Bug 1133106 - (CVE-2019-3901) VUL-1: CVE-2019-3901: kernel-source: race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/230005/
Whiteboard: CVSSv3:SUSE:CVE-2019-3901:3.3:(AV:L/A...
Reported: 2019-04-23 12:41 UTC by Marcus Meissner
Modified: 2022-06-09 09:52 UTC (History)

Found By: Security Response Team
Description Marcus Meissner 2019-04-23 12:41:58 UTC

A race condition in perf_event_open() allows local attackers to leak sensitive
data from setuid programs. As no relevant locks (in particular the
cred_guard_mutex) are held during the ptrace_may_access() call, it is possible
for the specified target task to perform an execve() syscall with setuid
execution before perf_event_alloc() actually attaches to it, allowing an
attacker to bypass the ptrace_may_access() check and the
perf_event_exit_task(current) call that is performed in install_exec_creds()
during privileged execve() calls. This issue affects kernel versions before 4.8.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3901
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3901
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3901.html
http://www.cvedetails.com/cve/CVE-2019-3901/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3901
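As an added illustration, not code from the bug report or from the kernel: a single-threaded C model of the interleaving the description above walks through, with the vulnerable ordering beside the fixed one. The task_t, may_access(), do_execve_setuid(), open_event_racy() and open_event_fixed() names are hypothetical stand-ins for task_struct, ptrace_may_access(), install_exec_creds()/perf_event_exit_task() and the attach done by perf_event_alloc(); the 'race' callback marks the point where the target's setuid execve() is assumed to run.

```c
#include <stdbool.h>
/* Hypothetical target task; stands in for the task_struct fields involved. */
typedef struct {
    int euid;              /* effective uid after the most recent execve() */
    bool cred_guard_held;  /* models signal->cred_guard_mutex */
    bool perf_attached;    /* an unprivileged opener's event is attached */
} task_t;
enum { UNPRIV_UID = 1000 };
typedef bool (*exec_fn)(task_t *);

/* Models ptrace_may_access(): unprivileged openers may attach only to tasks
 * currently running with their own uid. */
static bool may_access(const task_t *t, int opener_uid) { return t->euid == opener_uid; }

/* Models a setuid execve(): install_exec_creds() installs the new creds and
 * perf_event_exit_task() drops events already attached. It cannot run while
 * cred_guard_mutex is held and returns false when it has to wait. */
static bool do_execve_setuid(task_t *t) {
    if (t->cred_guard_held) return false;
    t->euid = 0;
    t->perf_attached = false;
    return true;
}

/* Pre-4.8 ordering: the access check runs with no lock, so the target can exec
 * between the check and perf_event_alloc()'s attach, which never re-checks. */
static bool open_event_racy(task_t *t, int opener_uid, exec_fn race) {
    if (!may_access(t, opener_uid)) return false;
    if (race) race(t);               /* target execs a setuid binary here */
    t->perf_attached = true;         /* attach to a now-privileged task */
    return true;
}

/* Fixed ordering (commit 79c9ce57eb2d): cred_guard_mutex is held across the
 * check and the attach, so an execve() arriving in between waits until the
 * attach is done, and its perf_event_exit_task() then drops the event. */
static bool open_event_fixed(task_t *t, int opener_uid, exec_fn race) {
    bool pending = false;
    t->cred_guard_held = true;
    bool ok = may_access(t, opener_uid);
    if (ok) {
        if (race) pending = !race(t);   /* exec blocks on the mutex */
        t->perf_attached = true;
    }
    t->cred_guard_held = false;
    if (pending) race(t);               /* exec proceeds after the unlock */
    return ok;
}

/* True if an unprivileged opener ends up attached to a now-privileged task. */
static bool leaks(bool (*open)(task_t *, int, exec_fn)) {
    task_t t = { UNPRIV_UID, false, false };
    open(&t, UNPRIV_UID, do_execve_setuid);
    return t.euid == 0 && t.perf_attached;
}
```

The model only covers the ordering where the exec lands between check and attach; if the exec completes first, may_access() fails in both versions, which is the other half of why the lock makes the check sound.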
Comment 2 Tony Jones 2019-09-11 23:10:13 UTC
(In reply to Marcus Meissner from comment #1)
> 
> https://bugs.chromium.org/p/project-zero/issues/detail?id=807
> 
> https://seclists.org/oss-sec/2019/q2/9
> 
> An upstream patch:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> commit?id=79c9ce57eb2d5f1497546a3946b4ae21b6fdc438

This bug is 2019, the above patch is from 2016.
Comment 3 Tony Jones 2019-10-02 23:31:24 UTC
Claimed fix: 79c9ce57eb2d5f1497546a3946b4ae21b6fdc438 tags/v4.6-rc6~10^2~2

Already in cve/linux-4.4 via stable (patches.kernel.org/patch-4.4.11-12)

Will check prior branches but difficulty of attack is high.
Comment 7 Tony Jones 2022-05-10 15:02:02 UTC
Sorry my bad.
Comment 8 Carlos López 2022-06-09 09:52:09 UTC
Done, closing.