021-07-21 03:54:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 23 errata-xmlrpc 2021-10-26 07:38:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987