Bug 1106174 (CVE-2018-14619)

Summary: VUL-1: CVE-2018-14619: kernel-source: crash (possible privesc) in kernel crypto subsystem.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/213390/
Whiteboard: CVSSv3:RedHat:CVE-2018-14619:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2018-14619:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2018-14619:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-08-28 07:02:31 UTC
via oss-sec


CVE-2018-14619

G'day,

Syzkaller/syzbot found a use-after-free bug in the cryptographic
subsystem of the Linux kernel [1], that can be used to panic the
system and possibly escalate privileges.

The bug was introduced in commit 72548b093ee3, and has been addressed
in b32a7dc8aef1882fbf983eb354837488cc9d54dc. A reproducer is available
on the tail end of syzbot's email to kernel list
( https://lkml.org/lkml/2017/11/27/866 ). Most RHEL kernels are not
affected as they do not have the feature, but it does affect the
kernel-alt package (the 4.11 based kernel for 64-bit ARM, IBM POWER9
(little endian) and IBM z Systems).

Upstream fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b32a7dc8aef1882fbf983eb354837488cc9d54dc

Reproducer:
https://lkml.org/lkml/2017/11/27/866

Thanks.

-- 
Wade Mealing

Product Security - Kernel

Red Hat


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14619
Comment 1 Marcus Meissner 2018-08-28 11:05:45 UTC
bad commit was in 4.14
Comment 2 Takashi Iwai 2018-08-29 08:36:35 UTC
The buggy commit isn't included in SLE15, either, so it's only about TW.
And the fix commit is already in 4.15-rc4, so it's been fixed months ago on TW, too.

Back to security team.
Comment 3 Marcus Meissner 2018-08-29 08:40:11 UTC
fixed