ASA-2019-00420 – Linux kernel: Use-after-free via race condition between modify_ldt() and #BR exception


Allele Security Alert

ASA-2019-00420

Identifier(s)

ASA-2019-00420, CVE-2019-13233

Title

Use-after-free via race condition between modify_ldt() and #BR exception

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.2

Linux kernel versions 5.1.x before 5.1.9
Linux kernel versions 4.19.x before 4.19.50

Linux kernel versions with the following commit applied:

x86/insn-eval: Add utility function to get segment descriptor
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=670f928ba09b

Fixed version(s)

Linux kernel version 5.2

Linux kernel version 5.1.9
Linux kernel version 4.19.50

Linux kernel versions with the following commit applied:

x86/insn-eval: Fix use-after-free access to LDT entry
https://github.com/torvalds/linux/commit/de9f869616dd95e95c00bdd6b0fcd3421e8a4323

Proof of concept

Yes

Description

There is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.

Technical details

When a #BR exception is raised because of an MPX bounds violation, Linux parses the faulting instruction and computes the linear address of its memory operand. If the userspace instruction is in 32-bit code, this involves looking up the correct segment descriptor and adding the segment offset to the address.

get_desc() locks the mm context, computes the pointer to the LDT entry, but then drops the lock again and returns the pointer. This means that when the caller actually accesses the pointer, the pointer may have been freed already.
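The following C model is added here to make that flawed shape concrete; it is constructed for this alert and is neither kernel code nor from the Project Zero report. It places the lookup that drops the mm context lock and returns a pointer into the LDT beside the copy-out-under-lock shape that the upstream fix adopts, and replays the interleaving with a second thread's modify_ldt(). All names (get_desc_vuln, get_desc_fixed, modify_ldt_replace, race_base) are the example's own, and freeing is simulated by poisoning the table so the stale read is observable rather than undefined behaviour.

```c
/* Constructed model of the get_desc() race (CVE-2019-13233); not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define LDT_ENTRIES 4u
struct desc_struct { uint32_t base, limit; };                    /* simplified descriptor */
struct ldt_struct  { struct desc_struct entries[LDT_ENTRIES]; bool freed; };
struct mm_context  { struct ldt_struct *ldt; int lock_held; };  /* flag stands in for the mutex */
static void ctx_lock(struct mm_context *c)   { c->lock_held = 1; }
static void ctx_unlock(struct mm_context *c) { c->lock_held = 0; }
/* Stand-in for freeing: poison and flag the table so a stale read is observable, not UB. */
static void ldt_free(struct ldt_struct *l) { memset(l->entries, 0, sizeof l->entries); l->freed = true; }
/* Vulnerable shape: the lock covers only the lookup, not the returned pointer. */
static struct desc_struct *get_desc_vuln(struct mm_context *c, unsigned idx)
{
    struct desc_struct *p = NULL;
    ctx_lock(c);
    if (c->ldt && idx < LDT_ENTRIES) p = &c->ldt->entries[idx];
    ctx_unlock(c);
    return p;  /* may now point into a table that modify_ldt() has freed */
}

/* Fixed shape: copy the descriptor out while the lock is still held. */
static bool get_desc_fixed(struct mm_context *c, unsigned idx, struct desc_struct *out)
{
    bool ok = false;
    ctx_lock(c);
    if (c->ldt && idx < LDT_ENTRIES) { *out = c->ldt->entries[idx]; ok = true; }
    ctx_unlock(c);
    return ok;
}
/* What modify_ldt() on another thread does: install a new table, free the old one. */
static void modify_ldt_replace(struct mm_context *c, struct ldt_struct *new_ldt)
{
    struct ldt_struct *old;
    ctx_lock(c); old = c->ldt; c->ldt = new_ldt; ctx_unlock(c);
    if (old) ldt_free(old);
}
/* Replay: the #BR handler looks up entry 1, then modify_ldt() runs; returns the base it would use (0 = freed entry). */
static uint32_t race_base(bool use_fixed)
{
    static struct ldt_struct a, b;
    struct mm_context ctx = { .ldt = &a };
    struct desc_struct copy = { 0 }, *p = NULL;
    a.entries[1] = (struct desc_struct){ .base = 0x1000, .limit = 0xffff };
    if (use_fixed) get_desc_fixed(&ctx, 1, &copy); else p = get_desc_vuln(&ctx, 1);
    modify_ldt_replace(&ctx, &b);  /* concurrent modify_ldt() frees table a */
    return use_fixed ? copy.base : p->base;
}
int main(void) { return (race_base(false) == 0 && race_base(true) == 0x1000) ? 0 : 1; }
```

The vulnerable path returns a base read from the poisoned table, while the copy made under the lock survives the replacement; in the real kernel the stale pointer would reference freed memory instead.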

Credits

Jann Horn (Google Project Zero)

Reference(s)

Issue 1879: Linux: UAF via race between modify_ldt() and #BR exception
https://bugs.chromium.org/p/project-zero/issues/detail?id=1879

x86/insn-eval: Fix use-after-free access to LDT entry
https://github.com/torvalds/linux/commit/de9f869616dd95e95c00bdd6b0fcd3421e8a4323

x86/insn-eval: Add utility function to get segment descriptor
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=670f928ba09b

Linux 5.2
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2

Linux 5.1.9
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.9

Linux 4.19.50
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.50

CVE-2019-13233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13233

CVE-2019-13233
https://nvd.nist.gov/vuln/detail/CVE-2019-13233

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.