An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc. This requires an attacker to be able to have local virtual-terminal level access and exploit this flaw during a low-memory condition to be successful. This creates a memory leak which could eventually consume all memory and crash the system.

Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1715706]
The suggested patch is incorrect and was reverted upstream:
https://lore.kernel.org/lkml/b99d0da6-a1d6-1c04-66ff-b2937d21d346@nvidia.com/
https://lore.kernel.org/lkml/201905242302.139A912@keescook/
https://lore.kernel.org/lkml/20190604180039.gai2phwdxn7ias6n@decadent.org.uk/
[ https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=15b3cd8ef46ad1b100e0d3c7e38774f330726820 ]

> However, if it looks up an *existing* middle layer and then fails to
> allocate a bottom layer, it now frees both p1 and p2 but does *not*
> free any other bottom layers under p1. So it *introduces* a memory
> leak.
>
> The error path also cleared the wrong index in p->uni_pgdir[],
> introducing a use-after-free.

Wade, Mohammad, could you please adjust the linked trackers accordingly?
> The error path also cleared the wrong index in p->uni_pgdir[],
> introducing a use-after-free.

vdronov: how do you want them adjusted? We didn't ship the upstream patch yet afaics, so the product should remain in the state that we originally diagnosed the condition in. If you want another CVE for the fix, that'd be a different flaw (since it introduced the UAF), but we didn't ship that code from what I can see.
(In reply to Wade Mealing from comment #9)

Hi, Wade! Nice to meet you again!

> vdronov: how do you want them adjusted

I guess, just close trackers and this flaw with not-a-bug (per my understanding of the original code without the fix, there is really no memory leak, just a pre-allocation which may never be used).
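As an added illustration of the reasoning in the comments above (a hypothetical model written for this page, not the kernel's consolemap.c code), here is a two-level table in C whose insert path pre-allocates a middle layer and whose ENOMEM path leaves a looked-up middle layer and its other bottom layers untouched. The names `struct table`, `table_insert`, `table_destroy`, `model_alloc` and the fault-injection counter are assumptions of this example. A teardown that walks the directory reclaims any pre-allocated middle layer, which is why such a pre-allocation is not a leak; freeing a middle layer the call merely looked up, or clearing a directory slot other than the one it filled, would be the leak and use-after-free the revert describes.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model of a two-level glyph table (NOT the kernel's
 * consolemap.c): a directory of middle layers, each holding pointers
 * to bottom layers of ROW_LEN 16-bit entries. */
#define DIR_SIZE 32
#define ROW_SIZE 32
#define ROW_LEN  64

struct bottom { uint16_t glyph[ROW_LEN]; };
struct middle { struct bottom *rows[ROW_SIZE]; };
struct table  { struct middle *dir[DIR_SIZE]; };

/* Fault-injecting allocator (constructed for this example): fail_after
 * counts down successful allocations so a caller can force the ENOMEM
 * path at a chosen point; live_allocs tracks outstanding allocations. */
static int fail_after = -1;
static int live_allocs = 0;

void set_fail_after(int n) { fail_after = n; }
int  live_allocations(void) { return live_allocs; }

static void *model_alloc(size_t n)
{
    if (fail_after == 0)
        return NULL;
    if (fail_after > 0)
        fail_after--;
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void model_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Insert glyph at (idx1, idx2, idx3). Returns 0, -1 on bad index,
 * -12 (ENOMEM) on allocation failure. On ENOMEM a middle layer that
 * was just allocated stays in the directory: it is still reachable
 * and is reclaimed by table_destroy, so nothing is lost. A middle
 * layer that already existed is never freed here, because its other
 * bottom layers still hang off it. */
int table_insert(struct table *t, unsigned idx1, unsigned idx2,
                 unsigned idx3, uint16_t glyph)
{
    if (idx1 >= DIR_SIZE || idx2 >= ROW_SIZE || idx3 >= ROW_LEN)
        return -1;

    struct middle *p1 = t->dir[idx1];
    if (!p1) {
        p1 = model_alloc(sizeof *p1);   /* pre-allocate middle layer */
        if (!p1)
            return -12;
        t->dir[idx1] = p1;              /* fill exactly this slot */
    }

    struct bottom *p2 = p1->rows[idx2];
    if (!p2) {
        p2 = model_alloc(sizeof *p2);
        if (!p2)
            return -12;                 /* p1 remains reachable via dir */
        p1->rows[idx2] = p2;
    }

    p2->glyph[idx3] = glyph;
    return 0;
}

/* Teardown walks every directory slot, so a pre-allocated middle layer
 * with no bottom layers is freed like any other. */
void table_destroy(struct table *t)
{
    for (unsigned i = 0; i < DIR_SIZE; i++) {
        struct middle *p1 = t->dir[i];
        if (!p1)
            continue;
        for (unsigned j = 0; j < ROW_SIZE; j++)
            model_free(p1->rows[j]);
        model_free(p1);
        t->dir[i] = NULL;
    }
}

/* Scenario: returns 0 when every invariant holds, else a step number. */
int run_scenario(void)
{
    struct table t;
    memset(&t, 0, sizeof t);

    set_fail_after(-1);
    if (table_insert(&t, 0, 0, 0, 0x41) != 0) return 1;   /* 2 allocs */

    set_fail_after(0);                  /* existing middle, bottom fails */
    if (table_insert(&t, 0, 1, 0, 0x42) != -12) return 2;
    if (!t.dir[0] || !t.dir[0]->rows[0] ||
        t.dir[0]->rows[0]->glyph[0] != 0x41) return 3;    /* row 0 intact */

    set_fail_after(1);                  /* new middle ok, bottom fails */
    if (table_insert(&t, 5, 0, 0, 0x43) != -12) return 4;
    if (!t.dir[5]) return 5;            /* pre-allocation still reachable */
    if (live_allocations() != 3) return 6;

    set_fail_after(-1);
    table_destroy(&t);
    if (live_allocations() != 0) return 7;  /* teardown reclaimed it all */
    return 0;
}

int main(void)
{
    return run_scenario();
}
```

The scenario exercises both failure shapes named in the revert: an ENOMEM under an existing middle layer must leave that layer and its sibling rows alone, and an ENOMEM right after a fresh middle-layer allocation leaves that layer reachable through the directory, where `table_destroy` frees it.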
Righto, will do.
Closed up all trackers.