Bug 1150469 - (CVE-2019-16229) VUL-1: CVE-2019-16229: kernel-source: NULL pointer dereference in alloc_workqueue in drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/242226/
CVSSv3:SUSE:CVE-2019-16229:4.0:(AV:L/...
Reported: 2019-09-12 07:58 UTC by Alexander Bergmann
Modified: 2020-06-29 14:50 UTC
Found By: Security Response Team
Description Alexander Bergmann 2019-09-12 07:58:41 UTC
CVE-2019-16229

drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not
check the alloc_workqueue return value, leading to a NULL pointer dereference.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16229
https://lkml.org/lkml/2019/9/9/487
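
The unchecked-return pattern reported in the description, modelled in userspace next to a checked version. This is an added example, not part of the original report and not the kernel's code; the structs, the function names, the fault-injection switch and the earlier FIFO allocation are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins, constructed for this example; not the kernel API. */
struct workqueue { int pending; };
struct device_ctx { int *fifo; struct workqueue *ih_wq; };
static int fail_next_alloc;   /* fault-injection switch for the model allocator */

static struct workqueue *model_alloc_workqueue(void)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return calloc(1, sizeof(struct workqueue));
}

/* Reported pattern: the return value is stored without being checked. */
static int interrupt_init_unchecked(struct device_ctx *d)
{
    d->fifo = calloc(64, sizeof(int));
    if (!d->fifo) return -ENOMEM;
    d->ih_wq = model_alloc_workqueue();   /* may be NULL */
    return 0;                             /* success reported regardless */
}

/* Checked form: test the pointer, unwind the earlier allocation, fail. */
static int interrupt_init_checked(struct device_ctx *d)
{
    d->fifo = calloc(64, sizeof(int));
    if (!d->fifo) return -ENOMEM;
    d->ih_wq = model_alloc_workqueue();
    if (!d->ih_wq) {
        free(d->fifo);
        d->fifo = NULL;
        return -ENOMEM;
    }
    return 0;
}

int main(void)
{
    struct device_ctx a = {0}, b = {0};
    fail_next_alloc = 1;
    int unchecked = interrupt_init_unchecked(&a);   /* 0, with a.ih_wq == NULL */
    fail_next_alloc = 1;
    int checked = interrupt_init_checked(&b);       /* -ENOMEM, nothing leaked */
    printf("unchecked=%d wq=%p checked=%d\n", unchecked, (void *)a.ih_wq, checked);
    free(a.fifo);
    return 0;
}
```

Injecting the allocation failure is what makes the error path testable at all, since the small allocation involved does not fail under normal conditions.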
Comment 1 Michal Hocko 2019-09-12 09:37:36 UTC
I can see a flood of CVEs like this one and I again feel this is a CVE process abuse. Let's see what the potentially failing allocation is:
tbl_size = nr_node_ids * sizeof(wq->numa_pwq_tbl[0]);
kzalloc(sizeof(*wq) + tbl_size, GFP_KERNEL);

wq is 320B, pool_workqueue is 256B, take nr_node_ids something real, say less than 100 and we are still under 4KB. The memory allocator simply doesn't fail those allocations unless there are very special conditions - e.g. the caller is an OOM victim. I am really skeptical that an initialization call is called in such a context.

That being said, adding a check for the failure makes sense but assigning a CVE and making it a big deal is just dubious to say the least.
Comment 2 Borislav Petkov 2019-09-13 12:57:30 UTC
I agree. Marcus, can we kill those CVEs?
Comment 3 Marcus Meissner 2019-10-10 05:56:43 UTC
I filed a rejection request with Mitre. This might take a while.
Comment 4 Marcus Meissner 2019-10-11 07:07:17 UTC
Now marked as disputed.