A flaw was found in the Linux kernel's implementation of the FUSE filesystem, which allows for a page reference counter overflow. If a page reference counter overflows into a negative value it can be put back into the "free" list for re-use by other applications. A local attacker who is able to manipulate memory page reference counters can abuse this situation to cause memory corruption and possibly privilege escalation by triggering a use-after-free condition. The current attack requires the system to have approximately 140 GiB of RAM to be carried out. It may be possible that the attack can be carried out with lower memory requirements.

Reporter information: https://bugs.chromium.org/p/project-zero/issues/detail?id=1752
Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6b3a707736301c2128ca85ce85fb13f60b5e350a
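The following is an added user-space model, not code from the Red Hat bug, the Project Zero report or the kernel, of the signed 32-bit page reference counter described above and of the two checks the upstream fix introduced: page_ref_zero_or_close_to_overflow() (commit f958d7b528b1) and try_get_page() (commit 88b1a17dfc3e). The kernel keeps the count in an atomic_t that wraps silently; the model emulates that with unsigned arithmetic. The starting counter values fed to simulate_refs() are assumptions standing in for the roughly 2^31 references the real attack must accumulate, so the wrap can be observed without looping that many times.

```c
/*
 * Added illustration (not kernel code): the signed 32-bit page refcount,
 * the pre-fix unchecked increment, and the checks added by f958d7b528b1
 * and 88b1a17dfc3e. Unsigned arithmetic emulates atomic_t wrap-around
 * without signed-overflow undefined behaviour.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct page {
    int refcount;               /* models page->_refcount */
};

static int page_ref_count(const struct page *page)
{
    return page->refcount;
}

/* Wrapping increment, like atomic_inc() on a 32-bit atomic_t. */
static void page_ref_inc(struct page *page)
{
    page->refcount = (int)((unsigned int)page->refcount + 1u);
}

/* Pre-fix get_page(): no bound check, so the count wraps through INT_MAX
 * into negative values and, with further takes, back through zero. */
static void get_page_unchecked(struct page *page)
{
    page_ref_inc(page);
}

/* Check from f958d7b528b1: flags counts in [-127, 0], i.e. a counter that
 * has underflowed or is about to wrap back through zero. In the kernel it
 * sits behind a VM_BUG_ON in get_page(). */
static bool page_ref_zero_or_close_to_overflow(const struct page *page)
{
    return ((unsigned int)page_ref_count(page) + 127u) <= 127u;
}

/* Helper so the check can be exercised on a bare count value. */
static bool refcount_close_to_overflow(int count)
{
    struct page page = { .refcount = count };
    return page_ref_zero_or_close_to_overflow(&page);
}

/* Post-fix try_get_page() from 88b1a17dfc3e: refuse a reference once the
 * count is zero or negative. A single wrap past INT_MAX is still possible,
 * but every attempt after it fails, so the count cannot be driven around
 * to zero while references are outstanding. */
static bool try_get_page(struct page *page)
{
    if (page_ref_count(page) <= 0)
        return false;
    page_ref_inc(page);
    return true;
}

struct sim_result {
    int final_count;            /* counter value after the attempts */
    unsigned long granted;      /* references actually handed out */
};

/* Attempt n reference takes from an assumed starting counter value. */
static struct sim_result simulate_refs(int start, unsigned long n, bool checked)
{
    struct page page = { .refcount = start };
    struct sim_result r = { 0, 0 };

    for (unsigned long i = 0; i < n; i++) {
        if (checked) {
            if (try_get_page(&page))
                r.granted++;
        } else {
            get_page_unchecked(&page);
            r.granted++;
        }
    }
    r.final_count = page.refcount;
    return r;
}

int main(void)
{
    /* Assumed start values: just below INT_MAX, and already wrapped negative. */
    struct sim_result a = simulate_refs(INT_MAX - 2, 5, false);
    struct sim_result b = simulate_refs(INT_MAX - 2, 5, true);
    struct sim_result c = simulate_refs(-3, 5, false);
    struct sim_result d = simulate_refs(-3, 5, true);

    printf("unchecked near INT_MAX:    granted %lu, count %d\n", a.granted, a.final_count);
    printf("try_get_page near INT_MAX: granted %lu, count %d\n", b.granted, b.final_count);
    printf("unchecked from -3:         granted %lu, count %d (wrapped through 0)\n", c.granted, c.final_count);
    printf("try_get_page from -3:      granted %lu, count %d\n", d.granted, d.final_count);
    printf("close_to_overflow(-3) = %d\n", refcount_close_to_overflow(-3));
    return 0;
}
```

The unchecked path hands out every reference and lets the counter pass through zero, which is the state the description above calls "free" and the point at which a page with live references can be reallocated. The checked path stops handing out references as soon as the counter is non-positive, so an attacker cannot complete the second half of the wrap.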
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1703064]
Commits to backport (in commit order):
f958d7b528b1 mm: make page ref count overflow check tighter and more explicit
88b1a17dfc3e mm: add 'try_get_page()' helper function
8fde12ca79af mm: prevent get_user_pages() from overflowing page refcount
15fab63e1e57 fs: prevent page refcount overflow in pipe_buf_get
This was fixed for Fedora with the 5.1 kernel rebases.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11487
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0174 https://access.redhat.com/errata/RHSA-2020:0174
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0834 https://access.redhat.com/errata/RHSA-2020:0834
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0839 https://access.redhat.com/errata/RHSA-2020:0839
Mitigation: Preventing the 'fuse' kernel module from loading will prevent attackers from using this exploit against the system; however, the ability to access the filesystems that fuse provides would no longer be available. See "How do I blacklist a kernel module to prevent it from loading automatically?" (https://access.redhat.com/solutions/41278) for instructions on how to disable the 'fuse' kernel module from autoloading. This mitigation may not be suitable if access to the functionality provided by fuse is required.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support
Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2020:3266 https://access.redhat.com/errata/RHSA-2020:3266
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:4182 https://access.redhat.com/errata/RHSA-2020:4182