In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1792
https://seclists.org/oss-sec/2019/q1/166
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1686137]
Bit of a public update since people have been asking: The reproducer (and the theory) fails on both Red Hat Enterprise Linux 6 and 7. The commit which introduced this flaw is 32e4e6d5cbb0c0e427391635991fe65e17797af8 and it needs to be present to be exploited correctly. At this time this commit does not exist in Red Hat Enterprise Linux 6 and 7. This commit, however, IS present in the kernel-alt (ARM kernel) for rhel-7 based on 4.10. However, for the exploit to work correctly SELinux must be disabled. Other security mitigation technology will assist in mitigating this flaw from being useful (such as PXN (SMEP-like) and PAN (SMAP-like)), but is not considered an "absolute" defense; attackers may be able to work around these protection mechanisms.
Mitigation: Enabling SELinux prevents the public exploit from working correctly.
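The following shell script is an added example, not part of this bug report or of any Red Hat tooling. It checks, on a host, the three conditions the report ties to this flaw: whether the running kernel's upstream base version predates the 4.20.14 fix, whether vm.mmap_min_addr is set to a sane floor (65536 is assumed here as the expected value; adjust to your baseline), and whether SELinux is enforcing. The file paths default to the live kernel interfaces, but each check accepts a path argument so it can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the host-side conditions the
# report names for this flaw. Every check takes an optional path so it can be
# run against constructed sample files instead of the live kernel.

# Compare dotted kernel versions: returns 0 when $1 is older than $2.
# Only the first three numeric components are compared; any non-numeric
# suffix on a component (e.g. "rc1") is ignored.
version_lt() {
    a="$1."; b="$2."; i=1
    while [ "$i" -le 3 ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# vm.mmap_min_addr is the floor that the flawed expand_downwards skipped.
# The 65536 threshold is an assumption about the expected baseline.
# Returns 0 if the floor is at least 65536, 1 if lower, 2 if unreadable.
mmap_min_addr_ok() {
    f="${1:-/proc/sys/vm/mmap_min_addr}"
    [ -r "$f" ] || return 2
    v=$(cat "$f")
    case "$v" in ''|*[!0-9]*) return 2 ;; esac
    [ "$v" -ge 65536 ]
}

# SELinux enforcing is the mitigation the report names.
# Returns 0 if enforcing, 1 if permissive, 2 if SELinux is not mounted.
selinux_enforcing() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print a one-line verdict for each condition. Takes an optional kernel
# release string; defaults to the running kernel.
report() {
    rel="${1:-$(uname -r 2>/dev/null || echo 0.0.0)}"
    base="${rel%%-*}"   # drop the distro suffix, e.g. "-957.el7.x86_64"
    if version_lt "$base" 4.20.14; then
        echo "kernel $rel: upstream base predates the 4.20.14 fix; confirm the vendor backport via errata (RHEL: RHSA-2019:0831 / 1479 / 1480)"
    else
        echo "kernel $rel: upstream base is at or past the 4.20.14 fix"
    fi
    if mmap_min_addr_ok; then
        echo "vm.mmap_min_addr >= 65536: baseline floor in place"
    else
        echo "vm.mmap_min_addr low or unreadable: low-address user mappings are not blocked"
    fi
    if selinux_enforcing; then
        echo "SELinux enforcing: the public exploit is blocked per the report"
    else
        echo "SELinux not enforcing (or absent): the mitigation from the report is not in effect"
    fi
}

report "$@"
```

On an unpatched kernel a high vm.mmap_min_addr does not by itself close the hole, since the flaw is precisely that expand_downwards skipped that check; the script reports it only as a baseline setting. For RHEL the version line is advisory, because backported fixes leave the upstream base version unchanged, so the errata listed below are the authoritative indicator of whether a given kernel build carries the fix.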
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480