In the Linux kernel before 5.0.7, a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c, leading to Denial of Service, related to a use-after-free. Upstream Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcf3b67d16a4c8ffae0aa79de5853435e683945c
This was fixed for Fedora with the 5.0.7 stable updates.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1709819]
It appears as though this flaw occurs during hardware initialization. This would be when the module is unloaded/loaded, or loaded the first time when the system is booted. The upstream patch refers to this being a use-after-free (which could at some stage be abused for some kind of memory corruption or possible further unknown effects). The timing window for server-grade hardware to attack this is actually quite minimal, and it's unlikely that network services are available during the time when this code would be run (usually during boot). It might be possible that this module is loaded post-boot (when a privileged user unloads and reloads the module). The small window of opportunity to exploit this flaw significantly increases its complexity for a local attacker to successfully exploit.
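The failure path described above (megasas_create_frame_pool() fails inside megasas_alloc_cmds(), the command list is torn down by megasas_free_cmds(), and initialization nevertheless continues) is an instance of a common error-handling defect: cleanup runs but the function still reports success, so the caller proceeds with a pointer that has been freed and cleared to NULL. The upstream commit linked in the description closes the path by returning an error after the cleanup. The following is an added, constructed user-space model of that pattern, not code from the megaraid_sas driver or the kernel; all names (struct instance, create_frame_pool(), free_cmds(), alloc_cmds_buggy(), alloc_cmds_fixed(), init_would_deref_null(), the fail_frame_pool test hook) are stand-ins chosen for illustration, and the caller checks for NULL explicitly so the model reports the defect instead of crashing.

```c
/* Constructed model of the CVE-2019-11810 error path (hypothetical names, not driver code). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CMDS 4
#define FRAME_SIZE 64

struct cmd {
    int index;
    void *frame;              /* would be a DMA frame buffer in the real driver */
};

struct instance {
    struct cmd **cmd_list;    /* command table; becomes NULL once freed */
    int max_cmds;
    int fail_frame_pool;      /* assumed test hook: force frame pool creation to fail */
};

/* Stand-in for the frame pool creation step: attaches a frame to every command. */
static int create_frame_pool(struct instance *inst)
{
    if (inst->fail_frame_pool)
        return -ENOMEM;
    for (int i = 0; i < inst->max_cmds; i++) {
        inst->cmd_list[i]->frame = calloc(1, FRAME_SIZE);
        if (!inst->cmd_list[i]->frame)
            return -ENOMEM;
    }
    return 0;
}

/* Stand-in for the cleanup step: frees everything and clears the table pointer. */
static void free_cmds(struct instance *inst)
{
    if (!inst->cmd_list)
        return;
    for (int i = 0; i < inst->max_cmds; i++) {
        if (inst->cmd_list[i]) {
            free(inst->cmd_list[i]->frame);
            free(inst->cmd_list[i]);
        }
    }
    free(inst->cmd_list);
    inst->cmd_list = NULL;    /* any later use of the table is now a NULL dereference */
}

/* Shared first half of both variants: allocate the command table and its entries. */
static int alloc_cmd_table(struct instance *inst)
{
    inst->max_cmds = MAX_CMDS;
    inst->cmd_list = calloc(MAX_CMDS, sizeof(*inst->cmd_list));
    if (!inst->cmd_list)
        return -ENOMEM;
    for (int i = 0; i < MAX_CMDS; i++) {
        inst->cmd_list[i] = calloc(1, sizeof(struct cmd));
        if (!inst->cmd_list[i]) {
            free_cmds(inst);
            return -ENOMEM;
        }
        inst->cmd_list[i]->index = i;
    }
    return 0;
}

/* Pre-fix shape: cleanup runs, but control falls through to "success". */
static int alloc_cmds_buggy(struct instance *inst)
{
    if (alloc_cmd_table(inst))
        return -ENOMEM;
    if (create_frame_pool(inst))
        free_cmds(inst);      /* BUG: no error return, caller sees 0 with cmd_list == NULL */
    return 0;
}

/* Post-fix shape: the failure is propagated to the caller after cleanup. */
static int alloc_cmds_fixed(struct instance *inst)
{
    if (alloc_cmd_table(inst))
        return -ENOMEM;
    if (create_frame_pool(inst)) {
        free_cmds(inst);
        return -ENOMEM;
    }
    return 0;
}

/* Model of the initialization caller. Returns 1 if it would dereference a NULL
 * command table (checked explicitly instead of crashing), 0 if it proceeds
 * normally or backs out on the error return. */
static int init_would_deref_null(int (*alloc_cmds)(struct instance *), int fail_pool)
{
    struct instance inst = { .cmd_list = NULL, .max_cmds = 0, .fail_frame_pool = fail_pool };

    if (alloc_cmds(&inst) != 0)
        return 0;             /* error propagated: initialization aborts cleanly */
    if (inst.cmd_list == NULL)
        return 1;             /* "success" reported with a freed table: the CVE path */
    inst.cmd_list[0]->index = 0;   /* ordinary use of the first command */
    free_cmds(&inst);
    return 0;
}

int main(void)
{
    printf("buggy, pool fails: %s\n", init_would_deref_null(alloc_cmds_buggy, 1) ? "NULL deref" : "ok");
    printf("fixed, pool fails: %s\n", init_would_deref_null(alloc_cmds_fixed, 1) ? "NULL deref" : "ok");
    printf("fixed, pool ok:    %s\n", init_would_deref_null(alloc_cmds_fixed, 0) ? "NULL deref" : "ok");
    return 0;
}
```

The model reproduces the defect class rather than the driver: the only difference between the two allocation variants is the missing error return after cleanup, which is exactly the kind of path that static checkers and code review look for (a function that frees state it owns must not return success afterwards). The test hook stands in for the real-world trigger, an allocation failure during adapter initialization, which is why the comment above notes that the window is confined to boot or a privileged module reload.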
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1959 https://access.redhat.com/errata/RHSA-2019:1959
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1971 https://access.redhat.com/errata/RHSA-2019:1971
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11810
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2736 https://access.redhat.com/errata/RHSA-2019:2736
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:2837 https://access.redhat.com/errata/RHSA-2019:2837
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2020:0036 https://access.redhat.com/errata/RHSA-2020:0036