Bug 1847539 (CVE-2020-14304)

Summary: CVE-2020-14304 kernel: ethtool when reading eeprom of device could lead to memory leak
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, mleitner, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: allarkin: needinfo+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-10 21:28:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1847557, 1847596, 1847597, 1847598, 1847599, 1847600, 1847601, 1911198
Bug Blocks: 1837276

Description Alex 2020-06-16 15:10:03 UTC
When running ethtool to read the EEPROM of a device (param -m or param -e), it can lead to reading some uninitialized values from kernel memory.
However, an attacker can only read some unknown values from the driver's memory, but cannot control what is read or from where, and these values are related to the driver only. An attacker cannot affect availability and cannot cause any higher impact than such reading.

The rate of the issue is low, both because root access is needed to run "ethtool -m/-e" and because it can work only for some specific network drivers.

The suggested patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702#70

Comment 2 Alex 2020-06-16 15:41:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1847557]

Comment 6 Alex 2020-06-17 18:48:52 UTC
Statement:

This issue is rated as having Low impact because of being limited to only reading some of the values from the memory of some particular drivers and very limited kernel stack exposure.

Comment 7 Alex 2020-06-17 18:48:56 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 10 Petr Matousek 2020-06-24 12:23:43 UTC
External References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702