Bug 1189429 (CVE-2019-9475) - VUL-0: CVE-2019-9475: kernel-source,kernel-source-rt,kernel-source-azure: In /proc/net of the kernel filesystem, there is a possible information leak due to a permissions bypass. This could lead to local information disclosure with no addit
Summary: VUL-0: CVE-2019-9475: kernel-source,kernel-source-rt,kernel-source-azure: In ...
Status: RESOLVED FIXED
Alias: CVE-2019-9475
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/301981/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-9475:5.5:(AV:L...
Reported: 2021-08-13 13:16 UTC by Marcus Meissner
Modified: 2024-06-07 12:17 UTC

Found By: Security Response Team


Description Marcus Meissner 2021-08-13 13:16:39 UTC
CVE-2019-9475

In /proc/net of the kernel filesystem, there is a possible information leak due
to a permissions bypass. This could lead to local information disclosure with no
additional execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android-10. Android ID: A-9496886

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9475
https://source.android.com/security/bulletin/android-10
Comment 1 Marcus Meissner 2021-08-13 13:32:53 UTC
Might be Android-specific, no real references to upstream kernel
Comment 2 Marcus Meissner 2021-08-13 14:57:56 UTC
also nothing stands out in fs/proc/proc_net.c git log
Comment 4 Marcus Meissner 2021-09-21 09:39:36 UTC
The only 2019 potential info leak is:

commit 1fde6f21d90f8ba5da3cb9c54ca991ed72696c43
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Fri Feb 1 14:20:01 2019 -0800

    proc: fix /proc/net/* after setns(2)
    
    /proc entries under /proc/net/* can't be cached into dcache because
    setns(2) can change current net namespace.
    
    [akpm@linux-foundation.org: coding-style fixes]
    [akpm@linux-foundation.org: avoid vim miscolorization]
    [adobriyan@gmail.com: write test, add dummy ->d_revalidate hook: necessary if /proc/net/* is pinned at setns time]
    Link: http://lkml.kernel.org/r/20190108192350.GA12034@avx2
    Link: http://lkml.kernel.org/r/20190107162336.GA9239@avx2
    Fixes: 1da4d377f943fe4194ffb9fb9c26cc58fad4dd24 ("proc: revalidate misc dentries")
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Reported-by: Mateusz Stępień <mateusz.stepien@netrounds.com>
    Reported-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>



would also need followup fix:
commit c6c75deda81344c3a95d1d1f606d5cee109e5d54
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Tue Dec 15 20:42:39 2020 -0800

    proc: fix lookup in /proc/net subdirectories after setns(2)
    
    Commit 1fde6f21d90f ("proc: fix /proc/net/* after setns(2)") only forced
    revalidation of regular files under /proc/net/
    
    However, /proc/net/ is unusual in the sense of /proc/net/foo handlers
    take netns pointer from parent directory which is old netns.
    
    Steps to reproduce:
    
            (void)open("/proc/net/sctp/snmp", O_RDONLY);
            unshare(CLONE_NEWNET);
    
            int fd = open("/proc/net/sctp/snmp", O_RDONLY);
            read(fd, &c, 1);
    
    Read will read wrong data from original netns.
    
    Patch forces lookup on every directory under /proc/net .
    
    Link: https://lkml.kernel.org/r/20201205160916.GA109739@localhost.localdomain
    Fixes: 1da4d377f943 ("proc: revalidate misc dentries")
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
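
Added example, not part of the bug report or of either kernel commit: a self-check for the regular-file case described in commit 1fde6f21d90f, telling whether a running kernel still serves pre-unshare data from /proc/net after a namespace change. It assumes /proc/net/dev as the probe file instead of the commit's /proc/net/sctp/snmp, because a freshly created network namespace contains only `lo`, so the result can be decided from interface names; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count interfaces other than "lo" in /proc/net/dev-formatted text. */
static int count_non_lo(const char *line)
{
    int n = 0;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *colon = memchr(line, ':', eol ? (size_t)(eol - line) : strlen(line));
        while (*line == ' ') line++;
        /* the two header lines carry no ':' and are skipped */
        if (colon && !(colon - line == 2 && memcmp(line, "lo", 2) == 0)) n++;
        line = eol ? eol + 1 : NULL;
    }
    return n;
}

/* Open and read /proc/net/dev; the fd is left open on purpose to pin the dentry. */
static int read_non_lo(void)
{
    char buf[8192];
    int fd = open("/proc/net/dev", O_RDONLY);
    ssize_t len = fd < 0 ? -1 : read(fd, buf, sizeof(buf) - 1);
    if (len < 0) return -1;
    buf[len] = '\0';
    return count_non_lo(buf);
}

/* 0 = new netns visible, 1 = stale data from the old netns, 2 = inconclusive. */
int proc_net_stale_after_unshare(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {                                 /* child: caller's netns stays untouched */
        if (read_non_lo() <= 0) _exit(2);           /* only "lo" visible: cannot tell views apart */
        if (unshare(CLONE_NEWNET) != 0) _exit(2);   /* needs CAP_SYS_ADMIN */
        int after = read_non_lo();
        _exit(after < 0 ? 2 : after > 0);           /* any non-lo interface here is old-netns data */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void) { return proc_net_stale_after_unshare(); } /* exit status is the verdict */
```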
Comment 10 Andrea Mattiazzo 2024-06-07 12:17:15 UTC
All done, closing.