CVE-2019-11810: kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS

Bug #1849206 reported by Bruce Jones on 2019-10-21
Affects: StarlingX
Importance: High
Assigned to: Robin Lu

Bug Description

CVE-2019-11810
status: fixed
cvss2Score: 7.8
Attack Vector: N
Access Complexity: L
Authentication: N
Availability Impact: C
Affected packages:
['kernel', 'kernel-tools', 'kernel-tools-libs', 'perf', 'python-perf']
An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.
https://nvd.nist.gov/vuln/detail/CVE-2019-11810
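The description above names the failure mode (frame-pool creation fails inside the command allocator, and a NULL dereference follows) but not the shape of the defect. The following is an added example, not the kernel's or StarlingX's code: a minimal C model of an allocation helper that, when its frame pool cannot be created, frees what it has built so far but still returns 0, so the caller treats the call as a success and dereferences a NULL command pointer. That this is the defect class behind the CVE is an assumption here, taken from the upstream commit linked later in this thread; every name in the block (`alloc_cmds_buggy`, `alloc_cmds_fixed`, `probe`, `frame_pool_fails`) is constructed for the model and is not a driver identifier.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_CMDS   4
#define FRAME_SIZE 64

/* One command slot; in the real driver the frame lives in a DMA pool. */
struct cmd { unsigned char *frame; };

/* Adapter state: a fixed command table plus a knob that lets the model
 * simulate a frame-pool allocation failure (constructed, not a driver field). */
struct instance {
    struct cmd *cmd_list[NUM_CMDS];
    int frame_pool_fails;
};

/* Release every command and its frame; safe on already-NULL slots. */
static void free_cmds(struct instance *inst)
{
    for (int i = 0; i < NUM_CMDS; i++) {
        if (inst->cmd_list[i]) {
            free(inst->cmd_list[i]->frame);
            free(inst->cmd_list[i]);
            inst->cmd_list[i] = NULL;
        }
    }
}

/* Stand-in for the frame-pool constructor: attach a frame to each command
 * or fail as a whole. Returns 0 on success, -ENOMEM on failure. */
static int create_frame_pool(struct instance *inst)
{
    if (inst->frame_pool_fails)
        return -ENOMEM;
    for (int i = 0; i < NUM_CMDS; i++) {
        inst->cmd_list[i]->frame = calloc(1, FRAME_SIZE);
        if (!inst->cmd_list[i]->frame)
            return -ENOMEM;
    }
    return 0;
}

/* Shared first half of the allocator: the command objects themselves. */
static int alloc_cmd_objects(struct instance *inst)
{
    for (int i = 0; i < NUM_CMDS; i++) {
        inst->cmd_list[i] = calloc(1, sizeof(struct cmd));
        if (!inst->cmd_list[i]) {
            free_cmds(inst);
            return -ENOMEM;
        }
    }
    return 0;
}

/* Assumed defect shape: on frame-pool failure the partially built table is
 * torn down, but the function still reports success to its caller. */
static int alloc_cmds_buggy(struct instance *inst)
{
    if (alloc_cmd_objects(inst))
        return -ENOMEM;
    if (create_frame_pool(inst))
        free_cmds(inst);      /* missing: return -ENOMEM; */
    return 0;
}

/* Hardened shape: the failure is propagated, so "success" is never paired
 * with an already-freed command table. */
static int alloc_cmds_fixed(struct instance *inst)
{
    if (alloc_cmd_objects(inst))
        return -ENOMEM;
    if (create_frame_pool(inst)) {
        free_cmds(inst);
        return -ENOMEM;
    }
    return 0;
}

/* Caller in the role of the adapter init path. Returns 0 when the table is
 * usable, -ENOMEM when the allocator reported its failure, and -EFAULT when
 * the allocator claimed success on a freed table (where a real driver would
 * dereference NULL; the guard stands in for that crash). */
static int init_adapter(struct instance *inst, int (*alloc)(struct instance *))
{
    int rc = alloc(inst);
    if (rc)
        return rc;
    if (!inst->cmd_list[0] || !inst->cmd_list[0]->frame)
        return -EFAULT;
    memset(inst->cmd_list[0]->frame, 0xA5, FRAME_SIZE);   /* first real use */
    free_cmds(inst);
    return 0;
}

/* Run one scenario: which allocator variant, and whether the pool fails. */
int probe(int (*alloc)(struct instance *), int pool_fails)
{
    struct instance inst;
    memset(&inst, 0, sizeof inst);
    inst.frame_pool_fails = pool_fails;
    return init_adapter(&inst, alloc);
}

int main(void)
{
    printf("buggy allocator, pool fails: %d (-EFAULT is %d)\n", probe(alloc_cmds_buggy, 1), -EFAULT);
    printf("fixed allocator, pool fails: %d (-ENOMEM is %d)\n", probe(alloc_cmds_fixed, 1), -ENOMEM);
    printf("fixed allocator, pool ok:    %d\n", probe(alloc_cmds_fixed, 0));
    return 0;
}
```

The point the model makes for review of any init path: a cleanup branch that frees state must also return an error, otherwise the caller's "if (rc) goto fail" logic is bypassed and the freed table is used as if it were live. Compile with `cc -Wall model.c && ./a.out`; the buggy variant reports -EFAULT only because the guard in `init_adapter` catches the NULL slot that a real driver would dereference.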

Bruce Jones (brucej) on 2019-10-21
tags: added: stx.security
Bruce Jones (brucej) on 2019-10-21
Changed in starlingx:
importance: Undecided → High
tags: added: stx.3.0
Ghada Khalil (gkhalil) wrote :

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

tags: added: stx.2.0
summary: - Fix CVE-2019-11810
+ CVE-2019-11810: kernel: a NULL pointer dereference in
+ drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
Ghada Khalil (gkhalil) on 2019-10-21
Changed in starlingx:
status: New → Triaged
Cindy Xie (xxie1) on 2019-10-22
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
Lin Shuicheng (shuicheng) wrote :

Here is the link from Redhat:
https://access.redhat.com/errata/RHSA-2019:2837

And the issue is fixed in the kernel srpm. The problem is that we cannot find the same version of the rt kernel.
The issue is fixed in the rt kernel also for RedHat 8 and RedHat 7.7, but only in the std kernel for RedHat 7.6.
"Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6"
The new std kernel with the issue fixed:
kernel-3.10.0-957.35.1.el7.src.rpm

But for the rt kernel, I could only find the version below (27 in rt vs. 35 in std):
kernel-rt-3.10.0-957.27.2.rt56.940.el7.src.rpm

The only way to keep the std and rt kernels at the same version is to use the kernel from CentOS 7.7.
std kernel: https://access.redhat.com/errata/RHSA-2019:2029
    kernel-3.10.0-1062.el7.src.rpm
rt kernel: https://access.redhat.com/errata/RHSA-2019:2043
    kernel-rt-3.10.0-1062.rt56.1022.el7.src.rpm

Any suggestion for this issue?
Thanks.

Lin Shuicheng (shuicheng) wrote :

Just found that "kernel-3.10.0-957.35.1.el7.src.rpm" is for RedHat only. CentOS 7.6 doesn't have it either.
So I prefer to fix this issue in CentOS 7.6 by cherry-picking the upstream patch onto the current kernel srpm (kernel-3.10.0-957.21.3.el7.src.rpm).
Here is the patch link provided in the CVE:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcf3b67d16a4c8ffae0aa79de5853435e683945c

Here is the bug track for RedHat OS:
https://bugzilla.redhat.com/show_bug.cgi?id=1709164

Lin Shuicheng (shuicheng) wrote :

The issue is fixed with the srpms below from CentOS 7.7.
std kernel: https://access.redhat.com/errata/RHSA-2019:2029
    kernel-3.10.0-1062.el7.src.rpm
rt kernel: https://access.redhat.com/errata/RHSA-2019:2043
    kernel-rt-3.10.0-1062.rt56.1022.el7.src.rpm

To fix the kernel CVE below, the std/rt kernel will be upgraded to a version higher than this one.
https://bugs.launchpad.net/starlingx/+bug/1847817

So we will upgrade the kernel srpm to the version below, which will cover this issue.
std kernel: kernel-3.10.0-1062.1.2.el7.src.rpm
https://access.redhat.com/errata/RHSA-2019:2829
rt kernel: kernel-rt-3.10.0-1062.1.2.rt56.1025.el7.src.rpm
https://access.redhat.com/errata/RHSA-2019:2830

Lin Shuicheng (shuicheng) wrote :

Since the fix for bug #1847817 will also include the fix for this issue, mark it as a duplicate.

Ghada Khalil (gkhalil) on 2019-11-22
information type: Private Security → Public Security
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Robin Lu (robinlu)
Changed in starlingx:
status: Triaged → In Progress