Bug 1781679 (CVE-2019-19447) - CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
Summary: CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19447
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1801046 1801047 1801048 1801049 1781680 1801050
Blocks: 1781681
TreeView+ depends on / blocked
 
Reported: 2019-12-10 11:37 UTC by Marian Rehak
Modified: 2020-05-13 22:16 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's ext4_unlink function. An attacker could corrupt memory or escalate privileges when deleting a file from a recently unmounted specially crafted ext4 filesystem, including local, USB, and iSCSI.
Clone Of:
Environment:
Last Closed: 2020-05-12 16:32:05 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2104 None None None 2020-05-12 15:12:31 UTC

Description Marian Rehak 2019-12-10 11:37:25 UTC
A user with permissions to mount and unmount a crafted ext4 file system, via any transport mechanism (local, USB, ISCSI) can lead to a use-after-free when attempting to delete a directory after the disk has been umounted.

This can lead to possible memory corruption and privilege escalation.

External Reference:

https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447
https://bugzilla.kernel.org/show_bug.cgi?id=205433

Comment 1 Marian Rehak 2019-12-10 11:37:47 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1781680]

Comment 8 Eric Christensen 2020-02-13 16:36:10 UTC
Mitigation:

Ext4 filesytems are built into the kernel so it is not possible to prevent the kernel module from loading.  However, this flaw can be prevented by disallowing mounting of untrusted filesystems.

As mounting is a privileged operation, (except for device hotplug) removing the ability for mounting and unmounting will prevent this flaw from being exploited.

Comment 9 errata-xmlrpc 2020-05-12 15:12:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104

Comment 10 Product Security DevOps Team 2020-05-12 16:32:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19447

Comment 11 Justin M. Forbes 2020-05-13 22:16:45 UTC
This was fixed for Fedora in the 5.4.4 stable kernel update.


Note You need to log in before you can comment on or make changes to this bug.