Bug 1133106 (CVE-2019-3901)

Summary: VUL-1: CVE-2019-3901: kernel-source: race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs. As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access()
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: carlos.lopez, gabriele.sonnu, mhocko, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/230005/
Whiteboard: CVSSv3:SUSE:CVE-2019-3901:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-04-23 12:41:58 UTC
A race condition in perf_event_open() allows local attackers to leak sensitive
data from setuid programs. As no relevant locks (in particular the
cred_guard_mutex) are held during the ptrace_may_access() call, it is possible
for the specified target task to perform an execve() syscall with setuid
execution before perf_event_alloc() actually attaches to it, allowing an
attacker to bypass the ptrace_may_access() check and the
perf_event_exit_task(current) call that is performed in install_exec_creds()
during privileged execve() calls. This issue affects kernel versions before 4.8.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3901
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3901
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3901.html
http://www.cvedetails.com/cve/CVE-2019-3901/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3901
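The following is an added, constructed single-threaded model of the race described above; it is not kernel code and not part of this bug report. The names (struct task, ptrace_may_access, install_exec_creds, perf_event_open_*) mirror the functions named in the description, but cred_guard_mutex is modelled as a flag and the execve() side is modelled as "defer the credential swap until the holder releases the flag" instead of sleeping on a real mutex. The two perf_event_open variants show the pre-fix shape (check, then attach, nothing held across them) and the post-fix shape from upstream 79c9ce57eb2d (check and attach under cred_guard_mutex, so a concurrent setuid execve() is serialised after the attach and its perf_event_exit_task() tears the event down again).

```c
/*
 * Constructed model of the CVE-2019-3901 race (added example, not kernel
 * code). cred_guard_mutex is a flag; a setuid execve() that finds it held
 * defers its credential swap until the flag is released.
 */
#include <stdbool.h>
#include <stdio.h>

#define ROOT_UID 0u
#define USER_UID 1000u

struct task {
    bool cred_guard_held;   /* models task->signal->cred_guard_mutex */
    unsigned uid;           /* models the task's current credentials */
    int events_attached;    /* perf events a USER_UID caller attached to it */
    bool exec_pending;      /* execve() had to wait for cred_guard_mutex */
};

/* ptrace_may_access() model: a same-uid caller may attach. */
static bool ptrace_may_access(const struct task *target, unsigned caller_uid)
{
    return target->uid == caller_uid;
}

/* install_exec_creds() model for a setuid image: swap in root creds and,
 * as in the real function, call perf_event_exit_task(current). */
static void install_exec_creds(struct task *t)
{
    t->uid = ROOT_UID;
    t->events_attached = 0;     /* perf_event_exit_task(current) */
}

/* execve() model: the creds swap runs with cred_guard_mutex held. If another
 * path holds it, the swap is deferred to cred_guard_unlock() (modelled wait). */
static void execve_setuid(struct task *t)
{
    if (t->cred_guard_held) {
        t->exec_pending = true;
        return;
    }
    t->cred_guard_held = true;
    install_exec_creds(t);
    t->cred_guard_held = false;
}

/* Release the modelled mutex and let a waiting execve() proceed. */
static void cred_guard_unlock(struct task *t)
{
    t->cred_guard_held = false;
    if (t->exec_pending) {
        t->exec_pending = false;
        execve_setuid(t);
    }
}

/* Pre-fix shape: ptrace_may_access() and the attach are two unlocked steps.
 * target_execs models the target winning the race between them. */
static int perf_event_open_unlocked(struct task *target, unsigned caller_uid,
                                    bool target_execs)
{
    if (!ptrace_may_access(target, caller_uid))
        return -1;                      /* -EACCES */
    if (target_execs)
        execve_setuid(target);          /* creds change after the check passed */
    target->events_attached++;          /* perf_event_alloc()/attach */
    return 0;
}

/* Post-fix shape: hold cred_guard_mutex across the check and the attach. A
 * concurrent setuid execve() runs only after the attach, and its
 * perf_event_exit_task() removes the event that was just attached. */
static int perf_event_open_locked(struct task *target, unsigned caller_uid,
                                  bool target_execs)
{
    target->cred_guard_held = true;
    if (!ptrace_may_access(target, caller_uid)) {
        cred_guard_unlock(target);
        return -1;
    }
    if (target_execs)
        execve_setuid(target);          /* must wait: swap deferred to unlock */
    target->events_attached++;
    cred_guard_unlock(target);
    return 0;
}

/* True if an event opened by USER_UID is still attached after the target
 * has become a setuid (root) image, i.e. the access check was bypassed. */
static bool event_survives_setuid_exec(bool fixed)
{
    struct task t = { false, USER_UID, 0, false };
    int ret = fixed ? perf_event_open_locked(&t, USER_UID, true)
                    : perf_event_open_unlocked(&t, USER_UID, true);
    return ret == 0 && t.uid == ROOT_UID && t.events_attached > 0;
}

int main(void)
{
    printf("unlocked: event survives setuid exec = %d\n",
           event_survives_setuid_exec(false));
    printf("locked:   event survives setuid exec = %d\n",
           event_survives_setuid_exec(true));
    return 0;
}
```

The point the model makes is the one the fix makes: the check alone is not the fix, the fix is holding the same lock that execve() takes across both the check and the attach, so that install_exec_creds() either sees no event yet (and the later attach is denied on the new creds) or sees the event and tears it down.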
Comment 2 Tony Jones 2019-09-11 23:10:13 UTC
(In reply to Marcus Meissner from comment #1)
> 
> https://bugs.chromium.org/p/project-zero/issues/detail?id=807
> 
> https://seclists.org/oss-sec/2019/q2/9
> 
> An upstream patch:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=79c9ce57eb2d5f1497546a3946b4ae21b6fdc438

This bug is 2019, the above patch is from 2016.
Comment 3 Tony Jones 2019-10-02 23:31:24 UTC
Claimed fix: 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438 tags/v4.6-rc6~10^2~2

Already in cve/linux-4.4 via stable (patches.kernel.org/patch-4.4.11-12)

Will check prior branches but difficulty of attack is high.
Comment 7 Tony Jones 2022-05-10 15:02:02 UTC
Sorry my bad.
Comment 8 Carlos López 2022-06-09 09:52:09 UTC
Done, closing.