Bug 1700007 (CVE-2019-11191) - CVE-2019-11191 kernel: race condition in load_aout_binary() allows local users to bypass ASLR on setuid a.out programs
Summary: CVE-2019-11191 kernel: race condition in load_aout_binary() allows local user...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-11191
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1700008
Blocks: 1700011
TreeView+ depends on / blocked
 
Reported: 2019-04-15 15:01 UTC by msiddiqu
Modified: 2019-09-29 15:11 UTC (History)
41 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The Linux kernel allows local users to bypass ASLR protections for setuid a.out programs when CONFIG_IA32_AOUT is enabled and ia32_aout module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection.
Clone Of:
Environment:
Last Closed: 2019-04-17 18:25:24 UTC


Attachments (Terms of Use)

Description msiddiqu 2019-04-15 15:01:53 UTC
The Linux kernel allows local users to bypass ASLR protection for setuid a.out programs when CONFIG_IA32_AOUT is enabled and [ia32_aout] module is loaded, because install_exec_creds() is called too late in the load_aout_binary() in fs/binfmt_aout.c. Due to this, the ptrace_may_access() check may have a race condition with install_exec_creds() when reading /proc/pid/stat file and reveal information on addresses of kernel structures, henceforth defeating the KASLR protection.

References: 

https://www.openwall.com/lists/oss-security/2019/04/03/4

https://www.openwall.com/lists/oss-security/2019/04/03/4/1

Comment 1 msiddiqu 2019-04-15 15:02:08 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1700008]

Comment 2 Justin M. Forbes 2019-04-15 20:42:49 UTC
Fedora is not impacted by this issue: # CONFIG_IA32_AOUT is not set

Comment 5 Vladis Dronov 2019-04-17 18:25:24 UTC
Note:

This bug is a sibling of the CVE-2019-11190 flaw (bz1699856), but in a.out format code, not in the ELF format code. While the flaw is indeed present in the upstream Linux kernel code, there is no patch for this, as the upstream current plan is to deprecate a.out format.

Red Hat Enterprise Linux kernel does not build and ship the a.out format code, so no Red Hat products are vulnerable to this flaw.


Note You need to log in before you can comment on or make changes to this bug.