CVE-2019-8912

Published: 18 February 2019

In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.

From the Ubuntu security team

It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-47.50)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.2.0-16.19)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(3.11.0-12.19)
Patches:
Introduced by 86741ec25462e4c8cdce6df2f41ead05568c7d5e
Fixed by 9060cb719e61b685ec0102574e10337fa5f445ea
Introduced by 86741ec25462e4c8cdce6df2f41ead05568c7d5e
Fixed by ff7b11aa481f682e0e9711abfeb7d03f5cd612bf
linux-aws
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1035.37)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.4.0-1001.10)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(4.4.0-1002.2)
linux-aws-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1035.37~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-azure
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.18.0-1014.14~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1041.45)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (4.15.0-1041.45~14.04.1)
linux-azure-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.18.0-1014.14~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1041.45)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-euclid
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.4.0-9019.20)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-flo
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-gcp
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1029.31)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1029.31~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gcp-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.18.0-1008.9~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-goldfish
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-grouper
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.18.0-17.18~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-47.50~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-hwe-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-15.16~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-47.50~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-kvm
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1031.31)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.4.0-1004.9)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-trusty
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-utopic
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-vivid
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-wily
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-xenial
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(4.4.0-13.29~14.04.1)
linux-maguro
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-mako
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-manta
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-oem
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1035.40)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(was needs-triage now end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1010.12)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1010.12~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1033.35)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.2.0-1013.19)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
Upstream
Released (5.0)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(4.4.0-1077.82)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(4.4.0-1012.12)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
tyhicks
NVD has published CVSS metrics that state that the attack vector is
"Network" which results in a CRITICAL CVSS score but that does not match
Ubuntu's assessment. The attack vector is "Local" since AF_ALG is a address
family that strictly operates locally between a userspace process and the
kernel crypto API and the attack requires a specific sequence of operations
to be performed on the file descriptor that represents the socket.
This has been addressed in a more generic manner, to fix
other network families, by this commit in the net tree:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ff7b11aa481f682e0e9711abfeb7d03f5cd612bf

References