Bug 1699856 (CVE-2019-11190) - CVE-2019-11190 kernel: ASLR bypass for setuid binaries due to late install_exec_creds()
Summary: CVE-2019-11190 kernel: ASLR bypass for setuid binaries due to late install_ex...
Keywords:
Status: NEW
Alias: CVE-2019-11190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1700360 1700361 1700362
Blocks: 1696601
Reported: 2019-04-15 11:53 UTC by Vladis Dronov
Modified: 2019-09-29 15:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function.
Clone Of:
Environment:
Last Closed:


Description Vladis Dronov 2019-04-15 11:53:32 UTC
A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of the .text and stack sections of setuid binaries and thus bypass ASLR, because install_exec_creds() is called too late in this function.

References:

https://seclists.org/oss-sec/2019/q2/9

https://www.openwall.com/lists/oss-security/2019/04/03/4

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f834ec18defc369d73ccf9e87a2790bfa05bf46

Comment 3 Vladis Dronov 2019-04-16 11:39:55 UTC
Notes:

In our research we were not able to reproduce the issue with the standard RHEL-7 kernel, but only with a modified kernel with a specially inserted delay, which widens the race window. This means the race condition still exists, i.e. the system is still vulnerable, but it is hard to hit.