Hide Forgot
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a DoS (memory consumption). Upstream Reference: https://github.com/torvalds/linux/commit/96c5c6e6a5b6db592acae039fed54b5c8844cd35
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1774947]
Only root can manipulate ftrace filters, right? Is there a way for an unprivileged user to trigger this memory leak?
Statement: This issue is rated as having Low impact because of the preconditions needed to trigger the error/resource cleanup code path (high privileges).
In reply to comment #2: > Only root can manipulate ftrace filters, right? > > Is there a way for an unprivileged user to trigger this memory leak? I'm not aware of one. Maybe perf with non paranoid setting. But that would still need privileged user to adjust the defaults.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
(In reply to Marian Rehak from comment #0) > A memory leak in the predicate_parse() function in > kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows > attackers to cause a DoS (memory consumption). > > Upstream Reference: > > https://github.com/torvalds/linux/commit/ > 96c5c6e6a5b6db592acae039fed54b5c8844cd35 Is this an actual issue or an hypothetical one? It seems to me that the error path that leads to the memory leak is unreachable. It's supposed to happen when the depth of the nested parentheses in the filter is deeper than expected, but the depth has just been calculated in calc_stack(). The parser code is quite complicated though, and I might have missed something. On the other hand, I did hit another memory leak while trying to trigger the issue. It's fixed upstream by commit eea9be33cd19 ("tracing: Fix memory leak in create_filter()").
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19072