CVE-2019-11811: kernel: use-after-free in IPMI

Bug #1849209 reported by Bruce Jones on 2019-10-21
Affects: StarlingX | Importance: Critical | Assigned to: Robin Lu

Bug Description

CVE-2019-11811
status: fixed
cvss2Score: 10
Attack Vector: N
Access Complexity: L
Authentication: N
Availability Impact: C
Affected packages:
['kernel', 'kernel-tools', 'kernel-tools-libs', 'perf', 'python-perf']
An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.
https://nvd.nist.gov/vuln/detail/CVE-2019-11811

CVE References

Bruce Jones (brucej) on 2019-10-21
tags: added: stx.security
Bruce Jones (brucej) on 2019-10-21
Changed in starlingx:
importance: Undecided → Critical
tags: added: stx.3.0
Ghada Khalil (gkhalil) wrote :

This was previously reported in https://bugs.launchpad.net/starlingx/+bug/1840778
After further investigation, it was determined that StarlingX is not really vulnerable. See the details in the LP above. I think we can close this as a duplicate.

summary: - Fix CVE-2019-11811
+ CVE-2019-11811: kernel: use-after-free in IPMI
tags: added: stx.2.0
Changed in starlingx:
assignee: nobody → Ghada Khalil (gkhalil)
status: New → Invalid
Ghada Khalil (gkhalil) wrote :

Re-opening: Even though the current StarlingX kernel version (957.21.3) is not vulnerable to this CVE, the vulnerability may be introduced when picking up a newer kernel to address the following CVEs:
https://bugs.launchpad.net/starlingx/+bug/1849206
https://bugs.launchpad.net/starlingx/+bug/1847817

Note: All open kernel CVEs should be investigated and addressed together.

Changed in starlingx:
status: Invalid → Confirmed
Ghada Khalil (gkhalil) on 2019-10-21
Changed in starlingx:
status: Confirmed → Triaged
Ghada Khalil (gkhalil) on 2019-10-23
Changed in starlingx:
assignee: Ghada Khalil (gkhalil) → Cindy Xie (xxie1)
Cindy Xie (xxie1) on 2019-11-19
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Lin Shuicheng (shuicheng)
Lin Shuicheng (shuicheng) wrote :

We are upgrading the kernel to kernel-3.10.0-1062.1.2.el7.src.rpm currently, and I confirm the fix below is already included in this srpm.
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=401e7e88d4ef80188ffa07095ac00456f901b8c4

So no extra work is needed for this CVE.

Ok, Thanks :)

Lin Shuicheng (shuicheng) wrote :

Since neither the previous 957 kernel nor the latest 1062 kernel has this CVE issue,
I will close this issue as Invalid.
Feel free to add your comments if you have other ideas.
Thanks.

Changed in starlingx:
status: Triaged → Invalid
Ghada Khalil (gkhalil) wrote :

The vuls scanning tool is reporting this CVE for StarlingX. Given we are now picking up a version of the kernel (1062) that has the fix, I prefer to have this CVE / launchpad referenced in that commit and marked as Fix Released when the commit is merged.

Changed in starlingx:
status: Invalid → Triaged
assignee: Lin Shuicheng (shuicheng) → Robin Lu (robinlu)
Ghada Khalil (gkhalil) wrote :

Assigning to Robin to link to his commits with the kernel upversion to 1062:
https://review.opendev.org/#/c/695359/
https://review.opendev.org/#/c/695358/
https://review.opendev.org/#/c/695355/

Ghada Khalil (gkhalil) on 2019-11-22
information type: Private Security → Public Security
Changed in starlingx:
status: Triaged → In Progress