The Linux kernel allows local users to bypass ASLR protection for setuid a.out programs when CONFIG_IA32_AOUT is enabled and [ia32_aout] module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection. References: https://www.openwall.com/lists/oss-security/2019/04/03/4 https://www.openwall.com/lists/oss-security/2019/04/03/4/1
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1700008]
Fedora is not impacted by this issue: # CONFIG_IA32_AOUT is not set
Note: This bug is a sibling of the CVE-2019-11190 flaw (bz1699856), but in a.out format code, not in the ELF format code. While the flaw is indeed present in the upstream Linux kernel code, there is no patch for this, as the upstream current plan is to deprecate a.out format. Red Hat Enterprise Linux kernel does not build and ship the a.out format code, so no Red Hat products are vulnerable to this flaw.