Bug 1817141 (CVE-2020-10690)
| Summary: | CVE-2020-10690 kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, haliu, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pmatouse, qzhao, rkeshri, rt-maint, rvrbovsk, security-response-team, steved, vdronov, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kernel 5.5 | Doc Type: | If docs needed, set a value |
| Doc Text: |
There is a use-after-free problem seen due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 22:00:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1774657, 1787568, 1798395, 1817354, 1817355, 1817356, 1817357, 1817358, 1826223, 1888688 | ||
| Bug Blocks: | 1811167 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-03-25 16:45:25 UTC
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1826223] Statement: This issue is rated as having Low impact as there is a need for high privilege access to trigger this problem. This will need an access to /dev/ptpX which is privileged operation, also removing the module is needed (again, privileged operation). Hi Rohit, It looks RHEL7 has fixed this issue in bug 1774657. RHEL8 has fixed it in bug 1787568. Should we close the RHEL7/8's CVE tracker bug 1817354, bug 1817355? Thanks Hangbin This was fixed for Fedora with the 5.4.8 stable kernel updates. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10690 |