Bug 1703063 (CVE-2019-11487) - CVE-2019-11487 kernel: Count overflow in FUSE request leading to use-after-free issues.
Summary: CVE-2019-11487 kernel: Count overflow in FUSE request leading to use-after-fr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1703064 1705003 1705004 1705005 1705006 1705007 1705008 1705009 1705020 1738864 1738865 1753268 1836419 1836421 1836422 1836423 1836424
Blocks: 1703065
Reported: 2019-04-25 12:20 UTC by Marian Rehak
Modified: 2023-12-15 16:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of the FUSE filesystem, which allows a page reference counter to be overflowed. If a page reference counter overflows into a negative value, the page can be placed back on the "free" list for reuse by other applications while references to it still exist. This flaw allows a local attacker who can manipulate memory page reference counters to cause memory corruption and possible privilege escalation by triggering a use-after-free condition. The currently known attack requires the system to have approximately 140 GB of RAM; it may be possible to carry out the attack with less memory.
Clone Of:
Environment:
Last Closed: 2019-09-12 12:45:53 UTC
Embargoed:



Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2019:2767  0        None      None    None     2019-09-12 19:12:32 UTC
Red Hat Product Errata  RHBA-2020:0890  0        None      None    None     2020-03-18 07:42:19 UTC
Red Hat Product Errata  RHBA-2020:0894  0        None      None    None     2020-03-18 15:16:49 UTC
Red Hat Product Errata  RHBA-2020:0900  0        None      None    None     2020-03-19 09:34:27 UTC
Red Hat Product Errata  RHBA-2020:1430  0        None      None    None     2020-04-14 08:23:38 UTC
Red Hat Product Errata  RHBA-2020:1431  0        None      None    None     2020-04-14 08:15:20 UTC
Red Hat Product Errata  RHBA-2020:1432  0        None      None    None     2020-04-14 08:15:31 UTC
Red Hat Product Errata  RHSA-2019:2703  0        None      None    None     2019-09-10 19:00:16 UTC
Red Hat Product Errata  RHSA-2019:2741  0        None      None    None     2019-09-11 16:42:11 UTC
Red Hat Product Errata  RHSA-2020:0174  0        None      None    None     2020-01-21 15:49:48 UTC
Red Hat Product Errata  RHSA-2020:0834  0        None      None    None     2020-03-17 16:16:45 UTC
Red Hat Product Errata  RHSA-2020:0839  0        None      None    None     2020-03-17 16:17:50 UTC
Red Hat Product Errata  RHSA-2020:2851  0        None      None    None     2020-07-07 09:51:45 UTC
Red Hat Product Errata  RHSA-2020:3230  0        None      None    None     2020-07-29 21:40:45 UTC
Red Hat Product Errata  RHSA-2020:3266  0        None      None    None     2020-08-03 06:13:54 UTC
Red Hat Product Errata  RHSA-2020:4182  0        None      None    None     2020-10-07 20:16:15 UTC

Description Marian Rehak 2019-04-25 12:20:55 UTC
A flaw was found in the Linux kernel's implementation of the FUSE filesystem, which allows for a page reference counter overflow. If a page reference counter overflows into a negative value it can be put back into the "free" list for re-use by other applications.

A local attacker who is able to manipulate memory page reference counters can abuse this situation to allow for memory corruption and possibly privilege escalation by triggering a use-after-free condition.

The current attack requires the system to have approximately 140 GiB of RAM for this attack to be carried out. It may be possible that the attack can be carried out with lesser memory requirements.


Reporter information:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1752

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6b3a707736301c2128ca85ce85fb13f60b5e350a

Comment 1 Marian Rehak 2019-04-25 12:21:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1703064]

Comment 8 Miklos Szeredi 2019-05-01 15:10:55 UTC
Commits to backport (in commit order):

f958d7b528b1 mm: make page ref count overflow check tighter and more explicit
88b1a17dfc3e mm: add 'try_get_page()' helper function
8fde12ca79af mm: prevent get_user_pages() from overflowing page refcount
15fab63e1e57 fs: prevent page refcount overflow in pipe_buf_get

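The description above and the backport list in Comment 8 state the mechanism and the fix in terms of kernel internals. The following user-space model is an added illustration, not code from the kernel, the bug report or the listed commits. It replays both halves on a 32-bit signed counter: the pre-fix path where get_page() blindly increments, and the post-fix path where a try_get_page()-style check refuses a reference once the counter is no longer positive. The names `model_page`, `add_wrapping`, `put_page_n`, `try_get_page_model`, `zero_or_close_to_overflow` and the two scenario functions are this example's own; the refusal threshold (count <= 0) and the `(unsigned) count + 127u <= 127u` test are modelled on the helpers introduced by 88b1a17dfc3e and f958d7b528b1, and the model frees a page only when a decrement lands on zero, which is the put_page() rule. Nothing here touches FUSE, pipes or real pages; the reference counts are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * User-space model of a page reference counter. In the kernel,
 * page->_refcount is a 32-bit int; the put that drops it to zero frees the
 * page. This is an added illustration (not kernel code): it keeps the
 * counter modulo 2^32 and sets `freed` on the decrement that lands on zero.
 */
struct model_page {
    int32_t refcount;   /* signed, like page->_refcount */
    bool freed;         /* set by the put that reaches zero */
};

/* Add with 32-bit wrap-around. Unsigned arithmetic keeps the wrap defined;
 * the final conversion is implementation-defined but two's complement on
 * every compiler this is likely to meet. */
static int32_t add_wrapping(int32_t count, uint32_t delta)
{
    return (int32_t)((uint32_t)count + delta);
}

/* Pre-fix get_page(): blind increment, repeated n (mod 2^32) times. */
static void get_page_unchecked_n(struct model_page *p, uint32_t n)
{
    p->refcount = add_wrapping(p->refcount, n);
}

/* put_page() repeated n times. The decrement that reaches zero frees the
 * page; in the unsigned view that decrement exists iff 1 <= count <= n. */
static void put_page_n(struct model_page *p, uint32_t n)
{
    uint32_t before = (uint32_t)p->refcount;
    if (before != 0 && n >= before)
        p->freed = true;
    p->refcount = add_wrapping(p->refcount, 0u - n);
}

/* Modelled on try_get_page() (commit 88b1a17dfc3e): refuse the reference
 * when the counter is zero (page already free) or negative (the sign bit
 * has flipped, i.e. 2^31 or more references already exist). */
static bool try_get_page_model(struct model_page *p)
{
    if (p->refcount <= 0)
        return false;
    p->refcount = add_wrapping(p->refcount, 1);
    return true;
}

/* Modelled on page_ref_zero_or_close_to_overflow() (commit f958d7b528b1):
 * the unsigned trick is true exactly for counts in [-127, 0], a counter
 * that is zero or has come almost all the way round to zero. */
static bool zero_or_close_to_overflow(const struct model_page *p)
{
    return (uint32_t)p->refcount + 127u <= 127u;
}

/*
 * Scenario 1, pre-fix: a page held by one legitimate owner; an attacker
 * pins it `extra` more times through the unchecked path (a constructed
 * count, not a real FUSE or pipe workload); the owner then drops its
 * reference. Returns true when the page is freed while the attacker's
 * references are still live, i.e. a use-after-free.
 */
static bool unchecked_gets_free_live_page(uint64_t extra)
{
    struct model_page pg = { .refcount = 1, .freed = false };
    get_page_unchecked_n(&pg, (uint32_t)extra);   /* extra mod 2^32 */
    put_page_n(&pg, 1);                           /* owner lets go */
    return extra > 0 && pg.freed;
}

/*
 * Scenario 2, post-fix: the attacker must take every reference through
 * try_get_page_model(). It keeps going until the check refuses, then
 * releases everything it was granted. The first INT32_MAX - 1 successes
 * (counter 2 .. INT32_MAX) are taken as read so this runs instantly.
 * Stores the number of references granted in *granted and returns true
 * when the attacker was capped at the sign flip and the page was never
 * freed underneath its owner.
 */
static bool checked_path_caps_attacker(uint32_t *granted)
{
    struct model_page pg = { .refcount = INT32_MAX, .freed = false };
    uint32_t held = (uint32_t)INT32_MAX - 1;

    /* One more succeeds (INT32_MAX is positive) and wraps to INT32_MIN;
     * every attempt after that is refused. */
    while (try_get_page_model(&pg))
        held++;
    bool capped = (pg.refcount == INT32_MIN);

    put_page_n(&pg, held);              /* attacker releases all it holds */
    *granted = held;
    return capped && !pg.freed && pg.refcount == 1;
}

int main(void)
{
    uint32_t granted = 0;
    bool uaf = unchecked_gets_free_live_page((uint64_t)1 << 32);
    bool safe = checked_path_caps_attacker(&granted);

    printf("pre-fix: 2^32 extra refs, then owner put -> freed under live refs: %s\n",
           uaf ? "yes" : "no");
    printf("post-fix: attacker capped at %u refs, page survives: %s\n",
           (unsigned)granted, safe ? "yes" : "no");
    return 0;
}
```

Two things the model makes visible that the prose does not. First, a counter that has merely gone negative is not yet freed: modulo 2^32 it still equals the true number of references, and it takes 2^32 outstanding references for the owner's put to land on zero under a page that is still in use; with 2^31 extra references the first scenario returns false, with 2^32 it returns true. Second, the checked path stops granting at 2^31 - 1 references, after which the count reads INT32_MIN and every further try_get fails, so the attacker can never bring the counter round to zero, and releasing what was granted returns it to the owner's single reference. Each outstanding reference has to be held by some kernel object, which is presumably where the report's 140 GiB figure comes from.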
Comment 9 Justin M. Forbes 2019-06-10 15:33:02 UTC
This was fixed for Fedora with the 5.1 kernel rebases.

Comment 11 errata-xmlrpc 2019-09-10 19:00:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 12 errata-xmlrpc 2019-09-11 16:42:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 13 Product Security DevOps Team 2019-09-12 12:45:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11487

Comment 19 errata-xmlrpc 2020-01-21 15:49:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174

Comment 20 errata-xmlrpc 2020-03-17 16:16:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834

Comment 21 errata-xmlrpc 2020-03-17 16:17:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839

Comment 26 Wade Mealing 2020-06-03 00:55:08 UTC
Mitigation:

Preventing loading of the 'fuse' kernel module will prevent attackers from using this exploit against the system; however, the functionality of being able to access the filesystems that would be allowed by fuse would no longer be allowed. See "How do I blacklist a kernel module to prevent it from loading automatically?" (https://access.redhat.com/solutions/41278) for instructions on how to disable the 'fuse' kernel module from autoloading. This mitigation may not be suitable if access to the functionality provided by fuse is required.

Comment 27 errata-xmlrpc 2020-07-07 09:51:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851

Comment 28 errata-xmlrpc 2020-07-29 21:40:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230

Comment 29 errata-xmlrpc 2020-08-03 06:13:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:3266 https://access.redhat.com/errata/RHSA-2020:3266

Comment 34 errata-xmlrpc 2020-10-07 20:16:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:4182 https://access.redhat.com/errata/RHSA-2020:4182
