Bug 1695074 (CVE-2019-10125) - CVE-2019-10125 kernel: use-after-free in aio_poll() in fs/aio.c
Summary: CVE-2019-10125 kernel: use-after-free in aio_poll() in fs/aio.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1695075 1711111 1711112 1711113 1711114
Blocks: 1695077
Reported: 2019-04-02 12:43 UTC by msiddiqu
Modified: 2021-02-16 22:09 UTC
CC List: 43 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel's aio_poll() function in fs/aio.c. If the polled event fires immediately after vfs_poll() returns (for example because the polled file descriptor is closed), aio_poll_wake() can release the file while aio_poll() still uses it. A local attacker able to submit AIO poll requests could use this to corrupt kernel memory and possibly execute arbitrary code, resulting in privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-07-31 13:57:54 UTC
Embargoed:



Description msiddiqu 2019-04-02 12:43:27 UTC
A use-after-free flaw was discovered in aio_poll() in fs/aio.c in the Linux kernel. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

The use-after-free could possibly be used to create memory corruption or possibly privilege escalation by a determined attacker.

References: 
https://patchwork.kernel.org/patch/10828359/
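
The lifetime problem described above, as an added illustration that is not code from this page, from the reporter, or from the kernel: a single-threaded C model of the file reference's lifetime in which the wakeup is simulated in-line, right after the point where vfs_poll() would have registered the wait entry. The "vulnerable" flow has the completion path drop the file reference while the submitting path still touches the file afterwards; the "fixed" flow follows this editor's reading of the upstream change (the request takes ownership of the file reference and drops it exactly once, when the last reference on the request goes away). Every struct and function name here (mfile, vreq, freq, mfget, mfput, run_flow, and the aio_poll_*/aio_poll_wake_* stand-ins) is invented for the model and is not a kernel identifier; a freed file is tracked with a flag and an access counter rather than actually freed, so the program reports the use-after-free instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for struct file: a refcount plus bookkeeping so that a
 * use-after-free is counted rather than crashing the process. */
struct mfile {
    int  refcnt;          /* like f_count */
    int  releases;        /* how many times the file was "freed" */
    bool freed;
};

static int uaf_accesses;  /* accesses to a file after it was freed */

static void mfget(struct mfile *f) { f->refcnt++; }

static void mfput(struct mfile *f)
{
    if (f->freed) { uaf_accesses++; return; }  /* put on a freed file */
    if (--f->refcnt == 0) { f->freed = true; f->releases++; }
}

/* Stand-in for reading a field of the file after vfs_poll() returns. */
static unsigned mfile_poll_mask(const struct mfile *f)
{
    if (f->freed) uaf_accesses++;
    return 0x1u;                     /* stands in for POLLIN */
}

/* ---- vulnerable flow: the completion path releases the file ------- */
struct vreq { struct mfile *file; bool completed; };

static void aio_poll_wake_vuln(struct vreq *req)
{
    req->completed = true;
    mfput(req->file);                /* completion drops the reference */
}

static unsigned aio_poll_vuln(struct mfile *f, bool event_fires_immediately)
{
    struct vreq req = { .file = f, .completed = false };
    mfget(f);                        /* reference for the in-flight poll */
    /* vfs_poll() registers the wait entry; from here on the wakeup can
     * run.  Model the "expected event is triggered immediately" case:
     * the descriptor is closed (fd-table reference dropped) and the wake
     * completes the request before control returns to aio_poll(). */
    if (event_fires_immediately) {
        mfput(f);                    /* close(): fd-table reference gone */
        aio_poll_wake_vuln(&req);    /* last reference dropped: file freed */
    }
    /* Back in aio_poll(): req.file is still used as if it were ours. */
    return mfile_poll_mask(req.file);   /* use-after-free when completed */
}

/* ---- fixed flow: the request owns the file reference -------------- */
struct freq { struct mfile *file; int refs; bool completed; };

static void req_put(struct freq *req)
{
    if (--req->refs == 0)
        mfput(req->file);            /* the single fput, on request teardown */
}

static void aio_poll_wake_fixed(struct freq *req)
{
    req->completed = true;
    req_put(req);                    /* completion's reference on the request */
}

static unsigned aio_poll_fixed(struct mfile *f, bool event_fires_immediately)
{
    /* Two references on the request: the submitter's and the completion's. */
    struct freq req = { .file = f, .refs = 2, .completed = false };
    mfget(f);                        /* reference now owned by the request */
    if (event_fires_immediately) {
        mfput(f);                    /* close(): fd-table reference gone */
        aio_poll_wake_fixed(&req);   /* file still pinned by the request */
    }
    unsigned mask = mfile_poll_mask(req.file);  /* safe: submitter's ref holds it */
    req_put(&req);                   /* submitter done; frees only if completion ran */
    return mask;
}

/* Run one flow on a constructed file that starts with only the fd-table
 * reference; returns the number of use-after-free accesses observed and
 * reports how often the file was released. */
static int run_flow(bool fixed, bool event_fires_immediately, int *releases)
{
    struct mfile f = { .refcnt = 1, .releases = 0, .freed = false };
    uaf_accesses = 0;
    if (fixed)
        aio_poll_fixed(&f, event_fires_immediately);
    else
        aio_poll_vuln(&f, event_fires_immediately);
    *releases = f.releases;
    return uaf_accesses;
}

int main(void)
{
    int rel;
    int uaf = run_flow(false, true, &rel);
    printf("vulnerable, immediate wake: releases=%d uaf_accesses=%d\n", rel, uaf);
    uaf = run_flow(true, true, &rel);
    printf("fixed,      immediate wake: releases=%d uaf_accesses=%d\n", rel, uaf);
    return 0;
}
```

With an immediate wakeup the vulnerable flow releases the file once and then touches it once more (one use-after-free access); the fixed flow touches it safely and releases it once, at request teardown. Without an immediate wakeup neither flow releases the file, because the pending request still holds it, which is the state an in-flight poll is supposed to be in.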

Comment 1 msiddiqu 2019-04-02 12:43:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1695075]

Comment 2 Justin M. Forbes 2019-04-03 13:24:12 UTC
The linked patch is actually not sufficient, the patch that went upstream is commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
This was fixed for Fedora with the 5.0.5 stable release.

Comment 4 msiddiqu 2019-04-03 13:39:09 UTC
In reply to comment #2:
> The linked patch is actually not sufficient, the patch that went upstream is
> commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
> This was fixed for Fedora with the 5.0.5 stable release.

Thanks for the patch info, I've updated it.

