Bug 1132472 (CVE-2019-11190) - VUL-0: CVE-2019-11190: kernel-source: Linux kernel < 4.8 local generic ASLR bypass for setuid binaries
Status: RESOLVED FIXED
Alias: CVE-2019-11190
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Michal Hocko
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/229541/
Reported: 2019-04-15 05:16 UTC by Marcus Meissner
Modified: 2019-12-26 16:54 UTC

Found By: Security Response Team


Comment 2 Petr Mladek 2019-05-16 12:08:28 UTC
In the similar CVE-2019-11191 (bug#1132374), the race has been fixed by taking task->signal->cred_guard_mutex in various perf-related code paths; see commit 79c9ce57eb2d5f1497546a3 ("perf/core: Fix perf_event_open() vs. execve() race").

It looks to me that commit 9f834ec18defc369d73ccf9e87a27 ("binfmt_elf: switch to new creds when switching to new mm") is not enough. It reduced the race window, but the race still seems to be there; for example, the ptrace_may_access() call in do_task_stat() still does not look to be synchronized against install_exec_creds() in fs/binfmt_elf.c.

I have sent a question to people involved in fixing these two vulnerabilities.
Comment 3 Petr Mladek 2019-05-16 12:22:46 UTC
Jann Horn's reply:

--- cut ---
You're right. There is an old series of fixes that never went in on
the mailing list here:
<https://lore.kernel.org/linux-fsdevel/1477863998-3298-1-git-send-email-jann@thejh.net/>

The cred_guard_light in that series is probably the wrong approach. I
think the right way to address the deadlock problem Oleg described
back then is probably to drop the cred_guard_mutex in the middle of
execve and make the __ptrace_may_access() check even more complicated
by checking against two sets of credentials if an execve is pending. I
started an attempt to implement that some time ago, but couldn't
figure out the locking requirements of some of the LSM code.
--- cut ---

There seems to be a long way to go to get the full fix.

I am going to backport at least the partial fix that reduces the race window and is mentioned in the advisories.
Comment 4 Petr Mladek 2019-05-17 12:41:42 UTC
I have backported the commit 9f834ec18defc369d73ccf9 ("binfmt_elf: switch to new creds when switching to new mm") into all old branches up to cve/linux-2.6.32 aka SLE11-SP1-TD.
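
Comment 2 points at the ptrace_may_access() call in do_task_stat(). The following added example (not part of this bug report or of the kernel source) parses a /proc/<pid>/stat line and counts the address fields that this check is meant to zero for readers without access. Field positions are taken from proc(5); the sample lines and the names parse_gated and exposed_count are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Fields 26-30 of /proc/<pid>/stat per proc(5): startcode, endcode, startstack,
 * kstkesp, kstkeip. They read as 0 when the reader fails the ptrace access check. */
struct gated { unsigned long long v[5]; };
/* Constructed sample lines, not captured from a real system. */
static const char SAMPLE_MASKED[] =
    "4242 (su (demo) x) S 4000 4242 4000 34816 4242 4194560 150 0 0 0 1 0 0 0 "
    "20 0 1 0 123456 10000000 500 18446744073709551615 0 0 0 0 0 0 0";
static const char SAMPLE_EXPOSED[] =
    "4242 (su (demo) x) S 4000 4242 4000 34816 4242 4194560 150 0 0 0 1 0 0 0 "
    "20 0 1 0 123456 10000000 500 18446744073709551615 94000000000000 "
    "94000000100000 140720000000000 140719999990000 139900000000000 0 0";

/* comm (field 2) may itself contain spaces and ')', so split at the LAST ')'.
 * Returns 0 on success, -1 if the line is malformed or has fewer than 30 fields. */
int parse_gated(const char *line, struct gated *g)
{
    const char *p = strrchr(line, ')');
    char *end;
    if (!p) return -1;
    p++;
    for (int field = 3; field <= 30; field++) {
        p += strspn(p, " ");
        if (*p == '\0' || *p == '\n') return -1;
        if (field < 26) { p += strcspn(p, " \n"); continue; }  /* skip token */
        g->v[field - 26] = strtoull(p, &end, 10);
        if (end == p) return -1;
        p = end;
    }
    return 0;
}

/* Number of gated fields that carry a non-zero address. */
int exposed_count(const struct gated *g)
{
    int n = 0;
    for (int i = 0; i < 5; i++) n += (g->v[i] != 0);
    return n;
}

int main(void)
{
    struct gated g;
    int ok = parse_gated(SAMPLE_EXPOSED, &g) == 0;
    printf("parsed=%d exposed=%d\n", ok, ok ? exposed_count(&g) : -1);
    return !ok;
}
```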
Comment 19 Swamp Workflow Management 2019-06-17 18:06:40 UTC
This is an autogenerated message for OBS integration:
This bug (1132472) was mentioned in
https://build.opensuse.org/request/show/710405 42.3 / kernel-source
Comment 20 Swamp Workflow Management 2019-06-17 23:35:49 UTC
SUSE-SU-2019:1532-1: An update that solves 13 vulnerabilities and has 73 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1063638,1065600,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120902,1122776,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131565,1132212,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,843419
CVE References: CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_26-1-4.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2019-06-18 00:02:33 UTC
SUSE-SU-2019:1533-1: An update that solves 9 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1104367,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586
CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.115.1

Comment 22 Swamp Workflow Management 2019-06-18 00:09:53 UTC
SUSE-SU-2019:1532-1: An update that solves 13 vulnerabilities and has 73 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1063638,1065600,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120902,1122776,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131565,1132212,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,843419
CVE References: CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.180-94.97.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.180-94.97.1, kernel-obs-build-4.4.180-94.97.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.180-94.97.1, kernel-source-4.4.180-94.97.1, kernel-syms-4.4.180-94.97.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_26-1-4.3.3
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.180-94.97.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.180-94.97.1, kernel-source-4.4.180-94.97.1, kernel-syms-4.4.180-94.97.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.180-94.97.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.180-94.97.1

Comment 23 Swamp Workflow Management 2019-06-18 00:21:55 UTC
SUSE-SU-2019:1527-1: An update that solves 14 vulnerabilities and has 81 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120885,1120902,1122776,1125580,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131543,1131565,1132212,1132374,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136446,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,1137739,1137752,843419
CVE References: CVE-2013-4343,CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-azure-4.4.180-4.31.1, kernel-source-azure-4.4.180-4.31.1, kernel-syms-azure-4.4.180-4.31.1

Comment 24 Swamp Workflow Management 2019-06-18 00:50:36 UTC
SUSE-SU-2019:1534-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1099658,1106284,1110785,1113769,1120843,1120885,1131543,1131565,1132374,1132472,1134537,1134596,1134848,1135281,1135603,1136424,1136446,1136586,1136935,1137586
CVE References: CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.114.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.114.1

Comment 25 Swamp Workflow Management 2019-06-18 13:19:10 UTC
openSUSE-SU-2019:1570-1: An update that solves 15 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108838,1109137,1112178,1117562,1119086,1120642,1120843,1120902,1125580,1126356,1127155,1128052,1129770,1131107,1131543,1131565,1132374,1132472,1133190,1133874,1134338,1134806,1134813,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136598,1136623,1136810,1136922,1136935,1136990,1136993,1137142,1137162,1137586,1137739,1137752,1137915,1138291,1138293,1138374
CVE References: CVE-2018-7191,CVE-2019-11190,CVE-2019-11191,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11487,CVE-2019-11833,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12818,CVE-2019-12819,CVE-2019-3846,CVE-2019-5489
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.180-102.1, kernel-default-4.4.180-102.1, kernel-docs-4.4.180-102.1, kernel-obs-build-4.4.180-102.1, kernel-obs-qa-4.4.180-102.1, kernel-source-4.4.180-102.1, kernel-syms-4.4.180-102.1, kernel-vanilla-4.4.180-102.1
Comment 26 Swamp Workflow Management 2019-06-18 16:46:20 UTC
SUSE-SU-2019:14089-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1110785,1113769,1119314,1120326,1120843,1120885,1131295,1131543,1132374,1132472,1132580,1133188,1134102,1134729,1134848,1137586,923908,939260
CVE References: CVE-2014-9710,CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11884,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-source-3.0.101-108.95.1, kernel-syms-3.0.101-108.95.1, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2

Comment 27 Swamp Workflow Management 2019-06-24 22:12:30 UTC
SUSE-SU-2019:1692-1: An update that solves 9 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1090078,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586
CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.154.1, kernel-source-3.12.61-52.154.1, kernel-syms-3.12.61-52.154.1, kernel-xen-3.12.61-52.154.1, kgraft-patch-SLE12_Update_40-1-1.5.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.154.1
