Bug 1772014 (CVE-2019-18874) - CVE-2019-18874 python-psutil: double free because of refcount mishandling
Summary: CVE-2019-18874 python-psutil: double free because of refcount mishandling
Status: NEW
Alias: CVE-2019-18874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1772015 1772016 1772020 1774355 1774356 1777134 1773616 1774340 1774341 1774342 1774343
Blocks: 1772019
Reported: 2019-11-13 13:01 UTC by Guilherme de Almeida Suckevicz
Modified: 2019-12-05 00:30 UTC

Fixed In Version:
Doc Text:
A double free issue has been discovered in python-psutil because of the mishandling of refcounts while converting system data into Python objects in functions like psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs(), and others. In particular cases, a local attacker may be able to get code execution by manipulating system resources that python-psutil then tries to convert.
Clone Of:
Last Closed:


Description Guilherme de Almeida Suckevicz 2019-11-13 13:01:19 UTC
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.


Comment 1 Guilherme de Almeida Suckevicz 2019-11-13 13:01:42 UTC
Created python-psutil tracking bugs for this issue:

Affects: epel-all [bug 1772016]
Affects: fedora-all [bug 1772015]

Comment 2 Guilherme de Almeida Suckevicz 2019-11-13 13:06:03 UTC
Created python-psutil tracking bugs for this issue:

Affects: openstack-rdo [bug 1772020]

Comment 4 Riccardo Schirone 2019-11-18 14:20:56 UTC

Name: Riccardo Schirone (Red Hat)

Comment 5 Riccardo Schirone 2019-11-18 14:30:14 UTC
Most of the functions in psutil/_psutil_*.c contain loops that convert system data into python objects and during the process they create python objects and decrement their refcounts after they have been added to the result list, at the end of the loop. In case of errors during the conversion of one of those objects, variables pointing to those python objects have their refcounts decremented, to ensure that objects do not leak memory on the error path.

However, after the first iteration variables may still point to already freed python objects and if an attacker is able to make the parsing of such objects fail, it is possible to decrement the refcount two times thus causing a double-free issue. This could be used by a local attacker to get code execution with the privileges of the user running the python-psutil application.
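
An added illustration of the pattern described in comment 5 (not psutil's code and not part of that comment): a toy reference-count model in C, where `Obj`, `convert_entries`, `name` and `item` are hypothetical names. It counts releases that land on an already-freed object when the loop keeps its stale pointers, and when it resets them to NULL after use, which is the effect of CPython's `Py_CLEAR`.

```c
#include <stdio.h>

/* Toy stand-in for a CPython object: just a reference count, kept in a
   static pool so an extra release is counted instead of corrupting the heap. */
typedef struct { int refcnt; } Obj;
static Obj pool[16];
static int used, over_release;

static Obj *obj_new(void) { Obj *o = &pool[used++]; o->refcnt = 1; return o; }
static void decref(Obj *o) {
    if (o->refcnt <= 0) { over_release++; return; } /* real code: second free() */
    o->refcnt--;
}
static void xdecref(Obj *o) { if (o) decref(o); }   /* NULL-safe, like Py_XDECREF */

/* Convert n (at most 8) entries into a list; converting entry fail_at fails
   (-1: never). clear_after_use selects the hardened loop.
   Returns how many releases hit an object that was already freed. */
int convert_entries(int n, int fail_at, int clear_after_use) {
    Obj *list[8], *name = NULL, *item = NULL;
    int len = 0;
    used = over_release = 0;
    if (n > 8) n = 8;
    for (int i = 0; i < n; i++) {
        name = (i == fail_at) ? NULL : obj_new();   /* e.g. decoding a string */
        if (!name) goto error;
        item = obj_new();
        item->refcnt++;                             /* append: list takes a ref */
        list[len++] = item;
        decref(name);                               /* drop the loop's own refs */
        decref(item);
        if (clear_after_use) name = item = NULL;    /* the effect of Py_CLEAR */
    }
    goto release;                                   /* success path */
error:
    xdecref(name);
    xdecref(item);          /* vulnerable loop: item is stale from the last pass */
release:
    for (int j = 0; j < len; j++) decref(list[j]);  /* list frees its items */
    return over_release;
}

int main(void) {
    printf("fail on entry 0, stale pointers kept: %d\n", convert_entries(3, 0, 0));
    printf("fail on entry 1, stale pointers kept: %d\n", convert_entries(3, 1, 0));
    printf("fail on entry 1, pointers cleared:    %d\n", convert_entries(3, 1, 1));
    return 0;
}
```

A failure on the first entry is harmless in both variants because no pointer is stale yet; the extra release only appears once a previous iteration has left `item` pointing at an object the list already owns.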

Comment 7 Riccardo Schirone 2019-11-18 14:44:35 UTC
No upstream release yet with the fix mentioned in comment 3.

Comment 8 Riccardo Schirone 2019-11-18 14:49:51 UTC
Affected functions in psutil/_psutil_linux.c and psutil/_psutil_posix.c are psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs(). The last two can hardly be manipulated by an attacker as they list the users and the network interfaces on a system, while the first could be manipulated by a user who can mount filesystems (e.g. with FUSE).

Comment 10 Riccardo Schirone 2019-11-18 14:53:26 UTC
Attack Vector (AV) of CVSSv3 set to Local as affected functions for Linux are just psutil_disk_partitions(), psutil_users(), psutil_net_if_addrs() and they would require a user to manipulate users, network interface and/or disk partitions to try to trigger the flaw.
