Bugzilla – Bug 1171452
VUL-1: CVE-2019-20795: iproute2: use-after-free in get_netnsid_from_name in ip/ipnetns.c
Last modified: 2023-06-27 07:01:17 UTC
CVE-2019-20795: iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20795
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20795.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20795
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=9bf2c538a0eb10d66e2365a655bf6c52f5ba3d10
The issue was introduced with the commit at [1] in version 4.15. This commit was backported to version 4.12 and thus SLE12-SP4, SLE12-SP5, SLE15 and SLE15-SP1 are affected. SLE15-SP2 and Factory ship an already fixed version.

Follow these steps to reproduce:

  # ip netns add net1
  # export MALLOC_MMAP_THRESHOLD_=0
  # ip netns list

then "Segmentation fault (core dumped)" will occur.

OUTPUT:

==26320== Command: ip netns list
==26320==
==26320== Invalid read of size 4
==26320==    at 0x123312: get_netnsid_from_name (ipnetns.c:133)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Address 0x5a370c8 is 24 bytes inside a block of size 28 free'd
==26320==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x12330C: get_netnsid_from_name (ipnetns.c:132)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Block was alloc'd at
==26320==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x159153: rtnl_recvmsg (libnetlink.c:441)
==26320==    by 0x1592C1: __rtnl_talk (libnetlink.c:612)
==26320==    by 0x1232C9: get_netnsid_from_name (ipnetns.c:114)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==
==26320== Invalid read of size 4
==26320==    at 0x123312: get_netnsid_from_name (ipnetns.c:133)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Address 0x5a3f5d8 is 24 bytes inside a block of size 28 free'd
==26320==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x12330C: get_netnsid_from_name (ipnetns.c:132)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Block was alloc'd at
==26320==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x159153: rtnl_recvmsg (libnetlink.c:441)
==26320==    by 0x1592C1: __rtnl_talk (libnetlink.c:612)
==26320==    by 0x1232C9: get_netnsid_from_name (ipnetns.c:114)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)

[1] https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c
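The valgrind report above shows the bug's shape: the reply buffer that __rtnl_talk malloc'd is free'd at ipnetns.c:132 and a 4-byte field is read from it at ipnetns.c:133. The following is an added illustration of that ordering defect and its fix; it is not iproute2 code and does not use iproute2's real struct layout. Everything here (struct fake_reply, fake_talk, get_id_buggy, get_id_fixed) is a constructed stand-in for a "talk" helper that hands the caller a malloc'd answer. It also explains why the repro sets MALLOC_MMAP_THRESHOLD_=0: with that setting glibc serves allocations with mmap and free() unmaps the page, so the stale read becomes a deterministic SIGSEGV instead of silently returning whatever the allocator left behind.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for a netlink reply: a small header followed by one
 * 32-bit payload value. Hypothetical layout, not iproute2's. */
struct fake_reply {
	uint32_t len;    /* total message length */
	uint16_t type;   /* message type */
	uint16_t flags;
	int32_t  nsid;   /* the value the caller actually wants */
};

/* Simulates a "talk" helper that allocates the reply at run time and hands
 * ownership to the caller, which must free it. Hypothetical helper. */
static struct fake_reply *fake_talk(int32_t wanted_nsid)
{
	struct fake_reply *r = malloc(sizeof *r);
	if (!r)
		return -1 == 0 ? NULL : NULL;
	r->len = sizeof *r;
	r->type = 1;
	r->flags = 0;
	r->nsid = wanted_nsid;
	return r;
}

/* BUGGY ordering: free the answer, then read a field from it. This is the
 * defect class the report describes (free at line N, read at line N+1).
 * It is undefined behaviour: valgrind flags it as "Invalid read ... inside a
 * block ... free'd", ASan reports heap-use-after-free, and with
 * MALLOC_MMAP_THRESHOLD_=0 the unmapped page turns it into a crash.
 * Only reached when the program is run with the argument "buggy". */
static int32_t get_id_buggy(int32_t wanted_nsid)
{
	struct fake_reply *answer = fake_talk(wanted_nsid);
	if (!answer)
		return -1;
	free(answer);
	return answer->nsid;   /* use-after-free */
}

/* FIXED ordering: copy what is needed out of the buffer, then free it. */
static int32_t get_id_fixed(int32_t wanted_nsid)
{
	struct fake_reply *answer = fake_talk(wanted_nsid);
	int32_t id;
	if (!answer)
		return -1;
	id = answer->nsid;     /* read first ... */
	free(answer);          /* ... release afterwards */
	return id;
}

int main(int argc, char **argv)
{
	/* Default path runs only the corrected code. Pass "buggy" to see the
	 * defect under valgrind or -fsanitize=address. */
	if (argc > 1 && strcmp(argv[1], "buggy") == 0)
		printf("buggy: %d\n", (int)get_id_buggy(42));
	else
		printf("fixed: %d\n", (int)get_id_fixed(42));
	return 0;
}
```

Build with `cc -g -fsanitize=address` and run with the `buggy` argument to get the same kind of free/read stack pair as the valgrind output in the report; the fixed variant is clean under both tools.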
Agreed. Offending commit was backported to branches based on 4.12 and no older ones. I'm a bit doubtful about the security aspect but it's definitely a bug which should be fixed. One question: https://smelt.suse.de/maintained/ shows SUSE:SLE-15:Update under "disabled". Is it only because SLE15 is under LTSS (not regular) maintenance or does it mean there should be no update for SLE15?
Forgot to set NEEDINFO.
(In reply to Michal Kubeček from comment #2)
> Agreed. Offending commit was backported to branches based on 4.12 and no
> older ones. I'm a bit doubtful about the security aspect but it's definitely
> a bug which should be fixed.
>
> One question: https://smelt.suse.de/maintained/ shows SUSE:SLE-15:Update
> under "disabled". Is it only because SLE15 is under LTSS (not regular)
> maintenance or does it mean there should be no update for SLE15?

Hi Michal, it means that SLE15 is under LTSS. So we accept submissions for it.
Thank you. I'll prepare updates for all four 4.12 based packages (SLE12-SP4/5 and SLE15/SLE15-SP1).
umm, any news?
Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you please submit the patch there as well?
(In reply to Gianluca Gabrielli from comment #10)
> Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you
> please submit the patch there as well?

I don't think that's correct. The statement freeing a buffer before reading the return value from it was added in upstream version 4.15 by commit 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff at run time"), which is also what the Fixes tag refers to. SLE12-SP2 and SLE12-SP3 iproute2 packages are based on version 4.4 and the offending commit was not backported there.
(In reply to Michal Kubeček from comment #11)
> (In reply to Gianluca Gabrielli from comment #10)
> > Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you
> > please submit the patch there as well?
>
> I don't think that's correct. The statement freeing a buffer before reading
> return value from it was added in upstream version 4.15 by commit
> 86bf43c7c2fd ("lib/libnetlink: update rtnl_talk to support malloc buff at
> run time") which is also what Fixes tag refers to. SLE12-SP2 and SLE12-SP3
> iproute2 packages are based on version 4.4 and the offending commit was not
> backported there.

Thanks for the update, I'm adjusting our tracking system accordingly.
SUSE-SU-2021:3452-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1085669, 1171452
CVE References: CVE-2019-20795
JIRA References:
Sources used:
  SUSE Linux Enterprise Software Development Kit 12-SP5 (src): iproute2-4.12-16.6.1
  SUSE Linux Enterprise Server 12-SP5 (src): iproute2-4.12-16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.