SB2019091310 - Input validation error in Linux kernel
Published: September 13, 2019 Updated: June 1, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2019-15030)
The vulnerability allows a local authenticated user to read vector registers of other users' processes.
In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the vulnerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.
Remediation
Install update from vendor's website.
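To check whether a host still needs the update, the following added example (not part of the original bulletin or of any vendor tooling) classifies an architecture and kernel release string. It assumes the ChangeLog links under References mark the first fixed release of each stable branch; `cve_2019_15030_status` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify a kernel release against CVE-2019-15030.
# Assumption: the bulletin's ChangeLog links give the first fixed release
# per stable branch (4.9.193, 4.14.144, 4.19.73, 5.2.15, 5.3).
cve_2019_15030_status() {
    arch=$1
    release=$2
    # The bulletin scopes the flaw to the powerpc platform.
    case $arch in
        ppc*) ;;
        *) echo "not-applicable"; return 0 ;;
    esac
    # Release candidates cannot be placed by version number alone.
    case $release in
        *-rc*) echo "unknown"; return 0 ;;
    esac
    # Drop any distro/build suffix: "5.2.14-200.fc30.ppc64le" -> "5.2.14".
    base=${release%%[!0-9.]*}
    case $base in
        *.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "5.3" has no third field
    patch=${patch%%.*}
    for field in "$major" "$minor" "$patch"; do
        case $field in
            ''|*[!0-9]*) echo "unknown"; return 0 ;;
        esac
    done
    case "$major.$minor" in
        4.9)  fixed=193 ;;
        4.14) fixed=144 ;;
        4.19) fixed=73 ;;
        5.2)  fixed=15 ;;
        *)
            if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 3 ]; }; then
                echo "fixed"
            else
                echo "affected-no-listed-fix"   # branch has no fix listed here
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo "fixed"; else echo "affected"; fi
}

cve_2019_15030_status "$(uname -m)" "$(uname -r)"
```

Distribution kernels often backport fixes without changing the upstream version number, so confirm an `affected` result against the vendor's advisory.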
References
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.193
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.144
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.73
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.2.15
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3