Bug 1786164 (CVE-2019-19768) - CVE-2019-19768 kernel: use-after-free in __blk_add_trace in kernel/trace/blktrace.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1798306 1798308 1798309 1798310 1798318 1798325 1786166 1798307 1798311 1798312 1798313 1798314 1798316 1798317 1798319 1798320 1798321 1798322 1798323 1798324 1798326 1798327 1798328 1798329 1798330 1798331 1798332 1798333 1798334 1798335 1798337 1798338 1798339 1804310 1804318 1806367 1806368 1806369 1806370 1806393
Blocks: 1786167
Reported: 2019-12-23 17:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-06-19 01:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel’s implementation of blktrace in the __blk_add_trace function. A local attacker with permissions to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free to create a condition where the memory is corrupted and cause privilege escalation.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:35:05 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2052 None None None 2020-05-11 12:54:00 UTC
Red Hat Product Errata RHBA-2020:2233 None None None 2020-05-20 12:27:42 UTC
Red Hat Product Errata RHBA-2020:2626 None None None 2020-06-19 01:50:11 UTC
Red Hat Product Errata RHSA-2020:1567 None None None 2020-04-28 15:25:24 UTC
Red Hat Product Errata RHSA-2020:1769 None None None 2020-04-28 15:51:59 UTC
Red Hat Product Errata RHSA-2020:1966 None None None 2020-04-29 09:36:08 UTC
Red Hat Product Errata RHSA-2020:2082 None None None 2020-05-12 18:38:24 UTC
Red Hat Product Errata RHSA-2020:2085 None None None 2020-05-12 18:38:40 UTC
Red Hat Product Errata RHSA-2020:2104 None None None 2020-05-12 15:12:39 UTC
Red Hat Product Errata RHSA-2020:2199 None None None 2020-05-19 12:38:08 UTC
Red Hat Product Errata RHSA-2020:2203 None None None 2020-05-19 12:38:34 UTC
Red Hat Product Errata RHSA-2020:2214 None None None 2020-05-19 14:41:33 UTC
Red Hat Product Errata RHSA-2020:2242 None None None 2020-05-20 17:35:40 UTC
Red Hat Product Errata RHSA-2020:2277 None None None 2020-05-26 09:39:56 UTC
Red Hat Product Errata RHSA-2020:2285 None None None 2020-05-26 08:48:35 UTC
Red Hat Product Errata RHSA-2020:2289 None None None 2020-05-26 11:17:19 UTC
Red Hat Product Errata RHSA-2020:2291 None None None 2020-05-26 11:17:33 UTC
Red Hat Product Errata RHSA-2020:2519 None None None 2020-06-11 01:33:21 UTC
Red Hat Product Errata RHSA-2020:2522 None None None 2020-06-11 02:10:21 UTC

Description Guilherme de Almeida Suckevicz 2019-12-23 17:30:53 UTC
A use-after-free flaw was found in the Linux kernel's implementation of blktrace in the __blk_add_trace function. A local attacker with permissions to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free to create a condition where memory is corrupted, and privilege escalation is also likely.


Reference:
https://bugzilla.kernel.org/show_bug.cgi?id=205711

Patch:
A patch may be attached to the bugzilla.kernel.org bug, but no patch exists at this time.

Comment 1 Guilherme de Almeida Suckevicz 2019-12-23 17:33:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1786166]

Comment 3 Wade Mealing 2020-02-04 08:06:42 UTC
While this flaw is rated as important, it was a difficult decision to make.  Users who are granted permissions on system block devices can likely find other ways of doing this, such as modifying the setuid bits on mounted filesystems, or perverting the contents of setuid files, or just the password file itself if they can access it on that block device.

Comment 14 Justin M. Forbes 2020-03-20 15:17:08 UTC
This was fixed for Fedora with the 5.5.8 stable kernel updates.

Comment 15 errata-xmlrpc 2020-04-28 15:25:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1567 https://access.redhat.com/errata/RHSA-2020:1567

Comment 16 errata-xmlrpc 2020-04-28 15:51:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1769 https://access.redhat.com/errata/RHSA-2020:1769

Comment 17 Product Security DevOps Team 2020-04-28 16:35:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19768

Comment 18 errata-xmlrpc 2020-04-29 09:36:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1966 https://access.redhat.com/errata/RHSA-2020:1966

Comment 19 errata-xmlrpc 2020-05-12 15:12:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104

Comment 20 errata-xmlrpc 2020-05-12 18:38:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2082 https://access.redhat.com/errata/RHSA-2020:2082

Comment 21 errata-xmlrpc 2020-05-12 18:38:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2085 https://access.redhat.com/errata/RHSA-2020:2085

Comment 22 errata-xmlrpc 2020-05-19 12:37:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2199 https://access.redhat.com/errata/RHSA-2020:2199

Comment 23 errata-xmlrpc 2020-05-19 12:38:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2203 https://access.redhat.com/errata/RHSA-2020:2203

Comment 24 errata-xmlrpc 2020-05-19 14:41:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:2214 https://access.redhat.com/errata/RHSA-2020:2214

Comment 25 errata-xmlrpc 2020-05-20 17:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:2242 https://access.redhat.com/errata/RHSA-2020:2242

Comment 27 errata-xmlrpc 2020-05-26 08:48:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2285 https://access.redhat.com/errata/RHSA-2020:2285

Comment 28 errata-xmlrpc 2020-05-26 09:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2277 https://access.redhat.com/errata/RHSA-2020:2277

Comment 29 errata-xmlrpc 2020-05-26 11:17:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2289 https://access.redhat.com/errata/RHSA-2020:2289

Comment 30 errata-xmlrpc 2020-05-26 11:17:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2291 https://access.redhat.com/errata/RHSA-2020:2291

Comment 32 errata-xmlrpc 2020-06-11 01:33:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2519 https://access.redhat.com/errata/RHSA-2020:2519

Comment 33 errata-xmlrpc 2020-06-11 02:10:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522
