Bug 1835127 (CVE-2020-10742)

Summary: CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, carnil, dhoward, dvlasenk, esammons, eshatokhin, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jaeshin, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel. An index buffer overflow during a Direct IO write causes the NFS client to crash. In some cases, an access past the end of the index following a single kmalloc allocation causes a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability.
Last Closed: 2020-09-29 22:00:54 UTC
Bug Depends On: 1848484, 1848485, 1848486, 1848487, 1824270, 1835128, 1839679, 1839680, 1839681
Bug Blocks: 1827054

Description Marian Rehak 2020-05-13 08:04:26 UTC
NFS client crashes due to an index buffer overflow during Direct IO write. In some circumstances, it reaches out of the index after just one memory allocation by kmalloc, which causes a kernel panic at a random function. (slub_debug shows the Redzone is overwritten.)

Upstream Issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1824270

Comment 1 Marian Rehak 2020-05-13 08:05:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1835128]

Comment 3 Salvatore Bonaccorso 2020-05-14 21:28:01 UTC
Hi Marian,

I'm trying to track this issue for Debian, and looked up https://bugzilla.redhat.com/show_bug.cgi?id=1824270 as well. Do you have any additional information on this issue: did it ever affect mainline/upstream, or is the issue specific to the Red Hat kernel?

Regards,
Salvatore

Comment 4 Marian Rehak 2020-05-18 11:02:17 UTC
Hello Salvatore,

This flaw is based on the bz you mentioned, so there is no additional information apart from that as far as I know. I'm sorry I couldn't be of more help.

Best regards.
Marian

Comment 6 Salvatore Bonaccorso 2020-05-22 15:31:31 UTC
Hi Marian,

(In reply to Marian Rehak from comment #4)
> Hello Salvatore,
> 
> This flaw is based on the bz you mentioned so there are no additional
> information apart from that as far as I know. I'm sorry I couldn't be of
> more help.

Okay, thanks. I was hoping more was already known, as it mentioned an internal discussion for developing the kernel patches, which were then specifically applied to the 3.10 version.

I was not able to trigger the issue, for instance, in 4.19.118, and with only the available information I was suspecting it might have been fixed in 3.11-rc1 upstream by something related to 18aad3d552c7 ("NFSv4.1 Refactor nfs4_init_session and nfs4_init_channel_attrs") and/or 68bf05efb7fa ("nfs41: fix session fore channel negotiation"), or maybe something else entirely.

This would also be in line with the fact that a fix was only needed for RHEL7 with kernel-3.10.0-1140.el7?

Thanks for taking time here to reply to my query.

Regards,
Salvatore

Comment 10 Alex 2020-05-31 10:28:02 UTC
In reply to comment #3:
> Hi Marian,
> 
> I'm trying to track this issue for Debian, and looked as well up
> https://bugzilla.redhat.com/show_bug.cgi?id=1824270. Do you have any
> additional information on this issue: Did it ever affected mainline/upstream
> or is the issue specific to the Red Hat kernel?
> 
> Regards,
> Salvatore

Hi Salvatore,

Based on the info from engineering:

"Upstream, nfs_direct_write_schedule_segment was removed in
v3.16, and iovec has been transformed to iov_iter, so this
is a RHEL-only patch."

which is from our rhel-7 patch.

Best Regards,
Alexander

Comment 14 Marian Rehak 2020-06-02 10:30:02 UTC
Acknowledgments:

Name: Jay Shin (Red Hat)

Comment 16 errata-xmlrpc 2020-09-29 18:59:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 17 errata-xmlrpc 2020-09-29 20:54:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

Comment 18 Product Security DevOps Team 2020-09-29 22:00:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10742