CVE-2019-9213
Published 2019-03-05
Priority P3 · 34 · medium · CVSS 3.1 base score 5.5
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploit available
EPSS: 5.67% (92.0th percentile)
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | linux | < linux 4.19.28-1 (bookworm) | linux 4.19.28-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.19.28-1 | 4.19.28-1 |
| linux | linux_kernel | >= 0 < 4.19.28-1 | 4.19.28-1 |
| linux | linux_kernel | >= 0 < 4.19.28-1 | 4.19.28-1 |
| linux | linux_kernel | >= 0 < 4.19.28-1 | 4.19.28-1 |
| linux | linux_kernel | >= 0 < 3.13.0-168.218 | 3.13.0-168.218 |
| linux | linux_kernel | >= 0 < 4.4.0-145.171 | 4.4.0-145.171 |
| linux | linux_kernel | >= 0 < 4.15.0-47.50 | 4.15.0-47.50 |
| linux | linux_kernel | >= 4.14 < 4.14.105 | 4.14.105 |
| linux | linux_kernel | >= 4.19 < 4.19.27 | 4.19.27 |
| linux | linux_kernel | >= 4.20 < 4.20.14 | 4.20.14 |
| linux | linux_kernel | >= 4.9 < 4.9.162 | 4.9.162 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_debian | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
GHSA
GHSA-4r7r-87cf-rc4r · ghsa_unreviewed · 2022-05-14 · CVE-2019-9213 [MEDIUM] · CWE-476
OSV
linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 vulnerabilities
osv · 2019-04-02 · CVE-2018-14678 [HIGH] · CVSS 7.8
M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not
properly set up all arguments to an error handler callback used when
running as a paravirtualized guest. An unprivileged attacker in a
paravirtualized guest VM could use this to cause a denial of service (guest
VM crash). (CVE-2018-14678)
It was discovered that the KVM implementation in the Linux kernel on ARM
64bit processors did not properly handle some ioctls. An attacker with the
privilege to create KVM-based virtual machines could use this to cause a
denial of service (host system crash) or execute arbitrary code in the
host. (CVE-2018-18021)
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Ad
OSV
linux-lts-xenial, linux-aws vulnerabilities
osv · 2019-04-02 · CVE-2017-18249 [HIGH] · CVSS 7.0
USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service. (CVE-2017-18249)
Wen Xu discovered that the f2fs file system implementation in the Linux
kernel did not properly validate metadata. An attacker could use this to
construct a malicious f2fs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100,
CVE-2018-14614, CVE-2018-14616)
Wen Xu and Po-Ning Tseng
OSV
linux-hwe, linux-azure vulnerabilities
osv · 2019-04-02 · CVE-2018-19824 [HIGH] · CVSS 7.8
USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2018-19824)
Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information
leak in the Bluetooth implementation of the Linux kernel. An attacker
within Bluetooth range could use this to expose sensitive information
(kernel memory). (CVE-2019-3459, CVE-2019-3460)
Jann Horn discovered that the KVM implementation in th
OSV
linux vulnerabilities
osv · 2019-04-02 · CVE-2017-1000410 [HIGH] · CVSS 7.5
It was discovered that an information leak vulnerability existed in the
Bluetooth implementation of the Linux kernel. An attacker within Bluetooth
range could possibly expose sensitive information (kernel memory).
(CVE-2017-1000410)
It was discovered that the USB serial device driver in the Linux kernel did
not properly validate baud rate settings when debugging is enabled. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-18360)
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2018-19824)
Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an infor
OSV
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv · 2019-04-02 · CVE-2017-18249 [HIGH] · CVSS 7.0
It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service. (CVE-2017-18249)
Wen Xu discovered that the f2fs file system implementation in the Linux
kernel did not properly validate metadata. An attacker could use this to
construct a malicious f2fs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100,
CVE-2018-14614, CVE-2018-14616)
Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation
in the Linux kernel did not properly validate metadata. An attacker could
use this to construct a malicious btrfs image that, when mo
OSV
linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities
osv · 2019-04-02 · [HIGH] · CVSS 7.8
USN-3931-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS.
M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not
properly set up all arguments to an error handler callback used when
running as a paravirtualized guest. An unprivileged attacker in a
paravirtualized guest VM could use this to cause a denial of service (guest
VM crash). (CVE-2018-14678)
It was discovered that the KVM implementation in the Linux kernel on ARM
64bit processors did not properly handle some ioctls. An attacker with
OSV
osv · 2019-03-05 · CVE-2019-9213 [MEDIUM] · CVSS 5.5
Ubuntu
Linux kernel (HWE) vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2018-14678 [HIGH] · CVSS 7.8
Summary: Several security issues were fixed in the Linux kernel.
USN-3931-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS.
M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not
properly set up all arguments to an error handler callback used when
running as a paravirtualized guest. An unprivileged attacker in a
paravirtualized guest VM could use this to cause a denial of service (guest
VM crash). (CVE-2018-14678)
It was discovered that the KVM implementation in the Linux kernel on ARM
64bit processors did not properly handle
Ubuntu
Linux kernel (HWE) vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2018-19824 [HIGH] · CVSS 7.8
Summary: Several security issues were fixed in the Linux kernel.
USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2018-19824)
Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information
leak in the Bluetooth implementation of the Linux kernel. An attacker
within Bluetooth range could use this to expose sensitive information
(kernel memory). (CVE-2019-3459, C
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2017-18249 [HIGH] · CVSS 7.0
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service. (CVE-2017-18249)
Wen Xu discovered that the f2fs file system implementation in the Linux
kernel did not properly validate metadata. An attacker could use this to
construct a malicious f2fs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100,
CVE-2018-14614, CVE-2018-14616)
Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation
in the Linux kernel did not properly validate metadata. An attacker could
use this to construct a malicious
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2018-14678 [HIGH] · CVSS 7.8
Summary: Several security issues were fixed in the Linux kernel.
M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not
properly set up all arguments to an error handler callback used when
running as a paravirtualized guest. An unprivileged attacker in a
paravirtualized guest VM could use this to cause a denial of service (guest
VM crash). (CVE-2018-14678)
It was discovered that the KVM implementation in the Linux kernel on ARM
64bit processors did not properly handle some ioctls. An attacker with the
privilege to create KVM-based virtual machines could use this to cause a
denial of service (host system crash) or execute arbitrary code in the
host. (CVE-2018-18021)
Mathias Payer and Hui Peng discovered a use-after-free vulnerability i
Ubuntu
Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2017-1000410 [HIGH] · CVSS 7.5
Summary: Several security issues were fixed in the Linux kernel.
USN-3933-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.
It was discovered that an information leak vulnerability existed in the
Bluetooth implementation of the Linux kernel. An attacker within Bluetooth
range could possibly expose sensitive information (kernel memory).
(CVE-2017-1000410)
It was discovered that the USB serial device driver in the Linux kernel did
not properly validate baud rate settings when debugging is enabled. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-18360
Ubuntu
Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2017-18249 [HIGH] · CVSS 7.0
Summary: Several security issues were fixed in the Linux kernel.
USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that a race condition existed in the f2fs file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service. (CVE-2017-18249)
Wen Xu discovered that the f2fs file system implementation in the Linux
kernel did not properly validate metadata. An attacker could use this to
construct a malicious f2fs image that, when mounted, could cause a denial
of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2018-19824 [HIGH] · CVSS 7.8
Summary: Several security issues were fixed in the Linux kernel.
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2018-19824)
Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information
leak in the Bluetooth implementation of the Linux kernel. An attacker
within Bluetooth range could use this to expose sensitive information
(kernel memory). (CVE-2019-3459, CVE-2019-3460)
Jann Horn discovered that the KVM implementation in the Linux kernel
contained a use-after-free vulnerability. An attacker in a guest VM with
access to /dev/kvm could use this to cause a denial of
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu · 2019-04-02 · CVE-2017-1000410 [HIGH] · CVSS 7.5
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that an information leak vulnerability existed in the
Bluetooth implementation of the Linux kernel. An attacker within Bluetooth
range could possibly expose sensitive information (kernel memory).
(CVE-2017-1000410)
It was discovered that the USB serial device driver in the Linux kernel did
not properly validate baud rate settings when debugging is enabled. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-18360)
Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the
Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE
Red Hat
kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
vendor_redhat · 2019-02-27 · CVE-2019-9213 [MEDIUM] · CWE-476 · CVSS 5.5
A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.
Mitigation: Enabling selinux prevents the public exploit from working correctly.
Package: kernel (Red Hat Enterprise Linux 5) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - N
Debian
linux · vendor_debian · 2019 · CVE-2019-9213 [MEDIUM] · CVSS 5.5
Scope: local
bookworm: resolved (fixed in 4.19.28-1)
bullseye: resolved (fixed in 4.19.28-1)
forky: resolved (fixed in 4.19.28-1)
sid: resolved (fixed in 4.19.28-1)
trixie: resolved (fixed in 4.19.28-1)
No detection rules found.
Exploit-DB
Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)
exploitdb · 2020-01-23 · CVE-2019-9213
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems by abusing
a NULL pointer dereference in the `rds_atomic_free_op` function in the
Reliable Datagram Sockets (RDS) kernel module (rds.ko).
Successful exploitation requires the RDS kernel module to be loaded.
If the RDS module is not blacklisted (default); then it will be loaded
automatically.
This exploit supports 64-bit Ubuntu Linux
Exploit-DB
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem
exploitdb · 2019-03-06 · CVE-2019-9213
Linux mem_rw -> access_remote_vm -> __access_remote_vm
-> get_user_pages_remote -> __get_user_pages_locked -> __get_user_pages
-> find_extend_vma
Then, if the VMA in question has the VM_GROWSDOWN flag set:
expand_stack -> expand_downwards -> security_mmap_addr -> cap_mmap_addr
This, if the address is below dac_mmap_min_addr, does a capability check:
ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
SECURITY_CAP_AUDIT);
But this check is performed against current_cred(), which are the creds of the
task doing the write(), not the creds of the task whose VMA is being changed.
To reproduce:
user@deb10:~/stackexpand$ cat nullmap.c
#include
#include
#include
#include
#include
#include
int main(void) {
void *map = mmap((void*)0x10000, 0x1000, PROT_READ|PROT_WRITE,
MAP_PRIVAT
Metasploit
Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation
This module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the `rds_atomic_free_op` function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. Target offsets are available for: Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exp
CTF
20190608-0ctf_tctf2019finals / README · ctf_writeups · 2019
# 0CTF/TCTF 2019 Finals
We got 2nd place in 0CTF/TCTF 2019 Finals (Shanghai, China).
As we have lots of final exams at that week, we don't have much time to finish this writeup in detail. We'll just write down the post-competition salon notes for most of the challenge.
**It's recommended to read our responsive [web version](https://balsn.tw/ctf_writeup/20190608-0ctf_tctf2019finals/) of this writeup.**
- [0CTF/TCTF 2019 Finals](#0ctftctf-2019-finals)
- [Pwn](#pwn)
- [BabyHeap 2.29](#babyheap-229)
- [Embeded Heap](#embeded-heap)
- [png2a](#png2a)
- [wasabi001](#wasabi001)
- [Solution1:](#solution1)
- [Solution2 (intended):](#solution2-intended)
- [wasabi002](#wasabi002)
- [Solution:](#solution)
- [Fast_Furious](#fast_furious)
- [unintended solution](#unintended-solution)
- [Fast_Furious
Bugzilla
CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms [fedora-all]
bugzilla · 2019-03-06 · CVE-2019-9213 [MEDIUM] · CVSS 5.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM
Bugzilla
CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
bugzilla · 2019-03-06 · CVE-2019-9213 [MEDIUM] · CVSS 5.5
An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1792
https://seclists.org/oss-sec/2019/q1/166
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1686137]
---
Bit of a p
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a1d52994d440e21def1c2174932410b4f2a98a1
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00052.html
http://packetstormsecurity.com/files/156053/Reliable-Datagram-Sockets-RDS-rds_atomic_free_op-Privilege-Escalation.html
http://www.securityfocus.com/bid/107296
https://access.redhat.com/errata/RHSA-2019:0831
https://access.redhat.com/errata/RHSA-2019:1479
https://access.redhat.com/errata/RHSA-2019:1480
https://bugs.chromium.org/p/project-zero/issues/detail?id=1792
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.105
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.27
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.14
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.162
https://github.com/torvalds/linux/commit/0a1d52994d440e21def1c2174932410b4f2a98a1
https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
https://usn.ubuntu.com/3930-1/
https://usn.ubuntu.com/3930-2/
https://usn.ubuntu.com/3931-1/
https://usn.ubuntu.com/3931-2/
https://usn.ubuntu.com/3932-1/
https://usn.ubuntu.com/3932-2/
https://usn.ubuntu.com/3933-1/
https://usn.ubuntu.com/3933-2/
https://www.exploit-db.com/exploits/46502/