Bug 1150469 (CVE-2019-16229)

Summary: VUL-1: CVE-2019-16229: kernel-source: NULL pointer dereference in alloc_workqueue in drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: E-mail List <kernel-maintainers>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: bpetkov, meissner, mhocko, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/242226/
Whiteboard: CVSSv3:SUSE:CVE-2019-16229:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2019-09-12 07:58:41 UTC
CVE-2019-16229

drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not
check the alloc_workqueue return value, leading to a NULL pointer dereference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16229
https://lkml.org/lkml/2019/9/9/487
Comment 1 Michal Hocko 2019-09-12 09:37:36 UTC
I can see a flood of CVEs like this one and I again feel this is a CVE process abuse. Let's see what the potentially failing allocation is:
tbl_size = nr_node_ids * sizeof(wq->numa_pwq_tbl[0]);
kzalloc(sizeof(*wq) + tbl_size, GFP_KERNEL);

wq is 320B, pool_workqueue is 256B; take nr_node_ids something real, say less than 100, and we are still under 4KB. The memory allocator simply doesn't fail those allocations unless there are very special conditions - e.g. the caller is an OOM victim. I am really skeptical that an initialization call is called in such a context.

That being said, adding a check for the failure makes sense, but assigning a CVE and making it a big deal is just dubious to say the least.
Comment 2 Borislav Petkov 2019-09-13 12:57:30 UTC
I agree. Marcus, can we kill those CVEs?
Comment 3 Marcus Meissner 2019-10-10 05:56:43 UTC
I filed a rejection request with Mitre. This might take a while.
Comment 4 Marcus Meissner 2019-10-11 07:07:17 UTC
Now marked as disputed.