Bug 1690897 (CVE-2019-9893) - CVE-2019-9893 libseccomp: incorrect generation of syscall filters in libseccomp
Summary: CVE-2019-9893 libseccomp: incorrect generation of syscall filters in libseccomp
Alias: CVE-2019-9893
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1688905 1690898 1695194 1695195
Blocks: 1690899
Reported: 2019-03-20 12:29 UTC by Dhananjay Arunesh
Modified: 2023-03-24 14:38 UTC (History)

Fixed In Version: libseccomp 2.4.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-06 00:52:29 UTC


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3624 0 None None None 2019-11-05 21:20:47 UTC

Description Dhananjay Arunesh 2019-03-20 12:29:14 UTC
A security issue was discovered in current versions of libseccomp where the library did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). It would appear that only systemd and Tor are using libseccomp in such a way as to trigger the bad code. In the case of systemd this appears to affect the socket address family and scheduling class filters. In the case of Tor it appears that the bad filters could impact the memory addresses passed to mprotect(2).

Comment 1 Dhananjay Arunesh 2019-03-20 12:29:29 UTC
Created libseccomp tracking bugs for this issue:

Affects: fedora-all [bug 1690898]

Comment 2 Paul Moore 2019-03-20 14:24:45 UTC
A libseccomp v2.4.0 package was released for F30, F29, and F28 using the BZs below:

- F30
* https://bugzilla.redhat.com/show_bug.cgi?id=1688903

- F29
* https://bugzilla.redhat.com/show_bug.cgi?id=1688905

- F28 
* https://bugzilla.redhat.com/show_bug.cgi?id=1688906

Comment 3 Riccardo Schirone 2019-03-27 10:23:48 UTC
Upstream issue:

Comment 5 Riccardo Schirone 2019-03-28 11:35:52 UTC
Incrementing the Impact of the flaw to Important because that kind of vulnerable libseccomp filter is used by systemd when restricting address families and they could be exploited to access families that should not be allowed. Moreover, they may be used by other packages as well.

Comment 8 Riccardo Schirone 2019-04-01 12:09:22 UTC
Keeping the Impact of the flaw to Moderate as, after more analysis and feedback, this cannot be exploited directly and it doesn't have a direct impact on the shipped packages (systemd, flatpak, docker, etc.). An attacker would need to compromise a program/service first and then abuse the loose libseccomp filter somehow to get some advantages.

Comment 11 Riccardo Schirone 2019-04-02 17:35:37 UTC
When comparisons like SCMP_CMP_GE, SCMP_CMP_GT, SCMP_CMP_LE, SCMP_CMP_LT are used in a seccomp filter, the generated code does not properly check the values and it allows some values that should instead be blocked.
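
Comment 11 above describes a filter that admits values it should block when 64-bit arguments are compared with the ordering operators. The following is an added illustration, not libseccomp's code and not the actual defective filter: it shows the correct lexicographic split of a 64-bit comparison into high-word and low-word checks (the only way a BPF filter with 32-bit loads can do it), a constructed low-word-only comparator for contrast, and a small audit loop that counts disagreements with native 64-bit arithmetic over boundary values. The names cmp64_split, cmp64_low_only and count_mismatches are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
enum cmp_op { CMP_LT, CMP_LE, CMP_GT, CMP_GE };  /* mirrors SCMP_CMP_{LT,LE,GT,GE} */

/* Reference result: native unsigned 64-bit comparison. */
static bool cmp64_native(enum cmp_op op, uint64_t arg, uint64_t ref)
{
    switch (op) {
    case CMP_LT: return arg <  ref;
    case CMP_LE: return arg <= ref;
    case CMP_GT: return arg >  ref;
    case CMP_GE: return arg >= ref;
    }
    return false;
}

/* Correct split comparison, as a BPF filter must do it with 32-bit loads: decide on
 * the high words, and use the low words only when the high words are equal. */
static bool cmp64_split(enum cmp_op op, uint64_t arg, uint64_t ref)
{
    uint32_t ahi = (uint32_t)(arg >> 32), alo = (uint32_t)arg;
    uint32_t rhi = (uint32_t)(ref >> 32), rlo = (uint32_t)ref;
    if (ahi != rhi)
        return cmp64_native(op, ahi, rhi);
    return cmp64_native(op, alo, rlo);
}

/* Constructed "loose" comparator for contrast: it inspects only the low word, so an
 * argument whose high word differs is judged wrongly. Illustration, not libseccomp's bug. */
static bool cmp64_low_only(enum cmp_op op, uint64_t arg, uint64_t ref)
{
    return cmp64_native(op, (uint32_t)arg, (uint32_t)ref);
}

/* Audit helper: count disagreements with the native reference over all four operators
 * and a grid of constructed values straddling the 32-bit boundary. */
typedef bool (*cmp_fn)(enum cmp_op, uint64_t, uint64_t);
static int count_mismatches(cmp_fn fn)
{
    static const uint64_t v[] = { 0, 1, 0xFFFFFFFFull, 0x100000000ull, 0x100000001ull,
                                  0x1FFFFFFFFull, 0xFFFFFFFF00000000ull, UINT64_MAX };
    int n = (int)(sizeof v / sizeof v[0]), bad = 0;
    for (int op = CMP_LT; op <= CMP_GE; op++)
        for (int i = 0; i < n; i++)
            for (int j = 0; j < n; j++)
                if (fn(op, v[i], v[j]) != cmp64_native(op, v[i], v[j]))
                    bad++;
    return bad;
}
```

The same audit loop can be pointed at any comparator a filter generator emits; a non-zero count means the filter is looser (or stricter) than the policy it is supposed to express.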

Comment 12 errata-xmlrpc 2019-11-05 21:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3624 https://access.redhat.com/errata/RHSA-2019:3624

Comment 13 Product Security DevOps Team 2019-11-06 00:52:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

