Bug 1158887 (CVE-2019-19602) - VUL-1: CVE-2019-19602: kernel-source: when GCC 9 is used, fpregs_state_valid in arch/x86/include/asm/fpu/internal.h allows context-dependent attackers to cause a denial of service (memory corruption) aka CID-59c4bd853abc
Summary: VUL-1: CVE-2019-19602: kernel-source: when GCC 9 is used, fpregs_state_valid ...
Status: RESOLVED FIXED
Alias: CVE-2019-19602
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/248463/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-19602:3.6:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-10 10:45 UTC by Wolfgang Frisch
Modified: 2024-06-25 14:11 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Wolfgang Frisch 2019-12-10 10:45:31 UTC
CVE-2019-19602

fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux kernel
before 5.4.2, when GCC 9 is used, allows context-dependent attackers to cause a
denial of service (memory corruption) or possibly have unspecified other impact
because of incorrect fpu_fpregs_owner_ctx caching, as demonstrated by
mishandling of signal-based non-cooperative preemption in Go 1.14 prereleases on
amd64, aka CID-59c4bd853abc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19602
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19602.html
https://github.com/golang/go/issues/35777#issuecomment-561935388
https://github.com/torvalds/linux/commit/59c4bd853abcea95eccc167a7d7fd5f1a5f47b98
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19602
https://bugzilla.kernel.org/show_bug.cgi?id=205663
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.2
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c4bd853abcea95eccc167a7d7fd5f1a5f47b98
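The description above names the mechanism but not why a compiler hint turns into corrupted user registers. The following is an added example, not code from the kernel or from this bug: a userspace C model of the ownership check in fpregs_state_valid(). The names fpu_fpregs_owner_ctx, fpregs_activate, fpregs_deactivate and fpregs_state_valid mirror the kernel's, but their bodies are simplified, and the compiler's caching is made explicit (a local snapshot of the owner pointer) so the outcome does not depend on which GCC version or optimisation level compiles the model. The "preemption" that changes the owner underneath the cached read is modelled as another task's context being loaded on the same CPU; the real trigger path in the kernel is more involved.

```c
/*
 * Userspace model of the x86 FPU ownership check behind CVE-2019-19602.
 * Added example, not kernel code: names mirror arch/x86/include/asm/fpu/internal.h
 * but bodies are simplified. Per-CPU state is modelled as plain arrays.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 2
#define NR_REGS 4

struct fpu {
    unsigned int last_cpu;      /* CPU whose registers last held this context */
    double regs[NR_REGS];       /* stand-in for the task's saved FP/SSE state */
};

/* Model of the per-CPU fpu_fpregs_owner_ctx: the context currently loaded in
 * each CPU's hardware registers (NULL = nobody, registers must be reloaded). */
static struct fpu *fpu_fpregs_owner_ctx[NR_CPUS];

/* Model of the hardware FP register file, one per CPU. */
static double hw_regs[NR_CPUS][NR_REGS];

static void fpregs_activate(struct fpu *fpu, unsigned int cpu)
{
    fpu_fpregs_owner_ctx[cpu] = fpu;
    fpu->last_cpu = cpu;
}

static void fpregs_deactivate(unsigned int cpu)
{
    fpu_fpregs_owner_ctx[cpu] = NULL;
}

/* Kernel semantics: fpregs_state_valid(fpu, cpu) is
 *   fpu == fpu_fpregs_owner_ctx && cpu == fpu->last_cpu
 * 'owner' is the value the compiler actually used for the first operand:
 * a fresh read (what this_cpu_read() guarantees) or an earlier cached copy
 * (what this_cpu_read_stable() permitted GCC 9 to do). */
static bool fpregs_state_valid_with(const struct fpu *fpu, unsigned int cpu,
                                    const struct fpu *owner)
{
    return fpu == owner && cpu == fpu->last_cpu;
}

static bool fpregs_state_valid(const struct fpu *fpu, unsigned int cpu)
{
    return fpregs_state_valid_with(fpu, cpu, fpu_fpregs_owner_ctx[cpu]);
}

/* Load a context into the CPU's registers and record ownership. */
static void load_fpregs(struct fpu *fpu, unsigned int cpu)
{
    memcpy(hw_regs[cpu], fpu->regs, sizeof hw_regs[cpu]);
    fpregs_activate(fpu, cpu);
}

/* Return to userspace: reload the registers unless the ownership check says
 * they already hold this task's state. Returns true if a reload happened. */
static bool return_to_user(struct fpu *fpu, unsigned int cpu,
                           const struct fpu *owner_seen)
{
    if (fpregs_state_valid_with(fpu, cpu, owner_seen))
        return false;               /* skip the (expensive) restore */
    load_fpregs(fpu, cpu);
    return true;
}

/* Scenario: 'task' has its registers live on cpu 0, the kernel reads the owner
 * pointer, then another context is loaded on the same CPU before the ownership
 * check runs. Returns true if userspace sees its own register values afterwards. */
static bool run_scenario(bool compiler_cached_owner)
{
    struct fpu task  = { .last_cpu = 0, .regs = { 1.0, 2.0, 3.0, 4.0 } };
    struct fpu other = { .last_cpu = 0, .regs = { 9.0, 9.0, 9.0, 9.0 } };
    const unsigned int cpu = 0;

    memset(hw_regs, 0, sizeof hw_regs);
    fpregs_deactivate(cpu);
    load_fpregs(&task, cpu);        /* task ran; its registers are live */

    /* What a compiler may do with a 'stable' per-CPU read: load once, reuse. */
    struct fpu *cached_owner = fpu_fpregs_owner_ctx[cpu];

    /* Owner changes underneath: another context is loaded on this CPU. */
    load_fpregs(&other, cpu);

    const struct fpu *owner_seen =
        compiler_cached_owner ? cached_owner : fpu_fpregs_owner_ctx[cpu];
    return_to_user(&task, cpu, owner_seen);

    return memcmp(hw_regs[cpu], task.regs, sizeof task.regs) == 0;
}

int main(void)
{
    printf("fresh read of owner : user regs intact = %d\n", run_scenario(false));
    printf("cached read of owner: user regs intact = %d\n", run_scenario(true));
    printf("fpregs_state_valid after scenario: %d\n", fpregs_state_valid(NULL, 0));
    return 0;
}
```

With the fresh read the check fails, the registers are reloaded and the task sees its own values; with the cached read the check still claims the registers belong to the task, the reload is skipped and the task resumes with the other context's register contents. That is the whole bug: no kernel memory is written, the "memory corruption" in the CVE text is the userspace register state a task gets back from the kernel, which is why the severity discussion in the comments below revolves around whether this is a DoS at all.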
Comment 3 Michael Matz 2019-12-10 15:13:30 UTC
I'm not aware of the kernel teams using gcc9 except in Factory.  But of course,
ultimately the kernel teams should know :-)

(So, yeah, we can probably ignore this for the enterprise products, but it
should eventually be fixed; maybe we will at some point compile with later GCCs).
Comment 4 Borislav Petkov 2019-12-10 15:22:47 UTC
Ok, since it is trivial to backport, I'll take it.

Provided it passes analysis and someone explains to me why this is a CVE and how "context-dependent attackers [can] cause a denial of service" through memory corruption in userspace FPU ... I guess I'm not seeing it yet.

Thx.
Comment 5 Borislav Petkov 2019-12-10 17:37:53 UTC
Wolfgang, can you please find out how exactly one can DoS the box with this?

Because if I'm not missing something, this should not be a CVE...

Thx.
Comment 6 Wolfgang Frisch 2019-12-10 17:56:24 UTC
(In reply to Borislav Petkov from comment #5)
> Wolfgang, can you pls find out how exactly can one DOS the box with this?
> Because if I'm not missing something, this should not be a CVE...
I did not have time to test it myself yet.
There are 2 reproducers, written in C and Go respectively:
https://bugzilla.kernel.org/show_bug.cgi?id=205663
https://github.com/golang/go/issues/35326
Comment 7 Borislav Petkov 2019-12-10 18:11:05 UTC
(In reply to Wolfgang Frisch from comment #6)
> There are 2 reproducers, written in C and Go respectively:
> https://bugzilla.kernel.org/show_bug.cgi?id=205663

Yes, we used that reproducer to confirm the upstream fix but that reproducer is harmless.

> https://github.com/golang/go/issues/35326

That one is the same, AFAICT:

https://github.com/golang/go/issues/35326#issuecomment-558690446

Ok, can you find out who requested the CVE so that we can talk to him/her?

Thx.
Comment 11 Borislav Petkov 2020-01-13 14:40:16 UTC
5f409e20b7945 ("x86/fpu: Defer FPU state load until return to userspace") is in
5.2 so only those three:

master: has it
stable: has it
15sp2: has it

Add the CVE number to 15SP2 and bounce back.
Comment 12 Marcus Meissner 2020-12-08 08:10:12 UTC
adjusted tracking, closing