The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. References: https://bugs.chromium.org/p/project-zero/issues/detail?id=1790 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.114 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.37 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.10 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04f5866e41fb70690e28397487d8bd8eea7d712a https://github.com/torvalds/linux/commit/04f5866e41fb70690e28397487d8bd8eea7d712a
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1705938]
*** Bug 1696015 has been marked as a duplicate of this bug. ***
This is fixed for Fedora with the 5.0.10 stable updates.
Acknowledgments: Name: Andrea Arcangeli (Red Hat Engineering)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11599
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2020:0100 https://access.redhat.com/errata/RHSA-2020:0100
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:0179 https://access.redhat.com/errata/RHSA-2020:0179
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:0543 https://access.redhat.com/errata/RHSA-2020:0543