Bug 1696604 (CVE-2018-20449) - CVE-2018-20449 kernel: reading "callback=" lines in a debugfs file in drivers/dma/qcom/hidma_dbg.c results in information disclosure
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-20449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1696605
Blocks: 1696607
Reported: 2019-04-05 08:41 UTC by Marian Rehak
Modified: 2021-02-16 22:08 UTC

Fixed In Version:
Doc Text:
The hidma_chan_stats() function in the drivers/dma/qcom/hidma_dbg.c file in the Linux kernel allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file. By default, the debugfs filesystem access is restricted so only a privileged user can access it.
Clone Of:
Environment:
Last Closed: 2019-04-12 11:31:34 UTC
Embargoed:



Description Marian Rehak 2019-04-05 08:41:48 UTC
The hidma_chan_stats() function in the drivers/dma/qcom/hidma_dbg.c file in the Linux kernel allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file. By default debugfs filesystem access is restricted, so only a privileged user can access it.

References:

https://www.mail-archive.com/debian-security-tracker@lists.debian.org/msg03808.html 

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad67b74d2469d9b82aaa572d76474c95bc484d57

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91efafb1dd8f471177a3dddb4841d75d3df1cc46

Comment 1 Marian Rehak 2019-04-05 08:42:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1696605]

Comment 3 Justin M. Forbes 2019-04-11 19:57:06 UTC
This was mitigated in 4.15 and newer kernels with commit ad67b74d2469d9b82aaa572d76474c95bc484d57 "printk: hash addresses printed with %p"

Comment 6 Vladis Dronov 2019-04-12 11:31:34 UTC
Note:

RHEL-8 has the %p cloaking patchset integrated, so %p is cloaked if printed. RHEL-ALT is vulnerable to this flaw, but by default debugfs filesystem access is restricted, so only a privileged user (a real "root") can access it. Henceforth, we do not believe this issue is a security flaw. Earlier RHEL versions do not build and ship the code in question.
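
The two conditions discussed in this bug (mainline %p hashing from 4.15 onward, and debugfs being restricted to root) can be checked on a host with a short script. This is an added example, not part of the bug report or the kernel source; the function names and the sample mount line are constructed, and the version comparison assumes mainline numbering.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: mainline version
# numbers; a vendor kernel older than 4.15 may still carry a backport of
# the %p hashing commit, so treat "raw" as "check with the vendor".

# Return 0 if the release string is 4.15 or newer.
kernel_hashes_pointers() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 15 ]; }
}

# Read /proc/mounts-format lines on stdin and print the mode of each
# debugfs mount. debugfs shows "mode=" only when it is not the 0700 default.
debugfs_modes() {
    while read -r _dev _mnt fstype opts _rest; do
        [ "$fstype" = debugfs ] || continue
        mode=700
        case ",$opts" in
            *,mode=*) mode=${opts##*mode=}; mode=${mode%%,*} ;;
        esac
        echo "$mode"
    done
}

# Return 0 if the mode grants nothing to group or other (700, 0700).
mode_is_root_only() {
    case "$1" in *00) return 0 ;; *) return 1 ;; esac
}

# $1 = kernel release; mounts on stdin. Prints one verdict line.
assess() {
    if kernel_hashes_pointers "$1"; then
        echo "ok: %p is hashed"
        return 0
    fi
    verdict="ok: raw %p, but debugfs is root-only or not mounted"
    for mode in $(debugfs_modes); do
        mode_is_root_only "$mode" || verdict="exposed: raw %p and debugfs mode $mode"
    done
    echo "$verdict"
}

# Constructed sample: a 4.14 kernel with debugfs remounted world-readable.
printf '%s\n' 'debugfs /sys/kernel/debug debugfs rw,relatime,mode=755 0 0' |
    assess '4.14.0-0.constructed'
```

On a live host, run `assess "$(uname -r)" < /proc/mounts`. The mode check covers only the debugfs mount root; `uid=`/`gid=` mount options and per-file permissions inside it are not examined.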

