Bug 1152516 (CVE-2019-16921)

Summary: VUL-0: CVE-2019-16921: kernel-source: missing initialization of resp data structure in hns_roce_alloc_ucontext in drivers/infiniband/hw/hns/hns_roce_main.c
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: E-mail List <kernel-maintainers>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: abergmann, carnil, smash_bz
Version: unspecifiedFlags: carnil: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/243467/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2019-09-30 12:47:05 UTC 
CVE-2019-16921

In the Linux kernel before 4.17, hns_roce_alloc_ucontext in
drivers/infiniband/hw/hns/hns_roce_main.c does not initialize the resp data
structure, which might allow attackers to obtain sensitive information from
kernel stack memory, aka CID-df7e40425813.

Already fixed in SLE and openSUSE:
https://github.com/openSUSE/kernel/commit/72be029e947510dd6cbbbaf51879622af26e4200

The original SUSE bug is bsc#1104427.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16921
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16921.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16921
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df7e40425813c50cd252e6f5e348a81ef1acae56
https://github.com/torvalds/linux/commit/df7e40425813c50cd252e6f5e348a81ef1acae56
Comment 1 Alexander Bergmann 2019-09-30 12:47:27 UTC 
Closing as fixed.
Comment 2 Salvatore Bonaccorso 2019-10-05 19:27:47 UTC 
Hi,

Alexander, possible to open up the original issue? I'm trying to understand more the context on the CVE-2019-16921 assignment.

Unless I miss something, the fixing commit is df7e40425813c50cd252e6f5e348a81ef1acae56 upstream which is in v4.17-rc1. Though it fixes an issue introduced by e088a685eae9 ("RDMA/hns: Support rq record doorbell for the user space") which is as well just in 4.17-rc1.

Is the assignnement due to SUSE possibly having backported the later commit to SUSE provided kernels? Because e088a685eae9 as such did not land in any other stable versions.

Regards,
Salvatore