Bug 1695074 (CVE-2019-10125) - CVE-2019-10125 kernel: use-after-free in aio_poll() in fs/aio.c
Summary: CVE-2019-10125 kernel: use-after-free in aio_poll() in fs/aio.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1695075 Engineering1711111 Engineering1711112 Engineering1711113 Engineering1711114
Blocks: Embargoed1695077
TreeView+ depends on / blocked
 
Reported: 2019-04-02 12:43 UTC by msiddiqu
Modified: 2021-02-16 22:09 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's aio_poll() function. Due to incorrect logic, this flaw can create a use-after-free memory condition where an attacker could submit malicious input to possibly execute arbitrary code resulting in privilege escalation.
Clone Of:
Environment:
Last Closed: 2019-07-31 13:57:54 UTC


Attachments (Terms of Use)

Description msiddiqu 2019-04-02 12:43:27 UTC
An use-after-free flaw was discovered in aio_poll() in fs/aio.c in the Linux kernel. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(), and this will cause a use-after-free.

The use-after-free could possibly be used to create memory corruption or possibly priviledge escalation by a determined attacker.

References: 
https://patchwork.kernel.org/patch/10828359/

Comment 1 msiddiqu 2019-04-02 12:43:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1695075]

Comment 2 Justin M. Forbes 2019-04-03 13:24:12 UTC
The linked patch is actually not sufficient, the patch that went upstream is commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
This was fixed for Fedora with the 5.0.5 stable release.

Comment 4 msiddiqu 2019-04-03 13:39:09 UTC
nullIn reply to comment #2:
> The linked patch is actually not sufficient, the patch that went upstream is
> commit 84c4e1f89fefe70554da0ab33be72c9be7994379 and included in 5.0.5 stable.
> This was fixed for Fedora with the 5.0.5 stable release.

Thanks for the patch info, I've updated it.


Note You need to log in before you can comment on or make changes to this bug.