Bug 1832866 (CVE-2020-12657)

Summary: CVE-2020-12657 kernel: use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, asavkov, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jthierry, jwboyer, kcarcia, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rhandlin, rt-maint, rvrbovsk, steved, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.6.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of the BFQ IO scheduler. This flaw allows a local user able to groom system memory to cause kernel memory corruption and possible privilege escalation by abusing a race condition in the IO scheduler.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-09 23:20:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1832867, 1835529, 1835530, 1835531, 1835532, 1835533, 1835534, 1835535, 1835536, 1835537, 1835538    
Bug Blocks: 1833237    

Description Michael Kaplan 2020-05-07 12:23:56 UTC
An issue was discovered in the Linux kernels implementation of BFQ IO scheduler.  A local user who is able to groom system memory may be able to cause kernel memory corruption and possibly privilege escalation through abusing a race condition in the IO scheduler.

Comment 2 Michael Kaplan 2020-05-07 12:25:42 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1832867]

Comment 3 Justin M. Forbes 2020-05-07 21:59:40 UTC
This was fixed for Fedora with the 5.5.18 stable kernel update.

Comment 6 Wade Mealing 2020-05-14 01:29:33 UTC
Mitigation:


The default io scheduler for Red Hat Enterprise Linux 8 is the mq-deadline scheduler, however it can be 
configured to any of the available schedulers available on the system on a per-device basis.

The schedulers in use can be verified by the block devices entry in sysfs, for example for "sda":

# cat /sys/block/sda/queue/scheduler 
[mq-deadline] kyber bfq none

All block devices in the system will need to be changed to be mitigated.  If the system workload requires
bfq, this may not be an acceptable workaround however some systems may find changing io schedulers to be an
acceptable workaround until system updates can be applied.

See https://access.redhat.com/solutions/3756041 for how to configure the io scheduler persistently across
system reboots or contact Red Hat Global Support Services.

Comment 9 errata-xmlrpc 2020-06-09 18:23:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2428 https://access.redhat.com/errata/RHSA-2020:2428

Comment 10 errata-xmlrpc 2020-06-09 18:45:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2429 https://access.redhat.com/errata/RHSA-2020:2429

Comment 11 errata-xmlrpc 2020-06-09 19:10:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2427 https://access.redhat.com/errata/RHSA-2020:2427

Comment 12 Product Security DevOps Team 2020-06-09 23:20:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12657

Comment 13 errata-xmlrpc 2020-06-15 19:00:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2567 https://access.redhat.com/errata/RHSA-2020:2567

Comment 14 errata-xmlrpc 2020-06-23 13:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2667 https://access.redhat.com/errata/RHSA-2020:2667

Comment 15 errata-xmlrpc 2020-06-23 13:08:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2669 https://access.redhat.com/errata/RHSA-2020:2669