Bug 1703063 (CVE-2019-11487) - CVE-2019-11487 kernel: Count overflow in FUSE request leading to use-after-free issues.
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11487
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190422,repo...
Depends On: 1705003 1705004 1705005 1705007 1705009 1705020 1738864 1738865 1753268 1703064 1705006 1705008
Blocks: 1703065
Reported: 2019-04-25 12:20 UTC by Marian Rehak
Modified: 2019-09-18 13:56 UTC
CC List: 49 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-12 12:45:53 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2767 None None None 2019-09-12 19:12:32 UTC
Red Hat Product Errata RHSA-2019:2703 None None None 2019-09-10 19:00:16 UTC
Red Hat Product Errata RHSA-2019:2741 None None None 2019-09-11 16:42:11 UTC

Description Marian Rehak 2019-04-25 12:20:55 UTC
A flaw was found in the Linux kernel's implementation of the FUSE filesystem, which allows for a page reference counter overflow. If a page reference counter overflows into a negative value it can be put back into the "free" list for re-use by other applications.

A local attacker who is able to manipulate memory page reference counters can abuse this situation to allow for memory corruption and possibly privilege escalation by triggering a Use After Free condition.

The current attack requires the system to have approximately 140 GiB of RAM for this attack to be carried out.  It may be possible that the attack can be carried out with lesser memory requirements.


Reporter information:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1752

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6b3a707736301c2128ca85ce85fb13f60b5e350a

Comment 1 Marian Rehak 2019-04-25 12:21:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1703064]

Comment 8 Miklos Szeredi 2019-05-01 15:10:55 UTC
Commits to backport (in commit order):

f958d7b528b1 mm: make page ref count overflow check tighter and more explicit
88b1a17dfc3e mm: add 'try_get_page()' helper function
8fde12ca79af mm: prevent get_user_pages() from overflowing page refcount
15fab63e1e57 fs: prevent page refcount overflow in pipe_buf_get
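
The counter overflow described in the report and the check introduced by the backported commits above (a get that is refused once the count is zero or negative, as in `try_get_page()`), modelled as an added example. This is a constructed user-space model, not kernel code: it assumes a 32-bit signed counter that wraps like the kernel's `atomic_t`, computes bulk gets and puts in closed form so that billions of operations need no loop, and reports whether the page would be freed while references are still outstanding. The names `page_model`, `drop_refs`, `run_unchecked` and `run_checked` are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a struct page reference counter: a signed 32-bit value
 * that wraps on overflow, like the kernel's atomic_t. Not kernel code. */
struct page_model {
    int32_t refcount;
    bool freed;
};

/* Two's-complement wrap without signed-overflow undefined behaviour. */
static int32_t wrap_add(int32_t v, uint32_t delta)
{
    return (int32_t)((uint32_t)v + delta);
}

/* Post-fix semantics of try_get_page(): refuse a new reference once the
 * counter is zero or has gone negative. (The kernel helper checks
 * page_ref_count(page) <= 0 under WARN_ON_ONCE() before page_ref_inc().) */
static bool try_get_page_checked(struct page_model *p)
{
    if (p->refcount <= 0)
        return false;
    p->refcount = wrap_add(p->refcount, 1);
    return true;
}

/* Drop n references. put_page() frees the page on the decrement that reaches
 * zero; the number of decrements until zero is the counter read as unsigned. */
static void drop_refs(struct page_model *p, uint64_t n)
{
    uint32_t steps_to_zero = (uint32_t)p->refcount;
    if (n > 0 && n >= steps_to_zero)
        p->freed = true;
    p->refcount = wrap_add(p->refcount, (uint32_t)(-n));
}

struct outcome {
    uint64_t granted;          /* references actually handed out on top of the owner's */
    bool freed_early;          /* page freed while those references were still held */
    bool freed_after_release;  /* page freed once the holder released all of them */
};

/* Pre-fix behaviour: every get succeeds and the counter silently wraps.
 * `requested` unchecked gets are applied modulo 2^32, then the owner puts. */
static struct outcome run_unchecked(uint64_t requested)
{
    struct page_model p = { .refcount = 1, .freed = false };  /* owner's reference */
    p.refcount = wrap_add(p.refcount, (uint32_t)requested);   /* `requested` plain gets */
    drop_refs(&p, 1);                                         /* owner drops its reference */
    bool early = p.freed;
    drop_refs(&p, requested);                                 /* holder releases everything */
    return (struct outcome){ requested, early, p.freed };
}

/* Post-fix behaviour: gets succeed only while the counter is positive, so from
 * a count of 1 at most INT32_MAX further references are granted; the counter
 * then sits at INT32_MIN and every later try_get_page() is refused. */
static struct outcome run_checked(uint64_t requested)
{
    struct page_model p = { .refcount = 1, .freed = false };
    uint64_t room = (uint64_t)INT32_MAX - (uint64_t)p.refcount + 1;
    uint64_t granted = requested < room ? requested : room;
    p.refcount = wrap_add(p.refcount, (uint32_t)granted);     /* `granted` successful gets */
    if (granted < requested && try_get_page_checked(&p))      /* saturated: must be refused */
        return (struct outcome){ 0, true, true };             /* unreachable in this model */
    drop_refs(&p, 1);                                         /* owner drops its reference */
    bool early = p.freed;
    drop_refs(&p, granted);                                   /* holder releases everything */
    return (struct outcome){ granted, early, p.freed };
}

int main(void)
{
    uint64_t full_wrap = (uint64_t)1 << 32;   /* enough gets to wrap a 32-bit counter */
    struct outcome a = run_unchecked(full_wrap);
    struct outcome b = run_checked(full_wrap);
    printf("unchecked: granted=%llu freed while held=%d\n",
           (unsigned long long)a.granted, a.freed_early);
    printf("checked:   granted=%llu freed while held=%d freed after release=%d\n",
           (unsigned long long)b.granted, b.freed_early, b.freed_after_release);
    return 0;
}
```

In the unchecked model a full wrap brings the counter back to its starting value, so the owner's single put frees the page with 2^32 references still live; that is the use-after-free condition the report describes. The checked model stops granting references once the counter has gone negative, so the page can at worst be held too long but is only freed after the last outstanding reference is dropped.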

Comment 9 Justin M. Forbes 2019-06-10 15:33:02 UTC
This was fixed for Fedora with the 5.1 kernel rebases.

Comment 11 errata-xmlrpc 2019-09-10 19:00:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 12 errata-xmlrpc 2019-09-11 16:42:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 13 Product Security DevOps Team 2019-09-12 12:45:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11487

