Bug 1743547 (CVE-2018-20976) - CVE-2018-20976 kernel: use-after-free in fs/xfs/xfs_super.c
Summary: CVE-2018-20976 kernel: use-after-free in fs/xfs/xfs_super.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20976
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1782047 1782048 1782049 1782050 1782051 1783127 1783128 1783129 1783130 1783131 1783132 1783133 1783134 1783135 1804344
Blocks: 1743613
Reported: 2019-08-20 08:19 UTC by msiddiqu
Modified: 2023-09-05 18:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of the XFS filesystem. A key data structure (sb->s_fs_info) may not be de-allocated when the system is under memory pressure. This same data structure is then used at a later time during filesystem operations. This could allow a local attacker who is able to groom memory to place an attacker-controlled data structure in this location and create a use-after-free situation which can result in memory corruption or privilege escalation.
Clone Of:
Environment:
Last Closed: 2020-01-21 20:09:34 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0178 0 None None None 2020-01-21 16:00:01 UTC
Red Hat Product Errata RHSA-2020:0543 0 None None None 2020-02-18 14:43:47 UTC
Red Hat Product Errata RHSA-2020:0592 0 None None None 2020-02-25 12:10:58 UTC
Red Hat Product Errata RHSA-2020:0609 0 None None None 2020-02-26 09:16:10 UTC
Red Hat Product Errata RHSA-2020:0661 0 None None None 2020-03-03 10:04:18 UTC

Description msiddiqu 2019-08-20 08:19:01 UTC
A flaw was found in the Linux kernel's implementation of the XFS filesystem where a key data structure (sb->s_fs_info) may not be de-allocated when the system is under memory pressure. This same data structure is then used at a later time during filesystem operations.

This could allow a local attacker who is able to groom memory to place an attacker-controlled data structure in this location and create a use-after-free situation which can result in memory corruption or possible privilege escalation.


Upstream patch:  

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9fbd7bbc23dbdd73364be4d045e5d3612cf6e82

Comment 18 Wade Mealing 2019-12-13 06:18:31 UTC
Statement:

Red Hat Enterprise Linux 7.6.z had fixed this flaw mid release without it being recognised as a CVE.  Prior releases of Red Hat Enterprise Linux EUS/AUS will still require the fix to be secure.  Trackers have been made and fixes will be available as part of the standard release cycle.

Comment 23 errata-xmlrpc 2020-01-21 15:59:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:0178 https://access.redhat.com/errata/RHSA-2020:0178

Comment 24 Product Security DevOps Team 2020-01-21 20:09:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20976

Comment 26 errata-xmlrpc 2020-02-18 14:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:0543 https://access.redhat.com/errata/RHSA-2020:0543

Comment 28 errata-xmlrpc 2020-02-25 12:10:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0592 https://access.redhat.com/errata/RHSA-2020:0592

Comment 29 errata-xmlrpc 2020-02-26 09:16:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2020:0609 https://access.redhat.com/errata/RHSA-2020:0609

Comment 30 errata-xmlrpc 2020-03-03 10:04:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:0661 https://access.redhat.com/errata/RHSA-2020:0661
