Bugzilla – Bug 1132374
VUL-1: CVE-2019-11191: kernel-source: Linux kernel < 4.8 local generic ASLR bypass for setuid binaries
Last modified: 2020-06-26 13:43:47 UTC
CVE-2019-11191 The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11191 https://www.openwall.com/lists/oss-security/2019/04/03/4/1 https://www.openwall.com/lists/oss-security/2019/04/03/4 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11191 https://bugs.chromium.org/p/project-zero/issues/detail?id=807
This has a sibling CVE / bug 1132472
I have got a bit confused by the link https://bugs.chromium.org/p/project-zero/issues/detail?id=807 It is actually related to CVE-2019-3901. It is just another variant of the race between install_exec_creds() and ptrace_may_access() in perf code. I am unable to find any fix related to aout binary format loader and /proc/pid/stat reading. It would be possible to slightly reduce the race window by moving install_exec_creds() up in load_aout_binary(). But the effect would be much smaller than in load_elf_binary (CVE-2019-11190, bug#1132472) because it is already called pretty early. The full fix does not exist and it can't be done easily, see Jan Horn's comment in the bug #1132472. I suggest to close this bug as wontfix because: + moving install_exec_creds() does not help much in this case + aout format is a relict. There are hardly any users. If there are any they probably will not be setuid. IMHO, it is not worth the effort.
Based on the comment #7, closing as wontfix.
SUSE-SU-2019:1533-1: An update that solves 9 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1104367,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586 CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.74-60.64.115.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1527-1: An update that solves 14 vulnerabilities and has 81 fixes is now available. Category: security (important) Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120885,1120902,1122776,1125580,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131543,1131565,1132212,1132374,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136446,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,1137739,1137752,843419 CVE References: CVE-2013-4343,CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489 Sources used: SUSE Linux Enterprise Server 12-SP3 (src): kernel-azure-4.4.180-4.31.1, kernel-source-azure-4.4.180-4.31.1, kernel-syms-azure-4.4.180-4.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1534-1: An update that solves 12 vulnerabilities and has 8 fixes is now available. Category: security (important) Bug References: 1099658,1106284,1110785,1113769,1120843,1120885,1131543,1131565,1132374,1132472,1134537,1134596,1134848,1135281,1135603,1136424,1136446,1136586,1136935,1137586 CVE References: CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489 Sources used: SUSE OpenStack Cloud 7 (src): kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1 SUSE Linux Enterprise High Availability 12-SP2 (src): kernel-default-4.4.121-92.114.1 SUSE Enterprise Storage 4 (src): kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1 OpenStack Cloud Magnum Orchestration 7 (src): kernel-default-4.4.121-92.114.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1570-1: An update that solves 15 vulnerabilities and has 62 fixes is now available. Category: security (important) Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108838,1109137,1112178,1117562,1119086,1120642,1120843,1120902,1125580,1126356,1127155,1128052,1129770,1131107,1131543,1131565,1132374,1132472,1133190,1133874,1134338,1134806,1134813,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136598,1136623,1136810,1136922,1136935,1136990,1136993,1137142,1137162,1137586,1137739,1137752,1137915,1138291,1138293,1138374 CVE References: CVE-2018-7191,CVE-2019-11190,CVE-2019-11191,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11487,CVE-2019-11833,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12818,CVE-2019-12819,CVE-2019-3846,CVE-2019-5489 Sources used: openSUSE Leap 42.3 (src): kernel-debug-4.4.180-102.1, kernel-default-4.4.180-102.1, kernel-docs-4.4.180-102.1, kernel-obs-build-4.4.180-102.1, kernel-obs-qa-4.4.180-102.1, kernel-source-4.4.180-102.1, kernel-syms-4.4.180-102.1, kernel-vanilla-4.4.180-102.1
SUSE-SU-2019:14089-1: An update that solves 9 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 1110785,1113769,1119314,1120326,1120843,1120885,1131295,1131543,1132374,1132472,1132580,1133188,1134102,1134729,1134848,1137586,923908,939260 CVE References: CVE-2014-9710,CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11884,CVE-2019-5489 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-source-3.0.101-108.95.1, kernel-syms-3.0.101-108.95.1, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2 SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1692-1: An update that solves 9 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1090078,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586 CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): kernel-default-3.12.61-52.154.1, kernel-source-3.12.61-52.154.1, kernel-syms-3.12.61-52.154.1, kernel-xen-3.12.61-52.154.1, kgraft-patch-SLE12_Update_40-1-1.5.1 SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.61-52.154.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.