Bug 1790044 (CVE-2019-19927) - CVE-2019-19927 kernel: Out-of-bounds read in ttm_put_pages in gpu/drm/ttm/ttm_page_alloc.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1790045 1833103 1833104
Blocks: 1790046
Reported: 2020-01-11 14:33 UTC by Pedro Sampaio
Modified: 2021-12-15 11:29 UTC

Fixed In Version:
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c in the Linux kernel’s graphics module. Incrementing the page pointer for huge pages was not in sync with the reference counter, and this could lead to an out-of-bounds access or a denial of service. This flaw allows a local attacker with special user privileges (or root) to cause memory exploitation.
Clone Of:
Environment:
Last Closed: 2021-12-15 11:29:32 UTC
Embargoed:



Description Pedro Sampaio 2020-01-11 14:33:39 UTC
An out-of-bounds (OOB) memory access flaw was found in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c in the Linux kernel graphics module. Here incrementing the page pointer for huge pages was not in sync with the reference counter, and this could lead to an out-of-bounds memory problem or a DoS. A local attacker with special user privilege (or root) can plot an exploit in the memory to harm.

References:

https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19927

Upstream patch:

https://github.com/torvalds/linux/commit/453393369dc9806d2455151e329c599684762428
https://github.com/torvalds/linux/commit/a66477b0efe511d98dde3e4aaeb189790e6f0a39
https://github.com/torvalds/linux/commit/ac1e516d5a4c56bf0cb4a3dfc0672f689131cfd4

Comment 1 Pedro Sampaio 2020-01-11 14:34:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1790045]

Comment 2 Justin M. Forbes 2020-01-13 12:53:55 UTC
This was fixed for Fedora with the 5.1 kernel rebases.

Comment 8 Rohit Keshri 2020-05-07 20:14:59 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

