Bug 1132374 - (CVE-2019-11191) VUL-1: CVE-2019-11191: kernel-source: Linux kernel < 4.8 local generic ASLR bypass for setuid binaries
(CVE-2019-11191)
VUL-1: CVE-2019-11191: kernel-source: Linux kernel < 4.8 local generic ASLR b...
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Michal Hocko
Security Team bot
https://smash.suse.de/issue/229542/
CVSSv3:SUSE:CVE-2019-11191:3.3:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-12 14:41 UTC by Marcus Meissner
Modified: 2020-06-26 13:43 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-04-12 14:41:08 UTC
CVE-2019-11191

The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout
is loaded, allows local users to bypass ASLR on setuid a.out programs (if any
exist) because install_exec_creds() is called too late in load_aout_binary() in
fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition
when reading /proc/pid/stat.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11191
https://www.openwall.com/lists/oss-security/2019/04/03/4/1
https://www.openwall.com/lists/oss-security/2019/04/03/4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11191
https://bugs.chromium.org/p/project-zero/issues/detail?id=807
Comment 4 Marcus Meissner 2019-04-15 05:17:14 UTC
This has a sibling CVE / bug 1132472
Comment 7 Petr Mladek 2019-05-16 13:03:44 UTC
I have got a bit confused by the link
https://bugs.chromium.org/p/project-zero/issues/detail?id=807
It is actually related to CVE-2019-3901. It is just another variant of the race between install_exec_creds() and ptrace_may_access() in perf code.

I am unable to find any fix related to aout binary format loader and /proc/pid/stat reading.

It would be possible to slightly reduce the race window by moving install_exec_creds() up in load_aout_binary(). But the effect would be much smaller than in load_elf_binary (CVE-2019-11190, bug#1132472) because it is already called pretty early.

The full fix does not exist and it can't be done easily, see Jan Horn's comment in the bug #1132472.

I suggest to close this bug as wontfix because:

   + moving install_exec_creds() does not help much in this case

   + aout format is a relict. There are hardly any users. If there are
     any they probably will not be setuid.

IMHO, it is not worth the effort.
Comment 8 Petr Mladek 2019-05-17 13:07:22 UTC
Based on the comment #7, closing as wontfix.
Comment 9 Swamp Workflow Management 2019-06-18 00:02:25 UTC
SUSE-SU-2019:1533-1: An update that solves 9 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1104367,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586
CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.115.1, kernel-source-3.12.74-60.64.115.1, kernel-syms-3.12.74-60.64.115.1, kernel-xen-3.12.74-60.64.115.1, kgraft-patch-SLE12-SP1_Update_34-1-2.5.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.115.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-06-18 00:21:48 UTC
SUSE-SU-2019:1527-1: An update that solves 14 vulnerabilities and has 81 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108293,1108838,1110785,1110946,1112063,1112178,1116803,1117562,1119086,1120642,1120843,1120885,1120902,1122776,1125580,1126040,1126356,1128052,1129138,1129770,1130972,1131107,1131488,1131543,1131565,1132212,1132374,1132472,1133188,1133874,1134160,1134162,1134338,1134537,1134564,1134565,1134566,1134651,1134760,1134806,1134813,1134848,1135013,1135014,1135015,1135100,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136446,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136623,1136810,1136935,1136990,1137142,1137162,1137586,1137739,1137752,843419
CVE References: CVE-2013-4343,CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-azure-4.4.180-4.31.1, kernel-source-azure-4.4.180-4.31.1, kernel-syms-azure-4.4.180-4.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-06-18 00:50:28 UTC
SUSE-SU-2019:1534-1: An update that solves 12 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1099658,1106284,1110785,1113769,1120843,1120885,1131543,1131565,1132374,1132472,1134537,1134596,1134848,1135281,1135603,1136424,1136446,1136586,1136935,1137586
CVE References: CVE-2018-17972,CVE-2018-7191,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12382,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.114.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.114.1, kernel-source-4.4.121-92.114.1, kernel-syms-4.4.121-92.114.1, kgraft-patch-SLE12-SP2_Update_30-1-3.5.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.114.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-06-18 13:19:02 UTC
openSUSE-SU-2019:1570-1: An update that solves 15 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1019695,1019696,1022604,1053043,1063638,1065600,1066223,1085535,1085539,1090888,1099658,1100132,1106110,1106284,1106929,1108838,1109137,1112178,1117562,1119086,1120642,1120843,1120902,1125580,1126356,1127155,1128052,1129770,1131107,1131543,1131565,1132374,1132472,1133190,1133874,1134338,1134806,1134813,1135120,1135281,1135603,1135642,1135661,1135878,1136424,1136438,1136448,1136449,1136451,1136452,1136455,1136458,1136539,1136573,1136575,1136586,1136590,1136598,1136623,1136810,1136922,1136935,1136990,1136993,1137142,1137162,1137586,1137739,1137752,1137915,1138291,1138293,1138374
CVE References: CVE-2018-7191,CVE-2019-11190,CVE-2019-11191,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11487,CVE-2019-11833,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12818,CVE-2019-12819,CVE-2019-3846,CVE-2019-5489
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.180-102.1, kernel-default-4.4.180-102.1, kernel-docs-4.4.180-102.1, kernel-obs-build-4.4.180-102.1, kernel-obs-qa-4.4.180-102.1, kernel-source-4.4.180-102.1, kernel-syms-4.4.180-102.1, kernel-vanilla-4.4.180-102.1
Comment 13 Swamp Workflow Management 2019-06-18 16:46:12 UTC
SUSE-SU-2019:14089-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1110785,1113769,1119314,1120326,1120843,1120885,1131295,1131543,1132374,1132472,1132580,1133188,1134102,1134729,1134848,1137586,923908,939260
CVE References: CVE-2014-9710,CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11884,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-source-3.0.101-108.95.1, kernel-syms-3.0.101-108.95.1, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-06-24 22:12:23 UTC
SUSE-SU-2019:1692-1: An update that solves 9 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1090078,1110785,1113769,1120843,1120885,1125580,1125931,1131543,1131587,1132374,1132472,1134848,1135281,1136424,1136446,1137586
CVE References: CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11833,CVE-2019-11884,CVE-2019-3846,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.154.1, kernel-source-3.12.61-52.154.1, kernel-syms-3.12.61-52.154.1, kernel-xen-3.12.61-52.154.1, kgraft-patch-SLE12_Update_40-1-1.5.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.154.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.