Bug 1715491 (CVE-2019-12379) - CVE-2019-12379 kernel: memory leak in con_insert_unipair in drivers/tty/vt/consolemap.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-12379
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1715703 1715704 1715705 1715706 1715707 1715708 1715709
Blocks: 1715560
Reported: 2019-05-30 13:32 UTC by msiddiqu
Modified: 2021-02-16 21:53 UTC

Fixed In Version:
Doc Text:
A flaw was discovered in the Linux kernel's con_insert_unipair function in drivers/tty/vt/consolemap.c. An attacker, with local physical access to the system and local virtual terminal level access, is able to leak memory in certain cases of ENOMEM outcomes of kmalloc.
Clone Of:
Environment:
Last Closed: 2019-08-01 11:56:37 UTC
Embargoed:



Description msiddiqu 2019-05-30 13:32:25 UTC
An issue was discovered in con_insert_unipair in drivers/tty/vt/consolemap.c in the Linux kernel. There is a memory leak in a certain case of an ENOMEM outcome of kmalloc.

This requires an attacker to be able to have local virtual-terminal level access and exploit this flaw during a low-memory condition to be successful.

This creates a memory-leak which could eventually consume all memory and crash the system.

Upstream patch: 

https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=84ecc2f6eb1cb12e6d44818f94fa49b50f06e6ac

Comment 4 Wade Mealing 2019-05-31 03:21:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1715706]

Comment 7 Vladis Dronov 2019-07-03 16:39:15 UTC
the suggested patch is incorrect and was reverted in the upstream:

https://lore.kernel.org/lkml/b99d0da6-a1d6-1c04-66ff-b2937d21d346@nvidia.com/
https://lore.kernel.org/lkml/201905242302.139A912@keescook/
https://lore.kernel.org/lkml/20190604180039.gai2phwdxn7ias6n@decadent.org.uk/

[ https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-next&id=15b3cd8ef46ad1b100e0d3c7e38774f330726820 ]
> However, if it looks up an *existing* middle layer and then fails to
> allocate a bottom layer, it now frees both p1 and p2 but does *not*
> free any other bottom layers under p1.  So it *introduces* a memory
> leak.
> 
> The error path also cleared the wrong index in p->uni_pgdir[],
> introducing a use-after-free.

Wade, Mohammad, could you please adjust the linked trackers accordingly?

Comment 9 Wade Mealing 2019-07-05 06:27:58 UTC
> The error path also cleared the wrong index in p->uni_pgdir[],
> introducing a use-after-free.

vdronov: how do you want them adjusted? We didn't ship the upstream patch yet afaics, so the product should remain in the state that we originally diagnosed the condition in.

If you want another CVE for the fix, that'd be a different flaw (since it introduced the UAF), but we didn't ship that code from what I can see.

Comment 11 Vladis Dronov 2019-07-09 21:43:17 UTC
(In reply to Wade Mealing from comment #9)
Hi, Wade!
Nice to meet you again!

> vdronov: how do you want them adjusted

I guess, just close trackers and this flaw with not-a-bug (per my understanding of the original code without the fix, there is really no memory leak, just a pre-allocation which may never be used).

Comment 12 Wade Mealing 2019-07-10 01:56:09 UTC
Righto, will do.

Comment 13 Wade Mealing 2019-07-10 05:28:32 UTC
Closed up all trackers.
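
A user-space model of the point made in comments 7 and 11, added here as an example (not kernel code and not from the bug thread): when the bottom-layer allocation fails, a middle layer already linked into the directory stays owned by it and is reclaimed at teardown, so the insert's error path has nothing to free. All names, the 32 x 32 x 64 table split and the allocation-failure hook are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
/* User-space model (not kernel code) of a directory -> middle -> bottom table.
 * Names and the 32 x 32 x 64 split are assumptions of this example. */
struct dir { uint16_t **mid[32]; };
static int fail_after = -1;  /* test hook: allocations left before one fails */
static int live_blocks, held_after_failure;  /* unfreed: now / after failure */
static void *model_alloc(size_t n) {
    if (fail_after >= 0 && fail_after-- == 0) return NULL;  /* injected ENOMEM */
    void *p = calloc(1, n);
    if (p) live_blocks++;
    return p;
}
static void model_free(void *p) { if (p) { free(p); live_blocks--; } }

/* On failure nothing is freed here: a middle layer created by this call is
 * already linked into d->mid[], so the directory owns it until teardown. */
static int dir_insert(struct dir *d, uint16_t code, uint16_t pos) {
    unsigned hi = code >> 11, lo = (code >> 6) & 0x1f;
    uint16_t **p1 = d->mid[hi];
    if (!p1 && !(p1 = d->mid[hi] = model_alloc(32 * sizeof(*p1)))) return -1;
    if (!p1[lo]) {
        if (!(p1[lo] = model_alloc(64 * sizeof(uint16_t)))) return -1;
        for (int k = 0; k < 64; k++) p1[lo][k] = 0xffff;   /* unmapped */
    }
    p1[lo][code & 0x3f] = pos;
    return 0;
}

/* Teardown walks every level, so each linked block is freed exactly once. */
static void dir_release(struct dir *d) {
    for (int i = 0; i < 32; i++) {
        for (int j = 0; d->mid[i] && j < 32; j++) model_free(d->mid[i][j]);
        model_free(d->mid[i]); d->mid[i] = NULL;
    }
}

/* Fails a bottom-layer allocation; returns unfreed blocks after teardown. */
static int leak_check(int existing_mid) {
    struct dir d = {{0}}; int bad = 0;
    live_blocks = 0; fail_after = -1;
    if (existing_mid) bad |= dir_insert(&d, 0x0041, 7) != 0;
    fail_after = existing_mid ? 0 : 1;   /* a new middle layer succeeds first */
    bad |= dir_insert(&d, 0x0081, 9) == 0;
    held_after_failure = live_blocks;
    if (existing_mid) bad |= d.mid[0][1][1] != 7;   /* earlier mapping intact */
    dir_release(&d);
    return bad ? -1 : live_blocks;   /* -1 signals an unexpected state */
}
int main(void) { return leak_check(0) || leak_check(1); }
```

`held_after_failure` is the count of blocks still linked into the table right after the failed insert; `leak_check` returning 0 shows they are all reclaimed by the teardown walk.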

