Bug 1709164 (CVE-2019-11810) - CVE-2019-11810 kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
Summary: CVE-2019-11810 kernel: a NULL pointer dereference in drivers/scsi/megaraid/me...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11810
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1772268 1772269 1668409 1709165 1709819 1712858 1712860 1712861 1712862 1712863 1712864 1712865 1712866 1712867 1712868
Blocks: 1709168
Reported: 2019-05-13 06:35 UTC by Marian Rehak
Modified: 2019-11-18 07:55 UTC (History)
CC List: 44 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, prior to version 5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c, where a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds(). An attacker who is able to load the megaraid_sas kernel module and groom memory beforehand could crash the system, leading to a denial of service (DoS); the issue is related to a use-after-free.
Clone Of:
Environment:
Last Closed: 2019-07-30 13:18:33 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1977 None None None 2019-07-30 14:16:01 UTC
Red Hat Product Errata RHSA-2019:1959 None None None 2019-07-30 09:42:18 UTC
Red Hat Product Errata RHSA-2019:1971 None None None 2019-07-30 11:02:11 UTC
Red Hat Product Errata RHSA-2019:2029 None None None 2019-08-06 12:04:46 UTC
Red Hat Product Errata RHSA-2019:2043 None None None 2019-08-06 12:07:11 UTC
Red Hat Product Errata RHSA-2019:2736 None None None 2019-09-11 15:29:26 UTC
Red Hat Product Errata RHSA-2019:2837 None None None 2019-09-20 10:53:13 UTC
Red Hat Product Errata RHSA-2019:3217 None None None 2019-10-29 12:55:41 UTC

Description Marian Rehak 2019-05-13 06:35:55 UTC
In the Linux kernel before 5.0.7, a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c, leading to Denial of Service, related to a use-after-free.

Upstream Patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcf3b67d16a4c8ffae0aa79de5853435e683945c

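The error path described in the report, modelled in user-space C as an added example (this is not the driver's code and not the upstream patch): the names alloc_cmds_before_fix, alloc_cmds_after_fix, create_frame_pool, free_cmds, init_adapter and the fail_frame_pool knob are assumptions standing in for the driver's routines. The "before" variant frees the command table on pool failure but still returns 0, so the caller goes on to dereference a NULL cmd_list; the "after" variant returns an error after freeing, which is the shape of the fix in the commit linked above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed user-space model of the driver state (not the driver's own types):
 * a command table built by alloc_cmds() plus a per-command frame buffer that
 * stands in for the DMA frame pool. */
struct cmd { int index; void *frame; };

struct instance {
    struct cmd **cmd_list;  /* command slots; NULL until allocated or after free */
    int max_fw_cmds;
    int fail_frame_pool;    /* test knob: force "frame pool" creation to fail */
};

/* Stand-in for megasas_create_frame_pool(): non-zero on failure. */
static int create_frame_pool(struct instance *inst)
{
    if (inst->fail_frame_pool)
        return -ENOMEM;
    for (int i = 0; i < inst->max_fw_cmds; i++) {
        inst->cmd_list[i]->frame = calloc(1, 64);
        if (!inst->cmd_list[i]->frame)
            return -ENOMEM;
    }
    return 0;
}

/* Stand-in for megasas_free_cmds(): tears down every slot and the table and
 * leaves cmd_list NULL. Safe to call again on an already-freed instance. */
static void free_cmds(struct instance *inst)
{
    if (!inst->cmd_list)
        return;
    for (int i = 0; i < inst->max_fw_cmds; i++) {
        if (inst->cmd_list[i]) {
            free(inst->cmd_list[i]->frame);
            free(inst->cmd_list[i]);
        }
    }
    free(inst->cmd_list);
    inst->cmd_list = NULL;
}

static int alloc_cmd_table(struct instance *inst)
{
    inst->cmd_list = calloc((size_t)inst->max_fw_cmds, sizeof(*inst->cmd_list));
    if (!inst->cmd_list)
        return -ENOMEM;
    for (int i = 0; i < inst->max_fw_cmds; i++) {
        inst->cmd_list[i] = calloc(1, sizeof(struct cmd));
        if (!inst->cmd_list[i]) {
            free_cmds(inst);
            return -ENOMEM;
        }
        inst->cmd_list[i]->index = i;
    }
    return 0;
}

/* Pre-fix shape: the pool failure frees the command table but control falls
 * through to "return 0", so the caller believes setup succeeded and keeps
 * using inst->cmd_list, which is now NULL. */
static int alloc_cmds_before_fix(struct instance *inst)
{
    int rc = alloc_cmd_table(inst);
    if (rc)
        return rc;
    if (create_frame_pool(inst)) {
        fprintf(stderr, "Error creating frame DMA pool\n");
        free_cmds(inst);
        /* bug: no error return here */
    }
    return 0;
}

/* Fixed shape: report the failure after freeing so the caller unwinds. */
static int alloc_cmds_after_fix(struct instance *inst)
{
    int rc = alloc_cmd_table(inst);
    if (rc)
        return rc;
    if (create_frame_pool(inst)) {
        fprintf(stderr, "Error creating frame DMA pool\n");
        free_cmds(inst);
        return -ENOMEM;
    }
    return 0;
}

/* Stand-in for the initialisation caller: trusts alloc_cmds()'s return value
 * and then touches the first command slot. In the kernel that touch on a NULL
 * cmd_list is the oops; here a guard records it in *would_crash instead. */
static int init_adapter(struct instance *inst,
                        int (*alloc_cmds)(struct instance *), int *would_crash)
{
    *would_crash = 0;
    int rc = alloc_cmds(inst);
    if (rc)
        return rc;          /* error propagated: nothing below runs */
    if (!inst->cmd_list) {
        *would_crash = 1;   /* would have been the NULL pointer dereference */
        return -EFAULT;
    }
    return inst->cmd_list[0]->index == 0 ? 0 : -EINVAL;
}

/* 1 if the buggy path leaves the caller dereferencing NULL on pool failure. */
int demo_buggy_path_would_crash(void)
{
    struct instance inst = { .cmd_list = NULL, .max_fw_cmds = 4, .fail_frame_pool = 1 };
    int crash;
    int rc = init_adapter(&inst, alloc_cmds_before_fix, &crash);
    free_cmds(&inst);
    return crash == 1 && rc == -EFAULT;
}

/* The errno the caller sees on pool failure with the fix (-ENOMEM), or 0 if
 * the caller would still have reached the NULL dereference. */
int demo_fixed_path_errno(void)
{
    struct instance inst = { .cmd_list = NULL, .max_fw_cmds = 4, .fail_frame_pool = 1 };
    int crash;
    int rc = init_adapter(&inst, alloc_cmds_after_fix, &crash);
    free_cmds(&inst);
    return crash ? 0 : rc;
}

/* 1 if the normal (no-failure) path initialises and tears down cleanly. */
int demo_success_path(void)
{
    struct instance inst = { .cmd_list = NULL, .max_fw_cmds = 4, .fail_frame_pool = 0 };
    int crash;
    int rc = init_adapter(&inst, alloc_cmds_after_fix, &crash);
    free_cmds(&inst);
    return rc == 0 && crash == 0;
}
```

Calling demo_buggy_path_would_crash() returns 1, demo_fixed_path_errno() returns -ENOMEM and demo_success_path() returns 1. The point the model makes is the one Wade Mealing's comment turns on: the dangerous state only exists in the window where a caller acts on a "successful" return after the table was already torn down, so the fix is simply to stop lying to the caller about the allocation result.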
Comment 1 Justin M. Forbes 2019-05-13 12:53:02 UTC
This was fixed for Fedora with the 5.0.7 stable updates.

Comment 2 Marian Rehak 2019-05-14 11:18:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1709819]

Comment 4 💾 Wade Mealing 💾 2019-05-22 07:26:28 UTC
It appears as though this flaw occurs during hardware initialization. This would be when the module is unloaded/loaded or loaded the first time when the system is booted. The upstream patch refers to this being a use-after-free (which could at some stage be abused for some kind of memory corruption or possibly further unknown effects).

The timing window for server-grade hardware to attack this is actually quite minimal and it's unlikely that network services are available during the time when this code would be run (usually during boot).

It might be possible that this module is loaded post boot (when a privileged user unloads and reloads the module). The small window of opportunity to exploit this flaw significantly increases its complexity for a local attacker to successfully exploit.

Comment 12 errata-xmlrpc 2019-07-30 09:42:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959

Comment 13 errata-xmlrpc 2019-07-30 11:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971

Comment 14 Product Security DevOps Team 2019-07-30 13:18:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11810

Comment 15 errata-xmlrpc 2019-08-06 12:04:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 16 errata-xmlrpc 2019-08-06 12:07:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 20 errata-xmlrpc 2019-09-11 15:29:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2736 https://access.redhat.com/errata/RHSA-2019:2736

Comment 21 errata-xmlrpc 2019-09-20 10:53:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:2837 https://access.redhat.com/errata/RHSA-2019:2837

Comment 25 errata-xmlrpc 2019-10-29 12:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

