Bug 1171452 (CVE-2019-20795) - VUL-1: CVE-2019-20795: iproute2: use-after-free in get_netnsid_from_name in ip/ipnetns.c
Status: RESOLVED FIXED
Alias: CVE-2019-20795
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/259363/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-20795:4.4:(AV:...
Reported: 2020-05-11 11:06 UTC by Alexandros Toptsoglou
Modified: 2023-06-27 07:01 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Comment 1 Alexandros Toptsoglou 2020-05-11 11:11:38 UTC
The issue was introduced by the commit at [1] in version 4.15. This commit was backported to version 4.12, and thus SLE12-SP4/SP5, SLE15 and SLE15-SP1 are affected. SLE15-SP2 and Factory ship an already fixed version.

Follow these steps to reproduce:
 # ip netns add net1
 # export MALLOC_MMAP_THRESHOLD_=0
 # ip netns list
then a segmentation fault (core dumped) occurs.

OUTPUT: 

==26320== Command: ip netns list
==26320== 
==26320== Invalid read of size 4
==26320==    at 0x123312: get_netnsid_from_name (ipnetns.c:133)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Address 0x5a370c8 is 24 bytes inside a block of size 28 free'd
==26320==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x12330C: get_netnsid_from_name (ipnetns.c:132)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Block was alloc'd at
==26320==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x159153: rtnl_recvmsg (libnetlink.c:441)
==26320==    by 0x1592C1: __rtnl_talk (libnetlink.c:612)
==26320==    by 0x1232C9: get_netnsid_from_name (ipnetns.c:114)
==26320==    by 0x12423C: netns_map_init (ipnetns.c:233)
==26320==    by 0x124538: do_netns (ipnetns.c:785)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320== 
==26320== Invalid read of size 4
==26320==    at 0x123312: get_netnsid_from_name (ipnetns.c:133)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Address 0x5a3f5d8 is 24 bytes inside a block of size 28 free'd
==26320==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x12330C: get_netnsid_from_name (ipnetns.c:132)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)
==26320==  Block was alloc'd at
==26320==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26320==    by 0x159153: rtnl_recvmsg (libnetlink.c:441)
==26320==    by 0x1592C1: __rtnl_talk (libnetlink.c:612)
==26320==    by 0x1232C9: get_netnsid_from_name (ipnetns.c:114)
==26320==    by 0x123D87: netns_list.isra.0 (ipnetns.c:355)
==26320==    by 0x12453D: do_netns (ipnetns.c:786)
==26320==    by 0x1152AB: do_cmd (ip.c:115)
==26320==    by 0x114D44: main (ip.c:305)

[1] https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c
Comment 2 Michal Kubeček 2020-05-11 11:46:57 UTC
Agreed. Offending commit was backported to branches based on 4.12 and no older
ones. I'm a bit doubtful about the security aspect but it's definitely a bug
which should be fixed.

One question: https://smelt.suse.de/maintained/ shows SUSE:SLE-15:Update
under "disabled". Is it only because SLE15 is under LTSS (not regular)
maintenance or does it mean there should be no update for SLE15?
Comment 3 Michal Kubeček 2020-05-11 11:47:39 UTC
Forgot to set NEEDINFO.
Comment 4 Alexandros Toptsoglou 2020-05-11 12:07:06 UTC
(In reply to Michal Kubeček from comment #2)
> Agreed. Offending commit was backported to branches based on 4.12 and no
> older
> ones. I'm a bit doubtful about the security aspect but it's definitely a bug
> which should be fixed.
> 
> One question: https://smelt.suse.de/maintained/ shows SUSE:SLE-15:Update
> under "disabled". Is it only because SLE15 is under LTSS (not regular)
> maintenance or does it mean there should be no update for SLE15?

Hi Michal, 

it means that SLE15 is under LTSS. So we accept submissions for it.
Comment 5 Michal Kubeček 2020-05-11 12:18:56 UTC
Thank you. I'll prepare updates for all four 4.12 based packages (SLE12-SP4/5
and SLE15/SLE15-SP1).
Comment 6 Marcus Meissner 2021-08-06 14:56:23 UTC
umm, any news?
Comment 10 Gianluca Gabrielli 2021-10-05 07:08:54 UTC
Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you please submit the patch there as well?
Comment 11 Michal Kubeček 2021-10-05 08:22:02 UTC
(In reply to Gianluca Gabrielli from comment #10)
> Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you
> please submit the patch there as well?

I don't think that's correct. The statement freeing a buffer before reading the
return value from it was added in upstream version 4.15 by commit 86bf43c7c2fd
("lib/libnetlink: update rtnl_talk to support malloc buff at run time"), which
is also what the Fixes tag refers to. The SLE12-SP2 and SLE12-SP3 iproute2
packages are based on version 4.4 and the offending commit was not backported there.
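The ordering Michal describes here (free the reply, then read the return value out of it), which is what the valgrind trace in comment 1 reports at ipnetns.c:132-133, shown as an added C illustration that is not iproute2 code: rtnl_talk(), parse_rtattr() and the netlink attribute layout are replaced by constructed stand-ins (mock_rtnl_talk, parse_attrs, struct attr), and the vulnerable free-then-read getter sits beside the read-then-free shape of the upstream fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Netlink-style attribute: 4-byte header (len, type) followed by the payload. */
struct attr { uint16_t len, type; };
#define ATTR_NSID 1   /* stands in for NETNSA_NSID; also the highest type tracked */
/* Constructed stand-in for rtnl_talk(): the reply is malloc()ed (as rtnl_recvmsg()
 * does) and the caller owns the free(). It carries a single ATTR_NSID attribute. */
static void *mock_rtnl_talk(uint32_t nsid, size_t *len)
{
    struct attr *a = malloc(sizeof(*a) + sizeof(nsid));
    if (!a) return NULL;
    *len = a->len = sizeof(*a) + sizeof(nsid);
    a->type = ATTR_NSID;
    memcpy(a + 1, &nsid, sizeof(nsid));
    return a;
}
/* Like parse_rtattr(): tb[] holds a pointer INTO the reply, valid only while it lives. */
static void parse_attrs(const struct attr *tb[], const struct attr *a, size_t len)
{
    if (len >= sizeof(*a) && a->len >= sizeof(*a) && a->len <= len && a->type <= ATTR_NSID)
        tb[a->type] = a;
}
static uint32_t attr_u32(const struct attr *a) { uint32_t v; memcpy(&v, a + 1, 4); return v; }
/* Vulnerable shape of get_netnsid_from_name() (ipnetns.c:132-133 in the valgrind
 * trace): the reply is free()d, then the id is read through tb[]: use-after-free. */
int get_netnsid_vuln(uint32_t nsid)
{
    size_t len; void *answer = mock_rtnl_talk(nsid, &len);
    const struct attr *tb[ATTR_NSID + 1] = {0};
    if (!answer) return -1;
    parse_attrs(tb, answer, len);
    if (!tb[ATTR_NSID]) { free(answer); return -1; }
    free(answer);
    return (int)attr_u32(tb[ATTR_NSID]);   /* reads freed memory: the "Invalid read" */
}

/* Fixed shape: read the id while the buffer is alive, then free exactly once. */
int get_netnsid_fixed(uint32_t nsid)
{
    size_t len; void *answer = mock_rtnl_talk(nsid, &len);
    const struct attr *tb[ATTR_NSID + 1] = {0}; int ret = -1;
    if (!answer) return -1;
    parse_attrs(tb, answer, len);
    if (tb[ATTR_NSID]) ret = (int)attr_u32(tb[ATTR_NSID]);
    free(answer);
    return ret;
}
```

Calling get_netnsid_vuln from a small main under valgrind reproduces the "Invalid read of size 4" pattern quoted in comment 1, while get_netnsid_fixed stays clean.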
Comment 12 Gianluca Gabrielli 2021-10-05 08:32:15 UTC
(In reply to Michal Kubeček from comment #11)
> (In reply to Gianluca Gabrielli from comment #10)
> > Also SUSE:SLE-12-SP2:Update/iproute2 is flagged as affected, could you
> > please submit the patch there as well?
> 
> I don't think that's correct. The statement freeing a buffer before reading
> the return value from it was added in upstream version 4.15 by commit
> 86bf43c7c2fd
> ("lib/libnetlink: update rtnl_talk to support malloc buff at run time"), which
> is also what the Fixes tag refers to. The SLE12-SP2 and SLE12-SP3 iproute2
> packages are based on version 4.4 and the offending commit was not backported there.

Thanks for the update, I'm adjusting our tracking system accordingly.
Comment 16 Swamp Workflow Management 2021-10-18 13:17:43 UTC
SUSE-SU-2021:3452-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1085669,1171452
CVE References: CVE-2019-20795
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    iproute2-4.12-16.6.1
SUSE Linux Enterprise Server 12-SP5 (src):    iproute2-4.12-16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.