Bug 1831399 (CVE-2020-10732)

Summary: CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Wade Mealing <wmealing>
Assignee: Red Hat Product Security <security-response-team>
CC: acaringi, airlied, allarkin, aquini, bhsharma, bhu, blc, bmasney, brdeoliv, bskeggs, cye, dbohanno, dhoward, dvlasenk, esammons, esandeen, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarod, jarodwilson, jbuchert, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kdump-bugs, kernel-maint, kernel-mgr, lcapitulino, lgoncalv, linville, lzampier, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, mleitner, mmilgram, nmurray, ptalbert, qzhao, rparrazo, rrobaina, rt-maint, rvrbovsk, rysulliv, scweaver, steved, sukulkar, williams, wmealing, ycote, ykopkova, zhijwang
Doc Text:
A flaw was found in the Linux kernel's implementation of userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.
Last Closed: 2020-09-29 22:00:43 UTC
Bug Depends On: 1832059, 1832060, 1832061, 1832062, 1832063, 1832634
Bug Blocks: 1827001

Description Wade Mealing 2020-05-05 05:18:28 UTC
A flaw was found in the Linux kernel implementation of userspace core dumps. This flaw allows anyone with access to core dumps to see a small amount of private kernel data about the currently running kernel's internal state, which could be used to further allow an attack to more reliably execute. This information could be user processes or kernel state from previous executions.

References:

https://github.com/google/kmsan/issues/76
https://twitter.com/grsecurity/status/1252558055629299712
https://github.com/ruscur/linux/commit/a95cdec9fa0c08e6eeb410d461c03af8fd1fef0a

Comment 3 Wade Mealing 2020-05-06 04:04:31 UTC
This flaw is rated as moderate; it can be a pretty useful information leak to defeat KASLR and can also be leveraged as part of another attack.

Comment 6 Wade Mealing 2020-05-06 04:33:56 UTC
There is no 'simple' fix to this. The bug is located in the ELF executable loader. If this code were to be blacklisted, most executables would not run on the system, making it inoperable for most use cases.
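The leaked bytes described in Comments 1, 3 and 6 end up inside the per-thread register notes of the ELF core file, so the practical way to look for them is to walk the core's PT_NOTE segment and inspect each note's descriptor. The following is an added example written for this page; it is not code from the bug, the kernel or the referenced commit. It parses an in-memory ELF64 core (constructed here, not a real dump), lists its notes, and counts non-zero bytes in the part of a descriptor past what the register getter is known to fill. That "filled" length is analyst-supplied knowledge about the particular regset (the core file does not record it), and little-endian host byte order is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 definitions (layouts per the ELF64 spec) so this builds without <elf.h>. */
#define ELF_MAGIC     "\177ELF"
#define ELFCLASS64    2
#define ET_CORE       4
#define PT_NOTE       4
#define NT_PRSTATUS   1       /* the kernel writes this note under the name "CORE"  */
#define NT_X86_XSTATE 0x202   /* the kernel writes this note under the name "LINUX" */

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr;                                                                         /* 64 bytes */
typedef struct { uint32_t p_type, p_flags; uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; } Phdr; /* 56 */
typedef struct { uint32_t n_namesz, n_descsz, n_type; } Nhdr;                   /* 12 bytes */
typedef struct { char name[16]; uint32_t type, descsz; const unsigned char *desc; } NoteRec;
#define ALIGN4(x) (((size_t)(x) + 3u) & ~(size_t)3u)

/* Walk every PT_NOTE segment of an in-memory ELF64 core and record its notes.
 * Returns the number of notes seen (out[] holds at most `max`), or -1 on a malformed image. */
int walk_core_notes(const unsigned char *img, size_t len, NoteRec *out, int max)
{
    Ehdr eh; if (len < sizeof eh || memcmp(img, ELF_MAGIC, 4) != 0 || img[4] != ELFCLASS64) return -1;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_type != ET_CORE || eh.e_phentsize != sizeof(Phdr) || eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Phdr) > len - eh.e_phoff) return -1;
    int n = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr ph; memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_NOTE) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
        const unsigned char *p = img + ph.p_offset, *end = p + ph.p_filesz;
        while ((size_t)(end - p) >= sizeof(Nhdr)) {
            Nhdr nh; memcpy(&nh, p, sizeof nh);
            size_t desc_off = sizeof nh + ALIGN4(nh.n_namesz), total = desc_off + ALIGN4(nh.n_descsz);
            if (total > (size_t)(end - p)) return -1;                         /* truncated note */
            if (n < max) {
                NoteRec *r = &out[n];
                memset(r, 0, sizeof *r);
                memcpy(r->name, p + sizeof nh, nh.n_namesz < sizeof r->name ? nh.n_namesz : sizeof r->name - 1);
                r->type = nh.n_type; r->descsz = nh.n_descsz; r->desc = p + desc_off;
            }
            n++;
            p += total;
        }
    }
    return n;
}

/* Count non-zero bytes in a descriptor past `filled`, the number of bytes the register getter is
 * known to write (analyst-supplied). With the kzalloc fix the tail is all zeros; stale non-zero
 * bytes there are the kernel memory this CVE leaks. */
size_t note_tail_nonzero(const NoteRec *r, size_t filled)
{
    size_t nz = 0;
    for (size_t i = filled; i < r->descsz; i++) nz += r->desc[i] != 0;
    return nz;
}

/* Constructed sample (not a real dump): an ELF64 core with one PT_NOTE segment and two notes. The
 * second descriptor has 16 filled bytes and a 16-byte tail seeded with three non-zero bytes to
 * imitate an unpatched kernel's uninitialised allocation. Little-endian host order is assumed. */
size_t build_sample_core(unsigned char *buf, size_t cap)
{
    unsigned char prstatus[16], xstate[32] = {0};
    for (int i = 0; i < 16; i++) prstatus[i] = (unsigned char)(i + 1);
    memset(xstate, 0xAA, 16);                                   /* bytes the getter wrote */
    xstate[20] = 0xDE; xstate[21] = 0xAD; xstate[31] = 0x42;    /* "stale heap" bytes     */
    size_t notes_off = sizeof(Ehdr) + sizeof(Phdr), n1 = sizeof(Nhdr) + 8 + 16, n2 = sizeof(Nhdr) + 8 + 32;
    if (cap < notes_off + n1 + n2) return 0;
    memset(buf, 0, notes_off + n1 + n2);
    Ehdr eh = {0}; memcpy(eh.e_ident, ELF_MAGIC, 4);
    eh.e_ident[4] = ELFCLASS64; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* ELFDATA2LSB, EV_CURRENT */
    eh.e_type = ET_CORE; eh.e_machine = 62 /* EM_X86_64 */; eh.e_version = 1;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(Phdr); eh.e_phnum = 1;
    memcpy(buf, &eh, sizeof eh);
    Phdr ph = {0}; ph.p_type = PT_NOTE; ph.p_offset = notes_off; ph.p_filesz = n1 + n2; ph.p_align = 4;
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    Nhdr h1 = { 5, 16, NT_PRSTATUS }, h2 = { 6, 32, NT_X86_XSTATE };
    unsigned char *p = buf + notes_off;
    memcpy(p, &h1, sizeof h1); memcpy(p + 12, "CORE", 5);  memcpy(p + 20, prstatus, 16);
    p += n1;
    memcpy(p, &h2, sizeof h2); memcpy(p + 12, "LINUX", 6); memcpy(p + 20, xstate, 32);
    return notes_off + n1 + n2;
}

int main(void)
{
    unsigned char core[256]; NoteRec notes[8];
    size_t len = build_sample_core(core, sizeof core);
    int n = walk_core_notes(core, len, notes, 8);
    for (int i = 0; i < n; i++)
        printf("note %d: name=%-5s type=0x%x descsz=%u\n", i, notes[i].name, notes[i].type, notes[i].descsz);
    printf("non-zero tail bytes in the xstate note: %zu\n", note_tail_nonzero(&notes[1], 16)); /* 16 filled assumed */
    return 0;
}
```

To use this against a real dump, read the core file into a buffer, pass it to walk_core_notes(), and call note_tail_nonzero() on the register notes with the byte count the relevant getter actually writes on that kernel; a non-zero result on a system that should carry the fix means the core still contains uninitialised kernel memory.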

Comment 8 Wade Mealing 2020-05-06 04:44:33 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1832059]

Comment 11 Wade Mealing 2020-05-06 05:13:17 UTC
Mitigation:

A possible mitigation would be to disable core dumps system-wide by setting:

* hard core 0

in the /etc/security/limits.conf file and restarting applications/services/processes which users may have access to, or simply rebooting the system. This disables core dumps, which may not be a suitable workaround in your environment.
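The following is an added example, not part of the bug report, showing how to audit the mitigation from Comment 11: it checks a limits.conf text for the wildcard hard core limit of 0, reads the effective hard limit of the running shell, and confirms that a deliberately crashed process leaves no core file once the limit is 0. The limits.conf contents are constructed samples; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report): audit the core-dump mitigation from Comment 11.

# Return 0 if the limits.conf text on stdin sets a wildcard hard core limit of 0.
# pam_limits fields: <domain> <type> <item> <value>; type "-" sets soft and hard together.
limits_disable_core() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "*" && ($2 == "hard" || $2 == "-") && $3 == "core" && $4 == "0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Effective hard core limit of the calling shell ("0" means no core file can be written).
current_hard_core_limit() { ulimit -H -c; }

# Demonstrate the effect: with the hard limit at 0, a SIGSEGV crash leaves no core file behind.
crash_leaves_no_core() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && ulimit -H -c 0 && sh -c 'kill -SEGV $$' ) 2>/dev/null || :
    n=$(find "$dir" -maxdepth 1 -name 'core*' | wc -l)
    rm -rf "$dir"
    [ "$n" -eq 0 ]
}

# Constructed sample files (not taken from any real host): one hardened, one with only a soft limit.
HARDENED='# /etc/security/limits.conf
*    hard    core    0
root soft    nproc   unlimited'
WEAK='*    soft    core    0
@dev hard    core    unlimited'

if printf '%s\n' "$HARDENED" | limits_disable_core; then echo "hardened: core dumps disabled for all PAM sessions"; fi
if ! printf '%s\n' "$WEAK" | limits_disable_core; then echo "weak: soft limit only, users can raise it with ulimit -c"; fi
echo "this shell's hard core limit: $(current_hard_core_limit)"
```

Two caveats when applying this on real systems: pam_limits only affects sessions that go through PAM, so services started by systemd need LimitCORE=0 in their unit (or DefaultLimitCORE in system.conf) to be covered, and a soft limit alone is not a mitigation because an unprivileged user can raise it back up to the hard limit.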

Comment 15 Bhupesh Sharma 2020-05-15 06:32:22 UTC
The proposed fix has been accepted in the linux-next tree (git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git):

commit aca969cacf07f41070d788ce2b8ca71f09d5207d
Author: Alexander Potapenko <glider>
Date:   Thu May 14 13:40:13 2020 +1000

    fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

<..snip..>

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index fb7697029046..1a8b0c74f5b0 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -1729,7 +1729,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
                    (!regset->active || regset->active(t->task, regset) > 0)) {
                        int ret;
                        size_t size = regset_size(t->task, regset);
-                       void *data = kmalloc(size, GFP_KERNEL);
+                       void *data = kzalloc(size, GFP_KERNEL);
                        if (unlikely(!data))
                                return 0;
                        ret = regset->get(t->task, regset,
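Review bot: the new `void *data = kzalloc(size, GFP_KERNEL);` line has no comment saying why zero-filling is required here, and without one a later cleanup could swap it back to kmalloc as a "pointless" change. The reason worth recording at that line is that `regset->get()` may write fewer than `regset_size(t->task, regset)` bytes into the buffer, and whatever it leaves untouched is emitted into the core note as-is; the zeroed allocation is what makes that remainder zeros rather than stale heap contents. Making the contract explicit, either with a one-line comment or by checking how many bytes the getter actually filled, would keep the fix from being silently undone.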

Comment 16 errata-xmlrpc 2020-09-29 18:59:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 17 errata-xmlrpc 2020-09-29 20:54:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 18 Product Security DevOps Team 2020-09-29 22:00:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10732

Comment 19 Justin M. Forbes 2020-10-08 18:59:43 UTC
This was fixed for Fedora with the 5.6.16 stable kernel updates.

Comment 20 errata-xmlrpc 2020-11-04 00:50:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4431 https://access.redhat.com/errata/RHSA-2020:4431

Comment 21 errata-xmlrpc 2020-11-04 02:23:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4609 https://access.redhat.com/errata/RHSA-2020:4609