Bug 1690897 (CVE-2019-9893) - CVE-2019-9893 libseccomp: incorrect generation of syscall filters in libseccomp
Summary: CVE-2019-9893 libseccomp: incorrect generation of syscall filters in libseccomp
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9893
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1688905 1690898 1695194 1695195
Blocks: 1690899
TreeView+ depends on / blocked
 
Reported: 2019-03-20 12:29 UTC by Dhananjay Arunesh
Modified: 2023-03-24 14:38 UTC (History)
2 users (show)

Fixed In Version: libseccomp 2.4.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:29 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3624 0 None None None 2019-11-05 21:20:47 UTC

Description Dhananjay Arunesh 2019-03-20 12:29:14 UTC 
A security issue was discovered in current versions of libseccomp where the library did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE).It would appear that only systemd and Tor are using libseccomp in such a way as to trigger the bad code.  In the case of systemd this appears to affect the socket address family and scheduling class filters.  In the case of Tor it appears that the bad filters could impact the memory addresses passed to mprotect(2).

Reference:
https://www.openwall.com/lists/oss-security/2019/03/15/1

Commits:
https://github.com/seccomp/libseccomp/commit/c5bf78de480b32b324e0f511c88ce533ed280b37
https://github.com/seccomp/libseccomp/commit/cf5d1538d243fb6f1839db70b69469d3d7e9e077
https://github.com/seccomp/libseccomp/commit/2878b8ba7859cf1771795ebef5c85ec211756dca
https://github.com/seccomp/libseccomp/commit/3da42d78e26cd16282bee85fcd817115b7f91af0
https://github.com/seccomp/libseccomp/commit/b29eda913b11ca339a7c1727fdc7e3309dd2a9b6
Comment 1 Dhananjay Arunesh 2019-03-20 12:29:29 UTC 
Created libseccomp tracking bugs for this issue:

Affects: fedora-all [bug 1690898]
Comment 2 Paul Moore 2019-03-20 14:24:45 UTC 
A libseccomp v2.4.0 package was released for F30, F29, and F28 using the BZs below:

- F30
* https://bugzilla.redhat.com/show_bug.cgi?id=1688903

- F29
* https://bugzilla.redhat.com/show_bug.cgi?id=1688905

- F28 
* https://bugzilla.redhat.com/show_bug.cgi?id=1688906
Comment 3 Riccardo Schirone 2019-03-27 10:23:48 UTC 
Upstream issue:
https://github.com/seccomp/libseccomp/issues/139
Comment 5 Riccardo Schirone 2019-03-28 11:35:52 UTC 
Incrementing the Impact of the flaw to Important because those kind of vulnerable libseccomp's filters are used by systemd when restricting address families and they could be exploited to access families that should not be allowed. Moreover, they may be used by other packages as well.
Comment 8 Riccardo Schirone 2019-04-01 12:09:22 UTC 
Keeping the Impact of the flaw to Moderate as, after more analysis and feedback, this cannot be exploited directly and it doesn't have a direct impact on the shipped packages (systemd, flatpak, docker, etc.). An attacker would need to compromise a program/service first and then abuse the loose libseccomp filter somehow to get some advantages.
Comment 11 Riccardo Schirone 2019-04-02 17:35:37 UTC 
When comparisons like SCMP_CMP_GE, SCMP_CMP_GT, SCMP_CMP_LE, SCMP_CMP_LT are used in a seccomp filter, the generated code does not properly checks the values and it allows some values that should instead be blocked.
Comment 12 errata-xmlrpc 2019-11-05 21:20:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3624 https://access.redhat.com/errata/RHSA-2019:3624
Comment 13 Product Security DevOps Team 2019-11-06 00:52:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9893
Note You need to log in before you can comment on or make changes to this bug.