Bug 1677778 (CVE-2019-10140) - CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10140
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1729240 1677705 1685356 1685357 1696289 1696290 1696291 1696292 1726955
Blocks: 1677780
Reported: 2019-02-15 20:49 UTC by Laura Pardo
Modified: 2021-10-25 09:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's implementation of overlayfs. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a denial of service (DOS).
Clone Of:
Environment:
Last Closed: 2021-10-25 09:51:27 UTC
Embargoed:


Attachments
Fix for flaw. (374 bytes, patch)
2019-08-15 07:14 UTC, Wade Mealing

Description Laura Pardo 2019-02-15 20:49:33 UTC
A vulnerability was found in the Linux kernel's implementation of overlayfs. An attacker with local access can create a denial of service situation via a NULL pointer dereference in the ovl_posix_acl_create function in fs/overlayfs/dir.c. The ovl_create function can return a positive number, leading to a NULL pointer dereference of path in may_open.

This can allow attackers with the ability to create directories on overlayfs to crash the kernel, creating a Denial Of Service (DOS).

This flaw likely only affects Red Hat Enterprise Linux 7 based products, as this issue was created by human error in the backporting process.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1677705

Proposed fix:
https://bugzilla.redhat.com/show_bug.cgi?id=1677778

Comment 5 Laura Pardo 2019-05-24 18:21:02 UTC
Acknowledgments:

Name: Vasily Averin (Virtuozzo)

Comment 10 Wade Mealing 2019-08-15 03:51:05 UTC
Mitigation: 

Some systems may wish to use device-mapper as an alternative to overlayfs. This does not remove the flaw if the overlayfs module is still in use.
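
Added example (not part of the original bug report or of Red Hat's tooling): a shell check for whether overlayfs is still in use on a host, which is the condition the mitigation above depends on. The function names are hypothetical; it reads files in `/proc/mounts` and `/proc/modules` format and assumes overlayfs is built as a module, so a kernel with it built in would not show up in the module list. The sample data is constructed.

```shell
#!/bin/sh
# Added example: report whether overlayfs is still in use on a host.
# File paths are parameters so the check can run against saved or sample data.

# Print the mount points whose filesystem type is overlay (or legacy overlayfs).
overlay_mounts() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$3 == "overlay" || $3 == "overlayfs" { print $2 }' "${1:-/proc/mounts}"
}

# Succeed if the overlay module is listed in a /proc/modules-format file.
overlay_module_loaded() {
    awk '$1 == "overlay" || $1 == "overlayfs" { found = 1 } END { exit !found }' \
        "${1:-/proc/modules}"
}

# Summarise the exposure:
#   in-use : at least one overlay mount exists
#   loaded : module is loaded but nothing is mounted (a new mount is still possible)
#   absent : no overlay mount and no overlay module
overlay_status() {
    mounts_file=${1:-/proc/mounts}
    modules_file=${2:-/proc/modules}
    if [ -n "$(overlay_mounts "$mounts_file")" ]; then
        echo "in-use"
    elif overlay_module_loaded "$modules_file"; then
        echo "loaded"
    else
        echo "absent"
    fi
}

# Constructed sample data (not taken from a real host).
sample=$(mktemp -d)
printf '%s\n' \
    '/dev/sda1 / xfs rw,relatime 0 0' \
    'overlay /var/lib/docker/overlay2/abc/merged overlay rw,lowerdir=/l,upperdir=/u,workdir=/w 0 0' \
    > "$sample/mounts"
printf '%s\n' 'overlay 42451 1 - Live 0xffffffffc0000000' > "$sample/modules"

overlay_status "$sample/mounts" "$sample/modules"
```

Called with no arguments, `overlay_status` reads the live `/proc` files of the host it runs on.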

Comment 11 Wade Mealing 2019-08-15 07:14:11 UTC
Created attachment 1604006 [details]
Fix for flaw.

