Bug 1711194 (CVE-2019-10142) - CVE-2019-10142 kernel: integer overflow in ioctl handling of fsl hypervisor
Summary: CVE-2019-10142 kernel: integer overflow in ioctl handling of fsl hypervisor
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10142
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1711195
Blocks: 1711196
TreeView+ depends on / blocked
 
Reported: 2019-05-17 07:52 UTC by Marian Rehak
Modified: 2021-02-16 21:56 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's freescale hypervisor manager implementation. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security affects.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:55:37 UTC
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2019-05-17 07:52:36 UTC 
A flaw was found in the Linux kernels freescale hypervisor manager implementation.  A parameter passed via to an ioctl was incorrectly validated and used in size calculations for page size calculation, 

The "param.count" value is a u64 from the user. The code later assumes that param.count is at least one, leading to ZERO_SIZE_PTR dereference in case it is not. Also the addition can have an integer overflow which leads to allocating fewer "pages" array than required.


Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c
Comment 1 Marian Rehak 2019-05-17 07:52:50 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1711195]
Comment 5 Fedora Update System 2019-05-25 03:35:24 UTC 
kernel-5.0.17-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Marian Rehak 2019-07-30 11:11:59 UTC 
Acknowledgments:

Name: Murray McAllister
Note You need to log in before you can comment on or make changes to this bug.