Bug 1781679 (CVE-2019-19447) - CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
Summary: CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19447
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1781680 1801046 1801047 1801048 1801049 1801050 1888707 1894479 1894480 1894481 1894482
Blocks: 1781681
TreeView+ depends on / blocked
 
Reported: 2019-12-10 11:37 UTC by Marian Rehak
Modified: 2024-03-25 15:34 UTC (History)
48 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's ext4_unlink function. An attacker could corrupt memory or escalate privileges when deleting a file from a recently unmounted specially crafted ext4 filesystem, including local, USB, and iSCSI.
Clone Of:
Environment:
Last Closed: 2020-05-12 16:32:05 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:09:47 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:08:16 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:13:40 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:11:44 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:51:11 UTC
Red Hat Product Errata RHSA-2020:2104 0 None None None 2020-05-12 15:12:31 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:52:32 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:58:40 UTC
Red Hat Product Errata RHSA-2020:4431 0 None None None 2020-11-04 00:50:01 UTC
Red Hat Product Errata RHSA-2020:4609 0 None None None 2020-11-04 02:21:59 UTC
Red Hat Product Errata RHSA-2020:5206 0 None None None 2020-11-24 10:56:03 UTC
Red Hat Product Errata RHSA-2020:5430 0 None None None 2020-12-15 08:55:08 UTC
Red Hat Product Errata RHSA-2020:5656 0 None None None 2020-12-22 09:32:21 UTC

Description Marian Rehak 2019-12-10 11:37:25 UTC 
A user with permissions to mount and unmount a crafted ext4 file system, via any transport mechanism (local, USB, ISCSI) can lead to a use-after-free when attempting to delete a directory after the disk has been umounted.

This can lead to possible memory corruption and privilege escalation.

External Reference:

https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447
https://bugzilla.kernel.org/show_bug.cgi?id=205433
Comment 1 Marian Rehak 2019-12-10 11:37:47 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1781680]
Comment 8 Eric Christensen 2020-02-13 16:36:10 UTC 
Mitigation:

Ext4 filesytems are built into the kernel so it is not possible to prevent the kernel module from loading.  However, this flaw can be prevented by disallowing mounting of untrusted filesystems.

As mounting is a privileged operation, (except for device hotplug) removing the ability for mounting and unmounting will prevent this flaw from being exploited.
Comment 9 errata-xmlrpc 2020-05-12 15:12:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2104 https://access.redhat.com/errata/RHSA-2020:2104
Comment 10 Product Security DevOps Team 2020-05-12 16:32:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19447
Comment 11 Justin M. Forbes 2020-05-13 22:16:45 UTC 
This was fixed for Fedora in the 5.4.4 stable kernel update.
Comment 12 errata-xmlrpc 2020-09-29 18:58:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062
Comment 13 errata-xmlrpc 2020-09-29 20:52:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060
Comment 30 errata-xmlrpc 2020-11-04 00:49:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431
Comment 31 errata-xmlrpc 2020-11-04 02:21:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609
Comment 35 errata-xmlrpc 2020-11-24 10:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:5206 https://access.redhat.com/errata/RHSA-2020:5206
Comment 36 errata-xmlrpc 2020-12-15 08:55:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:5430 https://access.redhat.com/errata/RHSA-2020:5430
Comment 37 errata-xmlrpc 2020-12-22 09:32:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:5656 https://access.redhat.com/errata/RHSA-2020:5656
Note You need to log in before you can comment on or make changes to this bug.