A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). References: https://marc.info/?t=127366612300001&r=1&w=2 https://marc.info/?l=linux-kernel&m=127422151819010&w=2 https://lore.kernel.org/patchwork/patch/205534/ https://marc.info/?t=136035740900005&r=1&w=2 An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dcb22b346be https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=326cf0f0f308
Acknowledgments: Name: Eiichi Tsukata
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1488 https://access.redhat.com/errata/RHSA-2019:1488
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:1489 https://access.redhat.com/errata/RHSA-2019:1489
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2019:1490 https://access.redhat.com/errata/RHSA-2019:1490
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3896