Bug 1760100 (CVE-2019-15917) - CVE-2019-15917 kernel: use-after-free in drivers/bluetooth/hci_ldisc.c
Summary: CVE-2019-15917 kernel: use-after-free in drivers/bluetooth/hci_ldisc.c
Status: CLOSED ERRATA
Alias: CVE-2019-15917
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1760101 1808803 1808804 1808805 1808806 1808807 1888701
Blocks: 1760102
Reported: 2019-10-09 20:43 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:18 UTC

Doc Text:
A flaw was found in the Linux kernel's implementation of the HCI UART driver. A local attacker with access permissions to the Bluetooth device can issue an ioctl, which triggers the hci_uart_set_proto() function in drivers/bluetooth/hci_ldisc.c. The flaw in this function can cause memory corruption or a denial of service because of a use-after-free issue when hci_uart_register_dev() fails.
Last Closed: 2020-07-07 19:27:37 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:09:23 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:07:50 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:13:15 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:12:05 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:50:49 UTC
Red Hat Product Errata RHSA-2020:2854 0 None None None 2020-07-07 13:18:39 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:51:36 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:58:01 UTC
Red Hat Product Errata RHSA-2020:4431 0 None None None 2020-11-04 00:49:23 UTC
Red Hat Product Errata RHSA-2020:4609 0 None None None 2020-11-04 02:21:07 UTC
Red Hat Product Errata RHSA-2021:0019 0 None None None 2021-01-05 10:20:31 UTC

Description Guilherme de Almeida Suckevicz 2019-10-09 20:43:11 UTC
An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.

References:
https://github.com/torvalds/linux/commit/56897b217a1d0a91c9920cb418d6b3fe922f590a
https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html

Comment 1 Guilherme de Almeida Suckevicz 2019-10-09 20:44:16 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1760101]

Comment 2 Justin M. Forbes 2019-10-10 16:12:42 UTC
This was fixed for Fedora in the 5.0.5 stable updates.

Comment 6 Petr Matousek 2020-03-05 10:39:35 UTC
Statement:

This flaw is rated as Moderate as it requires the local attacker to have permissions to issue ioctl commands to the Bluetooth device and Bluetooth hardware to be present.

Comment 7 Alex 2020-03-05 19:26:45 UTC
Mitigation:

To mitigate this issue, prevent module hci_uart from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
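
A check for the mitigation above, as an added example that is not part of the original bug report or Red Hat's own tooling. Per modprobe.d(5), `blacklist` only stops alias-based autoloading, while an `install hci_uart /bin/false` line also makes an explicit `modprobe hci_uart` fail. The function name `hci_uart_status`, its two path arguments and its status words are assumptions made for this example.

```shell
#!/bin/sh
# Report how well hci_uart is blocked from loading on this host.
#   $1  directory of modprobe .conf files  (default: /etc/modprobe.d)
#   $2  file in /proc/modules format       (default: /proc/modules)
# Prints exactly one status word:
#   loaded        module is in the running kernel; config changes alone
#                 do not unload it
#   blocked       an "install hci_uart /bin/false" (or /bin/true) override
#                 exists, so modprobe runs that command instead of loading
#   autoload-off  only "blacklist hci_uart" is present; autoloading is off
#                 but an explicit "modprobe hci_uart" still succeeds
#   unprotected   no relevant directive was found
hci_uart_status() {
    conf_dir=${1:-/etc/modprobe.d}
    modules_file=${2:-/proc/modules}
    mod='hci[_-]uart'   # modprobe treats "-" and "_" in names as equal

    # /proc/modules always spells the name with underscores.
    if [ -r "$modules_file" ] &&
       grep -Eq '^hci_uart[[:space:]]' "$modules_file"; then
        echo loaded
        return 0
    fi

    blacklisted=no
    install_blocked=no
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # Patterns are anchored at line start, so commented-out
        # directives ("# blacklist hci_uart") are not counted.
        if grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)" "$f"; then
            blacklisted=yes
        fi
        if grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|\$)" "$f"; then
            install_blocked=yes
        fi
    done

    if [ "$install_blocked" = yes ]; then
        echo blocked
    elif [ "$blacklisted" = yes ]; then
        echo autoload-off
    else
        echo unprotected
    fi
}

hci_uart_status "$@"
```

A result of `loaded` means the module has to be removed or the host rebooted before the configuration takes effect.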

Comment 9 Alex 2020-03-08 12:29:03 UTC
Explaining CVSS score:

Attack Complexity: High -- because a race condition is called out as being required for a possible privilege escalation.

Confidentiality, Integrity, Availability: High -- privilege escalation possibly to a high level of access or capability impacting Confidentiality, Integrity, and Availability.

Comment 11 errata-xmlrpc 2020-07-07 13:18:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854

Comment 12 Product Security DevOps Team 2020-07-07 19:27:37 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15917

Comment 13 errata-xmlrpc 2020-09-29 18:57:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 14 errata-xmlrpc 2020-09-29 20:51:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 31 errata-xmlrpc 2020-11-04 00:49:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 32 errata-xmlrpc 2020-11-04 02:21:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609

Comment 33 errata-xmlrpc 2021-01-05 10:21:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0019 https://access.redhat.com/errata/RHSA-2021:0019

