In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
Weakness
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux_kernel | Linux | 4.10 (including) | 4.14.103 (excluding) |
| Linux_kernel | Linux | 4.19 (including) | 4.19.25 (excluding) |
| Linux_kernel | Linux | 4.20 (including) | 4.20.12 (excluding) |
| Linux_kernel | Linux | 5.0-rc1 (including) | 5.0-rc1 (including) |
| Linux_kernel | Linux | 5.0-rc2 (including) | 5.0-rc2 (including) |
| Linux_kernel | Linux | 5.0-rc3 (including) | 5.0-rc3 (including) |
| Linux_kernel | Linux | 5.0-rc4 (including) | 5.0-rc4 (including) |
| Linux_kernel | Linux | 5.0-rc5 (including) | 5.0-rc5 (including) |
| Linux_kernel | Linux | 5.0-rc6 (including) | 5.0-rc6 (including) |
| Linux_kernel | Linux | 5.0-rc7 (including) | 5.0-rc7 (including) |
| Linux_kernel | Linux | 5.0-rc8 (including) | 5.0-rc8 (including) |
| Red Hat Enterprise Linux 7 | RedHat | kernel-alt-0:4.14.0-115.17.1.el7a | * |
| Linux | Ubuntu | bionic | * |
| Linux | Ubuntu | cosmic | * |
| Linux | Ubuntu | esm-infra/bionic | * |
| Linux | Ubuntu | upstream | * |
| Linux-aws | Ubuntu | bionic | * |
| Linux-aws | Ubuntu | cosmic | * |
| Linux-aws | Ubuntu | esm-infra/bionic | * |
| Linux-aws | Ubuntu | upstream | * |
| Linux-aws-hwe | Ubuntu | esm-infra/xenial | * |
| Linux-aws-hwe | Ubuntu | upstream | * |
| Linux-aws-hwe | Ubuntu | xenial | * |
| Linux-azure | Ubuntu | bionic | * |
| Linux-azure | Ubuntu | cosmic | * |
| Linux-azure | Ubuntu | esm-infra-legacy/trusty | * |
| Linux-azure | Ubuntu | esm-infra/bionic | * |
| Linux-azure | Ubuntu | esm-infra/xenial | * |
| Linux-azure | Ubuntu | trusty | * |
| Linux-azure | Ubuntu | trusty/esm | * |
| Linux-azure | Ubuntu | upstream | * |
| Linux-azure | Ubuntu | xenial | * |
| Linux-azure-edge | Ubuntu | bionic | * |
| Linux-azure-edge | Ubuntu | esm-infra/bionic | * |
| Linux-azure-edge | Ubuntu | upstream | * |
| Linux-azure-edge | Ubuntu | xenial | * |
| Linux-euclid | Ubuntu | upstream | * |
| Linux-flo | Ubuntu | trusty | * |
| Linux-flo | Ubuntu | upstream | * |
| Linux-flo | Ubuntu | xenial | * |
| Linux-gcp | Ubuntu | bionic | * |
| Linux-gcp | Ubuntu | cosmic | * |
| Linux-gcp | Ubuntu | esm-infra/bionic | * |
| Linux-gcp | Ubuntu | esm-infra/xenial | * |
| Linux-gcp | Ubuntu | upstream | * |
| Linux-gcp | Ubuntu | xenial | * |
| Linux-gcp-edge | Ubuntu | bionic | * |
| Linux-gcp-edge | Ubuntu | esm-infra/bionic | * |
| Linux-gcp-edge | Ubuntu | upstream | * |
| Linux-gke | Ubuntu | upstream | * |
| Linux-gke | Ubuntu | xenial | * |
| Linux-goldfish | Ubuntu | trusty | * |
| Linux-goldfish | Ubuntu | upstream | * |
| Linux-goldfish | Ubuntu | xenial | * |
| Linux-grouper | Ubuntu | trusty | * |
| Linux-grouper | Ubuntu | upstream | * |
| Linux-hwe | Ubuntu | bionic | * |
| Linux-hwe | Ubuntu | esm-infra/bionic | * |
| Linux-hwe | Ubuntu | esm-infra/xenial | * |
| Linux-hwe | Ubuntu | upstream | * |
| Linux-hwe | Ubuntu | xenial | * |
| Linux-hwe-edge | Ubuntu | esm-infra/xenial | * |
| Linux-hwe-edge | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | xenial | * |
| Linux-kvm | Ubuntu | bionic | * |
| Linux-kvm | Ubuntu | cosmic | * |
| Linux-kvm | Ubuntu | esm-infra/bionic | * |
| Linux-kvm | Ubuntu | upstream | * |
| Linux-lts-trusty | Ubuntu | upstream | * |
| Linux-lts-utopic | Ubuntu | trusty | * |
| Linux-lts-utopic | Ubuntu | trusty/esm | * |
| Linux-lts-utopic | Ubuntu | upstream | * |
| Linux-lts-vivid | Ubuntu | trusty | * |
| Linux-lts-vivid | Ubuntu | trusty/esm | * |
| Linux-lts-vivid | Ubuntu | upstream | * |
| Linux-lts-wily | Ubuntu | trusty | * |
| Linux-lts-wily | Ubuntu | trusty/esm | * |
| Linux-lts-wily | Ubuntu | upstream | * |
| Linux-lts-xenial | Ubuntu | upstream | * |
| Linux-maguro | Ubuntu | trusty | * |
| Linux-maguro | Ubuntu | upstream | * |
| Linux-mako | Ubuntu | trusty | * |
| Linux-mako | Ubuntu | upstream | * |
| Linux-mako | Ubuntu | xenial | * |
| Linux-manta | Ubuntu | trusty | * |
| Linux-manta | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | bionic | * |
| Linux-oem | Ubuntu | cosmic | * |
| Linux-oem | Ubuntu | esm-infra/bionic | * |
| Linux-oem | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | xenial | * |
| Linux-oracle | Ubuntu | bionic | * |
| Linux-oracle | Ubuntu | cosmic | * |
| Linux-oracle | Ubuntu | esm-infra/bionic | * |
| Linux-oracle | Ubuntu | esm-infra/xenial | * |
| Linux-oracle | Ubuntu | upstream | * |
| Linux-oracle | Ubuntu | xenial | * |
| Linux-raspi2 | Ubuntu | bionic | * |
| Linux-raspi2 | Ubuntu | cosmic | * |
| Linux-raspi2 | Ubuntu | upstream | * |
| Linux-snapdragon | Ubuntu | upstream | * |
Potential Mitigations
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html
- http://patchwork.ozlabs.org/patch/1042902/
- http://www.securityfocus.com/bid/107063
- https://access.redhat.com/errata/RHSA-2020:0174
- https://usn.ubuntu.com/3930-1/
- https://usn.ubuntu.com/3930-2/
- https://usn.ubuntu.com/3931-1/
- https://usn.ubuntu.com/3931-2/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-8912
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html
- http://patchwork.ozlabs.org/patch/1042902/
- http://www.securityfocus.com/bid/107063
- https://access.redhat.com/errata/RHSA-2020:0174
- https://usn.ubuntu.com/3930-1/
- https://usn.ubuntu.com/3930-2/
- https://usn.ubuntu.com/3931-1/
- https://usn.ubuntu.com/3931-2/