Bug 1708518 (CVE-2019-11815) - CVE-2019-11815 kernel: race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to use-after-free
Summary: CVE-2019-11815 kernel: race condition in rds_tcp_kill_sock in net/rds/tcp.c l...
Status: CLOSED NOTABUG
Alias: CVE-2019-11815
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190508,repo...
Keywords: Security
Depends On: 1710152
Blocks: 1708519
TreeView+ depends on / blocked
 
Reported: 2019-05-10 07:13 UTC by Marian Rehak
Modified: 2019-05-15 14:45 UTC (History)
47 users (show)

(edit)
A flaw was found in the Linux kernel's implementation of RDS over TCP. A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down. This can lead to possible memory corruption and privilege escalation.
Clone Of:
(edit)
Last Closed: 2019-05-15 05:23:25 UTC


Attachments (Terms of Use)

Description Marian Rehak 2019-05-10 07:13:08 UTC
A flaw was found in the linux kernels implementation of RDS over TCP.  A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a Use After Free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down.  This can lead to possible memory corruption and privilege escalation.

Upstream Repository:

https://github.com/torvalds/linux/commit/cb66ddd156203daefb8d71158036b27b0e2caf63

Comment 1 Wade Mealing 2019-05-15 02:07:29 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1710152]

Comment 2 Wade Mealing 2019-05-15 02:25:34 UTC
Statement:

The affected code is not built in the following kernels:

- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux MRG-2
- Red Hat Enterprise Linux for ARM (kernel-alt).
- Red Hat Enterprise Linux 8

These kernels are not affected.


The affected code was introduced by commit bdf5bd7f21323493dbe5f2c723dc33f2fbb0241a.

This affected commit is not present in the following kernels:

- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6

Comment 3 Wade Mealing 2019-05-15 02:33:31 UTC
There is misinformation available about this exploit currently circulating.  While this is a network protocol being affected, the protocol is not available by default.  A local process (or user) can trigger the protocol to be used which will then be loaded automatically would then have the vulnerable code loaded and the attack vector opened.  To reiterate it is unlikely that most Linux systems will be using this protocol and therefore affected.

Most systems do _NOT_ have this protocol used by services.   This is an infrequently used module and if you wish to blacklist it, you can follow the steps outlined in https://access.redhat.com/solutions/41278 to blacklist the "rds_tcp" module for the relevant version of Red Hat Enterprise Linux.

Comment 5 Justin M. Forbes 2019-05-15 12:53:07 UTC
This was fixed for Fedora with the 5.0.8 stable kernel updates.


Note You need to log in before you can comment on or make changes to this bug.