
List:       oss-security
Subject:    Re: [oss-security] CVE-2019-10142 linux kernel: integer overflow in ioctl handling of fsl hypervisor
From:       Greg KH <greg () kroah ! com>
Date:       2019-05-22 16:31:25
Message-ID: 20190522163125.GA32400 () kroah ! com

On Thu, May 23, 2019 at 12:52:17AM +1000, Wade Mealing wrote:
> Gday,
> 
> From the upstream git commit:
> 
> "The "param.count" value is a u64 that comes from the user. The code later
> in the function assumes that param.count is at least one and if it's not
> then it leads to an Oops when we dereference the ZERO_SIZE_PTR. Also the
> addition can have an integer overflow which would lead us to allocate a
> smaller "pages" array than required. I can't immediately tell what the
> possible run times implications are, but it's safest to prevent the
> overflow."
> 
> At this time Red Hat products are not affected: this code is not built, as
> the CONFIG_FSL_HV_MANAGER build option is not enabled by default. Device
> (/dev/fsl-hv) ownership and permissions prevent unprivileged users
> from being able to exploit this without some elevated permissions (I think
> this will default to user: root group: root with 0660 mask); however, some
> Linux distributions may use udev to set this to non-root ownership or
> another group. In the default configuration, a user who is sufficiently
> privileged to exploit this is likely able to attack the system without it.
> 
> I open the discussion and note the CVE listed above for discussions that
> may reference this patch and perhaps save someone some time in
> investigation.
> 
> Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10142
> 
> Upstream fix:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c
> 

Note, this fix is in the following released stable kernels at this point
in time:
	3.18.140 4.4.180 4.9.177 4.14.120 4.19.44 5.0.17 5.1.3

Also, to let oss-security know, the 3.18.y kernel tree is now really
end-of-life on kernel.org, but if people care about it still, they can
follow the android-common 3.18 branch as it will continue to get
security updates for at least the rest of this year, if not maybe a bit
longer.

thanks,

greg k-h
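
Added example, not part of either message and not the kernel's code: a user-space C model of the two problems the quoted commit message names, a zero count and an addition that wraps, with the unchecked arithmetic beside a checked form. The 4 KiB page size, the function names, and the assumption that the sum is the count plus the buffer's offset within its first page (rounded up to whole pages) are all illustrative.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                        /* assumption: 4 KiB pages */
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* Unchecked: count comes straight from the caller, so the sum can wrap
 * modulo 2^64 and yield a page count far smaller than the request. */
uint64_t num_pages_unchecked(uint64_t vaddr, uint64_t count)
{
    uint64_t offset = vaddr & (PAGE_SIZE - 1);
    return (count + offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
}

/* Checked: returns 0 and stores the page count, or -1 when the request is
 * empty or the sum would exceed UINT64_MAX. The bound is computed by
 * subtraction so the check itself cannot wrap. */
int num_pages_checked(uint64_t vaddr, uint64_t count, uint64_t *out)
{
    uint64_t offset = vaddr & (PAGE_SIZE - 1);

    if (count == 0)                          /* later code assumes >= 1 page */
        return -1;
    if (count > UINT64_MAX - offset - (PAGE_SIZE - 1))
        return -1;
    *out = (count + offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: {buffer address, byte count}. */
    const uint64_t req[][2] = {
        { 0x1010, 8192 }, { 0x1000, 0 }, { 0x1010, UINT64_MAX },
    };
    for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
        uint64_t n = 0;
        int rc = num_pages_checked(req[i][0], req[i][1], &n);
        printf("count=%" PRIu64 " unchecked=%" PRIu64 " checked=%s\n",
               req[i][1], num_pages_unchecked(req[i][0], req[i][1]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

In the unchecked form the zero-count request sizes a zero-entry array and the UINT64_MAX request sizes a one-entry array; the checked form rejects both before any allocation would happen.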

