An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed. It is possible that an attacker could use this flaw to leak kernel internal information to userspace for use in an additional attack. Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=1913 Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16d51a590a8ce3befb1308e0e7ab77f3b661af33
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1902790]
This was fixed for Fedora with the 5.2.6 stable kernel updates.
https://access.redhat.com/security/cve/CVE-2019-20934 states that RHEL 7 is not affected by the issue, while RHEL 8 is affected. It should probably be the reverse: * RHEL 8 has the fixes for the issue already. * RHEL 7 is probably still affected. ------------------------------------------------------------ Details: RHEL 7, kernel 3.10.0-1160.11.1.el7, do_execve_common: ---------------- /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; membarrier_execve(current); acct_update_integrals(current); task_numa_free(current); free_bprm(bprm); putname(filename); ---------------- "task_numa_free(current)" was added there by the mainline commit 82727018b0d3 "sched/numa: Call task_numa_free() from do_execve()". The issue was introduced by this commit, if I understand it correctly. The fixes from the mainline kernel are: * 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers" * cb361d8cdef6 "sched/fair: Use RCU accessors consistently for ->numa_group" Neither is present in 3.10.0-1160.11.1.el7, so, I guess, this kernel from RHEL 7 is still affected. ------------------------------------------------------------ RHEL 8, kernel 4.18.0-240.8.1.el8_3, the code of interest is in __do_execve_file() now: ---------------- /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; rseq_execve(current); acct_update_integrals(current); task_numa_free(current, false); // <<< 'false' was added by mainline commit 16d51a590a8ce "sched/fair: Don't free p->numa_faults with concurrent readers" free_bprm(bprm); kfree(pathbuf); ---------------- Besides, kernel/sched/fair.c does use deref_task_numa_group() added by commit cb361d8cdef6. So, it seems, both fixes mentioned above are present in 4.18.0-240.8.1.el8_3 and RHEL 8 is not actually affected. Am I missing something?
I'm looking at my investigation notes, and it appears I had confused two NUMA issues that I had been working on. For some reason my affected state here was duplicated into another issue. The only thing I can think of is that I had a previous bz number in my clipboard. Sorry for any confusion, I will restart the investigation from scratch.
EL8 marked notaffected, trackers closed EL7 marked affected, trackers opened, kernel-alt also affected, trackers opened. Not valid for el5 and 6.
Mitigation: As the NUMA features are built-in and enabled by default, the NUMA functionality can be disabled at boot time by providing the kernel parameter, numa=off. The method of providing this parameter depends on the operating system version, see KCS article https://access.redhat.com/solutions/23216. Disabling this feature may have significant performance impacts and the administrator should consider if the performance penalty is a problem. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2725 https://access.redhat.com/errata/RHSA-2021:2725
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:2726 https://access.redhat.com/errata/RHSA-2021:2726
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20934
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987