Bug 1786164 (CVE-2019-19768) - CVE-2019-19768 kernel: use-after-free in __blk_add_trace in kernel/trace/blktrace.c [NEEDINFO]
Summary: CVE-2019-19768 kernel: use-after-free in __blk_add_trace in kernel/trace/blkt...
Keywords:
Status: NEW
Alias: CVE-2019-19768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1786166 1798306 1798307 1798308 1798309 1798310 1798311 1798312 1798313 1798314 1798316 1798317 1798318 1798323 1798324 1798325 1798326 1798327 1798329 1798331 1798332 1798333 1798334 1798337 1804310 1804318 1806393 1798319 1798320 1798321 1798322 1798328 1798330 1798335 1798338 1798339 1806367 1806368 1806369 1806370
Blocks: 1786167
Reported: 2019-12-23 17:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-02-24 05:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel’s implementation of blktrace in the __blk_add_trace function. A local attacker with permissions to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free to create a condition where the memory is corrupted and cause privilege escalation.
Clone Of:
Environment:
Last Closed:
nmurray: needinfo? (wmealing)


Description Guilherme de Almeida Suckevicz 2019-12-23 17:30:53 UTC
A use-after-free flaw was found in the Linux kernel's implementation of blktrace in the __blk_add_trace function. A local attacker with permissions to run block trace instructions against a device can create a situation where the core block_trace object is used after it is freed. The attacker can pre-groom memory to race this use-after-free to create a condition where memory is corrupted and is also likely to lead to privilege escalation.


Reference:
https://bugzilla.kernel.org/show_bug.cgi?id=205711

Patch:
A patch may be attached to the bugzilla.kernel.org entry, but no patch exists at this time.

Comment 1 Guilherme de Almeida Suckevicz 2019-12-23 17:33:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1786166]

Comment 3 Wade Mealing 2020-02-04 08:06:42 UTC
While this flaw is rated as important, it was a difficult decision to make.  Users who are granted permissions on system block devices can likely find other ways of doing this, such as modifying the setuid bits on mounted filesystems, or perverting the contents of setuid files, or just the password file itself if they can access it on that block device.
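The gating factor named in the comment above is which users can write to block device nodes at all. The helper below is an added example, not part of the Bugzilla report or of any kernel tooling: it reads lines in the format produced by `stat -c '%A %U %G %n'` (mode, owner, group, path) and flags block devices that are writable by everyone or by a non-root group, since membership in such a group is what grants the "permissions to run block trace instructions" the report describes. The device lines embedded in it are constructed sample data.

```shell
# Added example (not from the Bugzilla report). Input format assumed:
# one "mode owner group path" line per device, as printed by
#   stat -c '%A %U %G %n' /dev/sd* /dev/nvme*
# The lines below are constructed sample data, not output from a real host.
SAMPLE_DEVICES='brw-rw---- root disk /dev/sda
brw-rw-rw- root disk /dev/sdb
brw-rw---- root backup /dev/nvme0n1
brw------- root root /dev/sdc'

# Reads device lines on stdin, prints one finding per writable device node
# and returns 1 if any finding was made, 0 otherwise.
audit_block_devices() {
    found=0
    while IFS=' ' read -r mode owner group path; do
        [ -z "$mode" ] && continue
        case "$mode" in
            b*) ;;              # only block device nodes are of interest
            *) continue ;;
        esac
        # In the 10-char mode string, char 6 is group-write, char 9 is other-write.
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$ow" = "w" ]; then
            echo "WORLD-WRITABLE $path ($mode $owner:$group)"
            found=1
        elif [ "$gw" = "w" ] && [ "$group" != "root" ]; then
            echo "GROUP-WRITABLE $path ($mode $owner:$group) group=$group"
            found=1
        fi
    done
    return $found
}

# Live usage: stat -c '%A %U %G %n' /dev/sd* /dev/nvme* | audit_block_devices
printf '%s\n' "$SAMPLE_DEVICES" | audit_block_devices
```

On a real host the findings are the devices whose group members (typically the `disk` group) should be reviewed against the threat described in this report; a device owned `root:root` with mode `brw-------` produces no finding.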

