Bug 1157300 – VUL-1: DISPUTED: CVE-2019-19064: kernel-source: A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c

Bug 1157300 - (CVE-2019-19064) VUL-1: DISPUTED: CVE-2019-19064: kernel-source: A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c

(CVE-2019-19064)
Summary:	VUL-1: DISPUTED: CVE-2019-19064: kernel-source: A memory leak in the fsl_lpsp...

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/247502/
Whiteboard:	CVSSv3.1:NVD:CVE-2019-19064:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-11-20 10:43 UTC by Wolfgang Frisch
Modified:	2022-12-23 11:43 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2019-11-20 10:43:45 UTC

CVE-2019-19064

A memory leak in the fsl_lpspi_probe() function in drivers/spi/spi-fsl-lpspi.c
in the Linux kernel through 5.3.11 allows attackers to cause a denial of service
(memory consumption) by triggering pm_runtime_get_sync() failures, aka
CID-057b8945f78f.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19064
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19064.html
https://github.com/torvalds/linux/commit/057b8945f78f76d0b04eeb5c27cd9225e5e7ad86
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19064

Comment 2 Takashi Iwai 2019-11-20 11:30:51 UTC

Will backport once when the fix is merged to Linus tree.

Another candidate for dispute: a once-off leak at the driver probe time for an error condition that is hard to trigger at will (the clock enablement fails at runtime resume of the given clk).

Comment 3 Wolfgang Frisch 2019-11-20 14:28:49 UTC

(In reply to Takashi Iwai from comment #2)
> Another candidate for dispute: a once-off leak at the driver probe time for
> an error condition that is hard to trigger at will (the clock enablement
> fails at runtime resume of the given clk).

I requested CVE rejection from Mitre.

Comment 4 Takashi Iwai 2019-11-26 10:13:54 UTC

The relevant code is found in only SLE15-SP2 branch, and the fix is backported now.

Reassigned back to security team.

Comment 5 Alexandros Toptsoglou 2020-05-12 14:13:03 UTC

Closing as DISPUTED